Managing the Workload Protection agent in Red Hat OpenShift by using a Helm chart
You can use a Helm chart to install, upgrade, and delete a Workload Protection agent on a Red Hat OpenShift cluster.
Before you begin
- Install the latest release of the version 3 Helm CLI on your local machine. Helm 3.6 or later is required.
- Install the Red Hat OpenShift (oc) and Kubernetes (kubectl) CLIs.
- Check that you have access and permissions to deploy the Workload Protection agent on the cluster.
- Verify that the ibm-observe project is available in your cluster. The agent is deployed in this project. A project is a namespace in a cluster. You can run the following command to create the project:
  oc adm new-project --node-selector='' ibm-observe
Deploy an agent
Complete the following steps to deploy an agent by using Helm:
Step 1. Set up the cluster context
Complete the following steps:
- Log in to your IBM Cloud account. If you have a federated account, include the --sso option.
  ibmcloud login [-g <resource_group>] [--sso]
- Download and add the kubeconfig configuration file for your cluster to your existing kubeconfig in ~/.kube/config, or to the last file in the KUBECONFIG environment variable.
  ibmcloud oc cluster config --cluster <cluster_name_or_ID>
- In your browser, navigate to the address of your Master URL and append /console. For example, https://c0.containers.cloud.ibm.com:23652/console.
- From the Red Hat OpenShift web console menu bar, click your profile IAM#user.name@email.com > Copy Login Command. Display and copy the oc login token command into your command line to authenticate from the CLI.
- Verify that the oc commands run properly against your cluster by checking the version.
  oc version
  Example output:
  Client Version: v4.11.0
  Kubernetes Version: v1.25.8.2
If you can't perform operations that require administrator permissions, such as listing all the worker nodes or pods in a cluster, download the TLS certificates and permission files for the cluster administrator by running the following command:
ibmcloud oc cluster config --cluster <cluster_name_or_ID> --admin
Step 2. Set up the Sysdig Helm repository
Add the Workload Protection Helm repository to your Helm instance.
- Add the Helm repository.
  helm repo add sysdig https://charts.sysdig.com
  If you get the following error:
  helm repo add sysdig https://charts.sysdig.com --debug
  Error: context deadline exceeded
  helm.go:84: [debug] context deadline exceeded
  remove the stale repository lock file and retry adding the Helm repository. On macOS the lock file is:
  rm $HOME/Library/Preferences/helm/repositories.lock
  On Linux, Helm keeps its repository configuration under $HOME/.config/helm by default, so the lock file is $HOME/.config/helm/repositories.lock. Run helm env to list the paths that your Helm installation uses.
- Update the repos to retrieve the latest versions of all Helm charts.
  helm repo update
- List the Helm charts that are currently available in the Sysdig repo.
  helm search repo sysdig
- Verify that the Helm chart sysdig/sysdig-deploy is listed.
Step 3. Create the values yaml file
Define a yaml file that includes the values to deploy the Workload Protection agent and the Secure components that you plan to deploy. For example, name the file agent-values-monitor-secure.yaml.
The following yaml is a template that you can use to configure the Workload Protection agent and the Secure components. You can customize the file by removing, or commenting out with #, the sections that are not required for your agent deployment. The extraVolumes section mounts the node's root file system read-only at /host so that the host scanner can read it without being able to modify it.
agent:
  collectorSettings:
    collectorHost: INGESTION_ENDPOINT
  sysdig:
    settings:
      host_scanner:
        enabled: true
      kspm_analyzer:
        enabled: true
      sysdig_api_endpoint: API_ENDPOINT
  extraVolumes:
    volumes:
      - name: root-vol
        hostPath:
          path: /
      - name: tmp-vol
        hostPath:
          path: /tmp
    mounts:
      - mountPath: /host
        name: root-vol
        readOnly: true
      - mountPath: /host/tmp
        name: tmp-vol
global:
  imageRegistry: icr.io/ext
  clusterConfig:
    name: CLUSTER_NAME
  sysdig:
    accessKey: SERVICE_ACCESS_KEY
    apiHost: API_ENDPOINT
nodeAnalyzer:
  enabled: false
clusterShield:
  enabled: true
  cluster_shield:
    sysdig_endpoint:
      region: custom
    log_level: info
    features:
      admission_control:
        enabled: true
      container_vulnerability_management:
        enabled: true
      audit:
        enabled: true
      posture:
        enabled: true
Where:
- CLUSTER_NAME is the name of the cluster where you are deploying the agent.
- SERVICE_ACCESS_KEY is the Workload Protection instance access key. The access key is the credential that authenticates the agent to your instance, so treat the values file as sensitive and keep it out of version control.
- INGESTION_ENDPOINT is the instance's ingestion endpoint. For example, ingest.us-east.security-compliance-secure.cloud.ibm.com.
- API_ENDPOINT is the instance's API endpoint. For example, us-east.security-compliance-secure.cloud.ibm.com. The same value is used for sysdig_api_endpoint and apiHost; all three endpoint fields must refer to the same instance.
Step 4. Install the Helm chart
To deploy the agent, the Secure components, or both, you must install the sysdig/sysdig-deploy chart and pass the values yaml file that you configured in the previous step.
Run the following command to install the agent by using the Helm chart:
helm install -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
For example, for the us-east region, a sample Helm values file that uses the private endpoints looks as follows:
agent:
  collectorSettings:
    collectorHost: ingest.private.us-east.security-compliance-secure.cloud.ibm.com
  sysdig:
    settings:
      host_scanner:
        enabled: true
      kspm_analyzer:
        enabled: true
      sysdig_api_endpoint: private.us-east.security-compliance-secure.cloud.ibm.com
  extraVolumes:
    volumes:
      - name: root-vol
        hostPath:
          path: /
      - name: tmp-vol
        hostPath:
          path: /tmp
    mounts:
      - mountPath: /host
        name: root-vol
        readOnly: true
      - mountPath: /host/tmp
        name: tmp-vol
global:
  imageRegistry: icr.io/ext
  clusterConfig:
    name: my-cluster
  sysdig:
    accessKey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
    apiHost: private.us-east.security-compliance-secure.cloud.ibm.com
nodeAnalyzer:
  enabled: false
clusterShield:
  enabled: true
  cluster_shield:
    sysdig_endpoint:
      region: custom
    log_level: info
    features:
      admission_control:
        enabled: true
      container_vulnerability_management:
        enabled: true
      audit:
        enabled: true
      posture:
        enabled: true
In this example, my-cluster is the name of the cluster where the agent is deployed, the accessKey value is a placeholder for the Workload Protection instance access key, and the collectorHost, sysdig_api_endpoint and apiHost values are the private ingestion and API endpoints of the instance in the us-east region.
If you encounter the following error:
Error: INSTALLATION FAILED: OpenShift cluster unreachable: xxxxxx failed to refresh token: oauth2: cannot fetch token: 400 Bad Request
your login token has expired. Set your cluster context again as described in Step 1 and retry the installation.
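The two mistakes that most often produce an agent that installs cleanly but never reports are a template placeholder left in the values file and endpoint fields that point at different instances. The following POSIX shell script is an added pre-flight check for Step 4; it is not part of the sysdig-deploy chart or the IBM Cloud CLI. It assumes the values file layout shown above, refuses to print the install command while any of CLUSTER_NAME, SERVICE_ACCESS_KEY, INGESTION_ENDPOINT or API_ENDPOINT is still present, and checks that collectorHost equals apiHost prefixed with ingest. and that sysdig_api_endpoint equals apiHost. That relation between the ingestion and API endpoints is taken from the two examples on this page and is an assumption for other regions. The sample values the script writes are constructed from the us-east example.

```shell
#!/bin/sh
# Pre-flight check for a Workload Protection values file before "helm install".
# Added example; not part of the sysdig-deploy chart or the IBM Cloud tooling.

# Placeholders from the template in Step 3 that must be replaced before installing.
PLACEHOLDERS='CLUSTER_NAME|SERVICE_ACCESS_KEY|INGESTION_ENDPOINT|API_ENDPOINT'

# Return 0 when no template placeholder survives in the file, 1 otherwise.
check_placeholders() {
    leftover=$(grep -nE "$PLACEHOLDERS" "$1" || true)
    if [ -n "$leftover" ]; then
        printf 'unreplaced placeholders in %s:\n%s\n' "$1" "$leftover" >&2
        return 1
    fi
    return 0
}

# Print the scalar of the first "key: value" line in the file, ignoring indentation.
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1
}

# Return 0 when collectorHost, sysdig_api_endpoint and apiHost name the same
# instance. Assumption taken from the page's examples: the ingestion endpoint is
# "ingest." followed by the API endpoint, and both API endpoint fields are equal.
check_endpoints() {
    collector=$(yaml_value collectorHost "$1")
    api_setting=$(yaml_value sysdig_api_endpoint "$1")
    api_host=$(yaml_value apiHost "$1")
    [ -n "$api_host" ] || { printf 'apiHost missing in %s\n' "$1" >&2; return 1; }
    if [ "$collector" != "ingest.$api_host" ]; then
        printf 'collectorHost %s does not match ingest.%s\n' "$collector" "$api_host" >&2
        return 1
    fi
    if [ "$api_setting" != "$api_host" ]; then
        printf 'sysdig_api_endpoint %s differs from apiHost %s\n' "$api_setting" "$api_host" >&2
        return 1
    fi
    return 0
}

# Run both checks; only when they pass, print the install command from Step 4.
preflight() {
    check_placeholders "$1" && check_endpoints "$1" || return 1
    printf 'helm install -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f %s\n' "$1"
}

# Constructed sample values: the us-east private-endpoint example from this page,
# reduced to the fields the checks read. The access key is a placeholder.
write_sample_values() {
    cat > "$1" <<'EOF'
agent:
  collectorSettings:
    collectorHost: ingest.private.us-east.security-compliance-secure.cloud.ibm.com
  sysdig:
    settings:
      sysdig_api_endpoint: private.us-east.security-compliance-secure.cloud.ibm.com
global:
  clusterConfig:
    name: my-cluster
  sysdig:
    accessKey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
    apiHost: private.us-east.security-compliance-secure.cloud.ibm.com
EOF
}

# Usage: sh preflight.sh agent-values-monitor-secure.yaml
if [ -n "$1" ]; then
    preflight "$1"
fi
```

The script only reads the values file and prints the install command; run the printed command yourself once the checks pass. Because the access key is a credential, the placeholder check also protects against installing a release whose accessKey is still the literal string SERVICE_ACCESS_KEY.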
Update an agent
To update the agent version by using Helm, complete the following steps:
- Update the chart index.
  helm repo update
- Upgrade the agent.
  helm upgrade -n ibm-observe sysdig-agent sysdig/sysdig-deploy -f agent-values-monitor-secure.yaml
With these steps, you upgrade your agents to the latest available version of the chart.
Remove an agent
To delete the agent by using Helm, you must uninstall the chart.
Complete the following steps:
- List the charts that are installed.
  helm list -n ibm-observe
  The output of the command lists charts as follows:
  NAME          NAMESPACE    REVISION  UPDATED                               STATUS    CHART                APP VERSION
  sysdig-agent  ibm-observe  1         2023-03-24 15:02:58.408108 +0100 CET  deployed  sysdig-deploy-1.6.3
- Uninstall the chart.
  helm delete sysdig-agent -n ibm-observe
  In Helm terms, sysdig-agent is the name of the release. If you forget to include the namespace in the command, you get the following error:
  Error: uninstall: Release not loaded: sysdig-agent: release: not found