Install Agent on Kubernetes

For users deploying the Sysdig Agent on Kubernetes, Sysdig currently supports only installation using the Helm package manager. This page describes the installation for Sysdig Monitor.

Sysdig offers the sysdig-deploy helm chart to provide you with a streamlined, repeatable deployment process that is easy to manage and scale.

For information on installing Sysdig Secure see, Install Sysdig Secure in Kubernetes.

Prerequisites

For more information on agent configuration, see Configure Sysdig Agent.

Installation

  1. Log in to Sysdig Monitor as an administrator.

  2. Select Integrations > Sysdig Agent.

  3. Click +Add Account and select Kubernetes Cluster.

    The Helm installation method is recommended.

  4. As prompted by the screen, enter the name of your Kubernetes cluster.

    The Wizard will auto-populate a code snippet with the cluster name, along with the autodetected Sysdig Monitor endpoint and the agent access key.

  5. Copy and run the Helm commands.

    The command uses the sysdig-deploy chart to install the Sysdig Agent.

    You can also use a values.yaml to install the agent.

         helm repo add sysdig https://charts.sysdig.com
         helm repo update
         helm install sysdig-agent --namespace sysdig-agent --create-namespace \
            --set global.sysdig.accessKey=<ACCESS_KEY> \
            --set global.sysdig.region=<SAAS_REGION> \
            --set nodeAnalyzer.enabled=false \
            --set global.clusterConfig.name=<CLUSTER_NAME> \
            sysdig/sysdig-deploy
    
         
       ## create a values.yaml file with the following:
    
       global:
         sysdig:
           accessKey: <ACCESS_KEY>
           region: <SAAS_REGION>
         clusterConfig:
           name: <CLUSTER_NAME>
       nodeAnalyzer:
         enabled: false
    
       ## Install by running the following:
    
       helm repo add sysdig https://charts.sysdig.com
       helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.sysdig.yaml
    
        

Pod Security Admission

If you’re enforcing PSA, add the privileged policy to the sysdig-agent namespace:

kubectl label --overwrite ns sysdig-agent pod-security.kubernetes.io/enforce=privileged

Options

The command above has the following options:

  • --namespace sysdig-agent: Specifies that the agent should be installed in the sysdig-agent namespace.

  • --set global.sysdig.accessKey=<ACCESS_KEY>: Specifies the Sysdig access key to use when connecting to the Sysdig backend. Replace <ACCESS_KEY> with your actual access key.

  • --set global.sysdig.region=<SAAS_REGION>: Specifies the Sysdig region to use. Replace <SAAS_REGION> with the region where your Sysdig account is located.

    For example, us1 for US East (Virginia), us2 for US West AWS , and au1 for AP Australia. See Regions and IP Ranges for more information.

  • --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false: Disables the Node Analyzer component. This is used by Secure users only.

  • --set global.clusterConfig.name=<CLUSTER_NAME>: Specifies the name of your Kubernetes cluster. Replace <CLUSTER_NAME> with your actual Kubernetes cluster name.

After running these commands, the Sysdig agent should be installed and running on your Kubernetes cluster, and starts sending data to the Sysdig backend.

Platform-Specific Options

  • If you are using Openshift, GKE Standard, OKE, or MKE, enable eBPF with the following option:

    --set agent.ebpf.enabled=true

  • If you are using GKE autopilot, enable the following option:

    --set agent.gke.autopilot=true

Additional Options

For additional configuration options, including on-premises and proxy connection, seesysdig-deploy.

Configure Prometheus

promscrape is the component responsible to collect Prometheus metrics from the Sysdig Agent. It is based on Prometheus and accepts the same configuration format. This file contains relabelling rules and filters to remove certain metrics or add some configurations to the collection. For example, add the following to the prometheus.yaml file:

global:
  scrape_interval: 15s
  evaluation_interval: 15s
scrape_configs:
  - job_name: 'prometheus' # config for federation
    honor_labels: true
    metrics_path: '/federate'
    metric_relabel_configs:
      - regex: 'kubernetes_pod_name'
        action: labeldrop
    params:
      'match[]':
        - '{sysdig="true"}'
    sysdig_sd_configs:
      - tags:
          namespace: monitoring
          deployment: prometheus-server

sysdig_sd_configs selects the targets obtained by Sysdig Agents to apply the rules in the job.

For information on setting up default integrations to collect Prometheus metrics from cloud-native applications, see Configure Default Integrations.

For more information on filtering rules, see Enable Prometheus Native Service Discovery .

For additional configuration options, including on-premises and proxy connection, see sysdig-deploy.

Add Additional Volumes

To pass a new ConfigMaps or secrets used for authentication, you can mount additional secrets, ConfigMaps, or volumes to Sysdig Agent. This is typically useful while authenticating Prometheus endpoints.

For example, you can add the following configuration to your value.yaml :

agent:
  extraVolumes:
    volumes:
      - name: repo-new-cm
        configMap:
          name: my-cm
          optional: true
      - name: repo-new-secret
          secret:
          secretName: my-secret
    mounts:
      - mountPath: mount-path
        name: repo-new-cm
      - mountPath: mount-path
        name: repo-new-secret

The same applies to the kmodule container under daemonset.kmodule. In some specific cases , such as SLES15 on Rancher, the proper ld-linux-* library is under the host /lib64 so the kernel module build fails. To handle this, add a specific volume mount /lib64 to /host/usr/lib64. For example:

agent:
  daemonset:
    kmodule:
      extraVolumes:
        volumes:
          - name: lib64-vol
            hostPath:
              path: /lib64
        mounts:
          - mountPath: /host/usr/lib64
            name: lib64-vol

Add Additional Secrets

You can create additional secrets to use, for example, for Prometheus basic authentication. The values are opaque-type secrets and must be in base64 encoded. For example:

agent:
  extraSecrets:
    - name: repo-new-secret
      data:
        repo-new-key1: <your-password>
        repo-new-key2: <your-password>

Uninstall Sysdig Agent

If the agent was installed in a Kubernetes environment, remove it by using the standard Kubernetes commands.