Managing the Workload Protection agent in a Satellite cluster by using a Helm chart
You can use a Helm chart to install, upgrade, and delete the Workload Protection components on your Satellite clusters.
Before you begin
- Install the latest release of the version 3 Helm CLI on your local machine. Helm 3.6 or later is required.
  Helm is a Kubernetes package manager that uses Helm charts to define, install, and upgrade complex Kubernetes apps in your cluster. Helm charts package the specifications to generate YAML files for the Kubernetes resources that build your app. Helm applies these resources in your cluster and tracks them as a versioned release. You can also use Helm to specify and package your own app and let Helm generate the YAML files for your Kubernetes resources.
- Install the Red Hat OpenShift (oc) and Kubernetes (kubectl) CLIs.
- Check that you have access and permissions to deploy the Workload Protection agent on the cluster.
- Verify that the ibm-observe namespace is available in your cluster. The agent is deployed in this namespace. In OpenShift, a project is a namespace in a cluster. You can run the following command to create the namespace:
  oc adm new-project --node-selector='' ibm-observe
- Get your Workload Protection ingest endpoint. This endpoint is different from the one that you create in the next step. Access your Satellite location, then select Link endpoints and System endpoints. Copy the system endpoint starting with satellite-sysdig- that points to ingest.private.<region>.monitoring.cloud.ibm.com. You use the hostname of this endpoint later as INGESTION_SATELLITE_ENDPOINT and its port as INGESTION_SATELLITE_ENDPOINT_PORT.
Before deploying the Workload Protection components, create a Satellite Link endpoint for the Workload Protection private API endpoint.
Create a Workload Protection Satellite Link endpoint
Create an HTTPS Satellite Link endpoint by using the console or the CLI to connect securely to the Workload Protection private endpoints.
- Get your Workload Protection private endpoint. For example, if your Workload Protection instance is in us-east, your endpoint is private.us-east.security-compliance-secure.cloud.ibm.com.
- Access the Satellite Locations dashboard, open your location, click Link endpoints, and then click Create an endpoint.
- Select Cloud to create an endpoint for a service, server, or app that runs outside of the location.
- Enter an endpoint name, the destination domain name (FQDN), which is the Workload Protection private endpoint from step 1, and destination port 443.
- Select the HTTPS protocol.
- Click Create. Wait a few minutes for the Satellite Link connector component to assign a port to your endpoint.
- In the table row for your endpoint, copy the hostname of your Satellite Link connector and the port assigned to your endpoint from the Address field. You use this hostname:port value in the following steps as API_ENDPOINT.
Deploy an agent
Complete the following steps to deploy an agent by using Helm:
Step 1. Set up the cluster context
- Log in to the account. If you have a federated account, include the --sso option.
  ibmcloud login [-g <resource_group>] [--sso]
- Download and add the kubeconfig configuration file for your cluster to your existing kubeconfig in ~/.kube/config or the last file in the KUBECONFIG environment variable.
  ibmcloud oc cluster config --cluster <cluster_name_or_ID>
- In your browser, navigate to the address of your Master URL and append /console. For example, https://c0.containers.cloud.ibm.com:23652/console.
- From the Red Hat OpenShift web console menu bar, click your profile IAM#user.name@email.com > Copy Login Command. Display and copy the oc login token command into your command line to authenticate through the CLI.
- Verify that the oc commands run properly against your cluster by checking the version.
  oc version
  Your output should look similar to this example:
  Client Version: v4.11.0
  Kubernetes Version: v1.25.8.2
Step 2. Set up the Sysdig Helm repository
Add the Workload Protection Helm repository to your Helm instance.
Complete the following steps:
- Set the cluster context, if you did not already do so in Step 1.
  ibmcloud ks cluster config --cluster <CLUSTER_NAME>
- Add the Helm repository.
  helm repo add sysdig https://charts.sysdig.com
  If the command fails with the following error (shown here with --debug):
  helm repo add sysdig https://charts.sysdig.com --debug
  Error: context deadline exceeded
  helm.go:84: [debug] context deadline exceeded
  remove the Helm repository lock file and retry adding the Helm repository. On macOS the file is:
  rm $HOME/Library/Preferences/helm/repositories.lock
  On Linux the same file is at $HOME/.config/helm/repositories.lock.
- Update the repos to retrieve the latest versions of all Helm charts.
  helm repo update
- List the Helm charts that are currently available in the Sysdig repo.
  helm search repo sysdig
- Verify that the Helm chart sysdig/sysdig-deploy is listed.
Step 3. Create the Helm values file
Define a YAML file that includes the values for the Workload Protection components that you plan to deploy. For example, name the file agent-values-monitor-secure.yaml.
The following YAML is a template that you can use to configure the Workload Protection components. You can customize the file by removing, or commenting out with #, the sections that are not required for your agent deployment.
agent:
  collectorSettings:
    collectorHost: INGESTION_SATELLITE_ENDPOINT
    collectorPort: INGESTION_SATELLITE_ENDPOINT_PORT
  slim:
    enabled: true
global:
  clusterConfig:
    name: CLUSTER_NAME
  kspm:
    deploy: true
  sysdig:
    accessKey: SERVICE_ACCESS_KEY
    apiHost: API_ENDPOINT
nodeAnalyzer:
  secure:
    vulnerabilityManagement:
      newEngineOnly: true
  nodeAnalyzer:
    runtimeScanner:
      deploy: false
    benchmarkRunner:
      deploy: false
    hostScanner:
      deploy: false
    deploy: true
    natsUrl: wss://API_ENDPOINT
    sslVerifyCertificate: false
kspmCollector:
  natsUrl: wss://API_ENDPOINT
  sslVerifyCertificate: false
clusterScanner:
  enabled: true
  eveEnabled: true
  sslVerifyCertificate: false
Where:
- CLUSTER_NAME is the name of the cluster where you are deploying the agent.
- SERVICE_ACCESS_KEY is the Workload Protection instance access key.
- INGESTION_SATELLITE_ENDPOINT is the hostname of the Satellite endpoint that you extracted previously and that points to the ingest endpoint. For example, c1bcda0323e0ef4b83aba-6b64a6ccc9c596bf59a86625d8fa2202-c111.us-east.satellite.appdomain.cloud.
- INGESTION_SATELLITE_ENDPOINT_PORT is the port of that same Satellite endpoint. For example, 30771.
- API_ENDPOINT is the Satellite endpoint that you extracted previously and that points to the Workload Protection private API endpoint. For example, c1bcda0323e0ef4b83aba-6b64a6ccc9c596bf59a86625d8fa2202-c111.us-east.satellite.appdomain.cloud:31924. In this case, both hostname and port are defined together.
Two settings in this file deserve attention. The file contains SERVICE_ACCESS_KEY, so restrict its file permissions and keep it out of source control. Every sslVerifyCertificate: false entry disables verification of the TLS server certificate that the node analyzer, KSPM collector, and cluster scanner receive when they connect to API_ENDPOINT through the Satellite Link. The connection is still encrypted, but those components cannot detect a substituted endpoint, so keep this setting limited to the Satellite Link path and do not copy the file to clusters that reach the Workload Protection API directly.
Step 4. Install the Helm chart
To deploy the agent, the Workload Protection components, or both, install the sysdig/sysdig-deploy chart with the values file that you configured in the previous step.
Run the following command to install the agent by using the Helm chart:
helm install -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
If you want to install the Workload Protection components directly, without a Helm values file, you can run the following command and set all variables with --set. With this form, SERVICE_ACCESS_KEY is written to your shell history and is visible in the process list while the command runs, which is why the values file is the preferred form.
helm install sysdig-agent sysdig/sysdig-deploy --namespace ibm-observe --create-namespace \
  --set global.sysdig.accessKey=<SERVICE_ACCESS_KEY> \
  --set global.sysdig.apiHost=<API_ENDPOINT> \
  --set agent.collectorSettings.collectorHost=<INGESTION_SATELLITE_ENDPOINT> \
  --set agent.collectorSettings.collectorPort=<INGESTION_SATELLITE_ENDPOINT_PORT> \
  --set nodeAnalyzer.natsUrl=wss://<API_ENDPOINT> \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=false \
  --set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=false \
  --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
  --set nodeAnalyzer.nodeAnalyzer.sslVerifyCertificate=false \
  --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
  --set global.kspm.deploy=true \
  --set global.clusterConfig.name=<CLUSTER_NAME> \
  --set kspmCollector.natsUrl=wss://<API_ENDPOINT> \
  --set kspmCollector.sslVerifyCertificate=false \
  --set clusterScanner.enabled=true \
  --set clusterScanner.eveEnabled=true \
  --set clusterScanner.sslVerifyCertificate=false
Where:
- CLUSTER_NAME is the name of the cluster where you are deploying the agent.
- SERVICE_ACCESS_KEY is the Workload Protection instance access key.
- INGESTION_SATELLITE_ENDPOINT is the hostname of the Satellite endpoint that you extracted previously and that points to the ingest endpoint. For example, c1bcda0323e0ef4b83aba-6b64a6ccc9c596bf59a86625d8fa2202-c111.us-east.satellite.appdomain.cloud.
- INGESTION_SATELLITE_ENDPOINT_PORT is the port of that same Satellite endpoint. For example, 30771.
- API_ENDPOINT is the Satellite endpoint that you extracted previously and that points to the Workload Protection private API endpoint. For example, c1bcda0323e0ef4b83aba-6b64a6ccc9c596bf59a86625d8fa2202-c111.us-east.satellite.appdomain.cloud:31924. In this case, both hostname and port are defined together.
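The following script is added here as an example and is not part of the IBM Cloud page or the Sysdig chart. It puts Step 3 and Step 4 into one reproducible command: it validates the three endpoint values (a bare hostname for ingest, a numeric port, and host:port for the API), renders the same values YAML as the template in Step 3, writes it with owner-only permissions because it embeds the access key, and then installs or upgrades the release with helm upgrade --install, which also covers the later Update an agent step. The function names, the RUN_DEPLOY switch, and the endpoint values used in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud page or the Sysdig chart: render the
# Step 3 values file from the endpoints gathered earlier, validate them, and
# install or upgrade the sysdig/sysdig-deploy release. Function names and the
# RUN_DEPLOY switch are assumptions of this example. When run with
# RUN_DEPLOY=1 it expects CLUSTER_NAME, SERVICE_ACCESS_KEY,
# INGESTION_SATELLITE_ENDPOINT, INGESTION_SATELLITE_ENDPOINT_PORT and
# API_ENDPOINT to be exported in the environment.
set -eu

# True if $1 is an integer in 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if $1 has the host:port form that API_ENDPOINT must have
# (Satellite Link connector hostname plus the port assigned to the endpoint).
is_host_port() {
  local host port
  host="${1%:*}"
  port="${1##*:}"
  [ "$host" != "$1" ] && [ -n "$host" ] && is_port "$port"
}

# Print the values YAML to stdout.
# Args: cluster_name access_key ingest_host ingest_port api_endpoint
render_values() {
  local cluster key ingest_host ingest_port api
  cluster="$1"; key="$2"; ingest_host="$3"; ingest_port="$4"; api="$5"
  [ -n "$cluster" ] && [ -n "$key" ] || { echo "cluster name and access key are required" >&2; return 1; }
  case "$ingest_host" in
    ''|*:*) echo "INGESTION_SATELLITE_ENDPOINT must be a hostname without a port" >&2; return 1 ;;
  esac
  is_port "$ingest_port" || { echo "INGESTION_SATELLITE_ENDPOINT_PORT must be 1-65535, got '$ingest_port'" >&2; return 1; }
  is_host_port "$api" || { echo "API_ENDPOINT must be host:port, got '$api'" >&2; return 1; }
  # sslVerifyCertificate: false mirrors the page's template: the connection is
  # still TLS, but the certificate presented on the Satellite Link is not checked.
  cat <<EOF
agent:
  collectorSettings:
    collectorHost: ${ingest_host}
    collectorPort: ${ingest_port}
  slim:
    enabled: true
global:
  clusterConfig:
    name: ${cluster}
  kspm:
    deploy: true
  sysdig:
    accessKey: ${key}
    apiHost: ${api}
nodeAnalyzer:
  secure:
    vulnerabilityManagement:
      newEngineOnly: true
  nodeAnalyzer:
    runtimeScanner:
      deploy: false
    benchmarkRunner:
      deploy: false
    hostScanner:
      deploy: false
    deploy: true
    natsUrl: wss://${api}
    sslVerifyCertificate: false
kspmCollector:
  natsUrl: wss://${api}
  sslVerifyCertificate: false
clusterScanner:
  enabled: true
  eveEnabled: true
  sslVerifyCertificate: false
EOF
}

# Write the values file with owner-only permissions (it contains the access
# key), then create or upgrade the release in the ibm-observe namespace that
# was created in "Before you begin", and show what came up.
deploy() {
  local values_file
  values_file="${1:-agent-values-monitor-secure.yaml}"
  ( umask 077
    render_values "$CLUSTER_NAME" "$SERVICE_ACCESS_KEY" \
      "$INGESTION_SATELLITE_ENDPOINT" "$INGESTION_SATELLITE_ENDPOINT_PORT" \
      "$API_ENDPOINT" > "$values_file" ) || { rm -f "$values_file"; return 1; }
  helm repo update
  helm upgrade --install sysdig-agent sysdig/sysdig-deploy \
    --namespace ibm-observe -f "$values_file"
  helm status sysdig-agent -n ibm-observe
  oc get pods -n ibm-observe
}

if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy "${1:-}"
fi
```

Save it as, for example, deploy-agent.sh and run it as RUN_DEPLOY=1 sh deploy-agent.sh after exporting the five variables. Without RUN_DEPLOY the script only defines the functions, so you can source it and call render_values to inspect the generated file before touching the cluster; rerunning it after helm repo update performs the upgrade described under Update an agent.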
Update an agent
We recommend updating the Workload Protection agent at least once every 2 months.
To update the agent version by using Helm, complete the following steps:
- Update the chart index.
  helm repo update
- Upgrade the release with the same values file that you used to install it.
  helm upgrade -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
Remove an agent
To delete the agent by using Helm, you must uninstall the chart.
Complete the following steps:
- List the releases that are installed in the namespace.
  helm list -n ibm-observe
  The output lists the releases as follows:
  NAME          NAMESPACE    REVISION  UPDATED                               STATUS    CHART                  APP VERSION
  sysdig-agent  ibm-observe  1         2023-03-24 15:02:58.408108 +0100 CET  deployed  sysdig-deploy-1.37.10
- Uninstall the release.
  helm delete sysdig-agent -n ibm-observe
  In Helm terms, sysdig-agent is the name of the release. If you omit the namespace from the command, Helm looks for the release in the namespace of your current context instead and returns the following error:
  Error: uninstall: Release not loaded: sysdig-agent: release: not found