Install Windows Nodes

This page describes how to install the Sysdig Host Shield on Windows nodes running Kubernetes. You use the shield chart to install the Host Shield components in your Kubernetes environment.

In addition to providing instructions for freshly installing the shield chart, this topic also guides you through migrating from previously installed Sysdig components deployed with the sysdig-deploy chart to the Host Shield and Cluster Shield components.

Prerequisites

  • Kubectl installed
  • Helm version 3.10 and later
  • Your agent access key
  • Sysdig Secure Endpoint for your Sysdig SaaS region
  • Windows Server 2019 and above
  • Administrator permissions to perform the operations

Coverage Map

Platform         | Threat Detection and Response | Vulnerability Management | Posture Management
EKS              | ✅ (Hosts Only)               |                          |
AKS              | ✅ (Hosts Only)               |                          |
GKE              | ✅ (Hosts Only)               |                          |
Openshift (OCP4) | ✅ (Hosts Only)               |                          |

Migrate to the Shield Chart

Sysdig introduces a new chart, shield, to install Host Shield components. If you have previously installed Sysdig components in your cluster or are considering a fresh installation, use the shield chart instead of sysdig-deploy.

Since the Host Shield replaces all the components previously deployed with the sysdig-deploy chart, uninstall any existing installation before proceeding. This prevents duplicate entity errors.

Before uninstalling, make sure to take a backup of your Sysdig deployment to preserve configurations and data.

helm get values {RELEASE_NAME} -n {NAMESPACE} > sysdig-agent-backup.yaml

To remove an existing installation, run the following command:

helm uninstall sysdig-agent --namespace sysdig-agent

If you are doing a fresh installation, you can ignore this requirement.

Install Using Helm

Configuration File

To install Host Shield and Cluster Shield, you can use the following values.yaml file:

cluster_config:
  # The name of the cluster
  name: <your-cluster-name>

sysdig_endpoint:
  # Sysdig Secure instance location region
  region: <your-sysdig-region>
  # Access key for Sysdig Secure instance
  access_key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

features:
  kubernetes_metadata:
    # Enable Kubernetes metadata collection for the cluster
    enabled: true

  posture:
    host_posture:
      # Enable host posture assessment
      enabled: true
    cluster_posture:
      # Enable cluster posture assessment
      enabled: true

  vulnerability_management:
    host_vulnerability_management:
      # Enable host vulnerability management
      enabled: true
    container_vulnerability_management:
      # Enable container vulnerability management
      enabled: true
    in_use:
      # Enable retrieval of in-use packages
      enabled: true

  detections:
    drift_control:
      # Enable drift control detection
      enabled: true
    malware_control:
      # Enable malware control detection
      enabled: true
    ml_policies:
      # Enable machine learning policies
      enabled: true
    kubernetes_audit:
      # Enable Kubernetes audit logging
      enabled: true

  investigations:
    activity_audit:
      # Enable activity audit
      enabled: true
    live_logs:
      # Enable Kubernetes live logs
      enabled: true
    captures:
      enabled: true

host:
  # Linux Host settings
  # Linux driver for the host agent (accepted values: kmod, legacy_ebpf, universal_ebpf (Linux kernel >= 5.8))
  driver: universal_ebpf

host_windows:
  # Windows Host settings
  # Enable Windows Host Shield deployment
  enabled: true

Installation

helm repo add sysdig https://charts.sysdig.com
helm repo update
helm upgrade --install --atomic --create-namespace \
    -n sysdig \
    -f values.yaml \
    shield \
    sysdig/shield

Parameters:

  • http_proxy: Specifies the URL for the HTTP proxy server.
  • https_proxy: Specifies the URL for the HTTPS proxy server.
  • no_proxy: A comma-separated list of hosts or domains to bypass the proxy. For example: localhost,127.0.0.1,.my-cluster.local
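Before running the helm upgrade above, it is worth checking that the placeholders in values.yaml have actually been replaced and that the proxy list is well formed. The following pre-flight script is an added example, not part of the Sysdig chart or its documentation; it only knows the key names shown in the values.yaml above and assumes that name, access_key, driver and no_proxy each occur once in the file (the sample region and access key it writes are made up).

```shell
# Pre-flight checks for a shield values.yaml before running helm upgrade --install.
# Added example, not part of the Sysdig chart; key names follow the values.yaml above.
# Assumption: name, access_key, driver and no_proxy each appear once in the file.

# Print the value of "$2:" from file $1, with any trailing comment and spaces stripped.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the file is ready to install, 1 (with one message per problem) otherwise.
preflight_values() {
    file=$1; errors=0
    name=$(yaml_value "$file" name); key=$(yaml_value "$file" access_key)
    driver=$(yaml_value "$file" driver); noproxy=$(yaml_value "$file" no_proxy)
    case "$name" in
        ''|'<'*) echo "cluster_config.name is unset or still a placeholder"; errors=$((errors+1)) ;;
    esac
    # Access keys are UUID-shaped, so the sample's x's must have been replaced with the real key.
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "sysdig_endpoint.access_key is not a valid key (still the xxxx placeholder?)"; errors=$((errors+1))
    fi
    # Only the drivers listed in the values.yaml comment are accepted; empty means the chart default.
    case "$driver" in
        ''|kmod|legacy_ebpf|universal_ebpf) ;;
        *) echo "host.driver must be kmod, legacy_ebpf or universal_ebpf (got '$driver')"; errors=$((errors+1)) ;;
    esac
    # no_proxy is comma-separated; a stray space makes that entry never match, so traffic goes via the proxy.
    case "$noproxy" in
        *' '*) echo "proxy.no_proxy contains whitespace: '$noproxy'"; errors=$((errors+1)) ;;
    esac
    [ "$errors" -eq 0 ]
}

# Write a constructed values.yaml (region and fields are made up for the test) and print its path.
write_sample() {  # $1 label, $2 cluster name, $3 access_key, $4 driver, $5 no_proxy
    out=${TMPDIR:-/tmp}/shield-preflight-$1-$$.yaml
    printf 'cluster_config:\n  name: %s\nsysdig_endpoint:\n  region: us1\n  access_key: %s\nhost:\n  driver: %s\nproxy:\n  no_proxy: %s\n' \
        "$2" "$3" "$4" "$5" > "$out"
    printf '%s\n' "$out"
}
```

Run it as `preflight_values values.yaml && helm upgrade --install ...` so the install only proceeds on a clean file.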

Feature Management

Feature management in Sysdig Host and Cluster Shield is handled through a values.yaml configuration file, where you can enable or disable specific features like posture, vulnerability management and detection capabilities. Each feature has associated options, allowing customization to fit your environment’s security and compliance needs.

For example, you can enable host scanning with the following snippet:

features:
  vulnerability_management:
    host_vulnerability_management:
      enabled: true

This setup activates host vulnerability scanning, allowing you to identify and address potential security risks on your cluster’s nodes.

Additional Features

To enable the additional features, edit the values.yaml file to use the following configuration:

Posture Management

features:
  posture:
    host_posture:
      enabled: true

Proxy Settings

If your environment requires internet access through a proxy server, you can configure proxy settings in the values.yaml file. These settings ensure that Sysdig Host and Cluster Shield can communicate with Sysdig.

Add the following configuration under the proxy section:

proxy:
  http_proxy: http://customer-proxy
  https_proxy: http://customer-proxy
  no_proxy: <comma-separated-list-of-hosts-or-domains>

Advanced Settings

You can use the additional_settings section to configure advanced debugging options, such as log levels. Use these settings with caution and contact Sysdig Support for guidance.

For detailed information on configuring the shield chart, see shield.

Scan Directory Configuration

The dirs_to_scan setting lists the folders to be included in the scan.

host_windows:
  additional_settings:
    vulnerability_management:
      host_vulnerability_management:
        enabled: true
        # The maximum size of a file considered for VM analysis
        max_file_size_bytes: 104857600
        # The maximum size for in-memory evaluation, larger files will be offloaded to disk
        max_in_memory_file_size_bytes: 26214400
        # The maximum number of (image) layers being analyzed in parallel
        max_parallel_layers: 5
        # host-scanning feature
        host:
          enabled: true
          # folders to be included in the analysis
          dirs_to_scan:
            - C:\Users

Setting Log Level

The log_level setting sets the minimum log level for messages displayed in the console.

host_windows:
  additional_settings:
    log_level: warn # or debug, info, warn, err