March 18, 2020 By Dimitri Prosper 3 min read

Use a Terraform template to deploy a Monitoring instance with Sysdig and configure for container-based access control for metrics and dashboards.

In the “Sustainable and Scaleable Access Control with Sysdig Teams” post, the IBM Cloud Monitoring team provided a good introduction to Sysdig Teams and the value brought to disparate teams that might be sharing a Sysdig instance for their metrics and dashboards.   

This post will explore the scenario in which two separate development teams are sharing the same Monitoring instance and the same IBM Cloud Kubernetes Service, and it will demonstrate how a team can automate the process of deploying and configuring such an environment. 

Deployment scenario

Two development teams are working on a complex application that will eventually be deployed on the same Kubernetes cluster. To provide for a more elaborate example, let’s assume that each team has selected their preferred programming language—in this case, Go and Node.js. Once their applications are ready—or as they go through various iterations of it—they create a container image and publish it to a private container registry in the IBM Cloud.  

An infrastructure team is responsible for deploying the environment (i.e., Kubernetes cluster), Monitoring with Sysdig, and configuring the access levels to the metrics and dashboards. They choose to use Terraform, an Infrastructure-as-Code tool used on previous projects. All the resources and applications will be deployed in an IBM Cloud region. Identity and Access Management will be used to assign access to the Monitoring instance and restrict who can see what metrics.

Deploying and configuring the components

This repository contains all the infrastructure configuration instructions to create and configure the resources as depicted above. Here is a high-level overview of the code repository structure. Follow the instructions and use the template provided on Github:

  • The contains the instructions for setting up the Terraform provisions used for this template. 
  • The contains the instructions for creating and configuring the Monitoring with Sysdig instance. It will also create the teams and assign the filtering to limit access to metrics based on the container tags. 
  • The contains the instructions to deploy the Sysdig agent to the Kubernetes cluster. 
  • The contains the instructions to deploy the applications from the container registry to the Kubernetes cluster. 
  • The contain all of the input required by the Terraform template. Don’t modify this file, as the number of values that you need to modify is more limited. Use the config.tfvars to supply your values as described in the repository.  
  • The scripts folder contains the various shell scripts that are invoked during the run of the Terraform template. As of this writing, the Sysdig provider for Terraform does not provide resources to create teams in Sysdig Monitor, therefore the above script is used to create the Sysdig team leveraging the Sysdig REST APIs. A change is coming soon to add support for this capability in the provider and will be reflected in the repository. 

After deploying the environment, in the Monitoring instance, the Infrastructure Engineer has a complete view of all metrics from the Kubernetes cluster. 

View from the Infrastructure Engineer standpoint.

The Node.js and Go developers see the metrics that are of interest to them, respectively:

View from the Node.js Developer standpoint.

View from the Go Developer standpoint.

Getting started

To get started, try our sample code on GitHub. Instructions are provided to create and use the template. We will start with creating a Kubernetes cluster via the IBM Cloud UI or CLI and then apply the template to create the Sysdig instance and the IAM policies. We also cover how to clean up resources when you no longer need them.  

Questions and feedback 

The GitHub repository for this scenario has an Issues tab where you can comment on the content and code. If you have suggestions or issues, please submit your feedback.

Was this article helpful?

More from Cloud

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Attention new clients: exciting financial incentives for VMware Cloud Foundation on IBM Cloud

4 min read - New client specials: Get up to 50% off when you commit to a 1- or 3-year term contract on new VCF-as-a-Service offerings, plus an additional value of up to USD 200K in credits through 30 June 2025 when you migrate your VMware workloads to IBM Cloud®.1 Low starting prices: On-demand VCF-as-a-Service deployments begin under USD 200 per month.2 The IBM Cloud benefit: See the potential for a 201%3 return on investment (ROI) over 3 years with reduced downtime, cost and…

The history of the central processing unit (CPU)

10 min read - The central processing unit (CPU) is the computer’s brain. It handles the assignment and processing of tasks, in addition to functions that make a computer run. There’s no way to overstate the importance of the CPU to computing. Virtually all computer systems contain, at the least, some type of basic CPU. Regardless of whether they’re used in personal computers (PCs), laptops, tablets, smartphones or even in supercomputers whose output is so strong it must be measured in floating-point operations per…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters