diff --git a/README.md b/README.md index 15bcc09..71a1617 100644 --- a/README.md +++ b/README.md @@ -4,15 +4,9 @@ A collection of projects supporting GCP integration ## Contents * Falcon Integration Gateway -- Security Command Center (SCC) Backend - * [Deployment Guide to GKE (using marketplace)](https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/docs/listings/gke/UserGuide.md), [Market place listing](https://console.cloud.google.com/marketplace/product/crowdstrike-saas/falcon-integration-gateway-scc) + * [Deployment Guide to GKE (using marketplace)](https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/docs/listings/gke/UserGuide.md), [Marketplace listing](https://console.cloud.google.com/marketplace/product/crowdstrike-saas/falcon-integration-gateway-scc) * [Deployment Guide to GKE (manual)](https://github.com/CrowdStrike/falcon-integration-gateway/tree/main/docs/gke) * [Developer Instructions](https://github.com/CrowdStrike/falcon-integration-gateway/tree/main/fig/backends/gcp) - * Falcon Integration Gateway -- Chronicle Backend - * [Developer Instructions](https://github.com/CrowdStrike/falcon-integration-gateway/tree/main/fig/backends/chronicle) - * [Deployment Guide to GKE (using marketplace)](https://github.com/CrowdStrike/falcon-integration-gateway/blob/main/docs/listings/gke-chronicle/UserGuide.md), [Market place listing](https://console.cloud.google.com/marketplace/product/crowdstrike-saas/falcon-integration-gateway-chronicle) - * [Deployment Guide to Kubernetes (manual)](https://github.com/CrowdStrike/falcon-integration-gateway/tree/main/docs/chronicle) - * Container Security - * [Falcon Container Security Documents](container) * VM Sensor Deployment * [Google VM Manager (OS Policy)](https://github.com/CrowdStrike/gcp-vm-manager-os-policy) * Cloud Storage Security diff --git a/container/README.md b/container/README.md deleted file mode 100644 index da6f891..0000000 --- a/container/README.md +++ /dev/null 
@@ -1,18 +0,0 @@ -# CrowdStrike Container Security - -[![CrowdStrike Container Security](./assets/youtube.png)](http://www.youtube.com/watch?v=4F1MtmgIvus "CrowdStrike Container Security") - -## Runtime Protection -To protect container and Kubernetes workloads choose between the following approaches. Either install traditional Falcon Container Sensor for Linux on each node of your cluster, or set-up Falcon Container Sensor to be deployed as a sidecar to each of your pods. - -Note: In Kubernetes clusters where kernel module loading is supported by the worker node OS, we recommend using Falcon sensor for Linux to secure both worker nodes and containers with a single sensor. - - * CrowdStrike Falcon Container Sensor - * [Implementation Guide for GKE](gke-implementation-guide.md) - * [Terraform for demoing Container Sensor in GKE](falcon-container-terraform) - -## Additional Resources - - CrowdStrike Container Security: [Product Page](https://www.crowdstrike.com/products/cloud-security/falcon-cloud-workload-protection/container-security/) - - So You Think Your Containers Are Secure? Four Steps to Ensure a Secure Container Deployment: [Blog Post](https://www.crowdstrike.com/blog/four-steps-to-ensure-a-secure-containter-deployment/) - - Container Security With CrowdStrike: [Blog Post](https://www.crowdstrike.com/blog/tech-center/container-security/) - - To learn more about Falcon Container Sensor for Linux: [Deployment Guide](https://falcon.crowdstrike.com/support/documentation/146/falcon-container-sensor-for-linux), [Release Notes](https://falcon.crowdstrike.com/support/news/release-notes-falcon-container-sensor-for-linux) diff --git a/container/assets/youtube.png b/container/assets/youtube.png deleted file mode 100644 index da13ac5..0000000 Binary files a/container/assets/youtube.png and /dev/null differ diff --git a/container/falcon-container-terraform/.gitignore b/container/falcon-container-terraform/.gitignore deleted file mode 100644 index 7a3e2fd..0000000 
--- a/container/falcon-container-terraform/.gitignore +++ /dev/null @@ -1,29 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log - -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* diff --git a/container/falcon-container-terraform/.terraform.lock.hcl b/container/falcon-container-terraform/.terraform.lock.hcl deleted file mode 100755 index eef8240..0000000 --- a/container/falcon-container-terraform/.terraform.lock.hcl +++ /dev/null 
@@ -1,37 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "3.52.0" - constraints = "3.52.0" - hashes = [ - "h1:+r2711CMnrdJgVLo9e034qPaVJmmEqYdt2JBycP6uaU=", - "zh:3eb1d20994faed4c5087502d42b72f8d3d41591dbf7cd7b9e692d8d142a88890", - "zh:60443b4ddb3cbeba4adf357512917751a11d7058d4d1bb0244364126a44693c0", - "zh:81dc9796db1418c934c4e16ff9f8dbe263d18fecd15bd2a5a79d2cb9a599694f", - "zh:8c06d94c67ed9014ed083972577e567fdb59547c6f813f49decdc3d4948aa4f3", - "zh:8fd3f6127ba3749527eed2316bac478ab4ef40566e570c4532970cd79f1b9a64", - "zh:8ff736289397d1b8181c00ef84c6a40440ab7dd95638152dc6b58f02f1c80384", - "zh:ce1127a8b9f037d5f980070fdaa0d3976333687216194b922b2e747b9eee2cab", - "zh:cea4c432c9257575d72ebee2228da9cdf4831358ff844772ce3454d60a19dc7a", - "zh:f2407ae95bcc30660930b2f317d2aa251af7961ed7562f817b34b5c25223c2e3", - "zh:f3603917de36faa1e45358605c80db722bb920f8b91a7425a6358b6406740397", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} 
diff --git a/container/falcon-container-terraform/README.md b/container/falcon-container-terraform/README.md deleted file mode 100644 index f20aab9..0000000 --- a/container/falcon-container-terraform/README.md +++ /dev/null 
@@ -1,70 +0,0 @@ -# Terraform to demo Falcon Container Runtime Protection - -[![Open in Cloud Shell](https://img.shields.io/badge/Google%20Cloud%20Shell-Clone-5391FE?style=for-the-badge&logo=gnu-bash&logoColor=white)](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/crowdstrike/cloud-gcp&shellonly=true) - -This terraform demo - * creates single GKE cluster - * creates single GCP instance for managing the cluster - * enables container registry (GCR) - * enables secrets manager - * stores falcon credentials in GCP secrets manager - * downloads Falcon Container sensor - * pushes Falcon Container sensor to GCR - * deploys Falcon Container sensor to the cluster - * deploys vulnerable.example.com application - -User then may - * Show that container workload (vulnerable.example.com) appears in Falcon Console (under Hosts, or Containers Dashboard) - * Visit vulnerable.example.com application and exploit it through the web interface - * Show detections in Falcon Console - -### Prerequsites - - Get access to GCP - - Have Containers enabled in Falcon console (CWP subscription) - -### Usage - - - Open your GCP cloud shell: https://shell.cloud.google.com/?hl=en_US&fromcloudshell=true&show=terminal - - Verify that your active GCP project in uppper left corner is correct - - Verify that your identity in upper right corner is correct) - - Paste the following to your cloud shell -``` -bash -c 'source <(curl -s https://raw.githubusercontent.com/crowdstrike/cloud-gcp/main/container/falcon-container-terraform/run)' -``` - -### Tear Down - -``` -cd ~/falcon-container-terraform; terraform destroy -``` - -### Developer guide - - - Spin up the demo - ``` - terraform init - terraform apply - ``` - - - Get access to the admin VM that manages the GKE - ``` - terraform output admin_access - ``` - or directly - ``` - $(terraform output admin_access | tr -d '"') - ``` - - - Get access to the vulnerable.example.command - ``` - terraform output 
vulnerable-example-com - ``` - - - Tear down the demo - ``` - terraform destroy - ``` - -### Known limitations - - - This is early version. Please report or even fix issues. diff --git a/container/falcon-container-terraform/gcr.tf b/container/falcon-container-terraform/gcr.tf deleted file mode 100644 index 4f1a5a4..0000000 --- a/container/falcon-container-terraform/gcr.tf +++ /dev/null @@ -1,3 +0,0 @@ -resource "google_container_registry" "registry" { - project = var.project_id -} diff --git a/container/falcon-container-terraform/gke-admin-vm.sh.tpl b/container/falcon-container-terraform/gke-admin-vm.sh.tpl deleted file mode 100644 index 70ae3ea..0000000 --- a/container/falcon-container-terraform/gke-admin-vm.sh.tpl +++ /dev/null 
@@ -1,159 +0,0 @@ -#!/bin/bash - -export HOME=/root - -main(){ - set -x - install_deps - - fetch_falcon_secrets_from_gcp - download_falcon_sensor - push_falcon_sensor_to_gcr - - deploy_falcon_container_sensor - deploy_vulnerable_app - set +x - wait_for_vulnerable_app -} - -deploy_falcon_container_sensor(){ - injector_file="/yaml/injector.yaml" - docker run --rm --entrypoint installer "$FALCON_IMAGE_URI" -cid "$CID" -image "$FALCON_IMAGE_URI" > "$injector_file" - - configure_gke_access - kubectl apply -f "$injector_file" - - kubectl wait --for=condition=ready pod -n falcon-system -l app=injector -} - -wait_for_vulnerable_app(){ - echo "Waiting for GKE load balancer to assign public IP to vulnerable.example.com" - while [ -z "$(get_vulnerable_app_ip)" ]; do - sleep 5 - done; -} - -get_vulnerable_app_ip(){ - kubectl get service vulnerable-example-com -o yaml -o=jsonpath="{.status.loadBalancer.ingress[*].ip}" -} - -deploy_vulnerable_app(){ - kubectl apply -f /yaml/vulnerable.example.yaml -} - -export CLOUDSDK_CORE_DISABLE_PROMPTS=1 -export DEBIAN_FRONTEND=noninteractive - -configure_gke_access(){ - while ! gcloud container clusters get-credentials "${CLUSTER_NAME}" --zone "${GCP_ZONE}"; do - sleep 7 - done -} - -push_falcon_sensor_to_gcr(){ - FALCON_IMAGE_URI="gcr.io/${GCP_PROJECT}/falcon-sensor:latest" - docker tag "falcon-sensor:$local_tag" "$FALCON_IMAGE_URI" - while ! 
docker push "$FALCON_IMAGE_URI"; do - sleep 10 - gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io - done -} - -download_falcon_sensor(){ - tmpdir=$(mktemp -d) - pushd "$tmpdir" > /dev/null - falcon_sensor_download --os-name=Container - local_tag=$(cat ./falcon-sensor-* | docker load -q | grep 'Loaded image: falcon-sensor:' | sed 's/^.*Loaded image: falcon-sensor://g') - popd > /dev/null - rm -rf "$tmpdir" -} - -fetch_falcon_secrets_from_gcp(){ - set +x - FALCON_CLIENT_ID=$(gcloud secrets versions access latest --secret="${tenant}-FALCON_CLIENT_ID") - FALCON_CLIENT_SECRET=$(gcloud secrets versions access latest --secret="${tenant}-FALCON_CLIENT_SECRET") - FALCON_CLOUD=$(gcloud secrets versions access latest --secret="${tenant}-FALCON_CLOUD") - CID=$(gcloud secrets versions access latest --secret="${tenant}-FALCON_CID") - export FALCON_CLIENT_ID - export FALCON_CLIENT_SECRET - export FALCON_CLOUD - export CID - set -x -} - -install_deps(){ - snap install docker - snap install kubectl --classic - - gofalcon_version=0.2.2 - pkg=gofalcon-$gofalcon_version-1.x86_64.deb - wget -q -O $pkg https://github.com/CrowdStrike/gofalcon/releases/download/v$gofalcon_version/$pkg - apt install ./$pkg > /dev/null - - mkdir -p /yaml - wget -q -O /yaml/vulnerable.example.yaml https://raw.githubusercontent.com/crowdstrike/vulnapp/main/vulnerable.example.yaml -} - -progname=$(basename "$0") - -die(){ - echo "$progname: fatal error: $*" - exit 1 -} - -err_handler() { - echo "Error on line $1" -} - -trap 'err_handler $LINENO' ERR - - -MOTD=/etc/motd -LIVE_LOG=$MOTD.log - -( - echo "--------------------------------------------------------------------------------------------" - echo "Welcome to the admin instance for your gke demo cluster. 
Installation log follows" - echo "--------------------------------------------------------------------------------------------" -) > $LIVE_LOG -echo 'ps aux | grep -v grep | grep -q google_metadata_script_runner.startup && tail -n 1000 -f '$LIVE_LOG >> /etc/bash.bashrc -: > $MOTD - -set -e -o pipefail - -main "$@" >> $LIVE_LOG 2>&1 - -detection_uri(){ - aid=$( - kubectl exec deploy/vulnerable.example.com -c falcon-container -- \ - falconctl -g --aid | awk -F '"' '{print $2}') - echo "https://falcon.crowdstrike.com/activity/detections/?filter=device_id:%27$aid%27&groupBy=none" -} - -( - echo "--------------------------------------------------------------------------------------------" - echo "Demo initialisation completed" - echo "--------------------------------------------------------------------------------------------" - echo "vulnerable.example.com is available at http://$(get_vulnerable_app_ip)/" - echo "detections will appear at $(detection_uri)" - echo "--------------------------------------------------------------------------------------------" - echo "Useful commands:" - echo " # to get all running pods on the cluster" - echo " sudo kubectl get pods --all-namespaces" - echo " # to get Falcon agent/host ID of vulnerable.example.com" - echo " sudo kubectl exec deploy/vulnerable.example.com -c crowdstrike-falcon-container -- falconctl -g --aid" - echo " # to view Falcon injector logs" - echo " sudo kubectl logs -n falcon-system deploy/injector" - echo " # to uninstall the vulnerable.example.com" - echo " sudo kubectl delete -f /yaml/vulnerable.example.yaml" - echo " # to uninstall the falcon container protection" - echo " sudo kubectl delete -f /yaml/injector.yaml" - echo "--------------------------------------------------------------------------------------------" -) >> $LIVE_LOG - -mv $LIVE_LOG $MOTD - -for pid in $(ps aux | grep tail.-n.1000.-f./etc/motd | awk '{print $2}'); do - kill "$pid" -done - 
diff --git a/container/falcon-container-terraform/gke-admin-vm.tf b/container/falcon-container-terraform/gke-admin-vm.tf deleted file mode 100644 index 7b97fa5..0000000 --- a/container/falcon-container-terraform/gke-admin-vm.tf +++ /dev/null @@ -1,54 +0,0 @@ -resource "google_compute_instance" "vm_instance" { - name = "${var.tenant}-demo-admin-vm" - machine_type = "f1-micro" - zone = var.zone - - boot_disk { - initialize_params { - image = "ubuntu-os-cloud/ubuntu-2004-lts" - } - } - - network_interface { - # A default network is created for all GCP projects - network = "default" - access_config {} - } - - metadata_startup_script = data.template_file.gke-admin-vm.rendered - - service_account { - # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. - email = google_service_account.gke-admin-vm.email - scopes = ["cloud-platform"] - } -} - -resource "google_service_account" "gke-admin-vm" { - account_id = "${var.tenant}-demo-admin-vm" - display_name = "Service Account for GKE Admin VM" -} - -resource "google_project_iam_binding" "gke-admin-vm-admins-clusters" { - role = "roles/container.admin" - members = [ - "serviceAccount:${google_service_account.gke-admin-vm.email}" - ] -} - -resource "google_project_iam_binding" "gke-admin-vm-pushes-images" { - role = "roles/storage.admin" - members = [ - "serviceAccount:${google_service_account.gke-admin-vm.email}" - ] -} - -data "template_file" "gke-admin-vm" { - template = file("gke-admin-vm.sh.tpl") - vars = { - GCP_PROJECT = var.project_id - GCP_ZONE = var.zone - CLUSTER_NAME = "${var.tenant}-demo" - tenant = var.tenant - } -} diff --git a/container/falcon-container-terraform/gke.tf b/container/falcon-container-terraform/gke.tf deleted file mode 100644 index 8b8ac7b..0000000 --- a/container/falcon-container-terraform/gke.tf +++ /dev/null 
@@ -1,10 +0,0 @@ -# GKE cluster -resource "google_container_cluster" "primary" { - name = "${var.tenant}-demo" - location = var.zone - - initial_node_count = 1 - - network = google_compute_network.vpc.name - subnetwork = google_compute_subnetwork.subnet.name -} diff --git a/container/falcon-container-terraform/main.tf b/container/falcon-container-terraform/main.tf deleted file mode 100644 index 5c2fb3c..0000000 --- a/container/falcon-container-terraform/main.tf +++ /dev/null @@ -1,33 +0,0 @@ -variable "project_id" { - description = "GCP Project ID (project needs to exist already) (Alternatively, set env variable TF_VAR_project_id)" -} - -variable "region" { - description = "region" -} - -variable "zone" { - description = "zone" -} - -variable "tenant" { - description = "Please provide your nickname. The nickname will be used to name resources created by this demo. So the resource names don't clash with your co-workers." -} - -provider "google" { - project = var.project_id - region = var.region -} - -resource "google_project_service" "container" { - project = var.project_id - service = "container.googleapis.com" - disable_on_destroy = false -} - -resource "google_project_service" "containerregistry" { - project = var.project_id - service = "containerregistry.googleapis.com" - disable_on_destroy = false -} - diff --git a/container/falcon-container-terraform/outputs.tf b/container/falcon-container-terraform/outputs.tf deleted file mode 100644 index 9d99e09..0000000 --- a/container/falcon-container-terraform/outputs.tf +++ /dev/null 
@@ -1,13 +0,0 @@ -output "admin_access" { - value = "gcloud beta compute ssh --zone ${var.zone} ${google_compute_instance.vm_instance.name} --project ${var.project_id}" - description = "Get access to the vm that manages the cluster" -} - -output "admin_access_web" { - value = "https://console.cloud.google.com/compute/instancesDetail/zones/${var.zone}/instances/${google_compute_instance.vm_instance.name}?project=${var.project_id}" -} - -output "vulnerable-example-com" { - value = "https://console.cloud.google.com/kubernetes/deployment/${var.zone}/${google_container_cluster.primary.name}/default/vulnerable.example.com/overview?project=${var.project_id}" - description = "Link to vulnerable.example.com deployment. May take a few moments to come up" -} diff --git a/container/falcon-container-terraform/run b/container/falcon-container-terraform/run deleted file mode 100755 index 05bd878..0000000 --- a/container/falcon-container-terraform/run +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/bash - -# ------- -# How to use this: -# 1) Open your GCP cloud shell: https://shell.cloud.google.com/?hl=en_US&fromcloudshell=true&show=terminal -# 2) Verify that your active GCP project in uppper left corner is correct -# 3) Verify that your identity in upper right corner is correct) -# 4) Paste the following to your cloud shell -# -# bash -c 'source <(curl -s https://raw.githubusercontent.com/crowdstrike/cloud-gcp/main/falcon-container-terraform/run)' -# -# - -# Workaround https://github.com/hashicorp/terraform-provider-google/issues/6782 - sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 > /dev/null - export APIS="googleapis.com www.googleapis.com storage.googleapis.com iam.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com" - for name in $APIS - do - ipv4=$(getent ahostsv4 "$name" | head -n 1 | awk '{ print $1 }') - grep -q "$name" /etc/hosts || ([ -n "$ipv4" ] && sudo sh -c "echo '$ipv4 $name' >> /etc/hosts") - done -# Workaround end - - -set -e -o pipefail - -if [ -z "$(gcloud config get-value project 2> /dev/null)" ]; then - project_ids=$(gcloud projects list --format json | jq -r '.[].projectId') - project_count=$(wc -w <<< "$project_ids") - if [ "$project_count" == "1" ]; then - gcloud config set project "$project_ids" - else - gcloud projects list - echo "Multiple pre-existing GCP projects found. 
Please select project using the following command before re-trying" - echo " gcloud config set project VALUE" - exit 1 - fi -fi -export TF_VAR_project_id=$(gcloud config get-value project 2> /dev/null) -gcloud services enable containerregistry.googleapis.com - - -[ -d ~/cloud-gcp ] || (cd "$HOME" && git clone --depth 1 https://github.com/crowdstrike/cloud-gcp) -[ -d ~/falcon-container-terraform ] || (ln -s $HOME/cloud-gcp/container/falcon-container-terraform $HOME/falcon-container-terraform) -cd ~/falcon-container-terraform -terraform init - - -terraform apply - -cat <<__END__ - - _ _ - (_) | Your kubernetes cluster, -__ ____ _ _| |_ Your admin vm, -\ \ /\ / / _\` | | __| Your Falcon Container Sensor, - \ V V / (_| | | |_ and Your vulnerable application, - \_/\_/ \__,_|_|\__| are all comming up. - - -__END__ -sleep 10 - -ssh_key=$HOME/.ssh/container_lab_ssh_key -if ! [ -f "$ssh_key" ]; then - ssh-keygen -t rsa -b 1024 -N '' -f "$ssh_key" - gcloud compute config-ssh --ssh-key-file="$ssh_key" -fi -$(terraform output admin_access | tr -d '"') - -echo "--------------------------------------------------" -echo "To destroy the demo environment please run" -echo "cd ~/falcon-container-terraform; terraform destroy" diff --git a/container/falcon-container-terraform/secrets.tf b/container/falcon-container-terraform/secrets.tf deleted file mode 100644 index 0c68fcf..0000000 --- a/container/falcon-container-terraform/secrets.tf +++ /dev/null 
@@ -1,112 +0,0 @@ -variable "falcon_client_id" { - description = "CrowdStrike Falcon / OAuth2 API / Client ID (needs only permissions to download falcon container sensor) (Alternatively, set env variable TF_VAR_falcon_client_id)" - sensitive = true -} - -variable "falcon_client_secret" { - description = "CrowdStrike Falcon / OAuth2 API / Client Secret (needs only permissions to download falcon container sensor) (Alternatively, set env variable TF_VAR_falcon_client_secret)" - sensitive = true -} - -variable "falcon_cloud" { - description = "Falcon cloud region abbreviation (us-1, us-2, eu-1, us-gov-1) (Alternatively, set env variable TF_VAR_falcon_cloud)" - validation { - condition = (var.falcon_cloud == "us-1" || var.falcon_cloud == "us-2" || var.falcon_cloud == "eu-1" || var.falcon_cloud == "us-gov-1") - error_message = "Variable falcon_cloud must be set to one of: us-1, us-2, eu-1, us-gov-1." - } -} - -variable "falcon_cid" { - description = "CrowdStrike Falcon CID (full cid string) (Alternatively, set env variable TF_VAR_falcon_cid)" - sensitive = true -} - - -resource "google_project_service" "secretmanager" { - provider = google - service = "secretmanager.googleapis.com" - disable_on_destroy = false -} - -resource "google_secret_manager_secret" "FALCON_CLIENT_ID" { - secret_id = "${var.tenant}-FALCON_CLIENT_ID" - - replication { - automatic = true - } - - depends_on = [google_project_service.secretmanager] -} - -resource "google_secret_manager_secret" "FALCON_CLIENT_SECRET" { - secret_id = "${var.tenant}-FALCON_CLIENT_SECRET" - - replication { - automatic = true - } - - depends_on = [google_project_service.secretmanager] -} - -resource "google_secret_manager_secret" "FALCON_CLOUD" { - secret_id = "${var.tenant}-FALCON_CLOUD" - - replication { - automatic = true - } - - depends_on = [google_project_service.secretmanager] -} - -resource "google_secret_manager_secret" "FALCON_CID" { - secret_id = "${var.tenant}-FALCON_CID" - - replication { - automatic = true - } 
- - depends_on = [google_project_service.secretmanager] -} - -resource "google_secret_manager_secret_version" "FALCON_CLIENT_ID" { - secret = google_secret_manager_secret.FALCON_CLIENT_ID.id - secret_data = var.falcon_client_id -} - -resource "google_secret_manager_secret_version" "FALCON_CLIENT_SECRET" { - secret = google_secret_manager_secret.FALCON_CLIENT_SECRET.id - secret_data = var.falcon_client_secret -} - -resource "google_secret_manager_secret_version" "FALCON_CLOUD" { - secret = google_secret_manager_secret.FALCON_CLOUD.id - secret_data = var.falcon_cloud -} -resource "google_secret_manager_secret_version" "FALCON_CID" { - secret = google_secret_manager_secret.FALCON_CID.id - secret_data = var.falcon_cid -} - -resource "google_secret_manager_secret_iam_member" "gke-admin-reads-falcon-client-id" { - secret_id = google_secret_manager_secret.FALCON_CLIENT_ID.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${google_service_account.gke-admin-vm.email}" -} - -resource "google_secret_manager_secret_iam_member" "gke-admin-reads-falcon-client-secret" { - secret_id = google_secret_manager_secret.FALCON_CLIENT_SECRET.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${google_service_account.gke-admin-vm.email}" -} - -resource "google_secret_manager_secret_iam_member" "gke-admin-reads-falcon-cloud" { - secret_id = google_secret_manager_secret.FALCON_CLOUD.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${google_service_account.gke-admin-vm.email}" -} - -resource "google_secret_manager_secret_iam_member" "gke-admin-reads-falcon-cid" { - secret_id = google_secret_manager_secret.FALCON_CID.id - role = "roles/secretmanager.secretAccessor" - member = "serviceAccount:${google_service_account.gke-admin-vm.email}" -} diff --git a/container/falcon-container-terraform/terraform.tfvars b/container/falcon-container-terraform/terraform.tfvars deleted file mode 100644 index 2615912..0000000 
--- a/container/falcon-container-terraform/terraform.tfvars +++ /dev/null @@ -1,18 +0,0 @@ -# PLEASE change the following variables - -# project_id = - - -# Do not store secrets here Use environment variables instead -# Example: export TF_VAR_falcon_client_id="ASDF123" - -# falcon_client_id = "" -# falcon_client_secret = "" -# falcon_client_secret = "" -# falcon_cid = "" - - - -# Some sane defaults, no need to edit these -region = "us-central1" -zone = "us-central1-c" diff --git a/container/falcon-container-terraform/versions.tf b/container/falcon-container-terraform/versions.tf deleted file mode 100644 index c88d464..0000000 --- a/container/falcon-container-terraform/versions.tf +++ /dev/null @@ -1,11 +0,0 @@ -terraform { - required_providers { - google = { - source = "hashicorp/google" - version = "3.52.0" - } - } - - required_version = "~> 1.0" -} - diff --git a/container/falcon-container-terraform/vpc.tf b/container/falcon-container-terraform/vpc.tf deleted file mode 100644 index 834926f..0000000 --- a/container/falcon-container-terraform/vpc.tf +++ /dev/null @@ -1,13 +0,0 @@ -# VPC -resource "google_compute_network" "vpc" { - name = "${var.tenant}-demo-vpc" - auto_create_subnetworks = "false" -} - -# Subnet -resource "google_compute_subnetwork" "subnet" { - name = "${var.tenant}-demo-subnet" - region = var.region - network = google_compute_network.vpc.name - ip_cidr_range = "10.10.0.0/24" -} diff --git a/container/gke-implementation-guide.md b/container/gke-implementation-guide.md deleted file mode 100644 index 0878862..0000000 --- a/container/gke-implementation-guide.md +++ /dev/null 
@@ -1,351 +0,0 @@ -# Implementation Guide for CrowdStrike Falcon Container Sensor in Google Kubernetes Engine (GKE) - -This guide works through creation of new GKE cluster, deployment of Falcon Container Sensor, and demonstration of detection capabilities of Falcon Container Workload Protection. - -Time needed to follow this guide: 45 minutes. - -## Alternatives - -This guide describes manual deployment method. There are two other alternative methods of installation available - - - installation using [Falcon Operator](https://github.com/CrowdStrike/falcon-operator/) - Falcon Operator allows you to deploy the sensor only using two commands: one to deploy the operator, second one to deploy the sensor. If your organisation has already adopted concept of kubernetes operators OR if you are just trying to install on a throw away cluster, we recommend going this route. Mainly for its ease. - - installation using [Falcon Helm](https://github.com/CrowdStrike/falcon-helm) - If you organization has adopted concept of the helm packaging system on kubernetes, you may find it easier to use falcon-helm chart to deploy the sensor. - -## Overview - -### About Google Kubernetes Engine (GKE) - -Google Kubernetes Engine ([GKE](https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview)) provides a managed environment for deploying, managing, and scaling your containerized applications using Google infrastructure. The GKE environment consists of multiple machines (specifically, [Compute](https://cloud.google.com/compute) Engine instances) grouped together to form a [cluster](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture). - -GKE clusters are powered by the [Kubernetes](https://kubernetes.io/) open source cluster management system. Kubernetes provides the mechanisms through which you interact with your cluster. 
You use Kubernetes commands and resources to deploy and manage your applications, perform administration tasks, set policies, and monitor the health of your deployed workloads. - -With the operations boundaries clearly drawn at the Kubernetes interface, there is no ability to install software on the worker nodes running the cluster. Therefore, traditional Falcon Kernel sensor cannot be supported and Falcon Container Sensor should be used instead. - -### About Falcon Container Sensor - -The Falcon Container sensor for Linux extends runtime security to container workloads in Kubernetes clusters that don’t allow you to deploy the kernel-based Falcon sensor for Linux. The Falcon Container sensor runs as an unprivileged container in user space with no code running in the kernel of the worker node OS. This allows it to secure Kubernetes pods in clusters where it isn’t possible to deploy the kernel-based Falcon sensor for Linux on the worker node, as with GKE where organizations don’t have access to the kernel and where privileged containers are disallowed. The Falcon Container sensor can also secure container workloads on clusters where worker node security is managed separately. - -> **Falcon Container Sensor for GKE is available as a technology preview.** - -> **Note: In Kubernetes clusters where kernel module loading is supported by the worker node OS, we recommend using Falcon sensor for Linux to secure both worker nodes and containers with a single sensor.** - -## CrowdStrike Falcon Credentials - -You will need to provide CrowdStrike API Keys and CrowdStrike cloud region during the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, krequired permissions are: - - - Falcon Images Download: Read - - Sensor Download: Read - - -## Pre-requisites - -Various command-line utilities are required for this demo. 
The utilities can either be installed locally or through ready-made tooling container. We recommend the use of the container. - -### Option 1: Use tooling container (recommended) - - - Install [docker](https://www.docker.com/products/docker-desktop) container runtime - - Enter the [tooling container](https://github.com/CrowdStrike/cloud-tools-image) - ``` - docker run --privileged=true -it --rm \ - -e FALCON_CLIENT_ID="$FALCON_CLIENT_ID" \ - -e FALCON_CLIENT_SECRET="$FALCON_CLIENT_SECRET" \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v ~/.config/gcloud:/root/.config/gcloud \ - quay.io/crowdstrike/cloud-tools-image - ``` - The above command creates new container runtime that contains tools needed by this guide. All the - following commands should be run inside this container. If you have previously used gcloud CLI tool, - you may already have GCloud Credentials stored on your system in `~/.config/gcloud` directory. If that is the case, - it is preferential to start the container with `-v ~/.config/gcloud:/root/.config/gcloud:ro` option. This option should be - omitted if you don't want to share your Gcloud credentials with the container. You can review your - credentials with `gcloud auth list` command. - - Example output - ``` - $ gcloud auth list - Credentialed Accounts - ACTIVE ACCOUNT - * john.doe@example.io - ``` - -### Option 2: Install command-line tools locally - -1) Install [docker](https://www.docker.com/products/docker-desktop) container runtime -2) Install [kubectl](https://cloud.google.com/kubernetes-engine/docs/quickstart#local-shell) -3) Install [gcloud](https://cloud.google.com/sdk/docs/quickstart) - - -## Deployment Configuration Steps - -### Step 1: Log-in to Google cloud using gcloud - - - Unless you have previously used `gcloud` command line tool, you will have to work through interactive log-in session. - ``` - $ gcloud init --console-only - Welcome! This command will take you through the configuration of gcloud. 
- - Your current configuration has been set to: [default] - - You can skip diagnostics next time by using the following flag: - gcloud init --skip-diagnostics - - Network diagnostic detects and fixes local network connection issues. - Checking network connection...done. - Reachability Check passed. - Network diagnostic passed (1/1 checks passed). - - You must log in to continue. Would you like to log in (Y/n)? y - - - ----8<---------------- - - - Your project default Compute Engine zone has been set to [us-east1-b]. - You can change it by running [gcloud config set compute/zone NAME]. - - Your project default Compute Engine region has been set to [us-east1]. - You can change it by running [gcloud config set compute/region NAME]. - - Created a default .boto configuration file at [/root/.boto]. See this file and - [https://cloud.google.com/storage/docs/gsutil/commands/config] for more - information about configuring Google Cloud Storage. - Your Google Cloud SDK is configured and ready to use! - - * Commands that require authentication will use john-doe@example.io by default - * Commands will reference project `example-integration-lab` by default - * Compute Engine commands will use region `us-east1` by default - * Compute Engine commands will use zone `us-east1-b` by default - - Run `gcloud help config` to learn how to change individual settings - - This gcloud configuration is called [default]. You can create additional configurations if you work with multiple accounts and/or projects. - Run `gcloud topic configurations` to learn more. - - Some things to try next: - - * Run `gcloud --help` to see the Cloud Platform services you can interact with. And run `gcloud help COMMAND` to get help on any gcloud command. - * Run `gcloud topic --help` to learn about advanced features of the SDK like arg files and output formatting - ``` - -### Step 2: Create GKE Cluster - - - Create new GKE cluster. It may take couple minutes before cluster is fully up and functioning. 
- ``` - $ gcloud container clusters create gke-cluster - WARNING: Starting with version 1.18, clusters will have shielded GKE nodes by default. - WARNING: Your Pod address range (`--cluster-ipv4-cidr`) can accommodate at most 1008 node(s). - WARNING: Starting with version 1.19, newly created clusters and node-pools will have COS_CONTAINERD as the default node image when no image type is specified. - Creating cluster gke-cluster in us-east1-b... Cluster is being health-checked (master is healthy)...done. - Created [https://container.googleapis.com/v1/projects/example-integration-lab/zones/us-east1-b/clusters/gke-cluster]. - To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-east1-b/gke-cluster?project=example-integration-lab - kubeconfig entry generated for gke-cluster. - NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS - gke-cluster us-east1-b 1.17.14-gke.1600 12.345.15.12 e2-medium 1.17.14-gke.1600 3 RUNNING - ``` - - - (optional) Verify that your local kubectl utility has been configured to connect to the cluster. - ``` - $ kubectl cluster-info - Kubernetes control plane is running at https://12.345.15.12 - GLBCDefaultBackend is running at https://12.345.15.12/api/v1/namespaces/kube-system/services/default-http-backend:http/proxy - KubeDNS is running at https://12.345.15.12/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy - Metrics-server is running at https://12.345.15.12/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy - - To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. - - ``` - kubectl is command line tool that lets you control Kubernetes clusters. For configuration, kubectl looks for a file named config in the `$HOME/.kube` directory. This config was created previously by `gcloud container clusters create` command and contains login information for your newly created cluster. 
- -### Step 3: Create Container Repository - - - Verify you have permissions to push to the container registry - ``` - $ PROJECT=$(gcloud config get-value project) - $ PROJECT_NUMBER=$(gcloud projects list --filter="$PROJECT" --format="value(PROJECT_NUMBER)") - $ gcloud projects get-iam-policy $PROJECT \ - --flatten="bindings[].members" \ - --format='table(bindings.role)' \ - --filter="bindings.members:service-${PROJECT_NUMBER}@containerregistry.iam.gserviceaccount.com" - ROLE - roles/containerregistry.ServiceAgent - ``` - - - Configure your local docker to use `gcloud` to authenticate with Google Container Registry - ``` - $ gcloud auth configure-docker - Adding credentials for all GCR repositories. - WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using. - After update, the following will be written to your Docker config file - located at [/root/.docker/config.json]: - { - "credHelpers": { - "gcr.io": "gcloud", - "marketplace.gcr.io": "gcloud", - "eu.gcr.io": "gcloud", - "us.gcr.io": "gcloud", - "staging-k8s.gcr.io": "gcloud", - "asia.gcr.io": "gcloud" - } - } - - Do you want to continue (Y/n)? y - - Docker configuration file updated. - ``` - -### Step 4: Push the falcon sensor image to the Repository - - - Save desired image location to environment variable. The variable will be used in the sections that follow. - ``` - FALCON_IMAGE_URI="gcr.io/$PROJECT/falcon-sensor" - ``` - - - Push Falcon Container image to your newly created repository - ``` - falcon-container-sensor-push $FALCON_IMAGE_URI - ``` - -### Step 5: Install The Admission Controller - -Admission Controller is Kubernetes service that intercepts requests to the Kubernetes API server. Falcon Container Sensor hooks to this service and injects Falcon Container Sensor to any new pod deployment on the cluster. 
In this step we will configure and deploy the admission hook and the admission application. - - - Provide CrowdStrike Falcon Customer ID as environment variable. This CID will be later used to register newly deployed pods to CrowdStrike Falcon platform. - ``` - $ CID=1234567890ABCDEFG1234567890ABCDEF-12 - ``` - - - Install the admission controller - ``` - $ docker run --rm --entrypoint installer $FALCON_IMAGE_URI \ - -cid $CID -image $FALCON_IMAGE_URI \ - | kubectl apply -f - - namespace/falcon-system created - configmap/injector-config created - secret/injector-tls created - deployment.apps/injector created - service/injector created - mutatingwebhookconfiguration.admissionregistration.k8s.io/injector.falcon-system.svc created - ``` - - (optional) Watch the progress of a deployment - ``` - $ watch 'kubectl get pods -n falcon-system' - NAME READY STATUS RESTARTS AGE - injector-6499dbd4b5-v5gqr 1/1 Running 0 2d3h - ``` - - (optional) Run the installer without any command-line arguments to get sense of configuration options are available for the deployment. - ``` - $ docker run --rm --entrypoint installer $FALCON_IMAGE_URI - usage: - installer -cid [other arguments] - -cid string - Customer id to use - -days int - Validity of certificate in days. (default 3650) - -falconctl-env value - FALCONCTL options in key=value format. - -image string - Image URI to load (default "crowdstrike/falcon") - -mount-docker-socket - A boolean flag to mount docker socket of worker node with sensor. 
- -namespaces string - Comma separated namespaces with which image pull secret need to be created, applicable only with -pullsecret (default "default") - -pullpolicy string - Pull policy to be defined for sensor image pulls (default "IfNotPresent") - -pullsecret string - Secret name that is used to pull image (default "crowdstrike-falcon-pull-secret") - -pulltoken string - Secret token, stringified dockerconfig json or base64 encoded dockerconfig json, that is used with pulling image - -sensor-resources string - A valid json string or base64 encoded string of the same, which is used as k8s resources specification. - ``` - Full explanation of various configuration options and deployment scenarios is available through [Falcon Console](https://falcon.crowdstrike.com/support/documentation/146/falcon-container-sensor-for-linux#additional-installation-options). - -### Step 6: Spin-up a detection pod - - - Instruct Kubernetes cluster to start a detection application - ``` - $ kubectl apply -f ~/demo-yamls/detection-single.yaml - deployment.apps/detection-single created - ``` - - (optional) See the logs of the admission installer to ensure it is responding to the detection app start-up - ``` - $ kubectl logs -n falcon-system injector-6499dbd4b5-v5gqr - injector server starting ... - 2021/02/03 16:05:51 Handling webhook request with id 0d20df1d-8737-4bf0-bea6-fd03b48b2516 in namespace default ... - 2021/02/03 16:05:51 Webhook request with id 0d20df1d-8737-4bf0-bea6-fd03b48b2516 in namespace default handled successfully! - ``` - - (optional) Watch the deployment progress of the detection app - ``` - $ watch 'kubectl get pods' - NAME READY STATUS RESTARTS AGE - detection-single-767cd557b-267zg 2/2 Running 0 2m26s - ``` - - (optional) Ensure that the newly created pod was allocated an Agent ID (AID) from CrowdStrike Falcon platform - ``` - $ kubectl exec detection-single-767cd557b-267zg -c falcon-container -- falconctl -g --aid - aid="abcdef1234567890abcdef1234567890". 
- ``` - -## Uninstall Steps - - - Step 1: Uninstall the detection app - ``` - $ kubectl delete -f ~/demo-yamls/detection-single.yaml - deployment.apps "detection-single" deleted - ``` - - - Step 2: Uninstall the admission Controller - ``` - $ docker run --rm --entrypoint installer $FALCON_IMAGE_URI \ - -cid $CID -image $FALCON_IMAGE_URI \ - | kubectl delete -f - - namespace "falcon-system" deleted - configmap "injector-config" deleted - secret "injector-tls" deleted - deployment.apps "injector" deleted - service "injector" deleted - mutatingwebhookconfiguration.admissionregistration.k8s.io "injector.falcon-system.svc" deleted - ``` - - Step 3: Delete the falcon image from Google Cloud registry - ``` - $ gcloud container images delete $FALCON_IMAGE_URI - WARNING: Implicit ":latest" tag specified: gcr.io/example-integration-lab/falcon-sensor - Digests: - - gcr.io/example-integration-lab/falcon-sensor@sha256:84846fe8ca4eba69649445b73dd9c77032ac2ee39167881ca491d2f4534d4021 - Associated tags: - - latest - Tags: - - gcr.io/example-integration-lab/falcon-sensor:latest - This operation will delete the tags and images identified by the - digests above. - - Do you want to continue (Y/n)? y - - Deleted [gcr.io/example-integration-lab/falcon-sensor:latest]. - Deleted [gcr.io/example-integration-lab/falcon-sensor@sha256:84846fe8ca4eba69649445b73dd9c77032ac2ee39167881ca491d2f4534d4021]. 
- ``` - - - Step 4: Delete the GKE Cluster - ``` - $ gcloud container clusters delete gke-cluster - ``` - - -# Additional Resources - - To get started with Google Kubernetes Enter (GKE): [Documentation](https://cloud.google.com/kubernetes-engine) - - To get started with gcloud command-line tool: [Overview](https://cloud.google.com/sdk/gcloud) - - To learn more about Kubernetes: [Community Homepage](https://kubernetes.io/) - - To get started with `kubectl` command-line utility: [Overview of kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) - - To understand role of Kubernetes Admission Controller: [Reference Documentation](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) - - -## CrowdStrike Resources - - To learn more about CrowdStrike: [CrowdStrike website](http://crowdstrike.com/) - - To learn more about CrowdStrike Container Security product: [CrowdStrike Container Security Website](https://www.crowdstrike.com/products/cloud-security/falcon-cloud-workload-protection/container-security/), [CrowdStrike Container Security Data Sheet](https://www.crowdstrike.com/resources/data-sheets/container-security/) - - To learn more about Falcon Container Sensor for Linux: [Deployment Guide](https://falcon.crowdstrike.com/support/documentation/146/falcon-container-sensor-for-linux), [Release Notes](https://falcon.crowdstrike.com/support/news/release-notes-falcon-container-sensor-for-linux) - - -## CrowdStrike Contact Information - - For questions around product sales: [sales@crowdstrike.com](sales@crowdstrike.com) - - For questions around support: [support@crowdstrike.com](support@crowdstrike.com) - - For additional information and contact details: [https://www.crowdstrike.com/contact-us/](https://www.crowdstrike.com/contact-us/) diff --git a/container/pull-secret-override.md b/container/pull-secret-override.md deleted file mode 100644 index 7567608..0000000 --- a/container/pull-secret-override.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Method to override GCR pull secret for injector - -Populate $GCP_PROJECT_ID variable - -``` - GCP_PROJECT_ID=$(gcloud config get-value core/project) -``` - -Create new GCP service account - -``` - if ! gcloud iam service-accounts describe falcon-container-injector@$GCP_PROJECT_ID.iam.gserviceaccount.com > /dev/null 2>&1 ; then - gcloud iam service-accounts create falcon-container-injector - fi -``` - -Grant the newly create service account permissions to pull GCP images - -``` - gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \ - --member serviceAccount:falcon-container-injector@$GCP_PROJECT_ID.iam.gserviceaccount.com \ - --role roles/storage.objectViewer -``` - -Generate a new key for the service account -``` - gcloud iam service-accounts keys create \ - --iam-account "falcon-container-injector@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ - key.json -``` - -Generate Falcon Container Pull secret -``` - mv ~/.docker/config.json{,.bac} - cat key.json | docker login --username "_json_key" --password-stdin https://gcr.io - IMAGE_PULL_TOKEN=$(cat ~/.docker/config.json | base64 -w 0) - rm ~/.docker/config.json - mv ~/.docker/config.json{.bac,} -```
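Review bot: Deleting `container/gke-implementation-guide.md` outright removes the only documentation on this page of the `installer` entrypoint's options (`-cid`, `-image`, `-pullsecret`, `-pulltoken`, `-mount-docker-socket`, `-sensor-resources`) and of the GKE technology-preview caveat, and the hunk adds no forwarding pointer; if the guide has moved, leave a one-line stub or state the new location in the commit message. If the text is being relocated rather than retired, carry over fixes for defects visible in the deleted lines: the tooling-container command runs with `--privileged=true` and mounts both `/var/run/docker.sock` and `~/.config/gcloud` read-write while the prose two sentences later recommends `-v ~/.config/gcloud:/root/.config/gcloud:ro`; the API-scope sentence reads `krequired permissions are:`; the resources link reads `Google Kubernetes Enter (GKE)`; and the contact links `[sales@crowdstrike.com](sales@crowdstrike.com)` lack a `mailto:` scheme, so they render as broken relative links.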
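Review bot: Deleting `container/pull-secret-override.md` leaves the `-pullsecret` and `-pulltoken` installer options with no documented way to produce a GCR pull token on this page; if the procedure now lives elsewhere, link it from wherever the installer options are described. Two problems in the deleted procedure should not be copied forward: it binds `roles/storage.objectViewer` at project scope (`gcloud projects add-iam-policy-binding $GCP_PROJECT_ID ... --role roles/storage.objectViewer`), which grants read access to every bucket in the project rather than only the registry bucket, and it writes a long-lived service-account key to `key.json` that is never removed, while the cleanup step only runs `rm ~/.docker/config.json`. The `base64 -w 0` invocation is also GNU-specific and fails on macOS, where `base64` has no `-w` flag.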