Deploying the agent in an outside Kubernetes or OpenShift cluster
In addition to its ability to run in IBM Cloud, the centralized security and compliance framework that IBM Cloud® Security and Compliance Center Workload Protection provides can also be run in other clouds and on premises by using Helm charts to install the Workload Protect agent onto Kubernetes or OpenShift clusters.
Before you begin
-
Install the latest release of the version 3 Helm CLI on your local machine.
Helm 3.6 or later is required.
Helm is a Kubernetes package manager that uses Helm charts to define, install, and upgrade complex Kubernetes apps in your cluster. Helm charts package the specifications to generate YAML files for Kubernetes resources that build your app. These Kubernetes resources are automatically applied in your cluster and assigned a version by Helm. You can also use Helm to specify and package your own app and let Helm generate the YAML files for your Kubernetes resources.
-
Check that you have access and permissions to deploy the Workload Protection agent on the cluster. On a Kubernetes cluster, this means having the permission to run
kubectl
commands on the cluster. On an OpenShift cluster, this means have the permission to runoc
commands. Check with the documentation of your cluster to learn more about getting the appropriate level of permissions and setting up your local machine to be able to properly issue commands to the cluster. -
Verify the
ibm-observe
namespace is available in your cluster. The agent is deployed in this namespace.You can run the following command to create the namespace:
kubectl create namespace ibm-observe
Deploy an agent
Once you have a sufficient version of Helm and the permission to run commands on the cluster, you can use Helm to install, upgrade and delete the Workload Protection on Kubernetes or OpenShift.
-
Add Sysdig as a repository for Helm charts on your local machine:
helm repo add sysdig https://charts.sysdig.com
If you get the following error:
helm repo add sysdig https://charts.sysdig.com --debug Error: context deadline exceeded helm.go:84: [debug] context deadline exceeded
Run the following command and retry adding the Helm repository.
rm $HOME/Library/Preferences/helm/repositories.lock
-
Update the repositories references by issuing
helm repo update
. -
List the Helm charts that are currently available for the Sysdig repo.
helm search repo sysdig
-
Verify the Helm chart
sysdig/sysdig-deploy
is listed. -
Install the Workload Protection. This can be done by issuing Helm command that sets certain values (let's call this the
--set
method) or by creating a yaml Helm values file where the values are listed and then issuing a command that references that file. Either path can be used to sucessfully install the Workload Protection agent.a. To set the values when issuing the
helm
command:
helm install sysdig-agent sysdig/sysdig-deploy --namespace ibm-observe --create-namespace \
--set global.sysdig.accessKey=<SERVICE_ACCESS_KEY> \
--set agent.collectorSettings.collectorHost=<INGESTION_ENDPOINT> \
--set nodeAnalyzer.nodeAnalyzer.apiEndpoint=<API_ENDPOINT> \
--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
--set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
--set global.kspm.deploy=true \
--set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
--set global.clusterConfig.name=<CLUSTER_NAME> \
--set kspmCollector.apiEndpoint=<API_ENDPOINT>
Where:
-
CLUSTER_NAME
is the name of the cluster where you are deploying the agent. -
SERVICE_ACCESS_KEY
is the Workload Protection instance access key. -
INGESTION_ENDPOINT
is the instance's ingestion endpoint. -
API_ENDPOINT
is the intance's API endpoint.b. To install using a Helm values file, first create a file named
agent-values-monitor-secure.yaml
(or something similar). The following yaml is a template that you can use to configure the Workload Protection agent. You can customize the file by removing or commenting with#
the sections that are not required for your agent deployment.
global:
clusterConfig:
name: CLUSTER_NAME
sysdig:
accessKey: SERVICE_ACCESS_KEY
kspm:
deploy: true
agent:
image:
registry: icr.io
slim:
enabled: true
image:
repository: ext/sysdig/agent-slim
kmoduleImage:
repository: ext/sysdig/agent-kmodule
collectorSettings:
collectorHost: INGESTION_ENDPOINT
nodeAnalyzer:
secure:
vulnerabilityManagement:
newEngineOnly: true
nodeAnalyzer:
runtimeScanner:
settings:
eveEnabled: true
deploy: true
apiEndpoint: API_ENDPOINT
benchmarkRunner:
deploy: false
kspmCollector:
apiEndpoint: API_ENDPOINT
Where:
CLUSTER_NAME
is the name of the cluster where you are deploying the agent.SERVICE_ACCESS_KEY
is the Workload Protection instance access key.INGESTION_ENDPOINT
is the instance's ingestion endpoint.API_ENDPOINT
is the intance's API endpoint.
Then, run the install command referencing the created Helm values file:
helm install -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
Update an agent
To update the agent version by using Helm, complete the following steps:
-
Update the chart.
helm repo update
-
Find the values yaml file that you used to deploy the agent and modify the
agent.image.tag
with the version of the agent that you want to deploy. -
Upgrade the agent.
helm upgrade -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
Remove an agent
To delete the agent by using Helm, you must uninstall the chart.
Complete the following steps:
-
List the charts that are installed.
helm list -n ibm-observe
The output of the command lists charts as follows:
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION sysdig-agent ibm-observe 1 2023-03-24 15:02:58.408108 +0100 CET deployed sysdig-deploy-1.6.3
-
Uninstall the chart.
helm delete sysdig-agent -n ibm-observe
In terms of Helm,
sysdig-agent
is the name of the release.If you forget to include the namespace in the command, you get the following error:
Error: uninstall: Release not loaded: sysdig-agent: release: not found
.