Cloud Run Service

The Sysdig Serverless Workload Agent provides runtime detection and policy enforcement for serverless workloads on Google Cloud Platform (GCP) Cloud Run. It uses Falco to ensure the security and compliance of the workloads.

Prerequisites

Refer to the following prerequisites for both Sysdig and GCP Cloud Run.

Sysdig

  • A Sysdig Secure account and the Agent Access Key

  • The endpoint of the Sysdig Collector for your region

  • Network access to the Sysdig Collector from the deployed Workload Agent.

    The Sysdig Workload Agent requires outbound traffic permissions on port 6443 to communicate with the Sysdig Collector.

GCP Cloud Run

  • Instance-based billing (previously called CPU Always Allocated) selected in your Service definition.

  • Second-generation execution environment selected in your Service definition.

Deploy the Sysdig Workload Agent

The Serverless Workload Agent consists of two primary components:

  • Instrumentation: Monitors the workload application, operating within the same container alongside it.

  • Agent: Analyzes the syscall data collected by the Instrumentation, performs policy matching, and communicates with the Sysdig collector.

The Instrumentation always resides within the same container as the workload application it monitors. The Agent, however, can be deployed in one of two configurations:

  • Embedded within the same container as the workload application, sharing the same CPU and memory resources. This approach has minimal deployment impact, only requiring extra environment variables in the workload container.

  • As a sidecar container, enabling independent configuration of its CPU and memory resources separate from the workload container. This setup requires additional configuration in the workload service.

Instrument the Workload Image

The first step is instrumenting the workload image with the Serverless Workload Agent, regardless of the chosen deployment strategy. This ensures the Sysdig applications are included in the workload container image.

This example uses sysdiglabs/security-playground as the original workload to secure. It is a sample application that offers endpoints for triggering security events.

Given the original Dockerfile:

FROM python:3.9-slim

RUN pip install --upgrade pipenv

WORKDIR /app
COPY . .
RUN pipenv install --system --deploy

EXPOSE 8080

ENTRYPOINT ["./entrypoint.sh"]

It can be instrumented as follows:

+FROM quay.io/sysdig/workload-agent:latest AS workload-agent

FROM python:3.9-slim

RUN pip install --upgrade pipenv

WORKDIR /app
COPY . .
RUN pipenv install --system --deploy

+COPY --from=workload-agent /opt/draios /opt/draios

EXPOSE 8080

+ENTRYPOINT ["/opt/draios/bin/instrument", "./entrypoint.sh"]

In detail:

  • The Sysdig Workload Agent is added as a separate layer and then copied into the image file system under /opt/draios.
  • The Sysdig application /opt/draios/bin/instrument is prepended to the original ENTRYPOINT to secure the original workload application at runtime.

The instrumented container image is now ready to be built and deployed.

Embedded Deployment

After instrumenting your workload image, you can deploy it just like the original.

Make sure to provide the workload container with the following additional environment variables:

  • SYSDIG_COLLECTOR and SYSDIG_COLLECTOR_PORT: Used to reach the Sysdig Collector for your region.
  • SYSDIG_ACCESS_KEY: The Agent Access Key to authenticate with the Sysdig backend.
  • SYSDIG_WORKLOAD_ID: The identifier for each instrumented container; it must be unique at the service level.
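The following Cloud Run service definition is an added example, not configuration shipped by Sysdig or taken from this page: it deploys the instrumented image in the embedded configuration, satisfies the two Cloud Run prerequisites above through annotations, and pulls the Agent Access Key from Secret Manager instead of placing it in the service definition in clear text. The image path, the service name, the secret name (sysdig-access-key) and the collector endpoint placeholder are assumptions you replace with your own values; the collector port 6443 is the one named in the prerequisites.

```yaml
# Added example: embedded deployment of an instrumented workload on Cloud Run.
# Replace every PLACEHOLDER with the values for your project and region.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: security-playground            # assumed service name
spec:
  template:
    metadata:
      annotations:
        # Prerequisite: instance-based billing (CPU always allocated),
        # so the Agent keeps running between requests.
        run.googleapis.com/cpu-throttling: "false"
        # Prerequisite: second-generation execution environment.
        run.googleapis.com/execution-environment: gen2
    spec:
      containers:
        - name: workload
          # Assumed path of the image built from the instrumented Dockerfile.
          image: REGION-docker.pkg.dev/PROJECT_ID/REPO/security-playground:instrumented
          ports:
            - containerPort: 8080
          env:
            - name: SYSDIG_COLLECTOR
              value: COLLECTOR_ENDPOINT_FOR_YOUR_REGION   # placeholder
            - name: SYSDIG_COLLECTOR_PORT
              value: "6443"
            - name: SYSDIG_WORKLOAD_ID
              value: security-playground              # unique within the service
            - name: SYSDIG_ACCESS_KEY
              # Assumed Secret Manager secret named sysdig-access-key;
              # "latest" selects the newest secret version.
              valueFrom:
                secretKeyRef:
                  name: sysdig-access-key
                  key: latest
```

Apply it with gcloud run services replace on the file; the Cloud Run service account must hold the Secret Manager Secret Accessor role on the secret for the valueFrom reference to resolve, and the service's egress path must allow outbound TCP 6443 to the collector endpoint.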

Sidecar Deployment

After instrumenting your workload image, you will need to:

  1. Add an in-memory volume to the service.
  2. Provide the instrumented workload container with additional environment variables and mount points.
  3. Add a sidecar container running the Sysdig Workload Agent.

In detail:

  1. Add an in-memory empty-dir volume to the service with the following configuration:
     • name: sysdig
     • size limit: 512Mi
  2. Provide the instrumented workload container with:
     • An additional environment variable:
       • SYSDIG_SIDECAR: force
     • A volume mount for the sysdig volume at /opt/draios/run.
  3. Add a sidecar container to the service running the Sysdig Workload Agent, and provide it with:
     • The following additional environment variables:
       • SYSDIG_COLLECTOR and SYSDIG_COLLECTOR_PORT: Used to reach the Sysdig Collector for your region
       • SYSDIG_ACCESS_KEY: The Agent Access Key to authenticate with the Sysdig backend
       • SYSDIG_WORKLOAD_ID: The identifier for each instrumented container; it must be unique at the service level
       • SYSDIG_SIDECAR: force
     • A volume mount for the sysdig volume at /opt/draios/run.