Deploying the agent in a Kubernetes or Red Hat OpenShift cluster outside IBM Cloud
In addition to its ability to run in IBM Cloud, the centralized security and compliance framework that IBM Cloud® Security and Compliance Center Workload Protection provides can also be run in other clouds and on premises by using Helm charts to install the Workload Protection agent onto Kubernetes or Red Hat OpenShift clusters.
Before you begin
- Install the latest release of the Helm CLI on your local machine. Helm version 3.6 or later is required.
  Helm is a Kubernetes package manager that uses Helm charts to define, install, and upgrade complex Kubernetes apps in your cluster. Helm charts package the specifications to generate YAML files for Kubernetes resources that build your app. These Kubernetes resources are automatically applied in your cluster and assigned to a version by Helm. You can also use Helm to specify and package your own app and let Helm generate the YAML files for your Kubernetes resources.
- Verify that you have the required access and permissions to deploy the Workload Protection agent on the cluster. On a Kubernetes cluster, you must have permission to run kubectl commands on the cluster. On a Red Hat OpenShift cluster, you must have permission to run oc commands. Check the documentation of your cluster to learn more about getting the appropriate level of permissions and setting up your local machine to issue commands to the cluster.
- Verify that the ibm-observe namespace is available in your cluster. The agent is deployed in this namespace. To create the namespace, run
  kubectl create namespace ibm-observe
- Verify that outbound traffic from your cluster to the Workload Protection endpoints is allowed on ports 443 and 6443.
Deploying an agent
After you have Helm 3.6 or later and permission to run commands on the cluster, you can use Helm to install, upgrade, and delete the Workload Protection agent on Kubernetes or Red Hat OpenShift.
- Add Sysdig as a repository for Helm charts on your local machine.
  helm repo add sysdig https://charts.sysdig.com
  If you get the following error:
- Update the repository references.
  helm repo update
- List the Helm charts that are currently available for the Sysdig repository.
  helm search repo sysdig
- Verify that the sysdig/sysdig-deploy Helm chart is listed.
- Install the Workload Protection agent. You can install by creating a YAML Helm values file where the values are listed and then issuing a command that references that file. To install by using a Helm values file, first create a file named agent-values-monitor-secure.yaml. The following YAML is a template that you can use to configure the Workload Protection agent. You can customize the file by removing or commenting with # the sections that are not required for your agent.

  agent:
    ebpf:
      enabled: true
      kind: universal_ebpf
    collectorSettings:
      collectorHost: INGESTION_ENDPOINT
    sysdig:
      settings:
        host_scanner:
          enabled: true
        kspm_analyzer:
          enabled: true
        sysdig_api_endpoint: API_ENDPOINT
    extraVolumes:
      volumes:
        - name: root-vol
          hostPath:
            path: /
        - name: tmp-vol
          hostPath:
            path: /tmp
      mounts:
        - mountPath: /host
          name: root-vol
          readOnly: true
        - mountPath: /host/tmp
          name: tmp-vol
  global:
    clusterConfig:
      name: CLUSTER_NAME
    sysdig:
      accessKey: SERVICE_ACCESS_KEY
      apiHost: API_ENDPOINT
  nodeAnalyzer:
    enabled: false
  clusterShield:
    enabled: true
    cluster_shield:
      sysdig_endpoint:
        region: custom
        collector: INGESTION_ENDPOINT:6443
      log_level: info
      features:
        admission_control:
          enabled: true
          container_vulnerability_management:
            enabled: true
          dry_run: false
        container_vulnerability_management:
          enabled: true
        audit:
          enabled: true
        posture:
          enabled: true

  Where:
  CLUSTER_NAME - The name of the cluster where you are deploying the agent.
  SERVICE_ACCESS_KEY - The Workload Protection instance access key. This key authenticates the agent to your instance, so treat the values file as a secret: keep it out of version control and restrict its file permissions. Helm also keeps a copy of the values you pass in the release record that it stores in the cluster.
  INGESTION_ENDPOINT - The instance's ingestion endpoint, as a bare host name without a scheme or port; the template appends port 6443 for the cluster shield itself. For example, ingest.us-east.security-compliance-secure.cloud.ibm.com.
  API_ENDPOINT - The instance's API endpoint, also as a bare host name. For example, us-east.security-compliance-secure.cloud.ibm.com.
- Then, run the install command that references the created Helm values file:
  helm install -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
Updating an agent
To update the agent to the latest available version, complete the following steps:
- Update the Helm repository.
  helm repo update
- Upgrade the agent.
  helm upgrade -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
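The install and upgrade commands above take the same values file, and the only part of the procedure that is easy to get wrong is filling in the four placeholders and leaving the access key lying around in a world-readable file. The following script is an added example, not part of the IBM Cloud documentation or the Sysdig chart: it fills the placeholders from environment variables, creates the rendered file readable by its owner only, refuses to continue if any placeholder or a URL scheme survives in the output, checks the Helm version requirement from the prerequisites, and then runs helm upgrade --install (which performs the first install and later updates with one command) after a dry run. The template file name agent-values-monitor-secure.yaml.tmpl, the environment variable names and the checks are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM or Sysdig documentation. Renders
# agent-values-monitor-secure.yaml from a template whose placeholders are
# CLUSTER_NAME, SERVICE_ACCESS_KEY, INGESTION_ENDPOINT and API_ENDPOINT,
# validates the result and drives helm. The template file name, the
# environment variable names and the checks are assumptions of this script.
set -eu

# Returns 0 when a Helm version string such as "v3.12.3" is 3.6 or later,
# the minimum stated in the prerequisites.
helm_version_ok() {
    v="${1#v}"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# Fills the four placeholders from environment variables.
# Usage: render_values TEMPLATE OUTPUT
render_values() {
    template="$1"
    output="$2"
    : "${CLUSTER_NAME:?CLUSTER_NAME is not set}"
    : "${SERVICE_ACCESS_KEY:?SERVICE_ACCESS_KEY is not set}"
    : "${INGESTION_ENDPOINT:?INGESTION_ENDPOINT is not set}"
    : "${API_ENDPOINT:?API_ENDPOINT is not set}"
    # The output holds the access key: create it with mode 0600 from the start
    # (umask in a subshell so the rest of the script is unaffected).
    (
        umask 077
        sed -e "s|CLUSTER_NAME|${CLUSTER_NAME}|g" \
            -e "s|SERVICE_ACCESS_KEY|${SERVICE_ACCESS_KEY}|g" \
            -e "s|INGESTION_ENDPOINT|${INGESTION_ENDPOINT}|g" \
            -e "s|API_ENDPOINT|${API_ENDPOINT}|g" \
            "$template" > "$output"
    )
}

# Returns 0 when FILE contains no leftover placeholder and no URL scheme;
# the endpoints are bare host names, as in the documentation's examples.
check_rendered() {
    if grep -Eq 'CLUSTER_NAME|SERVICE_ACCESS_KEY|INGESTION_ENDPOINT|API_ENDPOINT' "$1"; then
        echo "unreplaced placeholder in $1" >&2
        return 1
    fi
    if grep -Eq 'https?://' "$1"; then
        echo "endpoint value contains a URL scheme in $1" >&2
        return 1
    fi
    return 0
}

# Driver: ./deploy-agent.sh install
# Commands that touch the cluster run only from here, so the functions above
# can be exercised without helm or kubectl installed.
if [ "${1:-}" = "install" ]; then
    helm_version_ok "$(helm version --template '{{.Version}}')" || {
        echo "Helm 3.6 or later is required" >&2
        exit 1
    }
    kubectl get namespace ibm-observe >/dev/null   # must exist per the prerequisites
    render_values agent-values-monitor-secure.yaml.tmpl agent-values-monitor-secure.yaml
    check_rendered agent-values-monitor-secure.yaml
    # Dry run renders and validates the chart without changing the cluster.
    helm upgrade --install -n ibm-observe sysdig-agent sysdig/sysdig-deploy \
        -f agent-values-monitor-secure.yaml --dry-run >/dev/null
    helm upgrade --install -n ibm-observe sysdig-agent sysdig/sysdig-deploy \
        -f agent-values-monitor-secure.yaml
    # Show what was created so a missing node agent or cluster shield is visible immediately.
    kubectl -n ibm-observe get daemonset,deployment,pods
fi
```

The substitution is plain case-sensitive text replacement, which is why the lowercase key sysdig_api_endpoint in the template is left alone while its value API_ENDPOINT is replaced. If your values contain the | character, change the sed delimiter.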
Removing an agent
To delete the agent by using Helm, uninstall the chart.
- List the charts that are installed.
  helm list -n ibm-observe
  The output lists the installed charts:
  NAME          NAMESPACE    REVISION  UPDATED                                STATUS    CHART                APP VERSION
  sysdig-agent  ibm-observe  1         2023-03-24 15:02:58.408108 +0100 CET   deployed  sysdig-deploy-1.6.3
- Uninstall the chart.
  helm delete sysdig-agent -n ibm-observe
  In Helm, sysdig-agent is the name of the release.