feat(container-pull): add fcs type for iac image pull (#325)
* feat: initial fcs type added

* chore: add fcs scopes after rebase

* docs: update docs + docstrings for fcs inclusion
carlosmmatos authored Jun 20, 2024
1 parent 7928620 commit fa332de
Showing 2 changed files with 16 additions and 6 deletions.
5 changes: 3 additions & 2 deletions bash/containers/falcon-container-sensor-pull/README.md
Expand Up @@ -80,7 +80,7 @@ Optional Flags:
-c, --copy <REGISTRY/NAMESPACE> Registry to copy the image to, e.g., myregistry.com/mynamespace
-v, --version <SENSOR_VERSION> Specify sensor version to retrieve from the registry
-p, --platform <SENSOR_PLATFORM> Specify sensor platform to retrieve, e.g., x86_64, aarch64
-t, --type <SENSOR_TYPE> Specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent] (Default: falcon-container)
-t, --type <SENSOR_TYPE> Specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent|fcs] (Default: falcon-container)
--runtime <RUNTIME> Use a different container runtime [docker, podman, skopeo] (Default: docker)
--dump-credentials Print registry credentials to stdout to copy/paste into container tools
Expand Down Expand Up @@ -110,7 +110,7 @@ Help Options:
| `-c`, `--copy <REGISTRY/NAMESPACE>` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace` |
| `-v`, `--version <SENSOR_VERSION>` | `$SENSOR_VERSION` | `None` (Optional) | Specify sensor version to retrieve from the registry |
| `-p`, `--platform <SENSOR_PLATFORM>` | `$SENSOR_PLATFORM` | `None` (Optional) | Specify sensor platform to retrieve from the registry |
| `-t`, `--type <SENSOR_TYPE>` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `kpagent`] ([see more details below](#sensor-types)) |
| `-t`, `--type <SENSOR_TYPE>` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `kpagent`, `fcs`] ([see more details below](#sensor-types)) |
| `--runtime` | `$CONTAINER_TOOL` | `docker` (Optional) | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**. |
| `--dump-credentials` | `$CREDS` | `False` (Optional) | Print registry credentials to stdout to copy/paste into container tools |
| `--get-image-path` | N/A | `None` | Get the full image path including the registry, repository, and latest tag for the specified `SENSOR_TYPE`. |
Expand Down Expand Up @@ -141,6 +141,7 @@ The following sensor types are available to download:
| `falcon-snapshot` | The Falcon Snapshot scanner |
| `falcon-imageanalyzer` | The Falcon Image Assessment at Runtime |
| `kpagent` | The Falcon Kubernetes Protection Agent |
| `fcs` | The Falcon Cloud Security CLI tool |

### Examples

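Review bot: the new `fcs` row in the sensor types table describes the image but does not say that pulling it needs the `Infrastructure as Code [read]` scope, which the script change in this commit prints for this type in `display_api_scopes`. A user who adds `-t fcs` with an existing API client will hit an authorization failure with nothing in the README pointing at the cause; add the scope to this row or to the README's scope documentation. The `--type` help text also still reads "Specify which sensor to download" while this row calls `fcs` a CLI tool, so the wording could be aligned.
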
Expand Up @@ -22,7 +22,7 @@ Optional Flags:
-c, --copy <REGISTRY/NAMESPACE> Registry to copy the image to, e.g., myregistry.com/mynamespace
-v, --version <SENSOR_VERSION> Specify sensor version to retrieve from the registry
-p, --platform <SENSOR_PLATFORM> Specify sensor platform to retrieve, e.g., x86_64, aarch64
-t, --type <SENSOR_TYPE> Specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent] (Default: falcon-container)
-t, --type <SENSOR_TYPE> Specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent|fcs] (Default: falcon-container)
--runtime <RUNTIME> Use a different container runtime [docker, podman, skopeo] (Default: docker)
--dump-credentials Print registry credentials to stdout to copy/paste into container tools
Expand Down Expand Up @@ -244,7 +244,7 @@ format_tags() {
local all_tags=$1

case "${SENSOR_TYPE}" in
"kpagent" | "falcon-snapshot" | "falcon-imageanalyzer")
"kpagent" | "falcon-snapshot" | "falcon-imageanalyzer" | "fcs")
echo "$all_tags" |
sed -n 's/.*"tags" : \[\(.*\)\].*/\1/p' |
tr -d '"' | tr ',' '\n' |
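
Review bot: adding `"fcs"` to this `case` arm in `format_tags` assumes the `iac` registry returns its tag list in the same `"tags" : [...]` shape that the `sed -n 's/.*"tags" : \[\(.*\)\].*/\1/p'` expression expects, and nothing checks the result. Because `sed -n ... p` prints nothing when the pattern does not match, a different response shape would produce an empty tag list rather than an error. Please confirm the format against the new registry and consider failing with a clear message when the extracted list is empty.
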
Expand Down Expand Up @@ -390,6 +390,9 @@ display_api_scopes() {
falcon-snapshot)
echo "Sensor Download [read], Snapshot Scanner Image Download [read]"
;;
fcs)
echo "Sensor Download [read], Infrastructure as Code [read]"
;;
*)
die "Unknown sensor type: ${sensor_type}"
;;
Expand Down Expand Up @@ -434,10 +437,10 @@ fi

# Check if SENSOR_TYPE is set to a valid value
case "${SENSOR_TYPE}" in
falcon-container | falcon-sensor | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent) ;;
falcon-container | falcon-sensor | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs) ;;
*) die """
Unrecognized sensor type: ${SENSOR_TYPE}
Valid values are [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent]""" ;;
Valid values are [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent|fcs]""" ;;
esac

#Check all mandatory variables set
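
Review bot: the list of valid types in this block now has to be edited by hand in both the `case` pattern and the `die` message, and again in the usage text changed earlier in this file, which is how these lists drift apart over time. Consider keeping the valid values in a single variable and building the error message (and ideally the usage line) from it, so that adding the next type is a one-line change.
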
Expand Down Expand Up @@ -565,6 +568,12 @@ elif [ "${SENSOR_TYPE}" = "kpagent" ]; then
repository_name="kpagent"
registry_type="kubernetes-protection"
registry_opts="kubernetes_protection"
elif [ "${SENSOR_TYPE}" = "fcs" ]; then
# overrides for FCS
ART_USERNAME="fh-$cs_falcon_cid"
IMAGE_NAME="fcs"
repository_name="$BUILD_STAGE/cs-fcs"
registry_type="iac"
fi

#Set Docker token using the BEARER token captured earlier
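
Review bot: the `fcs` branch assigns `ART_USERNAME`, `IMAGE_NAME`, `repository_name` and `registry_type` but, unlike the `kpagent` branch directly above it, never sets `registry_opts`, so whatever value was assigned earlier carries over. If that default is correct for the `iac` registry, a short comment saying so would help; otherwise set it here. In addition, `repository_name="$BUILD_STAGE/cs-fcs"` depends on `BUILD_STAGE` being non-empty at this point, which nothing in this hunk guarantees; an empty value yields `/cs-fcs` and a pull from an unintended path, so consider `${BUILD_STAGE:?}` or an explicit check before building the repository name.
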