What’s new in Sysdig - February 2022

Welcome to the second iteration of What’s New in Sysdig in 2022! Before starting, once again, we wish you a happy Spring Festival, Seol-Nal, Tet Nguyen Dan, Tsagaan Sar, and Lailat al Miraj.

As our “What’s new in Sysdig” blog team grows, it has fallen to me, Mike Scholl, for the month of February! I am a Technical Account Engineer based in Bellingham, WA and a member of the Sysdig US West team since November, 2021. My technology passions include containerization, cloud architecture, and DevOps practices. On a more personal level, I’m an avid outdoors enthusiast – if my location didn’t already give that away – who loves to hike, ski, snowboard, and most importantly mountain bike. Escaping to the mountains and forests is what I like to call “my happy place.”

Now, the real reason you’re here: to talk about the new and exciting things happening here at Sysdig. This month, we at Sysdig are proud to announce a partnership with Snyk. Snyk empowers the world’s developers to build secure applications and equip security teams to meet the demands of the digital world. With this partnership, Sysdig and Snyk bring together the industry-leading container runtime and developer security tools for the first integration that bridges developer, DevOps, and SecOps silos. For more information on our partnership, please see our Announcement.

In addition to our partnership with Snyk, we have lots of new features to cover. In Sysdig Secure, we have released a new Enhanced Unified Filter for Event Feeds which improves the filtering and search experience for Sysdig security events. In Sysdig Monitor, we’ve added new KSM metrics that enable better troubleshooting capabilities for pods, as well as the addition of PVC and kubelet Metrics so you can better monitor your PV/PVC’s in your Kubernetes environments.

Keep reading to find more details on these and other new features, as well as updates about our blogs, webinars, and tradeshows.

As always, please check out our own Release Notes for more details on product updates, and reach out to your local Sysdig champion if you have questions about anything covered here.

Sysdig Platform

Improved Usability with New Navigation

We are happy to announce a new version of the Sysdig UI for both the Monitor and Secure platforms. With new features such as new hoverable sub-menus, a collapsable main menu, and a revamped user menu, our UX team has worked hard to ensure your navigation experience in the platform is seamless and more user friendly. For additional information, please visit our Release notes for Secure and Monitor or watch a Video Walkthrough of our new UI.

Sysdig Monitor

Monitor those PVCs!

With Sysdig agent v12.2.0 or above installed, Sysdig Monitor can now monitor your Kubernetes PV/PVC’s objects. With this, we have a pre-made dashboard called PVC and Storage and a set of ready-to-use alert templates.

PVC and Storage dashboard in Sysdig monitor

This dashboard will give you a great starting point to view metrics associated with your PV/PVC’s and help correlate events and alerts associated with your Clusters and Workloads.

For more details, please reach out to your Sysdig Account team to enable PV/PVC Metrics gathering.

New Metrics from KSM!

With the latest agent release of 12.2.1, we now provide the following new troubleshooting metrics:

kube_workload_pods_status_phase
kube_workload_pods_status_reason
kube_pod_status_unschedulable
kube_pod_container_status_waiting
kube_pod_container_status_waiting_reason
kube_pod_container_status_terminated
kube_pod_container_status_terminated_reason
kube_pod_container_status_last_terminated_reason
kube_pod_container_status_ready
kube_pod_container_status_restarts_total
kube_pod_container_status_running

These metrics give more insight into Pods that enter error or a crashing status, such as CrashLoopBackOff, OOMKilled, DeadlineExceed, etc. This update also included an update to our Alerting Library to provide additional alerts to accommodate these new metrics.

We’ve also added new panels to the out-of-the-box Kubernetes Workload Status & Performance dashboard that provide context around unexpected containers that enter waiting or terminated states.

Overlay of a crashloop backoff event in a Sysdig Monitor dashboard

For more detailed information, please feel free to reach out to your Sysdig Account team or our Alerts Library.

Sysdig Secure

Welcome Unified Filtering!

The Sysdig Secure Event Feed is getting a new unified filtering experience, available now for SaaS accounts.

There are two filter options available in Sysdig Secure (SaaS): Original and Improved. Both UIs allow you to structure a filter expression in various ways. You can use Scope, Severity, Type, Attributes, and Time Span, as well free-text Search, to filter by event name or label value. You can toggle between the two interfaces at will.

