Sysdig Install: OpenShift

Sysdig Monitor is the first and only monitoring, alerting, and troubleshooting solution designed from the ground up to provide unprecedented visibility into containerized infrastructures.

Sysdig Monitor comes with built-in, first-class support for monitoring OpenShift, including the underlying Kubernetes orchestration. Once installed, the Sysdig agent container will automatically begin monitoring all of your hosts, apps, containers, and services, and will also automatically connect to the Kubernetes API to pull relevant metadata about your environment.

Example YAML files

Example files for this install method are available on GitHub:

For OpenShift, add a "serviceAccount: sysdigcloud" entry to the DaemonSet YAML file.

Installation

Step 1: Configure a new OpenShift project

Note: Make sure every node has the kernel headers package installed:
Debian-like distributions:  apt-get -y install linux-headers-$(uname -r)
RHEL-like distributions:    yum -y install kernel-devel-$(uname -r)

First you'll need to create a new OpenShift project for your Sysdig Monitor deployment. We suggest "sysdigcloud", but you can name it whatever you want.

oc adm new-project sysdigcloud --node-selector=""

Now, in order to allow Sysdig Monitor to pull metrics and metadata from the Kubernetes API endpoint, you need to create a service account that has access to the `privileged` SCC in OpenShift and also has the cluster-reader role (replace sysdigcloud with your project name as needed):

oc project sysdigcloud
oc create serviceaccount sysdigcloud
oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:sysdigcloud:sysdigcloud
oc adm policy add-scc-to-user privileged system:serviceaccount:sysdigcloud:sysdigcloud

See the OpenShift documentation on Security Context Constraints for more info.

Step 2: Deploy the Sysdig agent as a Daemon Set

The recommended way to install Sysdig across your OpenShift cluster is using a Kubernetes Daemon Set. A Daemon Set will automatically place a single Sysdig agent container on each node in your cluster. Every OpenShift project on your cluster will be monitored by this Daemon Set.

Deploy your Sysdig Daemon Set into your new project using this example sysdig.yaml file. Be sure to add your Sysdig Monitor Access Key and any other customizations needed (e.g. uncommenting and setting the "TAGS" section).

You can do the deployment directly from the CLI:

oc create -f sysdigcloud_daemonset.yaml

Or from the OpenShift management console here: 

For general instructions on deploying the Sysdig agent container as a Daemon Set, see Sysdig Install: Kubernetes Daemon Set.

Running The Agent On The Master

Best practice is to configure master nodes with schedulable=false, since you do not want all pods to run on the master. However, you may still want to run the Sysdig agent pod on your master. To accomplish this, add a node label (for example, 'app=sysdig') to all nodes, including the masters:

oc label node --all "app=sysdig" --overwrite

Then add the nodeSelector section to your Sysdig daemonset:

      serviceAccount: sysdigcloud      #OPTIONAL - OpenShift service account for OpenShift
      nodeSelector:
        app: sysdig
      containers:
      - name: sysdig-agent
        image: sysdig/agent


Lastly, edit your namespace:

oc edit namespace sysdigcloud

and set the node-selector annotation:

openshift.io/node-selector: app=sysdig


At this point, your pods with `app=sysdig` (the Sysdig agents) should match all of your nodes (labelled app=sysdig) and run on every node, including the masters. No pods other than the Sysdig agents will run on the masters.
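
The node labels, the DaemonSet nodeSelector and the namespace's openshift.io/node-selector annotation have to agree, and the DaemonSet has to use the sysdigcloud service account from Step 1; a node that misses the label is a monitoring blind spot. The following is an added example, not part of the Sysdig documentation: a Python check over objects exported with oc get ... -o json that reports mismatches and the nodes no agent can land on. The function names, the sample objects and the rule that a node must satisfy both selectors are assumptions of this example.

```python
import json

def parse_selector(text):
    """Parse 'k1=v1,k2=v2' (openshift.io/node-selector format) into a dict."""
    pairs = (item.split("=", 1) for item in text.split(",") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(nodes, daemonset, namespace, expected_sa="sysdigcloud"):
    """Return (findings, uncovered): config problems and nodes no agent can land on."""
    pod = daemonset["spec"]["template"]["spec"]
    findings = []
    sa = pod.get("serviceAccountName") or pod.get("serviceAccount")
    if sa != expected_sa:
        findings.append(f"serviceAccount is {sa!r}, expected {expected_sa!r}")
    annotations = namespace["metadata"].get("annotations") or {}
    ns_sel = parse_selector(annotations.get("openshift.io/node-selector", ""))
    ds_sel = pod.get("nodeSelector") or {}
    for key in sorted(ns_sel.keys() & ds_sel.keys()):
        if ns_sel[key] != ds_sel[key]:
            findings.append(f"selector conflict on {key!r}")
    # Assumption of this example: a node must satisfy both selectors.
    required = {**ns_sel, **ds_sel}
    uncovered = [
        n["metadata"]["name"] for n in nodes["items"]
        if any((n["metadata"].get("labels") or {}).get(k) != v
               for k, v in required.items())
    ]
    return findings, uncovered

# Constructed sample objects, trimmed to the fields the audit reads. On a live
# cluster, export them with: oc get nodes|namespace sysdigcloud|daemonset <name> -o json
NODES = json.loads("""{"items": [
  {"metadata": {"name": "master-0", "labels": {"app": "sysdig"}}},
  {"metadata": {"name": "node-1",   "labels": {"app": "sysdig"}}},
  {"metadata": {"name": "node-2",   "labels": {"region": "infra"}}}
]}""")
NAMESPACE = json.loads("""{"metadata": {"name": "sysdigcloud",
  "annotations": {"openshift.io/node-selector": "app=sysdig"}}}""")
DAEMONSET = json.loads("""{"spec": {"template": {"spec": {
  "nodeSelector": {"app": "sysdig"},
  "containers": [{"name": "sysdig-agent", "image": "sysdig/agent"}]
}}}}""")

if __name__ == "__main__":
    findings, uncovered = audit(NODES, DAEMONSET, NAMESPACE)
    for line in findings:
        print("FINDING:", line)
    for name in uncovered:
        print("NO AGENT:", name)
```

With the constructed sample, the check flags the missing serviceAccount entry in the DaemonSet and reports node-2, which was never labelled app=sysdig.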

 
