Install Slim Agent

The slim agent is a lighter version of the Sysdig agent, created by splitting the regular agent image into two components responsible for different functions. The split reduces the attack surface for potential vulnerabilities, which makes the slim agent more secure.

You install the slim agent package as two separate containers:

  • agent-kmodule: Responsible for downloading and building the kernel module. The container is short-lived: it exits after the kernel module is loaded. The transient nature of the container reduces the time and opportunities for exploiting any potential vulnerabilities present in the container image.

    Prerequisites: The package depends on Dynamic Kernel Module Support (DKMS) and requires the compiler and kernel headers to be installed if you are using the agent-kmodule to build the kernel probe. Alternatively, you can use it without the kernel headers. In that case, the agent-kmodule attempts to download a pre-built kernel probe if one is present in the Sysdig probe repository.

    The module contains:

    • The driver sources

    • A post-install script that builds the module upon installation

  • agent-slim: Responsible for running the agent module once the kernel module has been loaded. When the slim agent is up and running, it functions the same way as the regular agent.

Install Slim Agent in a Non-Orchestrated Environment

The agent is installed by running sysdig/agent-kmodule first, followed by running sysdig/agent-slim.

Note

After every host restart, you must run the agent-kmodule container and then the agent-slim container again.

  1. Build and load the kernel module:

    docker run -it --privileged --rm --name sysdig-agent-kmodule -v /usr:/host/usr:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro sysdig/agent-kmodule
  2. Run the agent module:

    docker run -it --rm --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=YOUR-ACCESS-KEY -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro sysdig/agent-slim
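
To make the split concrete, this added example (not Sysdig's code) parses the two `docker run` commands above and reports the host access each container is granted: privileged mode, host namespaces, and read-only versus writable bind mounts. The function name `footprint` and its result keys are hypothetical, and the `/proc` mount is written as `/host/proc:ro` on the assumption that it matches the daemonset mount.

```python
import shlex

# Sample input: the two commands from the steps above. The /proc mount is
# written out as /host/proc:ro (assumption, matching the daemonset mount).
KMODULE_CMD = (
    "docker run -it --privileged --rm --name sysdig-agent-kmodule "
    "-v /usr:/host/usr:ro -v /boot:/host/boot:ro "
    "-v /lib/modules:/host/lib/modules:ro sysdig/agent-kmodule"
)
AGENT_CMD = (
    "docker run -it --rm --name sysdig-agent --privileged --net host "
    "--pid host -e ACCESS_KEY=YOUR-ACCESS-KEY "
    "-v /var/run/docker.sock:/host/var/run/docker.sock "
    "-v /dev:/host/dev -v /proc:/host/proc:ro sysdig/agent-slim"
)
# Flags that consume the next token as their value.
VALUE_FLAGS = {"--name", "-v", "--volume", "-e", "--env", "--net", "--network", "--pid"}


def footprint(command):
    """Summarise the host access a `docker run` command line grants."""
    tokens = shlex.split(command)[2:]          # drop leading "docker run"
    result = {"image": None, "privileged": False, "removed_on_exit": False,
              "host_namespaces": [], "ro_mounts": [], "rw_mounts": []}
    i = 0
    while i < len(tokens):
        flag, value = tokens[i], None
        if not flag.startswith("-"):
            result["image"] = flag             # first non-flag token is the image
            break
        if flag.startswith("--") and "=" in flag:
            flag, value = flag.split("=", 1)   # --flag=value form
        elif flag in VALUE_FLAGS and i + 1 < len(tokens):
            i += 1
            value = tokens[i]
        if flag == "--privileged":
            result["privileged"] = True
        elif flag == "--rm":
            result["removed_on_exit"] = True
        elif flag in ("--net", "--network", "--pid") and value == "host":
            result["host_namespaces"].append(flag.lstrip("-"))
        elif flag in ("-v", "--volume") and value:
            src, _, rest = value.partition(":")
            options = rest.split(":")[1].split(",") if ":" in rest else []
            key = "ro_mounts" if "ro" in options else "rw_mounts"
            result[key].append(src)
        i += 1
    return result
```

For these commands, agent-kmodule receives only read-only host mounts, while agent-slim also joins the host network and PID namespaces and mounts the Docker socket and `/dev` writable.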

Install Slim Agent on Kubernetes

The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed in order for the other containers to run.

Note

The slim agent is not supported on GKE clusters running on COS (Container Optimized OS).

  1. Download sysdig-agent-slim-daemonset-v2.yaml, edit it as required, and deploy.

    An example daemonset is given below:

    ### WARNING: this file is supported from Sysdig Agent 0.80.0
    # apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: sysdig-agent
      labels:
        app: sysdig-agent
    spec:
      selector:
        matchLabels:
          app: sysdig-agent
      updateStrategy:
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: sysdig-agent
        spec:
          volumes:
          - name: modprobe-d
            hostPath:
              path: /etc/modprobe.d
          - name: dshm
            emptyDir:
              medium: Memory
          - name: dev-vol
            hostPath:
              path: /dev
          - name: proc-vol
            hostPath:
              path: /proc
          - name: boot-vol
            hostPath:
              path: /boot
          - name: modules-vol
            hostPath:
              path: /lib/modules
          - name: usr-vol
            hostPath:
              path: /usr
          - name: run-vol
            hostPath:
              path: /run
          - name: varrun-vol
            hostPath:
              path: /var/run
          - name: sysdig-agent-config
            configMap:
              name: sysdig-agent
              optional: true
          - name: sysdig-agent-secrets
            secret:
              secretName: sysdig-agent
          hostNetwork: true
          hostPID: true
          tolerations:
            - effect: NoSchedule
              key: node-role.kubernetes.io/master
          # The following line is necessary for RBAC
          serviceAccount: sysdig-agent
          terminationGracePeriodSeconds: 5
          initContainers:
          - name: sysdig-agent-kmodule
            image: sysdig/agent-kmodule
            imagePullPolicy: Always
            securityContext:
              privileged: true
            resources:
              requests:
                cpu: 1000m
                memory: 384Mi
              limits:
                memory: 512Mi
            volumeMounts:
            - mountPath: /etc/modprobe.d
              name: modprobe-d
              readOnly: true
            - mountPath: /host/boot
              name: boot-vol
              readOnly: true
            - mountPath: /host/lib/modules
              name: modules-vol
              readOnly: true
            - mountPath: /host/usr
              name: usr-vol
              readOnly: true
          containers:
          - name: sysdig-agent
            # WARNING: the agent-slim release is currently dependent on the above
            # initContainer and thus only functions correctly in a kubernetes cluster 
            image: sysdig/agent-slim
            imagePullPolicy: Always
            securityContext:
              privileged: true
            resources:
              # Resources needed are subjective to the actual workload.
              # Please refer to Sysdig Support for more info.
              requests:
                cpu: 600m
                memory: 512Mi
              limits:
                cpu: 2000m
                memory: 1536Mi
            readinessProbe:
              exec:
                command: [ "test", "-e", "/opt/draios/logs/running" ]
              initialDelaySeconds: 10
            volumeMounts:
            - mountPath: /host/dev
              name: dev-vol
              readOnly: false
            - mountPath: /host/proc
              name: proc-vol
              readOnly: true
            - mountPath: /host/run
              name: run-vol
            - mountPath: /host/var/run
              name: varrun-vol
            - mountPath: /dev/shm
              name: dshm
            - mountPath: /opt/draios/etc/kubernetes/config
              name: sysdig-agent-config
            - mountPath: /opt/draios/etc/kubernetes/secrets
              name: sysdig-agent-secrets

    See Sysdig Cloud Scripts for the latest daemonset.

  2. Create a namespace to use for the Sysdig agent.

    # kubectl create ns sysdig-agent

    Note

    You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name was automatically defined in sysdig-agent-slim-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

  3. Create a secret key:

    # kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
  4. Create a cluster role and a service account, and define the cluster role binding that grants the Sysdig agent the rules in the cluster role, using the commands:

    # kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
    # kubectl create serviceaccount sysdig-agent -n sysdig-agent
    # kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent 
  5. Edit sysdig-agent-configmap.yaml to add the collector address and port and the SSL/TLS information:

    collector: 
    collector_port: 
    ssl: #true or false
    check_certificate: #true or false
  6. Apply the configuration changes:

    # kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
  7. Deploy the kernel module and slim agent containers using the daemonset:

    # kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
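
After the daemonset is applied, each pod should show the agent-kmodule init container terminated with exit code 0 and the agent-slim container ready. The following added example (not part of the Sysdig files) checks that over the JSON pod list; the function name `rollout_problems`, the helper `_pod` and the sample node names are hypothetical, and the sample data is constructed.

```python
import json

# Constructed sample of `kubectl get pods -n sysdig-agent -l app=sysdig-agent
# -o json`, trimmed to the fields used below. Node names are made up.
def _pod(node, init_state, ready=None):
    status = {"initContainerStatuses": [
        {"name": "sysdig-agent-kmodule", "state": init_state}]}
    if ready is not None:
        status["containerStatuses"] = [{"name": "sysdig-agent", "ready": ready}]
    return {"spec": {"nodeName": node}, "status": status}

SAMPLE = json.dumps({"items": [
    _pod("node-a", {"terminated": {"exitCode": 0, "reason": "Completed"}}, True),
    _pod("node-b", {"terminated": {"exitCode": 1, "reason": "Error"}}),
    _pod("node-c", {"running": {"startedAt": "2024-01-01T00:00:00Z"}}),
    _pod("node-d", {"terminated": {"exitCode": 0, "reason": "Completed"}}, False),
]})


def rollout_problems(pod_list_json):
    """Return {node: problem} for pods where the two-stage start is incomplete."""
    problems = {}
    for pod in json.loads(pod_list_json)["items"]:
        node = pod["spec"].get("nodeName", "<unscheduled>")
        status = pod.get("status", {})
        init = {c["name"]: c.get("state", {})
                for c in status.get("initContainerStatuses", [])}
        main = {c["name"]: c.get("ready", False)
                for c in status.get("containerStatuses", [])}
        kmod = init.get("sysdig-agent-kmodule")
        if kmod is None:
            problems[node] = "kmodule init container missing"
        elif "terminated" not in kmod:
            # Still running or waiting: the privileged init stage has not finished.
            problems[node] = "kmodule not finished (%s)" % next(iter(kmod), "unknown")
        elif kmod["terminated"].get("exitCode") != 0:
            problems[node] = "kmodule failed (exit %s)" % kmod["terminated"].get("exitCode")
        elif not main.get("sysdig-agent", False):
            problems[node] = "agent-slim not ready"
    return problems
```

A node listed with "kmodule not finished" still has the privileged init container alive, which is the state the short-lived design is meant to keep brief.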

The agents will be deployed, and you can see Getting Started to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described in the following sections: Getting Started