Toggle to enable improved filtering in Sysdig Secure events

Easily toggle from the original to the cleaner, enhanced version, where you will find:

Unified scopes, free text, and any other filterable/searchable attributes on a single lean bar:
- Autocomplete on keys and values.
- Autocomplete/suggest operands.
- One-click quick filtering directly from the list of displayed elements.
Saved filters in various formats– no more retyping common filter expressions:
- Favorite filters, stored per user and feature.
- Default filters, per user and feature.
- Recent filters, per user and feature.

Improved filters in Sysdig Secure events

For more details, please refer to the improved filter bar documentation page.

Falco Rules

“The Gyrfalcon” is here! Gyrfalcons are the largest of the falcon species, just like how this version of Falco has the biggest changelog ever released. Falco 0.31.0 is the latest and greatest version.

Some highlights below:

New Plugins System & AWS Cloudtrail Plugin.
Plugin SDK for Go & C++.
Syscall filtering at kernel level.
Major stability and optimization enhancements.
New syscalls, rules, and more runtime CVE coverage!

There’s so much more, and you can find all the details in the release blog post, official changelog, and Sysdig documentation.

Sysdig Agents

The latest Sysdig Agent release is v12.2.1. Below is a diff of updates since v12.2.0, which we covered in our last update.

Management for collection of metadata from individual container engines.
Policy Action “Kill” is now correctly triggered for GKE Environments.
Agents now assign correct usernames for container events.

Please refer to our v12.2.1 Release Notes for further details.

SDK, CLI and Tools

Sysdig CLI

v0.7.14 is still the latest release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

v0.16.3 is still the latest release, which we covered in our October update.

https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3

Terraform Provider

The Terraform Provider has been updated and the latest version is v0.5.32.

Changelog

Added data sources for PagerDuty and email notification channels.
Added the ability to set dashboard sharing options.
Fixed/updated docs for Fargate.

Documentation

Falco VS Code Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

Sysdig Cloud Connector has been updated to v0.16.0 from v0.14.2 since last month.

New Features

Expose azure.user field in event scope so that insights can categorize the events.
Adapt CIEM code to pipelined event processing.
Track usage on the backend instead of client side.
Upgrade to the latest Azure SDK.
cloud-scanner gets all images from an EKS cluster.
cloud-scanner gets all images from lambda functions.
cloud-scanner integrates the new image scanner.

Refactor

Admission Controller codebase is merged to lower maintenance costs.

Small Changes

Upgraded to Ginkgo v2.
Added instructions to write Cloud Rules.

Check the full list of changes to get all the details.

Inline Scanner

v2.4.8 is still the latest release, which was covered in our January edition.

Image Analyzer

v0.1.15 is still the latest release, which was covered in our January edition.

Bug Fixes

Updated to the latest security fixes.
Fixed support for COPY, USER, and other instructions when the image is built using buildkit.

Sysdig Secure Inline Scan for Github Actions

v3.2.0 is still the latest release, which we covered in our November edition.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

v2.1.12 is still the latest release.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Integrations

Integration: Kubernetes API Server
Add certificate expiration metrics to Kubernetes control plane jobs
Add kube_ labels to kubelet and PVC metrics in relabeling
Metric not showing because of space the relabeling filter of the job in Kube-scheduler
Add sysdig_omit filter to Prometheus default job in agent, to support annotations to exclude pods
Add support for recommended field in alert templates groups
Add support and values for blog post to the integrations config file
Removed unnecessary joins in alert templates for nodes

Dashboards

Add banner to pod rightsizing dashboard to upgrade to 2.2.0
Add recommended field to all Kubernetes and infra related alert groups
“[Kubernetes] Workload Replicas Missmatch” changed to use “kube_workload_status_ready” metric
Typo in the alert name in Kubernetes group: Missmatching > mismatching
Filter by job instead of by container name in queries in dashboard of kube-scheduler
Fix Limit panel with request metric in Pod Rightsizing dashboard
Change banner text in Kubernetes PVC dashboard
Remove legacy metric from dashboard Pod Status and Performance
Panel in Horizontal pod autoscaler is called “New Panel”

What’s new in Sysdig – February 2022