Skip to content

Commit 5610e59

Browse files
redhatrisesredhatrises
authored
Merge pull request #258 from cs-pvyas/falcon-image-analyzer-helm-fix
CS falcon iar helm updates
2 parents 403ebf7 + 8f45060 commit 5610e59

File tree

6 files changed

+127
-57
lines changed

6 files changed

+127
-57
lines changed

helm-charts/falcon-image-analyzer/Chart.yaml

+3-3
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
apiVersion: v2
22
name: falcon-image-analyzer
3-
description: A Helm chart for Kubernetes
3+
description: A Helm chart for Falcon Image Analyzer
44

55
# A chart can be either an 'application' or a 'library' chart.
66
#
@@ -15,10 +15,10 @@ type: application
1515
# This is the chart version. This version number should be incremented each time you make changes
1616
# to the chart and its templates, including the app version.
1717
# Versions are expected to follow Semantic Versioning (https://semver.org/)
18-
version: 1.0.0
18+
version: 1.1.0
1919

2020
# This is the version number of the application being deployed. This version number should be
2121
# incremented each time you make changes to the application. Versions are not expected to
2222
# follow Semantic Versioning. They should reflect the version the application is using.
2323
# It is recommended to use it with quotes.
24-
appVersion: "1.0.0"
24+
appVersion: "1.1.0"

helm-charts/falcon-image-analyzer/README.md

+65-20
Original file line numberDiff line numberDiff line change
@@ -39,29 +39,31 @@ helm repo update
3939

4040
The following tables list the Falcon sensor configurable parameters and their default values.
4141

42-
| Parameter | Description | Default |
43-
|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------|
44-
| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `socket` | false |
45-
| `deployment.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `watcher` | false |
46-
| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` |
47-
| `image.tag` | Image tag version | None |
48-
| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false |
49-
| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` |
50-
| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false |
51-
| `crowdstrikeConfig.clusterName` | Cluster name | None |
52-
| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. | false |
53-
| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None |
54-
| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None |
55-
| `crowdstrikeConfig.cid` | Customer ID (CID) | None |
56-
| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None |
57-
| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None |
58-
| `crowdstrikeConfig.agentRunmode` | Agent run mode `watcher` or `socket` for Kubernetes. Set this along with `deployment.enabled` and `daemonset.enabled` respectively | None |
59-
| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None |
60-
| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None |
61-
| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None |
42+
| Parameter | Description | Default |
43+
|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------|
44+
| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. | false |
45+
| `deployment.enabled` | Set to `true` if running in Socket Mode i.e. Both CANNOT be true . This causes the IAR to run in `socket` mode | false |
46+
| `privateRegistries.credentials` | Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2 | "" |
47+
| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` |
48+
| `image.tag` | Image tag version | None |
49+
| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false |
50+
| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` |
51+
| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false |
52+
| `crowdstrikeConfig.clusterName` | Cluster name | None |
53+
| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. | false |
54+
| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None |
55+
| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None |
56+
| `crowdstrikeConfig.cid` | Customer ID (CID) | None |
57+
| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None |
58+
| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None |
59+
| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None |
60+
| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `daemonset.enabled` = `true` | None |
61+
| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with ONLY TO BE USED with `daemonset.enabled` = `true` | None |
6262

