|
1 |
| -# CrowdStrike Falcon Image Analyzer Helm Chart |
| 1 | +# CrowdStrike Falcon Image Analyzer (IAR Image Assessment at Runtime) Helm Chart |
2 | 2 |
|
3 | 3 | [Falcon](https://www.crowdstrike.com/) is the [CrowdStrike](https://www.crowdstrike.com/)
|
4 | 4 | platform purpose-built to stop breaches via a unified set of cloud-delivered
|
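Review bot: the new title reads "(IAR Image Assessment at Runtime)", which puts the acronym before its expansion with nothing separating them; write it as "Image Assessment at Runtime (IAR)" so the abbreviation used throughout the rest of the README is defined on first use in the usual order.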
@@ -43,33 +43,125 @@ helm repo update
|
43 | 43 |
|
44 | 44 | The following tables list the Falcon sensor configurable parameters and their default values.
|
45 | 45 |
|
46 |
| -| Parameter | Description | Default | |
47 |
| -|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------| |
48 |
| -| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. | false | |
49 |
| -| `deployment.enabled` | Set to `true` if running in Socket Mode i.e. Both CANNOT be true . This causes the IAR to run in `socket` mode | false | |
50 |
| -| `privateRegistries.credentials` | Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2 | "" | |
51 |
| -| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` | |
52 |
| -| `image.tag` | Image tag version | None | |
53 |
| -| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false | |
54 |
| -| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` | |
55 |
| -| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false | |
56 |
| -| `crowdstrikeConfig.clusterName` | Cluster name | None | |
57 |
| -| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. | false | |
58 |
| -| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None | |
59 |
| -| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None | |
60 |
| -| `crowdstrikeConfig.cid` | Customer ID (CID) | None | |
61 |
| -| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None | |
62 |
| -| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None | |
63 |
| -| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None | |
64 |
| -| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `daemonset.enabled` = `true` | None | |
65 |
| -| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with ONLY TO BE USED with `daemonset.enabled` = `true` | None | |
66 |
| - |
67 |
| - |
68 |
| -Note : |
| 46 | +| Parameter | Description | Default | |
| 47 | +|:-----------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------| |
| 48 | +| `deployment.enabled` required | Set to `true` if running in Watcher Mode i.e. | false | |
| 49 | +| `daemsonset.enabled` required | Set to `true` if running in Socket Mode i.e. Both CANNOT be true . This causes the IAR to run in `socket` mode | false | |
| 50 | +| `privateRegistries.credentials` optional | Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2 | "" | |
| 51 | +| `image.repo` required | IAR image repo name | `[CROWDSTREIKE_IMAGE_REGISTRY]/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` | |
| 52 | +| `image.tag` required | Image tag version | None | |
| 53 | +| `image.registryConfigJSON` optional | iar private registry secret in docker config format | None | |
| 54 | +| `azure.enabled` optional | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false | |
| 55 | +| `azure.azureConfig` optional | Azure config file path | `/etc/kubernetes/azure.json` | |
| 56 | +| `gcp.enabled` optional | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false | |
| 57 | +| `crowdstrikeConfig.clusterName` required | Cluster name | None | |
| 58 | +| `crowdstrikeConfig.enableDebug` optional | Set to `true` for debug level log verbosity. | false | |
| 59 | +| `crowdstrikeConfig.clientID` required | CrowdStrike Falcon OAuth API Client ID | None | |
| 60 | +| `crowdstrikeConfig.clientSecret` required | CrowdStrike Falcon OAuth API Client secret | None | |
| 61 | +| `crowdstrikeConfig.cid` required | Customer ID (CID) | None | |
| 62 | +| `crowdstrikeConfig.dockerAPIToken` optional | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `[CROWDSTREIKE_IMAGE_REGISTRY] described below` | None | |
| 63 | +| `crowdstrikeConfig.existingSecret` optional | Existing secret ref name of the customer Kubernetes cluster | None | |
| 64 | +| `crowdstrikeConfig.agentRegion` required | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None | |
| 65 | +| `crowdstrikeConfig.agentRuntime` required ( if daemonset ) | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `daemonset.enabled` = `true` | None | |
| 66 | +| `crowdstrikeConfig.agentRuntimeSocket` optional | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with ONLY TO BE USED with `daemonset.enabled` = `true` | None | |
| 67 | + |
| 68 | + |
| 69 | + |
| 70 | +The `[CROWDSTREIKE_IMAGE_REGISTRY]` can be replaced with below registries based on the environment ( `agentRegion` ) |
| 71 | + |
| 72 | +- `us-1 or us-2 or eu-1` = `registry.crowdstrike.com` |
| 73 | +- `gov-1` = `registry.laggar.gcw.crowdstrike.com` |
| 74 | +- `gov-2` = `registry.us-gov-2.crowdstrike.mil` |
| 75 | + |
| 76 | +Note: |
69 | 77 | -
|
70 | 78 | - Please set either `daemonset.enabled` OR `deployment.enabled`
|
| 79 | + |
71 | 80 | - For deployment the replica count is set to **1** always. this is because IAR is not a load balanced service i.e. increasing replicas will not divide the work but rather duplicate creating unncessary resource consumption.
|
72 | 81 |
|
| 82 | +- For ease of installation and avoid complication the recommended way to install IAR creating a `config.yaml` file at some path like below |
| 83 | + |
| 84 | +For deployment |
| 85 | +``` |
| 86 | +deployment: |
| 87 | + enabled: true |
| 88 | +
|
| 89 | +
|
| 90 | +#optional. Use If in EKS / or EC2 required Roles. See Section IAM Roles fopr more details |
| 91 | +serviceAccount: |
| 92 | + # Annotations to add to the service account |
| 93 | + annotations: |
| 94 | + eks.amazonaws.com/role-arn: arn:aws:iam::532730071073:role/svc-devtest-cwpp-oidc-eks |
| 95 | +
|
| 96 | +
|
| 97 | +#optional. Use if target registries are private with secret. See section Authentication for Private Registries for more details |
| 98 | +privateRegistries |
| 99 | + credentials |
| 100 | +
|
| 101 | +image: |
| 102 | + repository: "[CROWDSTREIKE_IMAGE_REGISTRY]/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer" |
| 103 | + tag: 1.0.3 |
| 104 | +
|
| 105 | + # OPTIONAL |
| 106 | + # Value must be base64. This setting conflicts with image.pullSecret |
| 107 | + # The base64 encoded string of the docker config json for the pull secret can be |
| 108 | + # gotten through: |
| 109 | + # $ cat ~/.docker/config.json | base64 - |
| 110 | + registryConfigJSON: |
| 111 | +crowdstrikeConfig: |
| 112 | + clientID: "xxxxxxxxxxx" |
| 113 | + clientSecret: "yyyyyyyyyyyy" |
| 114 | + clusterName: my-test-cluster |
| 115 | + agentRegion: us-1 or us-2 or eu-1 or gov-1 or gov-2 |
| 116 | + cid: MYCID-XY |
| 117 | + dockerAPIToken: asdfsfsdfsfsd ( Crowdstrike Artifacotry Token for IAR Image ) |
| 118 | +
|
| 119 | +``` |
| 120 | + |
| 121 | +for daemonset |
| 122 | +``` |
| 123 | +daemonset: |
| 124 | + enabled: true |
| 125 | +
|
| 126 | +
|
| 127 | +
|
| 128 | +#optional. Use If in EKS / or EC2 required Roles. See Section IAM Roles fopr more details |
| 129 | +serviceAccount: |
| 130 | + # Annotations to add to the service account |
| 131 | + annotations: |
| 132 | + eks.amazonaws.com/role-arn: arn:aws:iam::532730071073:role/svc-devtest-cwpp-oidc-eks |
| 133 | +
|
| 134 | +
|
| 135 | +#optional. Use if target registries are private with secret. See section Authentication for Private Registries for more details |
| 136 | +privateRegistries |
| 137 | + credentials |
| 138 | +
|
| 139 | +image: |
| 140 | + repository: "[CROWDSTREIKE_IMAGE_REGISTRY]/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer" |
| 141 | + tag: 1.0.3 |
| 142 | +
|
| 143 | + # OPTIONAL |
| 144 | + # Value must be base64. This setting conflicts with image.pullSecret |
| 145 | + # The base64 encoded string of the docker config json for the pull secret can be |
| 146 | + # gotten through: |
| 147 | + # $ cat ~/.docker/config.json | base64 - |
| 148 | + registryConfigJSON: |
| 149 | +
|
| 150 | +crowdstrikeConfig: |
| 151 | + clientID: "xxxxxxxxxxx" |
| 152 | + clientSecret: "yyyyyyyyyyyy" |
| 153 | + clusterName: my-test-cluster |
| 154 | + agentRegion: us-1 or us-2 or eu-1 or gov-1 or gov-2 |
| 155 | + agentRuntime: containerd or crio or podman or docker |
| 156 | + cid: MYCID-XY |
| 157 | + dockerAPIToken: asdfsfsdfsfsd ( Crowdstrike Artifacotry Token for IAR Image ) |
| 158 | +
|
| 159 | +``` |
| 160 | + |
| 161 | +If the IAR image is already pulled in advance and pushed to another customer private registry then use that in place |
| 162 | +of `[CROWDSTREIKE_IMAGE_REGISTRY]` and the secret for that should be passed in the |
| 163 | +`image.registryConfigJSON` with explanation above and `crowdstrikeConfig.dockerAPIToken` should NOT be used |
| 164 | + |
73 | 165 | ## Installing on Kubernetes cluster nodes
|
74 | 166 |
|
75 | 167 |
|
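Review bot: the two sample `config.yaml` blocks (the "For deployment" one and the "for daemonset" one) will not parse as YAML as written: `privateRegistries` and `credentials` have no colons or values, `agentRegion: us-1 or us-2 or eu-1 or gov-1 or gov-2` and `dockerAPIToken: asdfsfsdfsfsd ( Crowdstrike Artifacotry Token for IAR Image )` mix prose into the values, and `registryConfigJSON:` is left as an empty key rather than commented out. Give each field one placeholder value (e.g. `agentRegion: us-1`), move the alternatives into a comment, and either write `privateRegistries.credentials: ""` or comment that stanza out. The examples also set `image.repository` while the table above documents `image.repo`; whichever key the chart actually reads should be used in both places. The `serviceAccount.annotations` example carries what looks like a real AWS account ID and role name (`arn:aws:iam::532730071073:role/svc-devtest-cwpp-oidc-eks`); replace it with a placeholder such as `arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>` so readers do not paste an internal identifier into their clusters. Because `crowdstrikeConfig.clientSecret` and `crowdstrikeConfig.dockerAPIToken` are an OAuth secret and a registry token, the examples should point at `crowdstrikeConfig.existingSecret` (already in the table) as the way to keep them out of a plaintext values file that ends up in git, and the `registryConfigJSON` comment refers to `image.pullSecret`, which the table does not document. Smaller points: the parameter name `daemsonset.enabled` is misspelled and will not match the chart key; the descriptions for `deployment.enabled` and `daemonset.enabled` both end in "i.e." with nothing after it; `[CROWDSTREIKE_IMAGE_REGISTRY]` should be `[CROWDSTRIKE_IMAGE_REGISTRY]` everywhere; the table lists `agentRegion` as us-1/us-2/eu-1 while the registry list and examples add gov-1 and gov-2; the socket example `unix///var/run/docker.sock` is missing its colon (`unix:///var/run/docker.sock`) and "ONLY TO BE USED with" is duplicated; and the `cat ~/.docker/config.json | base64 -` hint should use `base64 -w0` on GNU coreutils so the value is not line-wrapped. Typos: "fopr", "Gogle", "namsepace1", "Artifacotry".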
@@ -184,7 +276,7 @@ Here `falcon-image-analyzer` is the namespace of IAR and `imageanalyzer-falcon-i
|
184 | 276 | ### Authentication for Private Registries
|
185 | 277 | - If you are using ECR or cloud based Private Registries then assigning the IAM role to the iar service-account in `falcon-image-analyzer` namespace should be enough
|
186 | 278 |
|
187 |
| -- If you are using a 3rd party private registry such as jfrog artifactory, etc then use the below param in the values.yaml |
| 279 | +- If you are using a 3rd party private registry such as jfrog artifactory for running all your workload images, etc then use the below param in the values.yaml |
188 | 280 | ```
|
189 | 281 | privateRegistries:
|
190 | 282 | credentials: ""
|
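Review bot: the reworded bullet now reads awkwardly ("such as jfrog artifactory for running all your workload images, etc then use the below param"); suggest "If your workload images are pulled from a 3rd-party private registry such as JFrog Artifactory, set the following parameter in values.yaml" so the clause about workload images is not wedged between the example and "etc". It would also help to state here that `privateRegistries.credentials` is for the registries the scanned workloads pull from, as distinct from `image.registryConfigJSON`, which the table describes as the secret for pulling the IAR image itself; both are called registry secrets and are easy to confuse.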
@@ -213,15 +305,15 @@ use the above secret as `"my-app-ns:regcred,my-app-ns:regcred2"`
|
213 | 305 | Before you install IAR, set the Helm chart variables and add them to the `values.yaml` file. Then, run the following to install IAR:
|
214 | 306 |
|
215 | 307 | ```
|
216 |
| -helm upgrade --install -f path-to-my-values.yaml \ |
| 308 | +helm upgrade --install -f path-to-my-values.yaml \ |
217 | 309 | --create-namespace -n falcon-image-analyzer imageanalyzer crowdstrike/falcon-image-analyzer
|
218 | 310 | ```
|
219 | 311 |
|
220 | 312 |
|
221 | 313 | For more details, see the [falcon-helm](https://github.com/CrowdStrike/falcon-helm) repository.
|
222 | 314 |
|
223 | 315 | ```
|
224 |
| -helm show values crowdstrike/falcon-sensor |
| 316 | +helm show values crowdstrike/falcon-image-analyzer |
225 | 317 | ```
|
226 | 318 |
|
227 | 319 | ## Uninstall Helm chart
|
|
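Review bot: the `helm show values crowdstrike/falcon-sensor` to `crowdstrike/falcon-image-analyzer` fix is correct and now matches the chart name used in the `helm upgrade --install` command above it. The change to the `helm upgrade --install -f path-to-my-values.yaml \` line appears to be whitespace-only and shows up as a diff for no reason; drop it, or if the intent was to fix the line continuation, make sure the backslash is the last character on the line so the two-line command is not split.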