Install Shield on Kubernetes
Use the shield chart to install Cluster Shield and Host Shield in your Kubernetes environment. In addition to providing instructions for new installations, this topic also guides you through migrating from previously installed Sysdig components deployed with the sysdig-deploy chart. The shield chart deploys Cluster Shield as a Deployment and Host Shield as a DaemonSet in your Kubernetes environment.
This section helps you install Cluster Shield using the shield chart.
Prerequisites
- Helm v3.10 and above
- Your agent access key
- Sysdig Monitor Endpoint for your Sysdig SaaS region
Coverage Map
Platform | App Checks | Java Management Extensions | Prometheus | StatsD |
---|---|---|---|---|
EKS | ✅ | ✅ | ✅ | ✅ |
EKS Fargate | ✅ | ✅ | ✅ | ✅ |
GKE | ✅ | ✅ | ✅ | ✅ |
GKE Autopilot | ✅ | ✅ | ✅ | ✅ |
IKS | ✅ | ✅ | ✅ | ✅ |
Kubernetes Vanilla | ✅ | ✅ | ✅ | ✅ |
Mirantis (MKE) | ✅ | ✅ | ✅ | ✅ |
OpenShift (OCP4) | ✅ | ✅ | ✅ | ✅ |
Rancher (RKE2) | ✅ | ✅ | ✅ | ✅ |
Migrate to the Shield Chart
To migrate from previous deployments to Sysdig Shield, you must back up your deployment, uninstall the old components, and install the Sysdig Shield components with the shield Helm chart.
- Before uninstalling, make sure to take a backup of your Sysdig deployment to preserve configurations and data.

      helm get values {RELEASE_NAME} -n {NAMESPACE} > sysdig-agent-backup.yaml

- Since Host and Cluster Shield replace all the components previously deployed using the sysdig-deploy chart, uninstall any existing installations before proceeding. This will prevent duplicate entity errors.
  To remove an existing installation, run the following command:

      helm uninstall sysdig-agent --namespace sysdig-agent

  If you are doing a fresh installation, you can ignore this requirement.
Install Using Helm
Configuration File
To install Host Shield and Cluster Shield, you can use the following values.yaml file:

    cluster_config:
      # The name of the cluster
      name: <your-cluster-name>
    sysdig_endpoint:
      # Sysdig Monitor instance location region
      region: <your-sysdig-region>
      # Access key for Sysdig Monitor instance
      access_key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    features:
      monitor:
        app_checks:
          enabled: true
        java_management_extensions:
          enabled: true
        prometheus:
          enabled: true
          # The content of the prometheus.yaml file
          prometheus_yaml: {}
        statsd:
          enabled: true
        kubernetes_events:
          enabled: true
        kube_state_metrics:
          enabled: true
    host:
      # Driver for the host agent (Accepted Values: kmod, legacy_ebpf, universal_ebpf (Linux Kernel ≥ 5.8))
      driver: universal_ebpf
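
The values.yaml above accepts three host.driver values and ties universal_ebpf to Linux kernel 5.8 or later. The following pre-flight check is an added example, not part of the Sysdig documentation: it compares node kernel releases against that floor before you install. The function names and the sample kernel strings are constructed for illustration.

```shell
# kernel_supports_universal_ebpf <kernel-release>
# Returns 0 when the release is 5.8 or newer, 1 when older, 2 when unparsable.
kernel_supports_universal_ebpf() {
  case "$1" in *.*) ;; *) return 2 ;; esac
  major=${1%%.*}                 # "5.15.0-1052-gke" -> "5"
  rest=${1#*.}                   # -> "15.0-1052-gke"
  minor=${rest%%[!0-9]*}         # -> "15"
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  [ -n "$minor" ] || return 2
  [ "$major" -gt 5 ] && return 0
  [ "$major" -eq 5 ] && [ "$minor" -ge 8 ] && return 0
  return 1
}

# check_driver <driver> <kernel-release>...
# Returns 0 if the driver is usable on every listed node, 1 if any node is
# below the kernel floor, 2 if the driver is not an accepted value.
check_driver() {
  driver=$1; shift
  case "$driver" in
    kmod|legacy_ebpf) return 0 ;;   # the page states no kernel floor for these
    universal_ebpf) ;;
    *) echo "unknown host.driver: $driver" >&2; return 2 ;;
  esac
  bad=0
  for k in "$@"; do
    if ! kernel_supports_universal_ebpf "$k"; then
      echo "node kernel $k does not meet the 5.8 floor for universal_ebpf" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample kernel releases (not taken from a real cluster).
SAMPLE_KERNELS="5.15.0-1052-gke 5.4.0-150-generic 6.1.0"
check_driver universal_ebpf $SAMPLE_KERNELS ||
  echo "universal_ebpf is not usable on every sample node"

# Against a live cluster (requires kubectl access):
#   check_driver universal_ebpf $(kubectl get nodes \
#     -o jsonpath='{.items[*].status.nodeInfo.kernelVersion}')
```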
Google Kubernetes Engine (GKE) Autopilot
To deploy Host Shield and Cluster Shield on GKE Autopilot, add the following configuration to your values.yaml file:

    cluster_config:
      cluster_type: gke-autopilot

shield chart 1.1.0 supports GKE Autopilot version 1.32.2-gke.1652000 and later.
Custom Registries and SHA256 in GKE Autopilot
This section explains how to work with custom registries, SHA256 digests, and the Google allow list when deploying Sysdig on GKE Autopilot. It also provides a list of approved versions and SHA256 digests.
Why This Matters
GKE Autopilot allows workloads only from approved images, verified by their SHA256 digest.
When using a custom registry, you must mirror the public image (sysdig/agent-slim) without altering the digest so it matches Google’s allow list.
Mirror public image to custom registry
To mirror the public sysdig/agent-slim image to your custom registry without altering the digest, you can use skopeo with the following command:

    skopeo copy --multi-arch all --preserve-digests docker://quay.io/sysdig/agent-slim:14.1.1 docker://company-registry/sysdig/agent-slim:14.1.1
Set custom registry on Shield Chart
You can use the following table or run the command below to retrieve the proper SHA256 digest:

    docker pull quay.io/sysdig/agent-slim:14.1.1
    docker inspect quay.io/sysdig/agent-slim:14.1.1 --format='{{index .RepoDigests 0}}'

Then update the host.image section in your values.yaml:

    host:
      image:
        registry: your_company_registry
        repository: sysdig
        kmodule_name: agent-kmodule
        shield_name: agent-slim
        tag: sha256:1111112222233333
List of Approved Versions and SHA256 Digests
This table is updated when Google adds new SHA256 digests to the allow list. There may be a delay of ~10 business days after a new Sysdig release before its SHA is approved.
Sysdig Shield Version | SHA256 Digest | Approval Date by Google |
---|---|---|
13.9.1 | sha256:14860d181a8b712c4150bb59e3ba0ff4be08959e2c45376b32c8eb7ff70461f9 | 2025-07-11 |
13.9.2 | sha256:0dcdb6d70bab60dae4bf5f70c338f2feb9daeba514f1b8ad513ed24724c2a04d | 2025-07-11 |
14.0.0 | sha256:9d668dc0d3fc3db783bdf4ce5c4755c355ff7b3b401b7d0ad4c087d05ba270f9 | 2025-07-11 |
14.0.1 | sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570 | 2025-07-11 |
14.1.0 | sha256:2c6401018cfe3f5fcbd0713b64b096c38d47de1b5cd6c11de4691912752263fc | 2025-07-24 |
14.1.1 | sha256:36366b082d8d45dfe44d995830a1c0b0293cb9df9e55c6ab8c389e800596c743 | 2025-08-07 |
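
A registry digest is the SHA-256 of the raw manifest bytes, which is why a mirror that rewrites the manifest no longer matches the allow list. The following check is an added example, not part of the Sysdig documentation: it recomputes a digest from raw manifest bytes and compares it with the approved value for a version. The version and digest pairs are copied from the table above; the function names and the sample manifest strings in the comments are constructed.

```shell
# Approved version/digest pairs, copied from the table above.
APPROVED='13.9.1 sha256:14860d181a8b712c4150bb59e3ba0ff4be08959e2c45376b32c8eb7ff70461f9
13.9.2 sha256:0dcdb6d70bab60dae4bf5f70c338f2feb9daeba514f1b8ad513ed24724c2a04d
14.0.0 sha256:9d668dc0d3fc3db783bdf4ce5c4755c355ff7b3b401b7d0ad4c087d05ba270f9
14.0.1 sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570
14.1.0 sha256:2c6401018cfe3f5fcbd0713b64b096c38d47de1b5cd6c11de4691912752263fc
14.1.1 sha256:36366b082d8d45dfe44d995830a1c0b0293cb9df9e55c6ab8c389e800596c743'

# approved_digest <version>: print the approved digest, or return 1 if unlisted.
approved_digest() {
  printf '%s\n' "$APPROVED" |
    awk -v v="$1" '$1 == v { print $2; found = 1 } END { exit !found }'
}

# manifest_digest: read raw manifest bytes on stdin, print "sha256:<hex>".
# Any byte change (even whitespace) yields a different digest.
manifest_digest() {
  printf 'sha256:%s\n' "$(sha256sum | cut -d' ' -f1)"
}

# verify_mirror <version> <digest>
# 0 = matches the approved digest, 1 = mismatch,
# 2 = version not on the approved list, 3 = digest is not sha256:<64 hex>.
verify_mirror() {
  printf '%s' "$2" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
    echo "malformed digest: $2" >&2; return 3; }
  want=$(approved_digest "$1") || {
    echo "version $1 is not on the approved list" >&2; return 2; }
  [ "$2" = "$want" ] && return 0
  echo "digest mismatch for $1: got $2, approved $want" >&2
  return 1
}

# Against the mirrored image from the skopeo command above (needs network):
#   got=$(skopeo inspect --raw \
#     docker://company-registry/sysdig/agent-slim:14.1.1 | manifest_digest)
#   verify_mirror 14.1.1 "$got"
# Offline illustration with constructed bytes: these two differ only in spacing
# and produce different digests.
#   printf '{"schemaVersion":2}'     | manifest_digest
#   printf '{ "schemaVersion": 2 }'  | manifest_digest
```

The placeholder tag shown in the host.image snippet fails this check with status 3, so running it on your final values catches a placeholder left in place.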
Installation
    helm repo add sysdig https://charts.sysdig.com
    helm repo update
    helm upgrade --install --atomic --create-namespace \
      -n sysdig \
      -f values.yaml \
      shield \
      sysdig/shield

Parameters:
- http_proxy: Specifies the URL for the HTTP proxy server.
- https_proxy: Specifies the URL for the HTTPS proxy server.
- no_proxy: A comma-separated list of hosts or domains to bypass the proxy. For example: localhost,127.0.0.1,.my-cluster.local
Additional Features
To enable the additional features, edit the values.yaml file to use the following configuration:
Proxy Settings
If your environment requires internet access through a proxy server, you can configure proxy settings in the values.yaml file. These settings ensure that Sysdig Host and Cluster Shield can communicate with Sysdig.
Add the following configuration under the proxy section:

    proxy:
      http_proxy: http://your-proxy
      https_proxy: http://your-proxy
      no_proxy: <comma-separated-list-of-hosts-or-domains>

Replace http://your-proxy and the list of hosts or domains with the values appropriate to your proxy configuration.
Advanced Settings
You can use the additional_settings section to configure advanced options, such as log levels, syscall filtering, and DNS detection. Sysdig recommends you use these settings with caution and contact Sysdig Support for guidance.
For detailed information on configuring the shield chart, see shield.