Installation

Creating a Service Account for the Cloud Connector

Cloud Connector needs read access to the GCP audit logs in order to apply the rules. It only needs the roles/logging.viewer role.

This can be done using the gcloud tool:

$ gcloud iam service-accounts create cloud-connector --description "Service account used by Sysdig Cloud Connector" --display-name "cloud-connector"
$ gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:cloud-connector@PROJECT_ID.iam.gserviceaccount.com --role 'roles/logging.viewer'
$ gcloud iam service-accounts keys create $HOME/cloud-connector-key.json --iam-account cloud-connector@PROJECT_ID.iam.gserviceaccount.com

Make sure you replace the PROJECT_ID string with the ID of the GCP project you are going to secure.

Deploying with the Helm Chart

There are several options to deploy the Cloud Connector, but this guide uses a K8s-based deployment with the Helm Chart.

First, create a namespace dedicated to the cloud-connector:

$ kubectl create ns cloud-connector

Then, add the Sysdig Helm Charts repository:

$ helm repo add sysdig https://charts.sysdig.com

And finally, deploy the Cloud Connector:

$ helm install -n cloud-connector cloud-connector -f values.yaml sysdig/cloud-connector

Creating the values.yaml file

Sysdig Cloud Connector supports many different use cases, such as running on K8s or securing a GCP project or an AWS account, just by tweaking the configuration.

In this example we are going to focus on monitoring a GCP project:

sysdig:
  secureApiToken: YYY # The Sysdig Secure API Key: Will be required if you are loading the rules directly from Sysdig Secure

gcpCredentials: |-
  {
    "type": "service_account",
    "project_id": "PROJECT_ID",
    "private_key_id": "",
    "private_key": "",
    "client_email": "cloud-connector@PROJECT_ID.iam.gserviceaccount.com",
    "client_id": "",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloud-connector%40PROJECT_ID.iam.gserviceaccount.com"
  }

rules:
  - directory:
      path: /rules

ingestors:
  - auditlog:
      project: PROJECT_ID
      interval: 2m

Let’s review the parameters:

More details about the configuration are available in the YAML Configuration Reference.

The Helm Chart’s values.yaml Reference lists the other parameters you can tweak.
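
Instead of pasting the key JSON into values.yaml by hand, the file can be generated from the key created earlier. This is an added example, not part of the Sysdig chart or documentation; render_values is a hypothetical helper name, and it assumes the key file is laid out as gcloud writes it (one field per line, a single space after each colon).

```shell
#!/bin/sh
# Added example, not Sysdig code. render_values is a hypothetical helper.
# Assumes the key file is formatted as gcloud writes it (one field per line).
# usage: render_values KEY_FILE PROJECT_ID SECURE_API_TOKEN OUT_FILE
#   e.g. render_values "$HOME/cloud-connector-key.json" PROJECT_ID YYY values.yaml
render_values() {
    key=$1 project=$2 token=$3 out=$4
    sa="cloud-connector@${project}.iam.gserviceaccount.com"

    [ -r "$key" ] || { echo "cannot read key file: $key" >&2; return 1; }

    # Refuse a key that is not the cloud-connector service account of this
    # project: catches a wrong key file or a mistyped project ID early.
    grep -qF '"type": "service_account"' "$key" ||
        { echo "not a service_account key" >&2; return 1; }
    grep -qF "\"project_id\": \"${project}\"" "$key" ||
        { echo "project_id in key is not ${project}" >&2; return 1; }
    grep -qF "\"client_email\": \"${sa}\"" "$key" ||
        { echo "client_email in key is not ${sa}" >&2; return 1; }

    # values.yaml will contain a private key and an API token, so create it
    # readable by its owner only. The subshell keeps the umask change local.
    (
        umask 077
        rm -f "$out"
        {
            printf 'sysdig:\n  secureApiToken: %s\n\n' "$token"
            printf 'gcpCredentials: |-\n'
            sed 's/^/  /' "$key"    # indent the JSON under the block scalar
            printf '\nrules:\n  - directory:\n      path: /rules\n\n'
            printf 'ingestors:\n  - auditlog:\n      project: %s\n' "$project"
            printf '      interval: 2m\n'
        } > "$out"
    )
}
```

Keep both the generated values.yaml and the key file out of version control, since each contains the service account's private key.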

And in the Sysdig Secure Event Feed:

[Image: Alert on Sysdig Secure]

