Install Host Shield as a Container
Migrate to the Host Shield
The Host Shield is the Sysdig agent container. Starting from Sysdig Agent 13.6.1, you can enable additional features such as Host Scanning, Host Security Posture Management, and Rapid Response directly from the container configuration.
Prerequisites
- Review
- Collect the following:
  - Sysdig Access Key
  - Collector Address and Port for COLLECTOR and PORT
  - Secure API Endpoint to use for SYSDIG_API_ENDPOINT
System Requirements
A supported distribution or Kubernetes platform
Port 6443 open for outbound traffic
The Host Shield communicates with the collector on port 6443. If you’re using a firewall, make sure to open port 6443 for outbound traffic so that the Host Shield can communicate with the collector.
Allow traffic on port 12000 to communicate within the cluster for Kubernetes Security Posture Management (KSPM).
Kubernetes Platforms
The supported Kubernetes platforms are:
- Kubernetes (Vanilla)
- Amazon Elastic Kubernetes Service (EKS)
  Note: AWS Fargate is not supported on EKS.
- Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
  Note: GKE Autopilot is supported from version 1.32.2-gke or later.
- Azure Kubernetes Service (AKS)
- RedHat Openshift
- IBM Kubernetes Service (IKS)
- RKE Government (RKE2)
Linux Distributions
The supported Linux distributions are:
- Debian
- Ubuntu 18.04 and above
- Ubuntu (Amazon)
- CentOS 7 and above
- Alma Linux
- Rocky Linux
- Red Hat Enterprise Linux (RHEL) 7 and above
- SuSE Linux Enterprise Server*
- RHEL CoreOS (RHCOS)
- Fedora
- Fedora CoreOS
- Linux Mint
- Amazon Linux (Original)
- Amazon Linux 2 (AL2)
- Amazon Linux 2023 (AL2023)
- Amazon Bottlerocket
- Google Container Optimized OS (COS)
- Oracle Linux (UEH)
- Oracle Linux (RHCK)
- Azure Linux (CBL-Mariner)
- EulerOS
- ArchLinux
- Alpine Linux 3.20 and above
We may support additional Linux distributions depending on the feature required. For more details, contact Sysdig Support.
CPU Architectures
The supported CPU architectures are:
- X86
- ARM
- ppc64le (IBM Power)
- s390x (zLinux)
Install the Host Shield
To install the Host Shield as a container using Docker Compose, create a docker-compose.yml file with the following content:

    version: '3.8'
    services:
      sysdig-agent:
        image: quay.io/sysdig/agent-slim:13.8.0
        container_name: sysdig-host-shield
        restart: always
        privileged: true
        network_mode: host
        pid: host
        shm_size: 512M
        environment:
          ACCESS_KEY: <ACCESS_KEY>
          COLLECTOR: <COLLECTOR_URL>
          COLLECTOR_PORT: <COLLECTOR_PORT>
          SYSDIG_AGENT_DRIVER: # Driver for the host agent (Accepted Values: kmod, legacy_ebpf, universal_ebpf (Linux Kernel ≥ 5.8))
          ADDITIONAL_CONF: |
            host_scanner:
              enabled: true
              host_fs_mount_path: /host
            kspm_analyzer:
              enabled: true
              host_root: /host
            features:
              respond:
                response_actions:
                  enabled: true
            sysdig_api_endpoint: <SECURE_API_ENDPOINT>
        volumes:
          # Host root filesystem, read-only; matches host_fs_mount_path and host_root above
          - /:/host:ro
          - /sys/kernel/debug:/sys/kernel/debug:ro
          # Docker socket of the host
          - /var/run/docker.sock:/host/var/run/docker.sock
Parameter Breakdown:
- ACCESS_KEY: Your Sysdig Access Key.
- COLLECTOR: The Sysdig collector URL for your SaaS region.
- COLLECTOR_PORT: The port used by the Sysdig collector.
- sysdig_api_endpoint: Specifies the Sysdig API URL for your SaaS region.
- host_scanner: Enables host vulnerability scanning.
- kspm_analyzer: Enables Host Security Posture Management analysis.
Deploy the Host Shield
- Save the docker-compose.yml file in your working directory.
- Replace the following with your actual Sysdig configuration values:
  - <ACCESS_KEY>
  - <COLLECTOR_URL>
  - <COLLECTOR_PORT>
  - <SECURE_API_ENDPOINT>
- Start the container:

    docker compose up -d
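A pre-flight check that can be run before `docker compose up -d`, as an added example that is not part of Sysdig's documentation or tooling: it confirms that every placeholder was replaced, that the file holding the access key is readable only by its owner, and that the kernel meets the 5.8 minimum when universal_ebpf is selected. Function names are hypothetical, and the owner-only permission check is this example's assumption, not a stated Sysdig requirement.

```shell
#!/bin/sh
# Added example, not Sysdig code: pre-flight checks for the docker-compose.yml
# above. All function names are hypothetical.

# List placeholders from this page that are still present in the file.
unreplaced_placeholders() {
    names='ACCESS_KEY|COLLECTOR_URL|COLLECTOR_PORT|SECURE_API_ENDPOINT|RR_PASSWORD'
    { grep -oE "<($names)>" "$1" || true; } | sort -u
}

# Value of SYSDIG_AGENT_DRIVER in the file (empty if the key has no value).
configured_driver() {
    sed -n 's/^[[:space:]]*SYSDIG_AGENT_DRIVER:[[:space:]]*\([a-z_]*\).*/\1/p' "$1" | head -n 1
}

# True if a `uname -r` style release is >= 5.8 (page minimum for universal_ebpf).
kernel_supports_universal_ebpf() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# True if group and others have no permissions on the file, which holds the
# access key (and the Rapid Response password, if configured) in clear text.
secret_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; prints one line per finding, returns 1 if any check failed.
preflight() {
    file=$1; release=${2:-$(uname -r)}; rc=0
    left=$(unreplaced_placeholders "$file")
    [ -z "$left" ] || { echo "FAIL: placeholders not replaced:" $left; rc=1; }
    secret_file_is_private "$file" ||
        { echo "FAIL: $file is readable beyond its owner (chmod 600)"; rc=1; }
    driver=$(configured_driver "$file")
    case "$driver" in
        kmod|legacy_ebpf) ;;
        universal_ebpf)
            kernel_supports_universal_ebpf "$release" ||
                { echo "FAIL: universal_ebpf needs kernel >= 5.8, have $release"; rc=1; } ;;
        '') echo "NOTE: SYSDIG_AGENT_DRIVER has no value in $file" ;;
        *)  echo "FAIL: unknown SYSDIG_AGENT_DRIVER '$driver'"; rc=1 ;;
    esac
    return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh docker-compose.yml` (the script file name is an assumption); a second argument overrides the kernel release taken from `uname -r`.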
Rapid Response
To enable Rapid Response, add the following configuration to ADDITIONAL_CONF:

    ADDITIONAL_CONF: |
      rapid_response:
        enabled: true
        password: <RR_PASSWORD>
Later, you can use the password you define here to Start Rapid Response.
See Respond for more information.