Install and Configure Admission Controller
Prerequisites
Sysdig Secure SaaS
Sysdig Shield installed. See Install Shield on Kubernetes.
Ensure Admission Controller is enabled for your account. If it isn’t, contact Sysdig Support.
Installation
The Admission Controller is installed as part of the Sysdig Shield deployment. To enable Admission Controller, deploy or upgrade the shield
Helm chart with the following parameters:
helm upgrade --install --atomic --create-namespace \
--namespace sysdig \
--set cluster_config.name=ac-cluster \
--set sysdig_endpoint.region=<SaaS Region Code> \
--set sysdig_endpoint.access_key=<your-access-key> \
--set features.admission_control.enabled=true \
--set features.admission_control.container_vulnerability_management.enabled=true \
--set features.admission_control.posture.enabled=true \
shield sysdig/shield
Verification
After deployment, confirm the Admission Controller is correctly installed and operational:
1. Check Pod Health
kubectl get pods -n sysdig | grep admission
You should see one or more pods with Running status, typically named like sysdig-admission-controller-*
.
2. Confirm Webhooks Registered
kubectl get validatingwebhookconfigurations | grep sysdig
Look for a webhook configuration named sysdig-admission-controller
. For more detail:
kubectl describe validatingwebhookconfigurations sysdig-admission-controller
The Sysdig Admission Controller should now be enabled and you can now configure policies and actions to block deployments using Vulnerability Policies or Posture Policies.
Advanced Configurations
Enable Dry Run Mode
Dry Run mode lets you test the Admission Controller configuration without enforcing policies. This helps you verify that your Admission Controller and related Vulnerability Policies or Posture Policies work as expected before triggering Warning or Failure actions.
Pass the following configuration settings to the shield
chart:
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Ignore
# Enable the dry run mode
dry_run: true
# The timeout for the admission control feature
timeout: 10
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: []
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: true
posture:
# Enable the posture feature on the admission control
enabled: true
Vulnerability-only Configuration
Enable the Vulnerability-only configuration for the Admission Controller if you only want to check your deployments against the Vulnerability Admission Policies.
Ensure the individual cluster or resources are within the scope of the defined policies.
Pass the following configuration settings to the shield
chart:
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Ignore
# Enable the dry run mode
dry_run: false
# The timeout for the admission control feature
timeout: 10
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: []
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: true
posture:
# Enable the posture feature on the admission control
enabled: false
Posture-only Configuration
Enable the Posture-only configuration for the Admission Controller if you only want to check created resources against the Posture Admission Policies.
Ensure the clusters or resources are within the scope of the defined policy.
Pass the following configuration settings to the shield
chart:
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Ignore
# Enable the dry run mode
dry_run: true
# The timeout for the admission control feature
timeout: 10
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: []
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: false
posture:
# Enable the posture feature on the admission control
enabled: true
Exclude Namespaces
To exclude specific namespaces from evaluation, add them to the Admission Controller exclusion list. The controller will skip these namespaces entirely, even if your Vulnerability Policies or Posture Policies normally include them.
Pass the following configuration settings to the shield
chart:
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Ignore
# Enable the dry run mode
dry_run: false
# The timeout for the admission control feature
timeout: 10
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: ["kube-system", "sysdig", "example-app"]
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: true
posture:
# Enable the posture feature on the admission control
enabled: true
Change the Failure Policy
The Sysdig Admission Controller supports the standard Kubernetes failurePolicy
configuration, which determines how the API server handles errors from the Admission Controller.
Fail
With this configuration, if the Admission Controller encounters an error or is unreachable, the API server will reject the admission request. This is the default behavior, ensuring that no unverified or potentially unsafe objects are created.
Pass the following configuration settings to the shield
chart:
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Fail
# Enable the dry run mode
dry_run: true
# The timeout for the admission control feature
timeout: 10
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: []
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: true
posture:
# Enable the posture feature on the admission control
enabled: true
Ignore
With this configuration, if the admission controller encounters an error or is unreachable, the API server will allow the admission request to proceed. This can help avoid disruptions if the webhook is temporarily unavailable but may allow unverified objects.
Pass the following configuration settings to the shield
chart:
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Ignore
# Enable the dry run mode
dry_run: true
# The timeout for the admission control feature
timeout: 10
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: []
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: true
posture:
# Enable the posture feature on the admission control
enabled: true
For more details, see the Kubernetes documentation on failurePolicy
.
Set the Request Timeout
Kubernetes API servers enforce a maximum timeout of 30 seconds for all admission webhook calls. If a webhook does not respond within this window, the API server treats the call as a timeout and applies the webhook’s failure_policy
(Fail
or Ignore
) to determine whether to accept or reject the admission request.
Key Points:
- The maximum value for
timeout
is 30 seconds. - If
timeout
is not set, the default is 10 seconds. - The API server will never wait longer than 30 seconds, even if a higher value is configured.
- If the webhook does not respond in time, the API server applies the configured
failure_policy
in the Sysdig Shield chart.
To achieve this and increase your Validating Webhook timeouts the following configuration can be passed to the Sysdig Shield chart:
By configuring a longer timeout you may impact your deployment and kubectl
command execution times if the Validating Webhook is not returned in a timely fashion.
features:
admission_control:
# Enable the admission control feature
enabled: true
# The policy to apply when a request is denied
failure_policy: Ignore
# Enable the dry run mode
dry_run: true
# The timeout for the admission control feature
timeout: 30
# The port that will be used to expose admission control endpoints
http_port: 8443
# The list of namespaces that will be excluded from the admission control
excluded_namespaces: []
container_vulnerability_management:
# Enable the container vulnerability management feature on the admission control
enabled: true
posture:
# Enable the posture feature on the admission control
enabled: true
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.