Use a Terraform template to deploy a Monitoring instance with Sysdig and configure for container-based access control for metrics and dashboards.
In the “Sustainable and Scaleable Access Control with Sysdig Teams” post, the IBM Cloud Monitoring team provided a good introduction to Sysdig Teams and the value brought to disparate teams that might be sharing a Sysdig instance for their metrics and dashboards.
This post will explore the scenario in which two separate development teams are sharing the same Monitoring instance and the same IBM Cloud Kubernetes Service, and it will demonstrate how a team can automate the process of deploying and configuring such an environment.
Deployment scenario
Two development teams are working on a complex application that will eventually be deployed on the same Kubernetes cluster. To provide for a more elaborate example, let’s assume that each team has selected their preferred programming language—in this case, Go and Node.js. Once their applications are ready—or as they go through various iterations of it—they create a container image and publish it to a private container registry in the IBM Cloud.
An infrastructure team is responsible for deploying the environment (i.e., Kubernetes cluster), Monitoring with Sysdig, and configuring the access levels to the metrics and dashboards. They choose to use Terraform, an Infrastructure-as-Code tool used on previous projects. All the resources and applications will be deployed in an IBM Cloud region. Identity and Access Management will be used to assign access to the Monitoring instance and restrict who can see what metrics.
Deploying and configuring the components
This repository contains all the infrastructure configuration instructions to create and configure the resources as depicted above. Here is a high-level overview of the code repository structure. Follow the instructions and use the template provided on Github:
The main.tf contains the instructions for setting up the Terraform provisions used for this template.
The instance_config.tf contains the instructions for creating and configuring the Monitoring with Sysdig instance. It will also create the teams and assign the filtering to limit access to metrics based on the container tags.
The agent_install.tf contains the instructions to deploy the Sysdig agent to the Kubernetes cluster.
The app_install.tf contains the instructions to deploy the applications from the container registry to the Kubernetes cluster.
The variables.tf contain all of the input required by the Terraform template. Don’t modify this file, as the number of values that you need to modify is more limited. Use the config.tfvars to supply your values as described in the repository.
The scripts folder contains the various shell scripts that are invoked during the run of the Terraform template. As of this writing, the Sysdig provider for Terraform does not provide resources to create teams in Sysdig Monitor, therefore the above script is used to create the Sysdig team leveraging the Sysdig REST APIs. A change is coming soon to add support for this capability in the provider and will be reflected in the repository.
After deploying the environment, in the Monitoring instance, the Infrastructure Engineer has a complete view of all metrics from the Kubernetes cluster.
View from the Infrastructure Engineer standpoint.
The Node.js and Go developers see the metrics that are of interest to them, respectively:
View from the Node.js Developer standpoint.
View from the Go Developer standpoint.
Getting started
To get started, try our sample code on GitHub. Instructions are provided to create and use the template. We will start with creating a Kubernetes cluster via the IBM Cloud UI or CLI and then apply the template to create the Sysdig instance and the IAM policies. We also cover how to clean up resources when you no longer need them.
Questions and feedback
The GitHub repository for this scenario has an Issues tab where you can comment on the content and code. If you have suggestions or issues, please submit your feedback.