6363
## Installing on Kubernetes cluster nodes
6464

65+
66+
6567
### Deployment considerations
6668

6769
For a successful deployment, you will want to ensure that:
@@ -83,6 +85,49 @@ kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/au
8385
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged
8486
```
8587

88+
### IAM Roles ( EKS or Partially Managed using EC2 Instances)
89+
- For the IAR to detect cloud as AWS it should be able to retrieve sts token to assume role to retrieve ECR Tokens.
90+
There are 2 options for that . If your EKS cluster us using the kiam or kube2iam admission controller, add annotations
91+
for the IAR service account in the values.yaml as stated below, before installing. Make sure the roles have trust-relationship to allow
92+
the serviceaccount in the `falcon-image-analyzer` namespace
93+
```
94+
serviceAccount:
95+
# Annotations to add to the service account
96+
annotations:
97+
iam.amazonaws.com/role: role-name-with-s2sassume-role-permission
98+
```
99+
100+
101+
- For the EKS Cluster using the OIDC providers add the annotation as below.Make sure the roles have trust-relationship to allow
102+
the serviceaccount in the `falcon-image-analyzer` namespace
103+
104+
```
105+
serviceAccount:
106+
# Annotations to add to the service account
107+
annotations:
108+
eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/my-role
109+
```
110+
111+
### Authentication for Private Registries
112+
- If you are using ECR or cloud based Private Registries then assigning the IAM role to the iar service-account in `falcon-image-analyzer` namespace should be enough
113+
114+
- If you are using a 3rd party private registry such as jfrog artifactory, etc then use the below param in the values.yaml
115+
```
116+
privateRegistries:
117+
credentials: ""
118+
```
119+
to provide the comma separated registry secrets of the form `"namsepace1:secretname1,namespace:secret2"`
120+
each secret should be of type docker-registry for each of the private registry that is used.
121+
for e.g. a docker-registry secret can be created as below
122+
```
123+
kubectl create secret docker-registry regcred \
124+
--docker-server=my-artifactory.jfrog.io \
125+
--docker-username=read-only \
126+
--docker-password=my-super-secret-pass \
127+
--docker-email=johndoe@example.com -n my-app-ns
128+
```
129+
use the above secret as `"my-app-ns:regcred"`
130+
86131
### Install CrowdStrike Falcon Helm chart on Kubernetes nodes
87132

88133
Before you install IAR, set the Helm chart variables and add them to the `values.yaml` file. Then, run the following to install IAR:

helm-charts/falcon-image-analyzer/templates/_helpers.tpl

+15-4
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,17 @@ Create chart name and version as used by the chart label.
3030
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
3131
{{- end }}
3232

33+
{{/*
34+
agentRunmode definition
35+
*/}}
36+
{{- define "falcon-image-analyzer.agentrunmode" -}}
37+
{{- if .Values.daemonset.enabled }}
38+
{{- printf "socket" }}
39+
{{- else if .Values.deployment.enabled }}
40+
{{- printf "watcher" }}
41+
{{- end }}
42+
{{- end }}
43+
3344
{{/*
3445
Common labels
3546
*/}}
@@ -62,7 +73,7 @@ Create the name of the service account to use
6273
{{- end }}
6374

6475
{{- define "falcon-image-analyzer.securityContext" -}}
65-
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" -}}
76+
{{- if .Values.daemonset.enabled -}}
6677
privileged: {{ .Values.securityContext.privileged | default true }}
6778
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
6879
runAsUser: {{ .Values.securityContext.runAsUser | default 0 }}
@@ -73,7 +84,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
7384
{{- define "falcon-image-analyzer.volumeMounts" -}}
7485
{{- if lt (len .Values.volumeMounts) 2 -}}
7586
{{- .Values.volumeMounts | toYaml }}
76-
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
87+
{{- if .Values.daemonset.enabled }}
7788
- name: var-run
7889
mountPath: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
7990
{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }}
@@ -95,7 +106,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
95106
{{- define "falcon-image-analyzer.volumes" -}}
96107
{{- if lt (len .Values.volumes) 2 -}}
97108
{{- .Values.volumes | toYaml }}
98-
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
109+
{{- if .Values.daemonset.enabled }}
99110
- name: var-run
100111
hostPath:
101112
path: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
@@ -125,7 +136,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
125136
{{- end }}
126137

127138
{{- define "falcon-image-analyzer.agentRuntimeSocket" -}}
128-
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
139+
{{- if .Values.daemonset.enabled }}
129140
{{- if not .Values.crowdstrikeConfig.agentRuntimeSocket }}
130141
{{- if eq .Values.crowdstrikeConfig.agentRuntime "docker" }}
131142
{{- printf "%s" "unix:///run/docker.sock" }}

helm-charts/falcon-image-analyzer/templates/configmap.yaml

+3-2
Original file line numberDiff line numberDiff line change
@@ -9,10 +9,11 @@ data:
99
IS_KUBERNETES: {{ .Values.isKubernetes | quote }}
1010
AGENT_CID: {{ .Values.crowdstrikeConfig.cid | quote }}
1111
AGENT_CLUSTER_NAME: {{ .Values.crowdstrikeConfig.clusterName | quote }}
12+
AGENT_REGISTRY_CREDENTIALS: {{ .Values.privateRegistries.credentials | quote }}
1213
AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | quote }}
13-
AGENT_RUNMODE: {{ .Values.crowdstrikeConfig.agentRunmode | quote }}
14+
AGENT_RUNMODE: {{ include "falcon-image-analyzer.agentrunmode" . | quote }}
1415
AGENT_REGION: {{ .Values.crowdstrikeConfig.agentRegion | quote }}
15-
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
16+
{{- if .Values.daemonset.enabled }}
1617
AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }}
1718
AGENT_RUNTIME_SOCKET: {{ include "falcon-image-analyzer.agentRuntimeSocket" . | quote }}
1819
{{- end }}

0 commit comments

Comments
 (0)