diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml index a334ec1e3..d8441fb73 100644 --- a/charts/agent/Chart.yaml +++ b/charts/agent/Chart.yaml @@ -30,4 +30,4 @@ sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig type: application -version: 1.17.2 +version: 1.17.3 diff --git a/charts/agent/README.md b/charts/agent/README.md index 79a1dd535..676753754 100644 --- a/charts/agent/README.md +++ b/charts/agent/README.md 
@@ -85,91 +85,87 @@ For example, to enable Prometheus metrics scraping: The following table lists the configurable parameters of the Sysdig chart and their default values. -| Parameter | Description | Default | -|---------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------| -| `global.clusterConfig.name` | Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag. | `quay.io` | -| `global.sysdig.accessKey` | Specify your Sysdig Agent Access Key. | Either `accessKey` or `accessKeySecret` is required | -| `global.sysdig.accessKeySecret` | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry. | Either `accessKey` or `accessKeySecret` is required | -| `global.sysdig.region` | The SaaS region for these agents. Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` | `"us1"` | -| `global.proxy.httpProxy` | Sets `http_proxy` on the `agent` container. | `""` | -| `global.proxy.httpsProxy` | Sets `https_proxy` on the `agent` container. | `""` | -| `global.proxy.noProxy` | Sets `no_proxy` on the `agent` container. | `""` | -| `global.gke.autopilot` | If true, overrides the agent configuration to run on GKE Autopilot clusters. | `false` | -| `global.image.pullSecrets` | Global pull secrets. | [] | -| `global.image.pullPolicy` | Global pull policy. | `IfNotPresent` | -| `namespace` | Overrides the global namespace setting and release namespace for components. | `""` | -| `image.registry` | Sysdig Agent image registry. | `quay.io` | -| `image.repository` | Sets the image repository to pull the agent image from. 
| `sysdig/agent` | -| `image.tag` | Specifies the image tag to pull from the repository. | `12.16.0` | -| `image.digest` | Specifies the image digest to pull from the repository. | ` ` | -| `image.pullPolicy` | Specifies the Image pull policy. | `IfNotPresent` | -| `image.pullSecrets` | Specifies the image pull secrets. | `nil` | -| `resourceProfile` | Specifies the Sysdig Agent resource profile. | `small` | -| `resources.requests.cpu` | Specifies the CPU requested to run in a node | ` ` | -| `resources.requests.memory` | Specifies the memory requested to run in a node. | ` ` | -| `resources.limits.cpu` | Specifies the CPU limit. | ` ` | -| `resources.limits.memory` | Specifies the memory limit. | ` ` | -| `collectorSettings.collectorHost` | Specifies the IP address or hostname of the collector. | ` ` | -| `collectorSettings.collectorPort` | Specifies the port number for the TCP connection of the collector service. | `6443` | -| `collectorSettings.ssl` | Specifies whether the collector accepts SSL. | `true` | -| `collectorSettings.sslVerifyCertificate` | Set this parameter to `false` if you don't want to verify SSL certificate. | `true` | -| `gke.autopilot` | If true, overrides the agent configuration to run on GKE Autopilot clusters. | `false` | -| `gke.autopilot.createPriorityClass` | If true, required PriorityClass will be created to ensure that the agent pods are scheduled in GKE Autopilot. The parameter uses the name provided by the `priorityClassName` parameter. | `false` | -| `gke.ephemeralStorage` | Specifies the amount of ephemeral storage to provide to the agent container in GKE Autopilot clusters. | `500Mi` | -| `rbac.create` | If true, RBAC resources will be created and used. | `true` | -| `scc.create` | Creates OpenShift's Security Context constraint. | `true` | -| `psp.create` | Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. | `true` | -| `serviceAccount.create` | Creates serviceAccount. 
| `true` | -| `serviceAccount.name` | Use this value as serviceAccountName. | ` ` | -| `createPriorityClass` | Specify whether or not to create a priority class for the agent. | `false` | -| `priorityClassName` | Sets the priority class for the agent daemonset. | `""` | -| `priorityClassValue` | Sets the priority class value for the agent daemonset. | `10` | -| `daemonset.deploy` | Deploys the agent daemonset. | `true` | -| `daemonset.env` | Specifies the environment variables for the agent container. Provide as map of `VAR: val` | `{}` | -| `daemonset.updateStrategy.type` | Specifies the updateStrategy for updating the daemonset. | `RollingUpdate` | -| `daemonset.updateStrategy.rollingUpdate.maxUnavailable` | The maximum number of pods that can be unavailable during the update process | | -| `daemonset.updateStrategy.rollingUpdate.maxSurge` | The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update | | -| `daemonset.nodeSelector` | Specifies the Node Selector. | `{}` | -| `daemonset.arch` | Specifies the allowed architectures for scheduling. | `[ amd64, arm64, s390x ]` | -| `daemonset.os` | Specifies the allowed operating systems for scheduling. | `[ linux ]` | -| `daemonset.affinity` | Specifies node affinities. Overrides `daemonset.arch` and `daemonset.os` values. | `{}` | -| `daemonset.annotations` | Specifies the custom annotations for daemonset. | `{}` | -| `daemonset.labels` | Specifies the custom labels for daemonset as a multi-line templated string map or as YAML. | | -| `daemonset.probes.initialDelay` | Specifies the initial delay for the deamonset readiness probe. | `90` | -| `daemonset.probes.periodDelay` | Specifies the period delay for the daemonset readiness probe. | `3` | -| `daemonset.kmodule.env` | Sets the environment variables for the kernel module image builder. Provide as map of `VAR: val` | `{}` | -| `slim.enabled` | Uses the slim based Sysdig Agent image. 
| `true` | -| `slim.image.repository` | Specifies the slim agent image repository. | `sysdig/agent-slim` | -| `slim.kmoduleImage.repository` | Specifies the repository to pull the kernel module image builder from. | `sysdig/agent-kmodule` | -| `slim.kmoduleImage.digest` | Specifies the image digest to pull. | ` ` | -| `slim.resources.requests.cpu` | Specifies the CPU requested for building the kernel module. | `250m` | -| `slim.resources.requests.memory` | Specifies the memory requested for building the kernel module. | `348Mi` | -| `slim.resources.limits.cpu` | Specifies the CPU limit for building the kernel module | `1000m` | -| `slim.resources.limits.memory` | Specifies the memory limit for building the kernel module. | `512Mi` | -| `ebpf.enabled` | Enables eBPF support for Sysdig instead of `sysdig-probe` kernel module. | `false` | -| `ebpf.kind` | Define which eBPF driver to use, can be `legacy_ebpf` or `universal_ebpf` | `legacy_ebpf` | -| `clusterName` | Sets a unique cluster name which is used to identify events with the `kubernetes.cluster.name` tag. Overrides `global.clusterConfig.name`. | ` ` | -| `sysdig.accessKey` | Your Sysdig Agent Access Key. Overrides `global.sysdig.accessKey` | Either `accessKey` or `existingAccessKeySecret` is required | -| `sysdig.existingAccessKeySecret` | Specifies the name of a Kubernetes secret containing an `access-key ` entry. Overrides `global.sysdig.existingAccessKeySecret` | Either `accessKey` or `existingAccessKeySecret` is required | -| `sysdig.disableCaptures` | Disables capture functionality. See https://docs.sysdig.com/en/disable-captures.html. | `false` | -| `sysdig.settings` | Provides additional settings that are given in the `dragent.yaml`file. | `{}` | -| `logPriority` | Sets both agent console and file logging priorities. Possible values are: `"info"`, `"debug"`. Mutually exclusive with `sysdig.settings.log`. 
| ` ` | -| `localForwarder.enabled` | Enable the Agent Local Forwarder | `false` | -| `localForwarder.transmitMessageTypes` | Message types to forward from the Agent to the Agent Local Forwarder | `[POLICY_EVENTS, SECURE_AUDIT]` | -| `localForwarder.integrations` | List of configurations for how and where the Agent Local Forwarder should forward messages | `[]` | -| `secure.enabled` | Enables Sysdig Secure. | `true` | -| `monitor.enabled` | Enables Sysdig Monitor. | `true` | -| `auditLog.enabled` | Enables Kubernetes audit log support for Sysdig Secure. | `false` | -| `auditLog.auditServerUrl` | Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events. | `0.0.0.0` | -| `auditLog.auditServerPort` | Specifies the port where Sysdig Agent listens for the Kubernetes audit log events. | `7765` | -| `auditLog.dynamicBackend.enabled` | Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. | `false` | -| `tolerations` | Specifies the tolerations for scheduling. |
node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule
| -| `leaderelection.enable` | Enables the agent leader election algorithm. | `false` | -| `prometheus.file` | Specifies the file to configure promscrape. | `false` | -| `prometheus.yaml` | Configures the Prometheus metric collection. Performs relabelling and filtering. | ` ` | -| `extraVolumes.volumes` | Specifies the additional volumes to mount in the sysdig agent to pass new secrets or configmaps | `[]` | -| `extraVolumes.mounts` | Specifies the mount points for additional volumes | `[]` | -| `extraSecrets` | Allows passing extra secrets that can be mounted via extraVolumes | `[]` | -| `proxy.httpProxy` | Sets `http_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` | -| `proxy.httpsProxy` | Sets `https_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` | -| `proxy.noProxy` | Sets `no_proxy` on the agent container. Overrides the proxy setting from `global.proxy`. | `""` | +| Parameter | Description | Default | +|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------| +| global.clusterConfig.name | Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag | "" | +| global.sysdig.accessKey | Specify your Sysdig Agent Access Key | "" | +| global.sysdig.accessKeySecret | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry | "" | +| global.sysdig.region | The SaaS region for these agents. 
Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` | "us1" | +| global.gke.autopilot | true here enables the deployment on gke autopilot clusters | false | +| global.gke.ephemeralStorage | Specifies the amount of ephemeral storage to provide to the agent container in GKE Autopilot clusters | "500Mi" | +| global.image.pullSecrets | Global pull secrets | [] | +| global.image.pullPolicy | Global pull policy | IfNotPresent | +| namespace | Overrides the global namespace setting and release namespace for components | "" | +| image.overrideValue | This is a hack to support RELATED_IMAGE_ feature in Helm based Operators As long as I don't want to people to use this, I will keep it undocumented | null | +| image.registry | Sysdig Agent image registry | quay.io | +| image.repository | Sets the image repository to pull the agent image from | sysdig/agent | +| image.tag | Specifies the desired image tag | 12.18.0 | +| image.pullPolicy | Specifies the Image pull policy | [] | +| image.pullSecrets | Specifies the image pull secrets | [] | +| resourceProfile | Specify a predefined resource profile. Options are `small`, `medium`, or `large`. | small | +| resources.requests.cpu | Specifies the CPU requested to run per pod | "" | +| resources.requests.memory | Specifies the memory requested to run per pod | "" | +| resources.limits.cpu | Specifies the CPU limit per pod | "" | +| resources.limits.memory | Specifies the memory limit per pod | "" | +| gke.autopilot | true here enables the deployment on gke autopilot clusters | false | +| gke.createPriorityClass | If true, required PriorityClass will be created to ensure that the agent pods are scheduled in GKE Autopilot. 
The parameter uses the name provided by the `priorityClassName` parameter | false | +| gke.ephemeralStorage | Specifies the amount of ephemeral storage to provide to the agent container in GKE Autopilot clusters | "500Mi" | +| rbac.create | true here enables creation of rbac resources | true | +| scc.create | true here enables creation of Security Context Constraints in Openshift | true | +| psp.create | true here enables creation of Pod Security Policy to allow the agent run with the required permissions | true | +| serviceAccount.create | Create and use serviceAccount resources | true | +| serviceAccount.name | Use this value as serviceAccountName | null | +| daemonset.deploy | | true | +| daemonset.updateStrategy.type | You can also customize maxUnavailable, maxSurge or minReadySeconds if you need it | RollingUpdate | +| daemonset.updateStrategy.rollingUpdate.maxSurge | The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update | "" | +| daemonset.updateStrategy.rollingUpdate.maxUnavailable | The maximum number of pods that can be unavailable during the update process | "" | +| daemonset.env | # Extra environment variables that will be pass onto deployment pods | {} | +| daemonset.nodeSelector | Specifies the desired Node Selector. | {} | +| daemonset.affinity | Specifies node affinities. Overrides daemonset.arch and daemonset.os values. | {} | +| daemonset.annotations | Allow the DaemonSet to set annotations | {} | +| daemonset.labels | Allow the DaemonSet to set labels | {} | +| daemonset.probes.initialDelay | Specifies the initial delay for the daemonset readiness probe | 90 | +| daemonset.probes.periodDelay | Specifies the period delay for the daemonset readiness probe | 3 | +| daemonset.kmodule.env | Sets the environment variables for the kernel module image builder container | {} | +| proxy.httpProxy | Sets `http_proxy` on the agent container. 
Overrides the proxy setting from `global.proxy` | null | +| proxy.httpsProxy | Sets `https_proxy` on the agent container. Overrides the proxy setting from `global.proxy` | null | +| proxy.noProxy | Sets `no_proxy` on the agent container. Overrides the proxy setting from `global.proxy` | null | +| timezone | Set daemonset timezone | null | +| createPriorityClass | Create the priorityClass defined below | false | +| priorityClassName | Set daemonset priorityClassName | null | +| priorityClassValue | Set daemonset priorityClassValue | 10 | +| ebpf.enabled | Enable eBPF support for Sysdig Agent | false | +| ebpf.kind | Define the kind of eBPF driver that will be used by the agent. Can be `legacy_ebpf` or `universal_ebpf` | legacy_ebpf | +| slim.enabled | Uses a slim version of the Sysdig Agent | true | +| slim.image.repository | Specifies the slim agent image repository | sysdig/agent-slim | +| slim.kmoduleImage.repository | Specifies the repository to pull the kernel module image builder from | sysdig/agent-kmodule | +| slim.kmoduleImage.digest | Specifies the image digest to pull | null | +| slim.resources.requests.cpu | Specifies the CPU requested for building the kernel module | 250m | +| slim.resources.requests.memory | Specifies the memory requested for building the kernel module | 348Mi | +| slim.resources.limits.cpu | Specifies the CPU limit for building the kernel module | 1000m | +| slim.resources.limits.memory | Specifies the memory limit for building the kernel module | 512Mi | +| collectorSettings.collectorHost | Specifies the IP address or hostname of the collector. 
| null | +| collectorSettings.collectorPort | Specifies the port number for the TCP connection of the collector service | null | +| collectorSettings.ssl | Specifies whether the collector accepts SSL | true | +| collectorSettings.sslVerifyCertificate | Set this parameter to `false` if you don't want to verify SSL certificate | null | +| clusterName | Setting a cluster name allows you to filter events from this cluster using kubernetes.cluster.name | "" | +| sysdig.accessKey | Required: You need your Sysdig Agent access key before running agents, either specifying 'accessKey' here, or using 'existingAccessKeySecret' | "" | +| sysdig.existingAccessKeySecret | Alternatively, specify the name of a Kubernetes secret containing an 'access-key' entry | "" | +| sysdig.disableCaptures | Disable capture functionality (see https://docs.sysdig.com/en/disable-captures.html) | false | +| sysdig.settings | Advanced settings. Any option in here will be directly translated into dragent.yaml in the Configmap | {} | +| secure.enabled | true here enables Sysdig Secure: container run-time security & forensics | true | +| monitor.enabled | true here enables Sysdig Monitor components | true | +| auditLog.enabled | true here activates the K8s Audit Log feature for Sysdig Secure | true | +| auditLog.auditServerUrl | Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events | 0.0.0.0 | +| auditLog.auditServerPort | Specifies the port where Sysdig Agent listens for the Kubernetes audit log events | 7765 | +| auditLog.dynamicBackend.enabled | true here configures an AuditSink who will receive the K8s audit logs | false | +| prometheus.file | Specifies the file to configure promscrape. | false | +| prometheus.yaml | Configures the Prometheus metric collection. 
Performs relabelling and filtering | {} | +| extraVolumes.volumes | Specifies the additional volumes to mount in the Sysdig Agent to pass new secrets or configmaps | [] | +| extraVolumes.mounts | Specifies the mount points for additional volumes | [] | +| extraSecrets | Allows passing extra secrets that can be mounted via extraVolumes | [] | +| leaderelection.enable | Enables the agent leader election algorithm | false | +| localForwarder.enabled | Enables the Agent Local Forwarder | false | +| localForwarder.integrations | List of configurations for how and where the Agent Local Forwarder should forward messages See https://docs.sysdig.com/en/docs/sysdig-secure/secure-events/event-forwarding/ | [] | +| logPriority | Allow direct setting of Agent log priority levels for console and file logs (info|debug) | null | + diff --git a/charts/agent/README.tpl b/charts/agent/README.tpl new file mode 100644 index 000000000..b1a1e2cec --- /dev/null +++ b/charts/agent/README.tpl 
@@ -0,0 +1,88 @@ +# Chart: {{ .Project.Name }} + +## Overview + +Use the [sysdig-deploy](../sysdig-deploy/README.md) parent chart to deploy the {{ .Project.Name }} and any other subcomponents. Do not deploy subcharts directly. + +To deploy the {{ .Project.Name }}, follow the installation instructions given on the Sysdig Documentation website: + +### Sysdig Monitor + +- [Installation Requirements](https://docs.sysdig.com/en/docs/installation/sysdig-monitor/install-sysdig-agent/#installation-requirements) +- [Installation Instructions](https://docs.sysdig.com/en/docs/installation/sysdig-monitor/install-sysdig-agent/kubernetes/) + +### Sysdig Secure | Sysdig Secure + Sysdig Monitor + +- [Component Overview](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/) +- [Installation Requirements](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/installation-requirements/sysdig-agent/) +- [Installation Instructions](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/) + +### On-Premises + +- [Install Sysdig Agent for a Sysdig On-Premises Deployment](https://docs.sysdig.com/en/docs/installation/on-premises/) +- [Install Sysdig Agent in an Airgapped Environment](https://docs.sysdig.com/en/docs/installation/on-premises/airgapped-installation/) + +## Verify the Integrity and Origin + +Sysdig Helm Charts are signed so you can verify the integrity and origin of each chart. To verify the chart: + +### Import the Public Key + +```console +$ curl -o "/tmp/sysdig_public.gpg" "{{ .Repository.URL }}/public.gpg" +$ gpg --import /tmp/sysdig_public.gpg +``` + +### Verify the Chart + +To check the integrity and the origin of the charts you can now append the `--verify` flag to the `install`, `upgrade`, and `pull` helm commands. 
+ +## Configuration + +You can use the Helm chart to update the default agent configurations by using either of the following: + +- Using the key-value pair: `--set sysdig.settings.key = value` +- `values.yaml` file + +### Using the Key-Value Pair + +Specify each parameter using the `--set key=value[,key=value]` argument to the `helm install`command. + +For example: + +```bash +$ helm install --namespace {{ .Release.Namespace }} {{ .Release.Name }} \ + --set {{ .Chart.ValuesExample }} \ + {{ .Repository.Name }}/{{ .Chart.Name }} +``` + +### Using values.yaml + +The `values.yaml` file specifies the values for the agent configuration parameters. You can add the configuration to the `values.yaml` file, then use it in the `helm install` command. + +For example, to enable Prometheus metrics scraping: + +1. Add the following to the `values.yaml` file: + + ```yaml + sysdig: + accessKey: + settings: + prometheus: + enabled: true + histograms: true + ``` + + **Tip**: You can use the default [values.yaml](values.yaml) file. + +2. Run the following: + + ``` + helm install --namespace {{ .Release.Namespace }} {{ .Release.Name }} -f values.yaml {{ .Repository.Name}}/{{ .Chart.Name }} + ``` + +## Configuration Parameters + +The following table lists the configurable parameters of the Sysdig chart and their default values. + +{{ .Chart.Values }} diff --git a/charts/agent/doc.yaml b/charts/agent/doc.yaml new file mode 100644 index 000000000..7cfb5414f --- /dev/null +++ b/charts/agent/doc.yaml @@ -0,0 +1,11 @@ +chart: + name: agent + valuesExample: 'sysdig.accessKey=,sysdig.settings.tags="role:webserver\,location:europe"' +project: + name: Sysdig Agent +release: + name: sysdig-agent + namespace: sysdig-agent +repository: + name: sysdig + url: https://charts.sysdig.com diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml index 99a9fd765..4a943adac 100644 --- a/charts/agent/values.yaml +++ b/charts/agent/values.yaml 
@@ -1,17 +1,27 @@ # Default values for Sysdig Monitor and Secure Helm package. global: - clusterConfig: {} + clusterConfig: + # Sets a unique name to the cluster. You can then use the cluster name to identify events using the `kubernetes.cluster.name` tag + name: "" sysdig: + # Specify your Sysdig Agent Access Key + accessKey: "" + # An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an `access-key` entry + accessKeySecret: "" + # The SaaS region for these agents. Possible values: `"us1"`, `"us2"`, `"us3"`, `"us4"`, `"eu1"`, `"au1"`, and `"custom"` region: "us1" - proxy: {} + proxy: {} # +doc-gen:ignore gke: # true here enables the deployment on gke autopilot clusters autopilot: false + # Specifies the amount of ephemeral storage to provide to the agent container in GKE Autopilot clusters ephemeralStorage: "500Mi" image: + # Global pull secrets pullSecrets: [] + # Global pull policy pullPolicy: IfNotPresent - ssl: + ssl: # +doc-gen:ignore ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. @@ -42,6 +52,7 @@ global: existingCaConfigMap: null # Provide the filename that is defined inside the existing ConfigMap existingCaConfigMapKeyName: null +# Overrides the global namespace setting and release namespace for components namespace: "" image: # This is a hack to support RELATED_IMAGE_ feature in Helm based 
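Review bot: `proxy: {} # +doc-gen:ignore` and `ssl: # +doc-gen:ignore` drop `global.proxy.*` and the CA-bundle settings (`ssl.ca`, `existingCaConfigMap`, `existingCaConfigMapKeyName`) from the generated parameter table, yet the new `proxy.*` comments in the hunk at -147 still say they override `global.proxy`, and the old README rows for `global.proxy.httpProxy`/`httpsProxy`/`noProxy` are gone without replacement. The same marker is applied to top-level `ssl`, `delegatedAgentDeployment` and `tests` in the hunks at -280, -327 and -358, so the outbound-TLS trust configuration is no longer discoverable from the README at all. Either give `global.proxy` documented keys (`httpProxy: ""`, `httpsProxy: ""`, `noProxy: ""` with one comment each) so the generator picks them up, or add a pointer such as `# Proxy and CA settings are not listed in the README table; see global.proxy and global.ssl in values.yaml`. The `# +doc-gen:ignore` marker itself is not explained anywhere in the diff; a one-line comment at the top of the file naming the generator and what the marker does would help the next editor.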
@@ -49,60 +60,37 @@ image: # # As long as I don't want to people to use this, I will keep it undocumented overrideValue: null + # Sysdig Agent image registry registry: quay.io + # Sets the image repository to pull the agent image from repository: sysdig/agent + # Specifies the desired image tag tag: 12.18.0 - # Specify a imagePullPolicy - # Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - # ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + # Specifies the Image pull policy pullPolicy: [] - # Optionally specify an array of imagePullSecrets. - # Secrets must be manually created in the namespace. - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - # - # pullSecrets: - # - name: myRegistrKeySecretName + # Specifies the image pull secrets + pullSecrets: [] # Specify a predefined resource profile. -# -# Available options are: -# * small -# Defined as: -# requests: -# cpu: 1000m -# memory: 1024Mi -# limits: -# cpu: 1000m -# memory: 1024Mi -# -# * medium -# Defined as: -# requests: -# cpu: 3000m -# memory: 3072Mi -# limits: -# cpu: 3000m -# memory: 3072Mi -# -# * large -# Defined as: -# requests: -# cpu: 5000m -# memory: 6144Mi -# limits: -# cpu: 5000m -# memory: 6144Mi +# Options are `small`, `medium`, or `large`. resourceProfile: small -# resources: -# requests: -# cpu: m -# memory: Mi -# limits: -# cpu: m -# memory: Mi +# Allows for more fine-grained resource tuning than the resourceProfile options +resources: + requests: + # Specifies the CPU requested to run per pod + cpu: "" + # Specifies the memory requested to run per pod + memory: "" + limits: + # Specifies the CPU limit per pod + cpu: "" + # Specifies the memory limit per pod + memory: "" gke: # true here enables the deployment on gke autopilot clusters autopilot: false + # If true, required PriorityClass will be created to ensure that the agent pods are scheduled in GKE Autopilot. 
The parameter uses the name provided by the `priorityClassName` parameter createPriorityClass: false + # Specifies the amount of ephemeral storage to provide to the agent container in GKE Autopilot clusters ephemeralStorage: "500Mi" rbac: # true here enables creation of rbac resources @@ -126,9 +114,14 @@ daemonset: # You can also customize maxUnavailable, maxSurge or minReadySeconds if you # need it type: RollingUpdate - rollingUpdate: {} + rollingUpdate: + # The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update + maxSurge: "" + # The maximum number of pods that can be unavailable during the update process + maxUnavailable: "" ## Extra environment variables that will be pass onto deployment pods env: {} + # Specifies the desired Node Selector. nodeSelector: {} # arch and os will be used to template out a node affinity block matching everything in each list. If affinity is # defined, these fields will be ignored @@ -136,10 +129,10 @@ daemonset: - amd64 - arm64 - s390x + # Specifies the allowed operating systems for scheduling os: - linux - # Allow the DaemonSet to schedule using affinity rules - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # Specifies node affinities. Overrides daemonset.arch and daemonset.os values. affinity: {} # Allow the DaemonSet to set annotations annotations: {} 
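Review bot: `resources` and, in the next hunk on this line, `daemonset.updateStrategy.rollingUpdate` change from an absent or empty map to a map of empty strings, which is a behaviour change for any template that tests `if .Values.resources` or pipes the map through `toYaml`: a rendered `cpu: ""` or `maxSurge: ""` is rejected by the API server as an invalid quantity. The templates are not in the diff, so confirm they filter empty values; otherwise keep the placeholders as `null` (e.g. `cpu: null`), which the generator can still document. The new comment on `pullPolicy: []` describes it as the image pull policy, but an empty list is not a pull-policy value; the comment should say what an empty value means, or the default should become a string such as `IfNotPresent` to match `global.image.pullPolicy`. The removed block giving the concrete requests/limits behind `small`/`medium`/`large` is not replaced, so the profile sizes are no longer discoverable from values.yaml.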
@@ -147,17 +140,19 @@ daemonset: labels: {} # readiness probe delays probes: + # Specifies the initial delay for the daemonset readiness probe initialDelay: 90 + # Specifies the period delay for the daemonset readiness probe periodDelay: 3 kmodule: + # Sets the environment variables for the kernel module image builder container env: {} -# If is behind a proxy you can set the proxy server -# This proxy settings apply for the App-Checks. -# If you need to configure the agent to allow it to communicate with the Sysdig collector through an HTTP proxy check: -# https://docs.sysdig.com/en/enable-http-proxy-for-agents.html proxy: + # Sets `http_proxy` on the agent container. Overrides the proxy setting from `global.proxy` httpProxy: null + # Sets `https_proxy` on the agent container. Overrides the proxy setting from `global.proxy` httpsProxy: null + # Sets `no_proxy` on the agent container. Overrides the proxy setting from `global.proxy` noProxy: null # Set daemonset timezone timezone: null 
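Review bot: The removed proxy comment carried two facts the new per-key comments lose: that these settings apply to the App-Checks, and that routing agent-to-collector traffic through an HTTP proxy is a separate procedure (the link to the enable-http-proxy documentation is dropped here and again with the `sysdig.settings` example in the hunk at -210). `Sets http_proxy on the agent container` now reads as if it covers collector traffic. Suggest restoring the scope in a block comment above `proxy:`, e.g. `# Environment-variable proxy for the agent container (App-Checks); collector traffic is configured via sysdig.settings, see https://docs.sysdig.com/en/enable-http-proxy-for-agents.html`.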
@@ -177,27 +172,38 @@ slim: enabled: true # The image repo to be used for slim Agents image: + # Specifies the slim agent image repository repository: sysdig/agent-slim # When using slim the kernel module is built in other container, which # contains the toolchain required to build the kernel module. kmoduleImage: + # Specifies the repository to pull the kernel module image builder from repository: sysdig/agent-kmodule + # Specifies the image digest to pull digest: null resources: # Resources required by the kernel module builder image. These are some # a sane defaults ones, but you can tweak or ask Sysdig Support for more # info about this requests: + # Specifies the CPU requested for building the kernel module cpu: 250m + # Specifies the memory requested for building the kernel module memory: 348Mi limits: + # Specifies the CPU limit for building the kernel module cpu: 1000m + # Specifies the memory limit for building the kernel module memory: 512Mi # For Sysdig On-Prem installations or for custom collector settings, set the following fields collectorSettings: + # Specifies the IP address or hostname of the collector. collectorHost: null + # Specifies the port number for the TCP connection of the collector service collectorPort: null - ssl: null + # Specifies whether the collector accepts SSL + ssl: true + # Set this parameter to `false` if you don't want to verify SSL certificate sslVerifyCertificate: null # Setting a cluster name allows you to filter events from this cluster using kubernetes.cluster.name clusterName: "" 
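Review bot: `ssl` under `collectorSettings` changes from `null` to `true`, which is a functional change in a patch release that is otherwise documentation-only; if the template treats `null` as "use the agent's built-in default" and only emits the key into dragent.yaml when set, every install that never set this key now gets an explicit `ssl: true` line. Either revert to `null` (the README row can still state the effective default) or call the change out in the chart changelog. The `sslVerifyCertificate: null` comment only says what `false` does; it should also say what the default does, e.g. `# Set to false to skip verification of the collector certificate (not recommended); null keeps the agent default`.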
@@ -210,14 +216,6 @@ sysdig: disableCaptures: false # Advanced settings. Any option in here will be directly translated into dragent.yaml in the Configmap settings: {} - ### Example: Agent tags - # tags: linux:ubuntu,dept:dev,local:nyc - ### Example: Proxy configuration (see https://docs.sysdig.com/en/enable-http-proxy-for-agents.html) - # ssl: false - # http_proxy: - # proxy_host: squid.yourdomain.com - # proxy_port: 3128 - # ssl: false secure: # true here enables Sysdig Secure: container run-time security & forensics enabled: true 
@@ -227,45 +225,27 @@ monitor: auditLog: # true here activates the K8s Audit Log feature for Sysdig Secure enabled: true + # Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events auditServerUrl: 0.0.0.0 + # Specifies the port where Sysdig Agent listens for the Kubernetes audit log events auditServerPort: 7765 dynamicBackend: # true here configures an AuditSink who will receive the K8s audit logs enabled: false # Promscrape prometheus.yaml not configured by default prometheus: + # Specifies the file to configure promscrape. file: false + # Configures the Prometheus metric collection. Performs relabelling and filtering yaml: {} extraVolumes: + # Specifies the additional volumes to mount in the Sysdig Agent to pass new secrets or configmaps volumes: [] + # Specifies the mount points for additional volumes mounts: [] - # Allow passing extra volumes to the agent to mount secrets or certificates - # to authenticate in different services. - # Any kind of volume can be passed. Example: - # - # extraVolumes: - # volumes: - # - name: sysdig-new-cm - # configMap: - # name: my-cm - # optional: true - # - name: sysdig-new-secret - # secret: - # secretName: my-secret - # mounts: - # - mountPath: /opt/draios/cm - # name: sysdig-new-cm - # - mountPath: /opt/draios/secret - # name: sysdig-new-secret +# Allows passing extra secrets that can be mounted via extraVolumes extraSecrets: [] -# Allow passing extra secrets that can be mounted via extraVolumes -# -# extraSecrets: -# - name: sysdig-new-secret -# data: -# sysdig-new-password-key1: bXlwYXNzd29yZA== -# sysdig-new-password-key2: bXlwYXNzd29yZA== -# Allow sysdig to run on Kubernetes 1.6 masters. +# Specifies the tolerations for scheduling tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master 
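Review bot: The removed `extraVolumes`/`extraSecrets` example was the only place the shape of those list items (a volume name plus `configMap`/`secret` source, `mountPath` plus `name`, a secret `data` map) was shown; the replacement comments `Specifies the additional volumes ...` and `Allows passing extra secrets ...` say nothing about the expected item format. Keep a short schema hint in the comment, e.g. `# List of Kubernetes volume definitions; see extraVolumes.mounts for where they are mounted`, or move the example into the README. Dropping the base64 sample passwords from the committed example is fine; only the structural part needs to survive.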
@@ -280,14 +260,20 @@ tolerations: operator: Equal value: "true" leaderelection: + # Enables the agent leader election algorithm enable: false localForwarder: + # Enables the Agent Local Forwarder enabled: false + # Message types to forward from the Agent to the Agent Local Forwarder transmitMessageTypes: - POLICY_EVENTS - SECURE_AUDIT + # List of configurations for how and where the Agent Local Forwarder should forward messages + # + # See https://docs.sysdig.com/en/docs/sysdig-secure/secure-events/event-forwarding/ integrations: [] -delegatedAgentDeployment: +delegatedAgentDeployment: # +doc-gen:ignore # Enable a specialized installation where an Agent Deployment is installed # in addition to the traditional DaemonSet. The DaemonSet Agents will not # be configured to communicate with the Kubernetes API Server, but the @@ -327,7 +313,7 @@ delegatedAgentDeployment: type: RollingUpdate # Allow direct setting of Agent log priority levels for console and file logs (info|debug) logPriority: null -ssl: +ssl: # +doc-gen:ignore ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. @@ -358,7 +344,7 @@ ssl: existingCaConfigMap: null # Provide the filename that is defined inside the existing ConfigMap existingCaConfigMapKeyName: null -tests: +tests: # +doc-gen:ignore timeout: 300s image: repo: bitnami/kubectl