IBM Cloud Docs
Managing the Workload Protection agent in a Kubernetes cluster by using a HELM chart

Managing the Workload Protection agent in a Kubernetes cluster by using a HELM chart

You can use a Helm chart to install, upgrade, and delete a Workload Protection agent on a Kubernetes cluster.

Before you begin

  • Install the IBM Cloud CLI (ibmcloud), Kubernetes Service plug-in (ibmcloud oc), and IBM Cloud Container Registry plug-in (ibmcloud cr).

  • Install the latest release of the version 3 Helm CLI on your local machine.

    Helm 3.6 or later is required.

    Helm is a Kubernetes package manager that uses Helm charts to define, install, and upgrade complex Kubernetes apps in your cluster. Helm charts package the specifications to generate YAML files for Kubernetes resources that build your app. These Kubernetes resources are automatically applied in your cluster and assigned to a version by Helm. You can also use Helm to specify and package your own app and let Helm generate the YAML files for your Kubernetes resources.

  • Check that you have access and permissions to deploy the Workload Protection agent on the cluster.

  • Verify the ibm-observe namespace is available in your cluster. The agent is deployed in this namespace.

    You can run the following command to create the namespace: kubectl create namespace ibm-observe

Deploy an agent

Complete the following steps to deploy an agent by using Helm:

Step 1. Set up the Sysdig Helm repository

Add the Workload Protection Helm repository to your Helm instance.

Complete the following steps:

  1. Set the cluster context.

    ibmcloud ks cluster config --cluster <CLUSTER_NAME>

  2. Add the Helm repository.

    helm repo add sysdig https://charts.sysdig.com

    If you get the following error:

    helm repo add sysdig https://charts.sysdig.com    --debug
Error: context deadline exceeded
helm.go:84: [debug] context deadline exceeded

    Run the following command and retry adding the Helm repository.

    rm $HOME/Library/Preferences/helm/repositories.lock

  3. Update the repos to retrieve the latest versions of all Helm charts.

    helm repo update

  4. List the Helm charts that are currently available for the Sysdig repo.

    helm search repo sysdig

  5. Verify that the Helm chart sysdig/sysdig-deploy is listed.

Step 2. Create the values yaml file

Define a yaml file and include the values to deploy the Workload Protection agent and the Secure components that you plan to deploy. For example, name the file agent-values-monitor-secure.yaml.

The following yaml is a template that you can use to configure the Workload Protection agent and the Secure components. You can customize the file by removing or commenting with # the sections that are not required for your agent deployment.

agent:
  collectorSettings:
    collectorHost: INGESTION_ENDPOINT
  sysdig:
    settings:
     host_scanner:
       enabled: true
     kspm_analyzer:
       enabled: true
     sysdig_api_endpoint: API_ENDPOINT
  extraVolumes:
    volumes:
    - name: root-vol
      hostPath:
        path: /
    - name: tmp-vol
      hostPath:
        path: /tmp
    mounts:
    - mountPath: /host
      name: root-vol
      readOnly: true
    - mountPath: /host/tmp
      name: tmp-vol
global:
  imageRegistry: icr.io/ext
  clusterConfig:
    name: CLUSTER_NAME
  sysdig:
    accessKey: SERVICE_ACCESS_KEY
    apiHost: API_ENDPOINT
nodeAnalyzer:
  enabled: false
clusterShield:
  enabled: true
  cluster_shield:
    sysdig_endpoint: 
      region: custom
    log_level: info
    features:
      admission_control:
        enabled: true
      container_vulnerability_management:
        enabled: true
      audit:
        enabled: true
      posture:
        enabled: true

Where

  • CLUSTER_NAME is the name of the cluster where you are deploying the agent.
  • SERVICE_ACCESS_KEY is the Workload Protection instance access key.
  • INGESTION_ENDPOINT is the instance's ingestion endpoint. For example, ingest.us-east.security-compliance-secure.cloud.ibm.com
  • API_ENDPOINT is the instance's API endpoint. For example, us-east.security-compliance-secure.cloud.ibm.com

Step 3. Install the Helm chart

To deploy the agent, the Secure components, or both, you must install the sysdig/sysdig-deploy chart. You can install the chart by using a variables yaml file like the one that you configured in the previous step, or you can configure the variables directly.

Run the following command to install the agent by using the helm chart and the variables yaml file:

helm install -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml

For example, for the us-east region, a sample Helm values file looks as follows:

agent:
  collectorSettings:
    collectorHost: ingest.private.us-east.security-compliance-secure.cloud.ibm.com
  sysdig:
    settings:
     host_scanner:
       enabled: true
     kspm_analyzer:
       enabled: true
     sysdig_api_endpoint: private.us-east.security-compliance-secure.cloud.ibm.com
  extraVolumes:
    volumes:
    - name: root-vol
      hostPath:
        path: /
    - name: tmp-vol
      hostPath:
        path: /tmp
    mounts:
    - mountPath: /host
      name: root-vol
      readOnly: true
    - mountPath: /host/tmp
      name: tmp-vol
global:
  imageRegistry: icr.io/ext
  clusterConfig:
    name: my-cluster
  sysdig:
    accessKey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
    apiHost: private.us-east.security-compliance-secure.cloud.ibm.com
nodeAnalyzer:
  enabled: false
clusterShield:
  enabled: true
  cluster_shield:
    sysdig_endpoint: 
      region: custom
    log_level: info
    features:
      admission_control:
        enabled: true
      container_vulnerability_management:
        enabled: true
      audit:
        enabled: true
      posture:
        enabled: true

If you encounter the following error: Error: INSTALLATION FAILED: Kubernetes cluster unreachable: xxxxxx failed to refresh token: oauth2: cannot fetch token: 400 Bad Request, set your cluster context and try again.

Update an agent

To update the agent version by using Helm, complete the following steps:

  1. Update the chart.

    helm repo update

  2. Upgrade the agent.

    helm upgrade -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml

With these steps, you'll upgrade your agents to the latest available version.

Remove an agent

To delete the agent by using Helm, you must uninstall the chart.

Complete the following steps:

  1. List the charts that are installed.

    helm list -n ibm-observe

    The output of the command lists charts as follows:

    NAME        	NAMESPACE  	REVISION	UPDATED                             	STATUS  	CHART              	APP VERSION
sysdig-agent	ibm-observe	1       	2023-03-24 15:02:58.408108 +0100 CET	deployed	sysdig-deploy-1.6.3

  2. Uninstall the chart.

    helm delete sysdig-agent  -n ibm-observe

    In terms of Helm, sysdig-agent is the name of the release.

    If you forget to include the namespace in the command, you get the following error: Error: uninstall: Release not loaded: sysdig-agent: release: not found.