For more details, see Rapid Response.
Configure Rapid Response
You can enable and configure Rapid Response with the following parameters in the shield chart `values.yaml` configuration file, under the `features.respond.rapid_response` section:

| Property | Description | Type | Required | Default | Example |
|---|---|---|---|---|---|
| enabled | Defines whether to enable the feature. | boolean | No | false | |
| password | Defines the password used to authenticate from the Sysdig UI. | string | Yes, if the feature is enabled; otherwise, no. | | |
Enable Response Tools
You can configure the Shield Chart to enable Response tools which extend Host Shield’s default capabilities:
Extend the Container Image
Extend the Host Shield container image to provision additional tools to the workload:

1. Create a custom Dockerfile.
2. Add any tool you want to respond with to the Dockerfile. In this example, we add kubectl:

```dockerfile
FROM quay.io/sysdig/agent-slim:latest
# Download the latest stable kubectl release and install it on the PATH
RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
    chmod +x kubectl && \
    mv ./kubectl /usr/local/bin/kubectl
```

3. Build the image and host it in a registry of your preference.
4. Customize the shield chart to use it. Use `host.image.registry`, `host.image.repository` and `host.image.shield_name` to customize it. Note that the repository will be used to pull the `agent-kmodule` image as well. You can customize its name via `host.image.kmodule_name`. For information on available chart parameters and their specifications, see the Shield Chart.
Once you have provisioned additional tools for the workload, they will be available when needed later on.
Extend the Cluster Permissions
To execute actions on the Kubernetes control plane, provide the Host Shield role with additional permissions. There are two alternative ways to achieve this:
- You can provide additional permissions via a custom ClusterRole, to be assigned to the Host Shield's ServiceAccount (default: `shield-host`) through a dedicated ClusterRoleBinding. For instance, here we're adding the possibility to execute, attach, and port-forward, as well as the possibility to modify networking rules:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: shield-host-rr
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  - pods/attach
  - pods/portforward
  verbs:
  - create
  - get
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shield-host-rr
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: shield-host-rr
subjects:
- kind: ServiceAccount
  name: sysdig-shield-host
  namespace: sysdig
```
- You can provision the Host Shield with a ServiceAccount of your preference, provisioned separately. To proceed this way, set `host.rbac.create` to `false`, as you will provide the ServiceAccount yourself, and set `host.rbac.service_account_name` to the ServiceAccount name. Equivalently to the above:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: shield-host-rr
  namespace: sysdig
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: shield-host-rr
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - replicationcontrollers
  - services
  - endpoints
  - events
  - limitranges
  - namespaces
  - nodes
  - nodes/metrics
  - nodes/proxy
  - resourcequotas
  - persistentvolumes
  - persistentvolumeclaims
  - configmaps
  - pods/log
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - pods/exec
  - pods/attach
  - pods/portforward
  verbs:
  - create
  - get
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shield-host-rr
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: shield-host-rr
subjects:
- kind: ServiceAccount
  name: shield-host-rr
  namespace: sysdig
```
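The following `values.yaml` fragment is an added example, not part of the Sysdig documentation or the chart's own defaults. It ties together the image extension steps and the second RBAC alternative above: it enables Rapid Response, points the chart at the image built from the custom Dockerfile, and uses the separately provisioned `shield-host-rr` ServiceAccount. The chart keys are the ones named on this page; the registry host, repository, image names and the password placeholder are assumptions.

```yaml
# Added example values.yaml for the Sysdig shield chart (constructed; not the chart's default values).
# Only keys named on this page are used; registry/repository/image names are assumed placeholders.
features:
  respond:
    rapid_response:
      enabled: true
      # Required when enabled; authenticates the Rapid Response session from the Sysdig UI.
      # Replace the placeholder with a strong, unique value supplied from a secret store
      # rather than committed to version control.
      password: "REPLACE_WITH_STRONG_PASSWORD"

host:
  image:
    # Registry and repository hosting the image built from the custom Dockerfile (assumed values).
    registry: registry.example.com
    repository: sysdig
    # Name of the extended Host Shield image that now ships kubectl (assumed name).
    shield_name: agent-slim-rr
    # The same registry/repository is used to pull the kernel module image, so it must be
    # mirrored there as well (or its name adjusted here), otherwise that pull fails.
    kmodule_name: agent-kmodule

  rbac:
    # Do not let the chart create its own ServiceAccount: reuse the one bound to the
    # shield-host-rr ClusterRole defined above, so its permissions stay under your control.
    create: false
    service_account_name: shield-host-rr
```

Because `shield-host-rr` carries `pods/exec` and networking write permissions, review it and the ClusterRoleBinding on each change, and use the first alternative (extra ClusterRole bound to the default ServiceAccount) when you prefer to keep the chart-managed account.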