Merge pull request #258 from cs-pvyas/falcon-image-analyzer-helm-fix
CS falcon iar helm updates
redhatrises authored Feb 5, 2024
2 parents 403ebf7 + 8f45060 commit 5610e59
Showing 6 changed files with 127 additions and 57 deletions.
6 changes: 3 additions & 3 deletions helm-charts/falcon-image-analyzer/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: falcon-image-analyzer
description: A Helm chart for Kubernetes
description: A Helm chart for Falcon Image Analyzer

# A chart can be either an 'application' or a 'library' chart.
#
@@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.0.0
version: 1.1.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.0.0"
appVersion: "1.1.0"
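Review bot: The bump to `version: 1.1.0` is a minor bump, but this PR replaces `crowdstrikeConfig.agentRunmode` as the documented mode switch with `daemonset.enabled` / `deployment.enabled` (see the README table and `_helpers.tpl` hunks in this commit), which changes the chart's values interface for anyone upgrading from 1.0.0; either add an upgrade note to the README or treat it as a breaking change under the semver rule the comment above cites. Also confirm that `appVersion: "1.1.0"` corresponds to an actual IAR image release rather than mirroring the chart version, since the comment says it should reflect the version the application is using and the README still lists `image.tag` with no default.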
85 changes: 65 additions & 20 deletions helm-charts/falcon-image-analyzer/README.md
@@ -39,29 +39,31 @@ helm repo update

The following tables list the Falcon sensor configurable parameters and their default values.

| Parameter | Description | Default |
|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------|
| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `socket` | false |
| `deployment.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `watcher` | false |
| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` |
| `image.tag` | Image tag version | None |
| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false |
| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` |
| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false |
| `crowdstrikeConfig.clusterName` | Cluster name | None |
| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. | false |
| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None |
| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None |
| `crowdstrikeConfig.cid` | Customer ID (CID) | None |
| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None |
| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None |
| `crowdstrikeConfig.agentRunmode` | Agent run mode `watcher` or `socket` for Kubernetes. Set this along with `deployment.enabled` and `daemonset.enabled` respectively | None |
| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None |
| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None |
| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None |
| Parameter | Description | Default |
|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------|
| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. | false |
| `deployment.enabled` | Set to `true` if running in Socket Mode i.e. Both CANNOT be true . This causes the IAR to run in `socket` mode | false |
| `privateRegistries.credentials` | Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2 | "" |
| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` |
| `image.tag` | Image tag version | None |
| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false |
| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` |
| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false |
| `crowdstrikeConfig.clusterName` | Cluster name | None |
| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. | false |
| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None |
| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None |
| `crowdstrikeConfig.cid` | Customer ID (CID) | None |
| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None |
| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None |
| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None |
| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `daemonset.enabled` = `true` | None |
| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with ONLY TO BE USED with `daemonset.enabled` = `true` | None |

## Installing on Kubernetes cluster nodes



### Deployment considerations

For a successful deployment, you will want to ensure that:
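Review bot: The new `daemonset.enabled` and `deployment.enabled` rows contradict the helper this commit adds in `_helpers.tpl`, which maps `daemonset.enabled` to `socket` and `deployment.enabled` to `watcher`: the `daemonset.enabled` row now reads "Watcher Mode i.e." and stops mid-sentence, and the `deployment.enabled` row says "Socket Mode" and "This causes the IAR to run in `socket` mode", while the two rows being removed had the mapping the right way round. Suggested replacement rows:
| `daemonset.enabled` | Set to `true` to run IAR as a DaemonSet in `socket` mode (mounts the container runtime socket). Mutually exclusive with `deployment.enabled`. | false |
| `deployment.enabled` | Set to `true` to run IAR as a Deployment in `watcher` mode. Mutually exclusive with `daemonset.enabled`. | false |
Smaller fixes in the same table: "namsepace1" should be "namespace1", "Gogle" should be "Google", the socket example should read `unix:///var/run/docker.sock` (the colon is missing), the `agentRuntimeSocket` row repeats "ONLY TO BE USED with" twice, and the intro line above the table still calls these "Falcon sensor" parameters where "Falcon Image Analyzer" would match the new chart description.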
@@ -83,6 +85,49 @@ kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/au
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged
```

### IAM Roles ( EKS or Partially Managed using EC2 Instances)
- For the IAR to detect cloud as AWS it should be able to retrieve sts token to assume role to retrieve ECR Tokens.
There are 2 options for that . If your EKS cluster us using the kiam or kube2iam admission controller, add annotations
for the IAR service account in the values.yaml as stated below, before installing. Make sure the roles have trust-relationship to allow
the serviceaccount in the `falcon-image-analyzer` namespace
```
serviceAccount:
# Annotations to add to the service account
annotations:
iam.amazonaws.com/role: role-name-with-s2sassume-role-permission
```


- For the EKS Cluster using the OIDC providers add the annotation as below.Make sure the roles have trust-relationship to allow
the serviceaccount in the `falcon-image-analyzer` namespace

```
serviceAccount:
# Annotations to add to the service account
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-role
```

### Authentication for Private Registries
- If you are using ECR or cloud based Private Registries then assigning the IAM role to the iar service-account in `falcon-image-analyzer` namespace should be enough

- If you are using a 3rd party private registry such as jfrog artifactory, etc then use the below param in the values.yaml
```
privateRegistries:
credentials: ""
```
to provide the comma separated registry secrets of the form `"namsepace1:secretname1,namespace:secret2"`
each secret should be of type docker-registry for each of the private registry that is used.
for e.g. a docker-registry secret can be created as below
```
kubectl create secret docker-registry regcred \
--docker-server=my-artifactory.jfrog.io \
--docker-username=read-only \
--docker-password=my-super-secret-pass \
--docker-email=johndoe@example.com -n my-app-ns
```
use the above secret as `"my-app-ns:regcred"`

### Install CrowdStrike Falcon Helm chart on Kubernetes nodes

Before you install IAR, set the Helm chart variables and add them to the `values.yaml` file. Then, run the following to install IAR:
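Review bot: The `kubectl create secret docker-registry` example passes `--docker-password=my-super-secret-pass` on the command line, which ends up in shell history and is visible in process listings on a shared host; since this is the documented path for third-party registry credentials, suggest also showing the form that builds the secret from an existing Docker config file, e.g. `kubectl create secret generic regcred --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson -n my-app-ns`, and keeping the read-only account the example already uses. Wording fixes in the same section: "us using" should be "is using", "below.Make" needs a space, "namsepace1" should be "namespace1", "retrieve sts token to assume role to retrieve ECR Tokens" would read better as "obtain an STS token, assume the role, and retrieve ECR tokens", and kiam and kube2iam are credential proxies rather than admission controllers. The private registry section should also state whether the chart grants the IAR service account read access to the listed Secrets in each namespace or the user has to create that binding, because the secrets live outside the `falcon-image-analyzer` namespace.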
19 changes: 15 additions & 4 deletions helm-charts/falcon-image-analyzer/templates/_helpers.tpl
@@ -30,6 +30,17 @@ Create chart name and version as used by the chart label.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
agentRunmode definition
*/}}
{{- define "falcon-image-analyzer.agentrunmode" -}}
{{- if .Values.daemonset.enabled }}
{{- printf "socket" }}
{{- else if .Values.deployment.enabled }}
{{- printf "watcher" }}
{{- end }}
{{- end }}

{{/*
Common labels
*/}}
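Review bot: `falcon-image-analyzer.agentrunmode` silently picks `socket` when both `daemonset.enabled` and `deployment.enabled` are true (the first branch wins) and renders an empty string when neither is set, so the README's "Both CANNOT be true" is not enforced and a misconfigured install produces `AGENT_RUNMODE: ""` in the ConfigMap. Suggest failing the render up front:
{{- if and .Values.daemonset.enabled .Values.deployment.enabled }}
{{- fail "set only one of daemonset.enabled or deployment.enabled" }}
{{- end }}
and an `else` branch that calls `fail` when neither flag is set. Minor: the other helpers in this file use camelCase (`securityContext`, `volumeMounts`, `agentRuntimeSocket`), so `agentRunmode` would match the existing naming.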
@@ -62,7 +73,7 @@ Create the name of the service account to use
{{- end }}

{{- define "falcon-image-analyzer.securityContext" -}}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" -}}
{{- if .Values.daemonset.enabled -}}
privileged: {{ .Values.securityContext.privileged | default true }}
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
runAsUser: {{ .Values.securityContext.runAsUser | default 0 }}
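Review bot: Switching the condition from `eq .Values.crowdstrikeConfig.agentRunmode "socket"` to `.Values.daemonset.enabled` means a user who upgrades with a 1.0.0 values file that still sets `crowdstrikeConfig.agentRunmode: socket` and never sets `daemonset.enabled` will no longer hit this branch, and nothing reports it; an upgrade note in the README, or a `fail` in the template when `crowdstrikeConfig.agentRunmode` is still set, would make the change explicit. The privileged/root defaults here (`privileged: true`, `allowPrivilegeEscalation: true`, `runAsUser: 0`) stay gated on the socket path only, which is the right scoping; worth stating in the README that they apply only when `daemonset.enabled` is true and can be overridden through `securityContext.*`.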
@@ -73,7 +84,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
{{- define "falcon-image-analyzer.volumeMounts" -}}
{{- if lt (len .Values.volumeMounts) 2 -}}
{{- .Values.volumeMounts | toYaml }}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
{{- if .Values.daemonset.enabled }}
- name: var-run
mountPath: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }}
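Review bot: With the condition now on `daemonset.enabled`, the `var-run` mount is still only appended inside `{{- if lt (len .Values.volumeMounts) 2 -}}`, so a daemonset-mode install that supplies two or more custom `volumeMounts` silently loses the runtime socket mount that this mode depends on; either append the socket mount unconditionally when `daemonset.enabled` is true or document the limit on custom mounts.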
@@ -95,7 +106,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
{{- define "falcon-image-analyzer.volumes" -}}
{{- if lt (len .Values.volumes) 2 -}}
{{- .Values.volumes | toYaml }}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
{{- if .Values.daemonset.enabled }}
- name: var-run
hostPath:
path: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
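Review bot: The `var-run` hostPath has no `type`, so the kubelet performs no check on the host path before mounting; adding `type: Socket` under `hostPath:` makes the pod fail at startup when the configured `agentRuntimeSocket` path is missing or is not a unix socket, instead of running with a useless mount and failing later inside the agent.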
@@ -125,7 +136,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
{{- end }}

{{- define "falcon-image-analyzer.agentRuntimeSocket" -}}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
{{- if .Values.daemonset.enabled }}
{{- if not .Values.crowdstrikeConfig.agentRuntimeSocket }}
{{- if eq .Values.crowdstrikeConfig.agentRuntime "docker" }}
{{- printf "%s" "unix:///run/docker.sock" }}
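Review bot: The docker default here is `unix:///run/docker.sock`, while the README example for `crowdstrikeConfig.agentRuntimeSocket` in this same commit shows `unix///var/run/docker.sock` (missing colon, different path); align the README example with the helper's default so users who copy it get the same path the chart uses, and fix the missing `:`.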
5 changes: 3 additions & 2 deletions helm-charts/falcon-image-analyzer/templates/configmap.yaml
@@ -9,10 +9,11 @@ data:
IS_KUBERNETES: {{ .Values.isKubernetes | quote }}
AGENT_CID: {{ .Values.crowdstrikeConfig.cid | quote }}
AGENT_CLUSTER_NAME: {{ .Values.crowdstrikeConfig.clusterName | quote }}
AGENT_REGISTRY_CREDENTIALS: {{ .Values.privateRegistries.credentials | quote }}
AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | quote }}
AGENT_RUNMODE: {{ .Values.crowdstrikeConfig.agentRunmode | quote }}
AGENT_RUNMODE: {{ include "falcon-image-analyzer.agentrunmode" . | quote }}
AGENT_REGION: {{ .Values.crowdstrikeConfig.agentRegion | quote }}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
{{- if .Values.daemonset.enabled }}
AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }}
AGENT_RUNTIME_SOCKET: {{ include "falcon-image-analyzer.agentRuntimeSocket" . | quote }}
{{- end }}
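Review bot: `AGENT_REGISTRY_CREDENTIALS` holds only `namespace:secret` references, so a ConfigMap is the right home for it (no secret material is exposed), but it implies the IAR service account reads Secrets across every listed namespace. That RBAC is not in the visible hunks (two of the six changed files are not expanded here), so confirm the Role/RoleBinding is scoped to `get` on the named Secrets in each namespace rather than a cluster-wide `get`/`list` on all Secrets, and document it in the README's private registry section.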