Install Shield on Kubernetes

You use the shield chart to install Cluster Shield and Host Shield in your Kubernetes environment. In addition to providing instructions for new installations, this topic also guides you through migrating from previously installed Sysdig components deployed with the sysdig-deploy chart. The shield chart deploys the Cluster Shield as a deployment and the Host Shield as a daemonset in your Kubernetes environment.

This section helps you install Cluster Shield using the shield chart.

Prerequisites

Coverage Map

Platform | App Checks | Java Management Extensions | Prometheus | StatsD
EKS
EKS Fargate
GKE
GKE Autopilot
IKS
Kubernetes Vanilla
Mirantis (MKE)
OpenShift (OCP4)
Rancher (RKE2)

Migrate to the Shield Chart

To migrate from previous deployments to Sysdig Shield, you must back up your deployment, uninstall the old components, and install the Sysdig Shield components with the shield Helm chart.

  1. Before uninstalling, make sure to take a backup of your Sysdig deployment to preserve configurations and data.

     helm get values {RELEASE_NAME} -n {NAMESPACE} > sysdig-agent-backup.yaml

  2. Since Host and Cluster Shield replace all the components previously deployed using the sysdig-deploy chart, uninstall any existing installations before proceeding. This will prevent duplicate entity errors.

To remove an existing installation, run the following command:

helm uninstall sysdig-agent --namespace sysdig-agent

If you are doing a fresh installation, you can ignore this requirement.

Install Using Helm

Configuration File

To install Host Shield and Cluster Shield, you can use the following values.yaml file:

cluster_config:
  # The name of the cluster
  name: <your-cluster-name>

sysdig_endpoint:
  # Sysdig Monitor instance location region
  region: <your-sysdig-region>
  # Access key for Sysdig Monitor instance
  access_key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

features:
  monitor:
    app_checks:
      enabled: true
    java_management_extensions:
      enabled: true
    prometheus:
      enabled: true
      # The content of the prometheus.yaml file
      prometheus_yaml: {}
    statsd:
      enabled: true
    kubernetes_events:
      enabled: true
    kube_state_metrics:
      enabled: true


host:
  # Driver for the host agent (Accepted Values: kmod, legacy_ebpf, universal_ebpf (Linux Kernel ≥ 5.8))
  driver: universal_ebpf

Google Kubernetes Engine (GKE) Autopilot

To deploy Host Shield and Cluster Shield on GKE Autopilot, add the following configuration to your values.yaml file:

cluster_config:
  cluster_type: gke-autopilot

shield chart 1.1.0 supports GKE Autopilot version 1.32.2-gke.1652000 and later.

Custom Registries and SHA256 in GKE Autopilot

This section explains how to work with custom registries, SHA256 digests, and the Google allow list when deploying Sysdig on GKE Autopilot. It also provides a list of approved versions and SHA256 digests.

Why This Matters

GKE Autopilot allows workloads only from approved images, verified by their SHA256 digest.

When using a custom registry, you must mirror the public image (sysdig/agent-slim) without altering the digest so it matches Google’s allow list.

Mirror public image to custom registry

To mirror the public sysdig/agent-slim to your custom registry without altering the digest, you can use skopeo with the following command:

skopeo copy --multi-arch all --preserve-digests docker://quay.io/sysdig/agent-slim:14.1.1 docker://company-registry/sysdig/agent-slim:14.1.1

Set custom registry on Shield Chart

You can use the table of approved versions below or run the following commands to retrieve the proper SHA256 digest:

docker pull quay.io/sysdig/agent-slim:14.1.1
docker inspect quay.io/sysdig/agent-slim:14.1.1 --format='{{index .RepoDigests 0}}'

Then update the host.image section in your values.yaml:

host:
  image:
    registry: your_company_registry
    repository: sysdig
    kmodule_name: agent-kmodule
    shield_name: agent-slim
    tag: sha256:1111112222233333

List of Approved Versions and SHA256 Digests

This table is updated when Google adds new SHA256 digests to the allow list. There may be a delay of ~10 business days after a new Sysdig release before its SHA is approved.

Sysdig Shield Version | SHA256 Digest | Approval Date by Google
13.9.1 | sha256:14860d181a8b712c4150bb59e3ba0ff4be08959e2c45376b32c8eb7ff70461f9 | 2025-07-11
13.9.2 | sha256:0dcdb6d70bab60dae4bf5f70c338f2feb9daeba514f1b8ad513ed24724c2a04d | 2025-07-11
14.0.0 | sha256:9d668dc0d3fc3db783bdf4ce5c4755c355ff7b3b401b7d0ad4c087d05ba270f9 | 2025-07-11
14.0.1 | sha256:b1f5bf4677632c715e9a5cde9af8d36dd66f5e79c80aadfd4b74dc5cc310a570 | 2025-07-11
14.1.0 | sha256:2c6401018cfe3f5fcbd0713b64b096c38d47de1b5cd6c11de4691912752263fc | 2025-07-24
14.1.1 | sha256:36366b082d8d45dfe44d995830a1c0b0293cb9df9e55c6ab8c389e800596c743 | 2025-08-07
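
The following pre-flight check is an added example, not part of Sysdig's documentation or chart. It confirms that values.yaml pins an approved digest and that a mirrored manifest still hashes to it. The function names are illustrative, and it assumes the approved digest is the SHA-256 of the top-level manifest the tag resolves to (what RepoDigests reports after a pull).

```bash
#!/usr/bin/env bash
# Added example (not Sysdig code): pre-flight check of the GKE Autopilot digest
# pin before running helm. All function names here are illustrative.

# Approved digest per Shield version: the two newest rows of the table above.
approved_digest() {
  case "$1" in
    14.1.0) echo "sha256:2c6401018cfe3f5fcbd0713b64b096c38d47de1b5cd6c11de4691912752263fc" ;;
    14.1.1) echo "sha256:36366b082d8d45dfe44d995830a1c0b0293cb9df9e55c6ab8c389e800596c743" ;;
    *) return 1 ;;  # version not on the allow list (yet)
  esac
}

# A registry digest is the SHA-256 of the exact manifest bytes, so any
# re-serialisation while mirroring changes it. Reads the raw manifest on stdin:
#   skopeo inspect --raw docker://company-registry/sysdig/agent-slim:14.1.1
manifest_digest() {
  printf 'sha256:%s\n' "$(sha256sum | cut -d' ' -f1)"
}

# Print host.image.tag from a values.yaml indented as shown on this page
# (assumes two-space indentation and an unquoted tag value).
pinned_tag() {
  awk '
    /^[^ #]/                 { in_host = ($1 == "host:"); in_image = 0 }
    in_host && /^  image:/   { in_image = 1; next }
    in_host && /^  [^ ]/     { in_image = 0 }
    in_image && $1 == "tag:" { print $2; exit }
  ' "$1"
}

# 0 if values.yaml pins the approved digest, 1 on mismatch, 2 if unapproved.
check_pin() (  # usage: check_pin <shield-version> <values.yaml>
  want=$(approved_digest "$1") || { echo "version $1 is not approved" >&2; exit 2; }
  got=$(pinned_tag "$2")
  [ "$got" = "$want" ] || { echo "pinned '$got', approved '$want'" >&2; exit 1; }
)

# 0 if the mirrored raw manifest (a file) hashes to the approved digest.
mirror_matches() (  # usage: mirror_matches <shield-version> <raw-manifest-file>
  want=$(approved_digest "$1") || exit 2
  [ "$(manifest_digest < "$2")" = "$want" ]
)

if [ "$#" -eq 2 ]; then check_pin "$@"; fi
```

Run it as `./check.sh 14.1.1 values.yaml` before the helm command in the Installation section. A non-zero exit means the pod would be rejected by the Autopilot allow list.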

Installation

helm repo add sysdig https://charts.sysdig.com
helm repo update
helm upgrade --install --atomic --create-namespace \
    -n sysdig \
    -f values.yaml \
    shield \
    sysdig/shield

Proxy parameters (see Proxy Settings below):

  • http_proxy: Specifies the URL for the HTTP proxy server.
  • https_proxy: Specifies the URL for the HTTPS proxy server.
  • no_proxy: A comma-separated list of hosts or domains to bypass the proxy. For example: localhost,127.0.0.1,.my-cluster.local

Additional Features

To enable the additional features, edit the values.yaml file to use the following configuration:

Proxy Settings

If your environment requires internet access through a proxy server, you can configure proxy settings in the values.yaml file. These settings ensure that Sysdig Host and Cluster Shield can communicate with Sysdig.

Add the following configuration under the proxy section:

proxy:
  http_proxy: http://your-proxy
  https_proxy: http://your-proxy
  no_proxy: <comma-separated-list-of-hosts-or-domains>

Replace http://your-proxy and the list of hosts or domains with the values appropriate to your proxy configuration.

Advanced Settings

You can use the additional_settings section to configure advanced options, such as log levels, syscall filtering, and DNS detection. Sysdig recommends you use these settings with caution and contact Sysdig Support for guidance.

For detailed information on configuring the shield chart, see shield.