Agent Deployment

Deploy the TigerGate eBPF agent for real-time runtime security monitoring and compliance evidence collection

Prerequisites

Before deploying the agent, ensure you have a TigerGate account and have obtained your agent token from the dashboard.

Kubernetes Deployment

Deploy the TigerGate agent as a DaemonSet to monitor all nodes in your cluster.

Option 1: kubectl apply

# Create namespace
kubectl create namespace tigergate
# Create secret with your token
kubectl create secret generic tigergate-token \
  --from-literal=token=YOUR_TOKEN \
  -n tigergate
# Deploy the agent
kubectl apply -f https://install.tigergate.dev/agent.yaml

Option 2: Helm Chart

# Add TigerGate Helm repository
helm repo add tigergate https://charts.tigergate.dev
# Install the agent
helm install tigergate-agent tigergate/agent \
  --set token=YOUR_TOKEN \
  --namespace tigergate \
  --create-namespace

Verify Installation

kubectl get pods -n tigergate
# Expected output: tigergate-agent-xxxxx Running on each node

Docker Deployment

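Run the TigerGate agent as a privileged container for host monitoring. The command below shares the host PID and network namespaces with the container and mounts /sys and /proc read-only.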

docker run -d \
  --name tigergate-agent \
  --privileged \
  --pid=host \
  --net=host \
  -v /sys:/sys:ro \
  -v /proc:/proc:ro \
  -e TIGERGATE_TOKEN=YOUR_TOKEN \
  -e TIGERGATE_COLLECTOR_URL=https://collector.tigergate.dev \
  tigergate/agent:latest

Docker Compose

services:
  tigergate-agent:
    image: tigergate/agent:latest
    privileged: true
    pid: host
    network_mode: host
    volumes:
      - /sys:/sys:ro
      - /proc:/proc:ro
    environment:
      - TIGERGATE_TOKEN=YOUR_TOKEN
      - TIGERGATE_COLLECTOR_URL=https://collector.tigergate.dev
    restart: unless-stopped

AWS ECS Deployment

Add the TigerGate agent as a sidecar container in your ECS task definitions.

{
  "containerDefinitions": [
    {
      "name": "tigergate-agent",
      "image": "tigergate/agent:latest",
      "essential": false,
      "privileged": true,
      "linuxParameters": {
        "capabilities": {
          "add": ["SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"]
        }
      },
      "environment": [
        {
          "name": "TIGERGATE_TOKEN",
          "value": "YOUR_TOKEN"
        },
        {
          "name": "TIGERGATE_COLLECTOR_URL",
          "value": "https://collector.tigergate.dev"
        }
      ],
      "mountPoints": [
        {
          "sourceVolume": "sys",
          "containerPath": "/sys",
          "readOnly": true
        }
      ],
      "memory": 128,
      "cpu": 64
    }
  ],
  "volumes": [
    {
      "name": "sys",
      "host": {
        "sourcePath": "/sys"
      }
    }
  ]
}

Bare Metal / VM Deployment

Install the TigerGate agent as a systemd service on Linux servers.

# Download and install the agent
curl -sSL https://install.tigergate.dev/install.sh | sudo bash
# Configure the agent
sudo tigergate-agent configure --token YOUR_TOKEN
# Start the service
sudo systemctl enable --now tigergate-agent

Manual Installation

# Download binary
wget https://releases.tigergate.dev/agent/latest/linux-amd64/tigergate-agent
# Make executable
chmod +x tigergate-agent && sudo mv tigergate-agent /usr/local/bin/
# Create systemd service
sudo tigergate-agent install --token YOUR_TOKEN

Configuration Options

| Environment Variable | Description | Default |
| --- | --- | --- |
| TIGERGATE_TOKEN | Agent authentication token (required) | - |
| TIGERGATE_COLLECTOR_URL | Telemetry collector endpoint | https://collector.tigergate.dev |
| TIGERGATE_MODE | Enforcement mode: audit or enforce | audit |
| TIGERGATE_LOG_LEVEL | Log verbosity: debug, info, warn, error | info |
| TIGERGATE_POLICY_SYNC_INTERVAL | Policy sync interval in seconds | 30 |
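
A pre-flight check for the settings in the table above, as an added example that is not part of the TigerGate documentation or tooling. `check_agent_env` is a hypothetical helper; the allowed values and defaults are taken from the table, and the https-only rule for the collector URL is this example's own assumption.

```shell
#!/bin/sh
# Added example: validate TIGERGATE_* settings before handing them to the agent.
# Allowed values and defaults come from the Configuration Options table; how the
# agent itself treats invalid values is not documented on the page.
# Usage (in the deploy script or CI job): check_agent_env || exit 1

# check_agent_env (hypothetical helper): reads the TIGERGATE_* variables from the
# current shell, prints one line per problem to stderr, returns the problem count.
check_agent_env() {
    problems=0
    fail() { echo "config error: $1" >&2; problems=$((problems + 1)); }

    # The token is required, and the docs' placeholder must not be deployed.
    case "${TIGERGATE_TOKEN:-}" in
        "")         fail "TIGERGATE_TOKEN is required" ;;
        YOUR_TOKEN) fail "TIGERGATE_TOKEN is still the YOUR_TOKEN placeholder" ;;
    esac

    # Assumption of this example: telemetry should only leave the host over TLS.
    url="${TIGERGATE_COLLECTOR_URL:-https://collector.tigergate.dev}"
    case "$url" in
        https://?*) ;;
        *) fail "TIGERGATE_COLLECTOR_URL must be an https:// URL, got '$url'" ;;
    esac

    # A typo here should stop the rollout rather than reach the agent.
    case "${TIGERGATE_MODE:-audit}" in
        audit|enforce) ;;
        *) fail "TIGERGATE_MODE must be audit or enforce" ;;
    esac

    case "${TIGERGATE_LOG_LEVEL:-info}" in
        debug|info|warn|error) ;;
        *) fail "TIGERGATE_LOG_LEVEL must be debug, info, warn or error" ;;
    esac

    # Interval is in seconds: digits only, and greater than zero.
    interval="${TIGERGATE_POLICY_SYNC_INTERVAL:-30}"
    case "$interval" in
        ""|*[!0-9]*) fail "TIGERGATE_POLICY_SYNC_INTERVAL must be a whole number of seconds" ;;
        *) [ "$interval" -gt 0 ] || fail "TIGERGATE_POLICY_SYNC_INTERVAL must be greater than 0" ;;
    esac

    return "$problems"
}
```

Run it in the shell or CI job that sets the variables, before `docker run` or `helm install`.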
