Azure Container Apps

The Sysdig Serverless Workload Agent provides runtime detection and policy enforcement for serverless workloads on Microsoft Azure Container Apps (ACA). The agent uses Falco to ensure the security and compliance of the workloads.

Prerequisites

Sysdig

  • A Sysdig Secure account and the Agent Access Key

  • The endpoint of the Sysdig Collector for your region

  • Network access to the Sysdig Collector from the deployed Workload Agent. The Workload Agent requires outbound traffic permissions on port 6443 to communicate with the Collector.

Azure Container Apps

  • The environment type must be Workload Profiles

Deploy the Sysdig Workload Agent

The Serverless Workload Agent consists of two key components packaged together:

  • An instrumentation application that monitors the workload.
  • An agent that gathers security events from the instrumentation application and transmits them to the Sysdig collector.

To deploy the Sysdig Workload Agent, embed it into the Docker image of your workload application.

Instrument the Workload Image

The instructions given here are generic and apply to any Dockerfile.

This example uses sysdiglabs/security-playground as the original workload to secure. It is a sample application that offers endpoints for triggering security events.

Given the original Dockerfile:

FROM python:3.9-slim

RUN pip install --upgrade pipenv

WORKDIR /app
COPY . .
RUN pipenv install --system --deploy

EXPOSE 8080

ENTRYPOINT ["./entrypoint.sh"]

You can instrument it as follows (lines marked with + are the ones added):

+FROM quay.io/sysdig/workload-agent:latest AS workload-agent

FROM python:3.9-slim

RUN pip install --upgrade pipenv

WORKDIR /app
COPY . .
RUN pipenv install --system --deploy

+COPY --from=workload-agent /opt/draios /opt/draios

EXPOSE 8080

+ENTRYPOINT ["/opt/draios/bin/instrument", "./entrypoint.sh"]

In detail:

  • The Sysdig Workload Agent is added as a separate layer and then copied into the image file system under /opt/draios.
  • The Sysdig application, /opt/draios/bin/instrument, is prepended to the original ENTRYPOINT to secure the original workload application at runtime.

The secured container image is now ready to be built and deployed as you would with your original image.

Deploy the Secured Image

You can deploy the secured container image as you would the original one, adding the Sysdig environment variables that the Workload Agent requires to connect to the Sysdig Collector:

  • SYSDIG_COLLECTOR and SYSDIG_COLLECTOR_PORT: Used to reach the Sysdig Collector for your region.

  • SYSDIG_ACCESS_KEY: The Agent Access Key to authenticate with the Sysdig Collector.

  • SYSDIG_WORKLOAD_ID: The identifier for each secured workload. It must be unique for each instrumented container in the revision.

Provide these variables to the container in the deployment configuration, either as plain environment variables or secrets.
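The two steps above, instrumenting any exec-form Dockerfile and checking that every container in a revision carries the four Sysdig variables with a unique SYSDIG_WORKLOAD_ID, as an added example that is not Sysdig's own tooling. The image, paths and variable names come from this page; the container list shape (name plus a flattened env dict) and the sample values are constructed for illustration.

```python
import json

# Values from the page; everything else here is an added illustration.
AGENT_IMAGE = "quay.io/sysdig/workload-agent:latest"
INSTRUMENT = "/opt/draios/bin/instrument"
REQUIRED_ENV = ("SYSDIG_COLLECTOR", "SYSDIG_COLLECTOR_PORT", "SYSDIG_ACCESS_KEY", "SYSDIG_WORKLOAD_ID")

def instrument_dockerfile(dockerfile: str) -> str:
    """Add the agent stage, copy /opt/draios into the final image, prepend instrument to ENTRYPOINT."""
    out = [f"FROM {AGENT_IMAGE} AS workload-agent"]
    wrapped = False
    for line in dockerfile.splitlines():
        s = line.strip()
        if s.upper().startswith("ENTRYPOINT"):
            arg = s[len("ENTRYPOINT"):].strip()
            if not arg.startswith("["):
                # Shell form runs through 'sh -c'; the page wraps an exec-form (JSON) entrypoint.
                raise ValueError("convert ENTRYPOINT to exec (JSON) form before instrumenting")
            out.append("COPY --from=workload-agent /opt/draios /opt/draios")
            out.append("ENTRYPOINT " + json.dumps([INSTRUMENT] + json.loads(arg)))
            wrapped = True
        else:
            out.append(line)
    if not wrapped:
        raise ValueError("no ENTRYPOINT to wrap")
    return "\n".join(out) + "\n"

def check_revision_env(containers):
    """Report missing Sysdig variables and SYSDIG_WORKLOAD_IDs reused across containers of one revision."""
    problems, owner = [], {}
    for c in containers:
        env = c["env"]
        problems += [f"{c['name']}: missing {v}" for v in REQUIRED_ENV if not env.get(v)]
        wid = env.get("SYSDIG_WORKLOAD_ID")
        if wid and wid in owner:
            problems.append(f"{c['name']}: SYSDIG_WORKLOAD_ID {wid!r} reused from {owner[wid]}")
        elif wid:
            owner[wid] = c["name"]
    return problems

# Constructed sample input: the page's original Dockerfile and a two-container revision.
ORIGINAL = 'FROM python:3.9-slim\nWORKDIR /app\nCOPY . .\nEXPOSE 8080\nENTRYPOINT ["./entrypoint.sh"]\n'
REVISION = [
    {"name": "web", "env": {"SYSDIG_COLLECTOR": "collector.example", "SYSDIG_COLLECTOR_PORT": "6443",
                            "SYSDIG_ACCESS_KEY": "secretref:sysdig-access-key", "SYSDIG_WORKLOAD_ID": "web"}},
    {"name": "worker", "env": {"SYSDIG_COLLECTOR": "collector.example", "SYSDIG_COLLECTOR_PORT": "6443",
                               "SYSDIG_WORKLOAD_ID": "web"}},  # missing key, duplicate ID
]
```

Running `check_revision_env(REVISION)` flags the worker container twice: it lacks SYSDIG_ACCESS_KEY and reuses the workload ID of the web container.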