Understand Serverless Agent Drivers

The Serverless Agent Driver captures system call invocations through userspace-level instrumentation.

Serverless Agent Components

The Serverless Workload Agent image includes several applications and libraries that are embedded within the Docker image of the application to be secured.

The key components are:

  • instrument | sidecar: Depending on the deployment strategy, the container entrypoint calls either instrument or sidecar, which is responsible for running pdig and the agent.

  • pdig: The driver that traces the user application and generates events for the agent.

  • agentino: An agent responsible for several tasks, including gathering events from pdig, connecting to the collector, and performing policy matching.

Driver Overview

When embedding the Workload Agent into the Docker image of the application to be secured, you modify the entrypoint to execute the Sysdig instrumentation. The entrypoint is responsible for starting both agentino and pdig.

Since serverless platforms prevent host-level access, the pdig driver must operate within the same context as the user application to perform userspace-level instrumentation.

The agent, by contrast, does not have to share the application's context: you can deploy it either within the same workload container or in a separate sidecar container, depending on the deployment strategy required for the use case.