Difficulty: medium
Estimated Time: 30 minutes

A Sysdig Secure Runtime Policy is a combination of rules about activities an enterprise wants to detect in an environment, the actions that should be taken if the policy rule is breached, and, potentially, the notifications or other actions that should be invoked.

Policies are made up of one or more 'rules'. Tight Falco integration with policy rules allows you to define custom trigger conditions or append to an existing list.

A list of rules is provided out of the box, and these can be imported in for use in your policies. You can scope the security policy using container, cloud and Kubernetes metadata, and all can be classified using tags and labels.

Conclusions and takeaways

During this lab we have seen how Sysdig Monitor provides deep visibility into your containerized infrastructure and out of the box allows to:

  • Explore the containerized infrastructure and a microservices application.
  • Monitor a web services application using key metrics and monitoring approaches:
    • Golden signals and application metrics monitoring
    • USE resource and container limits monitoring
    • Kubernetes orchestration and kube-state-metrics monitoring
  • Identify performance bottlenecks in the application, in this case a CPU bottleneck
  • Confirm that scaling the application can handle the required load

Sysdig Secure Policy Editor and Library

Step 1 of 10

Enable default policies

Before we start we need a system to work on linked to your Sysdig account. We have set up a Kubernetes cluster just for you.

On the right you can see the terminal of the master node, from which you can interact with the cluster using the kubectl tool, which is already configured.

For instance, you can get the details of the cluster by executing
kubectl cluster-info

You can view the nodes in the cluster with the command
kubectl get nodes

You should see 2 nodes: one master and a worker.

Check that you are admin:
kubectl auth can-i create node

In order to follow this course, you will need a Sysdig Secure account, with Administrator access privileges.

If you do not have a Sysdig Account, then you can sign up for a 30 day trial here https://sysdig.com/training-trial-signup/. You will receive an email with a link guiding you through the setup process.

The first time you log into an account you will be greeted by the initial setup wizard. This will walk you through installing your first agents.


Click 'Next' and select the ‘Kubernetes | GKE | OpenShift’ method button.


If you have an existing account, then log in to the web UI, go to your profile Settings, and in the Agent Installation tab you will find your Access Key (something like 5ca1ab1e-d3ad-beef-dea1-deba7ab1ed0c). Keep it handy, as you will need it to authorize the agent against the backend.

Agent key

Note: There is a similar formatted token called 'Sysdig Secure API Token' on the 'User Profile' page which may cause confusion. Be sure to use the correct token in the 'Agent Installation' tab.