Sysdig on AWS Outpost
This repository contains instructions and tests for compatibility of Sysdig Monitor and Sysdig Secure on AWS Outpost infraestructure.
The Sysdig Secure DevOps Platform converges security and compliance with performance and capacity monitoring to create a secure DevOps workflow.
Find more information at Sysdig official website.
About AWS Outpost
AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts offers you the same AWS hardware infrastructure, services, APIs, and tools to build and run your applications on premises and in the cloud for a truly consistent hybrid experience. AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.
Find more information at AWS Outpost official website.
Essential use cases
- Image scanning
- Runtime security
- Kubernetes and container monitoring
- Application and cloud service monitoring
Advanced use cases
- Advanced troubleshooting
- Machine learning-based anomaly detection
- Threat prevention
- Incident response and forensics
- Extended compliance controls
In summary, AWS Outpost performs exactly as AWS Cloud when you deploy Sysdig.
- Elastic Kubernetes Service (EKS.5 / Kubernetes 1.14)
- Elastic Cloud Compute (EC2)
- Elastic Container Service (ECS)
See more details about prerequisites at the official documentation.
Follow these steps for installing the Sysdig Agent using the “Vanilla Kubernetes” variant, and setting up Kubernetes audit log with CloudWatch:
Visit Technical Support section on Sysdig website for assistance using Sysdig on AWS Outpost.
Diagram for an EKS installation of Sysdig using SaaS platform:
- A daemonset installs Sysdig Agent on each node of the cluster
- Kubernetes audit log events are ingested from CloudWatch
- One of the Sysdig Agents relies information to the Sysdig platform (showed as SaaS in this diagram)
For Agent: By installing as a daemonset, Kubernetes ensures that all nodes run a copy of the Sysdig agent. If a node fails, workloads will be started by Kubernetes on alternate node(s), along w/ the Sysdig agent. Similarly, as nodes are added to the cluster, the Sysdig agent will be automatically added to them. In this way, Kubernetes manages the availability and resiliency of the Sysdig agent along w/ the container workloads.
For SaaS backend: The Sysdig SaaS platform provides built-in high-availability, leveraging a distributed systems approach for redundancy of the backend components and taking advantage of cloud availability zones to ensure reliable platform access without requiring users to build or manage their own HA solution.
Note: The Sysdig + Outposts validation does not include installation of a customer self-hosted backend. It is agent only (see diagram above).
Read the official Sysdig documentation for general information about Sysdig installation and usage. You can also visit this Sysdig blog post about Amazon EKS monitoring and security with Sysdig.