Embed Workload Agent in an Image

Integrate the Sysdig Workload Agent into an existing container image to improve container security.

Embed the Workload Agent in your container image

The following steps are generic and apply to any Dockerfile.

For this example, we will use the falcosecurity/event-generator image as the original workload to secure. This sample image is designed to generate security events for testing purposes.

Given the original Dockerfile:

FROM falcosecurity/event-generator:latest
ENTRYPOINT ["/bin/event-generator"]
CMD ["run", "syscall", "--all", "--loop"]

The resulting Dockerfile will be:

+FROM quay.io/sysdig/workload-agent:latest AS workload-agent

 FROM falcosecurity/event-generator:latest
+COPY --from=workload-agent /opt/draios /opt/draios

+ENTRYPOINT ["/opt/draios/bin/instrument", "/bin/event-generator"]
 CMD ["run", "syscall", "--all", "--loop"]

In detail:

  • The Sysdig Workload Agent is pulled in as a separate build stage (workload-agent), and its files are then copied into the image file system under /opt/draios.
  • The Sysdig application /opt/draios/bin/instrument is prepended to the original ENTRYPOINT to secure the original workload application at runtime.

The secured container image is now ready to be built and pushed to your registry.
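As an added example (not part of the Sysdig documentation or tooling), the following Python helper applies the transformation described above to a Dockerfile: it prepends the workload-agent stage, inserts the COPY after the final FROM, and puts /opt/draios/bin/instrument in front of ENTRYPOINT. It goes slightly beyond the page in also handling a shell-form ENTRYPOINT (kept as /bin/sh -c) and a Dockerfile with no ENTRYPOINT (CMD supplies the executable); it assumes single-line instructions and that instrument accepts any command plus arguments, as the exec form above implies.

```python
import json
import re

# Values taken from the Dockerfile shown on this page.
AGENT_IMAGE = "quay.io/sysdig/workload-agent:latest"  # pin a tag or digest for reproducible builds
AGENT_DIR = "/opt/draios"
INSTRUMENT = "/opt/draios/bin/instrument"

# Sample input: the original event-generator Dockerfile from this page.
ORIGINAL_DOCKERFILE = """\
FROM falcosecurity/event-generator:latest
ENTRYPOINT ["/bin/event-generator"]
CMD ["run", "syscall", "--all", "--loop"]
"""


def _argv(rest: str):
    """Return argv for an exec-form instruction, or None when it is shell form."""
    rest = rest.strip()
    return json.loads(rest) if rest.startswith("[") else None


def instrument_dockerfile(text: str) -> str:
    """Prepend the agent stage, copy /opt/draios into the final stage, wrap ENTRYPOINT."""
    lines = text.rstrip("\n").splitlines()
    from_idx = [i for i, l in enumerate(lines) if re.match(r"^\s*FROM\s", l, re.I)]
    if not from_idx:
        raise ValueError("Dockerfile has no FROM instruction")
    last_from = from_idx[-1]  # only the final stage becomes the runtime image
    out = [f"FROM {AGENT_IMAGE} AS workload-agent", ""]
    wrapped = False
    for i, line in enumerate(lines):
        m = re.match(r"^\s*ENTRYPOINT\s+(.*)$", line, re.I)
        if m and i > last_from:
            argv = _argv(m.group(1))
            if argv is None:
                # Shell form: Docker runs it as `/bin/sh -c "..."`; keep that and wrap the shell.
                argv = ["/bin/sh", "-c", m.group(1).strip()]
            out.append("ENTRYPOINT " + json.dumps([INSTRUMENT] + argv))
            wrapped = True
        else:
            out.append(line)
        if i == last_from:
            out.append(f"COPY --from=workload-agent {AGENT_DIR} {AGENT_DIR}")
    if not wrapped:
        # No ENTRYPOINT: CMD holds the executable, so the wrapper alone is the entrypoint
        # and Docker appends CMD to it at run time.
        out.append(f'ENTRYPOINT ["{INSTRUMENT}"]')
    return "\n".join(out) + "\n"
```

Running instrument_dockerfile(ORIGINAL_DOCKERFILE) produces the secured Dockerfile shown above; build and push the result as usual.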

Deploy the secured image

The secured container image can be deployed like the original, with the additional Sysdig environment variables required for the Workload Agent to connect to the Sysdig Collector:

These variables should be provided to the container in the deployment configuration, either as plain environment variables or secrets.

Legacy Orchestrator Agent support

Starting from version 5.3, the Sysdig Workload Agent can connect directly to the Sysdig Collector, no longer requiring the Sysdig Orchestrator Agent.

If using the Orchestrator Agent, set the following environment variables in the secured container:

  • SYSDIG_ORCHESTRATOR and SYSDIG_ORCHESTRATOR_PORT, instead of SYSDIG_COLLECTOR and SYSDIG_COLLECTOR_PORT.
  • SYSDIG_ACCESS_KEY is not required.

Next Steps

After the deployment is complete:

  • The workload agent will appear on the Sysdig Agent page in the Integrations Data Sources feed.
  • Security-related events will be visible in the Sysdig Secure Events feed, provided that Runtime Policies matching the syscalls made by the workload are enabled.
    • For falcosecurity/event-generator used in this sample, events can be triggered by enabling the Managed Policy Sysdig Runtime Notable Events.
    • Workloads making syscalls that do not match the enabled Runtime Policies will not generate security events.

Optionally, you can perform Advanced Configuration Steps.