Install Shield on Kubernetes

This page describes how to install the Sysdig Shield on Kubernetes.

Sysdig Shield provides runtime detection and policy enforcement for Kubernetes workloads by leveraging Falco to enhance security and compliance. The Cluster Shield collects data from the Kubernetes nodes where it is installed, sending it to the Sysdig backend while synchronizing runtime policies and rules.

For detailed installation instructions based on your node type, see:

Before installing Sysdig Shield, ensure that your system meets the following requirements."

System Requirements

  • A supported distribution or Kubernetes platform.

  • A Sysdig account and agent access key.

  • Ports 443 and 6443 open for outbound traffic

    The Host Shield communicates to Sysdig APIs on port 443 and with the collector on port 6443. If you’re using a firewall, make sure to open port 443 and 6443 for outbound traffic so that the Host Shield can communicate with the Sysdig APIs and collector.

  • Allow traffic on port 12000 to communicate within the cluster (same namespace) for Kubernetes Security Posture Management (KSPM).

  • Allow traffic on port 4222 to communicate within the cluster (same namespace) for Container Vulnerability Management.

Kubernetes Platforms

  • Kubernetes (Vanilla)

  • Amazon Elastic Kubernetes Service (EKS)

    Note: AWS Fargate is not supported on EKS

  • Google Kubernetes Engine (GKE)

  • Azure Kubernetes Service (AKS)

  • RedHat Openshift

  • IBM Kubernetes Service (IKS)

  • RKE Government (RKE2)

Linux Distributions

  • Debian
  • Ubuntu 18.04 and above
  • Ubuntu (Amazon)
  • CentOS 7 and above
  • Alma Linux
  • Rocky Linux
  • Red Hat Enterprise Linux (RHEL) 7 and above
  • SuSE Linux Enterprise Server*
  • RHEL CoreOS (RHCOS)
  • Fedora
  • Fedora CoreOS
  • Linux Mint
  • Amazon Linux (Original)
  • Amazon Linux 2 (AL2)
  • Amazon Linux 2023 (AL2023)
  • Amazon Bottlerocket
  • Google Container Optimized OS (COS)
  • Oracle Linux (UEH)
  • Oracle Linux (RHCK)
  • Azure Linux (CBL-Mariner)
  • EulerOS
  • ArchLinux
  • Alpine Linux 3.20 and above

CPU Architectures

  • X86
  • ARM
  • ppc64le (IBM Power)
  • s390x (zLinux)

We support additional Linux distributions depending on the feature required.