Install Shield on Kubernetes

This page describes how to install Sysdig Shield on Kubernetes.

Sysdig Shield provides runtime detection and policy enforcement for Kubernetes workloads by leveraging Falco to enhance security and compliance. The Cluster Shield collects data from the Kubernetes nodes where it is installed, sending it to the Sysdig backend while synchronizing runtime policies and rules.

For detailed installation instructions based on your node type, see:

Before installing Sysdig Shield, ensure that your system meets the following requirements.

System Requirements

  • A supported distribution or Kubernetes platform.

  • A Sysdig account and agent access key.

  • Port 6443 open for outbound traffic.

    The Host Shield communicates with the collector on port 6443. If you’re using a firewall, make sure to open port 6443 for outbound traffic so that the Host Shield can communicate with the collector.

  • Allow traffic on port 12000 to communicate within the cluster for Kubernetes Security Posture Management (KSPM).

Kubernetes Platforms

  • Kubernetes (Vanilla)

  • Amazon Elastic Kubernetes Service (EKS)

    Note: AWS Fargate is not supported on EKS.

  • Google Kubernetes Engine (GKE)

  • Google Kubernetes Engine (GKE) Autopilot

    Note: GKE Autopilot is supported on version 1.32.2-gke or later.

  • Azure Kubernetes Service (AKS)

  • Red Hat OpenShift

  • IBM Kubernetes Service (IKS)

  • RKE Government (RKE2)

Linux Distributions

  • Debian
  • Ubuntu 18.04 and above
  • Ubuntu (Amazon)
  • CentOS 7 and above
  • Alma Linux
  • Rocky Linux
  • Red Hat Enterprise Linux (RHEL) 7 and above
  • SUSE Linux Enterprise Server*
  • RHEL CoreOS (RHCOS)
  • Fedora
  • Fedora CoreOS
  • Linux Mint
  • Amazon Linux (Original)
  • Amazon Linux 2 (AL2)
  • Amazon Linux 2023 (AL2023)
  • Amazon Bottlerocket
  • Google Container Optimized OS (COS)
  • Oracle Linux (UEK)
  • Oracle Linux (RHCK)
  • Azure Linux (CBL-Mariner)
  • EulerOS
  • ArchLinux
  • Alpine Linux 3.20 and above

CPU Architectures

  • X86
  • ARM
  • ppc64le (IBM Power)
  • s390x (zLinux)

We support additional Linux distributions depending on the feature required.

Support Policy

Sysdig is committed to providing reliable and efficient support for its edge components, Cluster Shield and Host Shield, collectively known as Sysdig Shield.

Monthly Release Cadence

Sysdig updates Sysdig Shield approximately once a month. Each release may include new features, enhancements, defect fixes, performance improvements, and CVE fixes.

Versioning System

Sysdig Shield uses semantic (X.Y.Z) versioning:

  • Major Versions (X): Often include major new features or functionality changes, and may also include bug fixes and CVE fixes. Significant updates may require changes to usage or configuration.
  • Minor Versions (Y): Typically introduce new features and enhancements, expanding Sysdig Shield’s capabilities without disrupting existing configurations. May also include bug fixes and CVE fixes.
  • Hotfix Versions (Z): Primarily focus on CVE fixes and bug fixes to improve the stability of major or minor releases. You can apply them without impacting current usage or configuration. Hotfix versions are rare and are only released to address serious issues.

Version Support

Sysdig provides support for major and minor versions of Sysdig Shield for 12 months from their release date, regardless of whether the Shield is deployed with Sysdig SaaS or Sysdig on-premises. Support includes fixes for any issues. If an issue is resolved in a later version of Shield, you must upgrade to that version to receive the fix.

Sysdig does not provide hotfixes, bug fixes, or CVE patches for any version other than the latest release. Customers using the on-premises version of Sysdig may be required to upgrade to the latest release to address certain issues.

Customers running Shield versions older than 12 months will not receive troubleshooting support for any issues and will be requested to upgrade to the latest versions of Sysdig before any troubleshooting is done. A patch version (Z) for a major or minor release will not reset the 12-month support clock.

Customers running Shield versions older than 12 months will not receive:

  • Troubleshooting support for any issues: Upgrade to the latest versions of Sysdig to receive troubleshooting.
  • Prebuilt kernel probe binaries.
  • New detection rules (Standard or Custom).

Vulnerabilities

Sysdig promptly addresses vulnerabilities in the Sysdig Agent and Shield. CVE fixes are provided in a release within the following target timeframes (starting when a fix is available in a released package):

  • Critical: 30 days
  • High: 30 days
  • Medium: 90 days
  • Low: 180 days

Sysdig does not provide CVE fixes as patches to older Shield releases.

Upgrade Often

Sysdig strongly recommends that you upgrade Sysdig Shield at least once every 3 months to benefit from the latest enhancements, new features, and CVE fixes.

End of Support

As part of our commitment to continuously improve the Sysdig platform, Sysdig may deprecate features or functionality over time.

When a feature in Shield is scheduled for deprecation, Sysdig provides 12 months' advance notice before the feature is removed. This notice period is intended to give you sufficient time to evaluate, plan, and transition to recommended alternatives, when available.

For details about deprecation, see Deprecation Policy.