Configuration Library

The Sysdig configuration library lists all the major configurations supported by Sysdig agent components. This document is evolving and will be updated as new configurations are added to the product.

General Agent Configuration

The configuration parameters outlined in this section apply to both Sysdig Monitor and Sysdig Secure.

Agent Privileges

This parameter modifies Sysdig Agent privileges to enhance the security of your deployments. For more information, see Manage Agent Privileges.

Helm: securityContext.privileged

Default: securityContext.privileged: true

Cluster

Identifier for the Kubernetes cluster where you install the agent. For more information, see Agent Configuration.

dragent.yaml : k8s_cluster_name

Helm: global.clusterConfig.name

For example, ec2_cluster.

Access Key

See Sysdig Agent Access Keys to learn how to retrieve the agent keys.

dragent.yaml : customerid

Helm: global.sysdig.accessKey

Secret

The name of a Kubernetes secret containing an access-key entry.

This configuration does not exist in the dragent.yaml.

Helm: global.sysdig.accessKeySecret

Region

The SaaS region where the agent is installed. See Regions and IP Ranges for more information.

This configuration does not exist in the dragent.yaml.

Helm: global.sysdig.region

Possible values include: us1, us2, us3, us4, eu1, au1, and custom.

Global Tags

Sets the global tags which can override agent tags. See Quick Install Sysdig Agent for more information.

dragent.yaml: tags

Helm: global.sysdig.tags

Agent Tags

The list of tags to identify the host where the agent is installed. See Quick Install Sysdig Agent for more information.

dragent.yaml: tags

Helm: global.sysdig.tags

For example: role:webserver, location:europe, role:webserver.

Proxy

Allows the agent to communicate with the Sysdig collector through an HTTP proxy. See Enable HTTP Proxy for Agents for more information.

dragent.yaml: http_proxy

Helm: global.proxy.httpProxy

HTTP Proxy Host

The host IP of the proxy server.

dragent.yaml: http_proxy.proxy_host

HTTP Proxy Port

See Enable HTTP Proxy for Agents for more information.

dragent.yaml: http_proxy.proxy_port, http_proxy.proxy_user, http_proxy.proxy_password, http_proxy.ssl, http_proxy.ssl_verify_certificate, http_proxy.ca_certificate.

Collector

Enter the hostname or IP address of the Sysdig collector service. Note that when used within dragent.yaml, the parameter name must be the lowercase collector.

See On-Premises Installation for more information.

Helm: collectorSettings.collectorHost

Collector Port

On-prem only. The port used by the Sysdig collector service.

Port: 6443

eBPF

This configuration does not exist in the dragent.yaml.

In Helm:

  • Set ebpf.enabled to true to enable the agent Universal eBPF or the current eBPF driver. The default is false.

  • Set ebpf.kind to universal_ebpf to enable the Universal eBPF driver. Set to legacy_ebpf to enable the eBPF driver.

    Note: ebpf.enabled must also be set to true for this configuration to work.

FIPS Compliance

Starting with v13.6.0, a fully FIPS-compliant Sysdig Agent is available. To use the FIPS-compliant Sysdig Agent, use the following images and packages.

Helm Installation

Set the following configurations to specify the FIPS-compliant images:

agent.slim.image.repository = sysdig/agent-slim-fips
agent.slim.kmoduleImage.repository = sysdig/agent-kmodule-fips

Container Installations

Use the following images:

Package-Based Installations (deb, rpm)

Driver                     FIPS-Compliant Packages
kmod (compatibility mode)  draios-agent-fips
kmod (recommended)         draios-agent-kmodule-fips
legacy_ebpf                draios-agent-legacy-ebpf-fips
universal_ebpf             draios-agent-slim-fips

Considerations

Previously, a FIPS mode was available that could be enabled within the standard Agent. However, for full FIPS compliance, we recommend transitioning to the new FIPS-compliant images and packages.

The app_checks feature is currently not supported when the agent is running in FIPS mode or with the new FIPS images and packages.

OpenSSL Library Location

dragent.yaml: openssl_lib

Agent version 12.16.x and older: Required when fips_mode is set to true. Path to the directory containing user-provided OpenSSL v1.1.1 shared library files: libcrypto.so.1 and libssl.so.1. User-provided OpenSSL libraries must contain a FIPS-validated crypto module if fips_mode is set to true.

Agent version 12.17.0 and newer:

Optional: Path to the directory containing user-provided OpenSSL v3.x shared library files: libcrypto.so.3 and libssl.so.3. User-provided OpenSSL libraries must contain a FIPS-validated crypto module if fips_mode is set to true.

By default, the agent uses bundled OpenSSL shared libraries.

OpenSSL Configuration File Location

dragent.yaml: openssl_conf

Agent version 13.0 and newer:

Required when openssl_lib is used to point the agent to a custom OpenSSL v3.x library. If fips_mode is set to true, the configuration file specified by openssl_conf must contain the properties specified in the “Making all applications use the FIPS module by default” section of fips_module(7) man page. If the OPENSSL_CONF environment variable is also set, it will take precedence over the openssl_conf value.

By default, the agent uses OpenSSL configuration files included with its bundled libraries.
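
The version-dependent openssl_lib and openssl_conf rules above can be checked before an agent is rolled out. The following Python script is an added example, not Sysdig code; the sample file contents, paths and function names are constructed for illustration, and the file check covers only the default_properties = fips=yes line from the fips_module(7) section named above.

```python
import os

# Constructed sample dragent.yaml and OpenSSL config (not from the Sysdig docs).
SAMPLE_DRAGENT = """\
customerid: 00000000-placeholder
fips_mode: true
openssl_lib: /opt/openssl3/lib
"""
SAMPLE_CNF = "[algorithm_sect]\ndefault_properties = fips=yes\n"

def parse_top_level(text):
    """Read top-level 'key: value' scalars; enough for the keys checked here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip().strip("'\"")
    return conf

def fips_is_default(cnf_text):
    """True if the OpenSSL config sets default_properties to fips=yes."""
    for raw in cnf_text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition("=")
        if key.strip() == "default_properties" and value.replace(" ", "") == "fips=yes":
            return True
    return False

def check_openssl(conf, version, cnf_text=None, environ=os.environ):
    """Apply the page's version-dependent rules; version is (major, minor)."""
    out = []
    fips = conf.get("fips_mode", "").lower() == "true"
    lib, cnf = conf.get("openssl_lib"), conf.get("openssl_conf")
    if version <= (12, 16) and fips and not lib:
        out.append("openssl_lib is required with fips_mode on 12.16.x and older")
    if version >= (13, 0) and lib and not cnf:
        out.append("openssl_conf is required when openssl_lib is set on 13.0 and newer")
    if fips and cnf and cnf_text is not None and not fips_is_default(cnf_text):
        out.append("openssl_conf file does not set default_properties = fips=yes")
    if cnf and environ.get("OPENSSL_CONF"):
        out.append("OPENSSL_CONF environment variable overrides openssl_conf")
    return out

if __name__ == "__main__":
    for finding in check_openssl(parse_top_level(SAMPLE_DRAGENT), (13, 6), environ={}):
        print("FINDING:", finding)
```

Pass the contents of the file named by openssl_conf as cnf_text to include the FIPS default-properties check; without it, only the presence rules are evaluated.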

Instance Metadata Service (IMDS)

dragent.yaml: imds_version

Optional: Enables token-based communication with the Amazon Web Services (AWS) metadata service IMDSv2.

The default is 1.

However, the agent internally upgrades the IMDS version to IMDSv2 when the IMDSv1 API call returns a “Not Authorized” error. You can ignore the INFO-level message that tells you to change the configuration to 2.
