Add notes about privileges and update sensor name to reflect nodes

CrowdStrike · Feb 4, 2021 · 0498345 · 0498345
1 parent f5e50f7
commit 0498345
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -25,6 +25,14 @@ To ensure a successful deployment, you will want to ensure that:
 1. Only deploying to Kubernetes nodes are supported at this time.
 1. You need to have cluster admin privileges and be able to deploy daemonsets to
    nodes
+1. When deploying the Falcon Linux Sensor as a container to Kubernetes nodes, it
+   is a requirement that the Falcon Sensor run as a privileged container so that
+   the Sensor can properly work with the kernel. If this is unacceptable, you can
+   install the Falcon Linux Sensor (still runs with privileges) using an RPM or
+   DEB package on the nodes themselves. This assumes that you have the capability
+   to actually install RPM or DEB packages on the nodes. If you do not have this
+   capability and you want to protect the nodes, you have to install using a
+   privileged container.
 1. CrowdStrike's Helm Operator is a project, not a product, and released to the
    community as a way to automate sensor deployment to kubernetes clusters. The
    upstream repository for this project is

diff --git a/helm-charts/falcon-sensor/templates/daemonset.yaml b/helm-charts/falcon-sensor/templates/daemonset.yaml
@@ -65,7 +65,7 @@ spec:
           - name: falconstore-dir
             mountPath: /tmp/CrowdStrike
       containers:
-      - name: sensor-node-container
+      - name: falcon-node-sensor
         image: "{{ .Values.node.image.repository }}:{{ .Values.node.image.tag }}"
         imagePullPolicy: "{{ .Values.node.image.pullPolicy }}"
         volumeMounts:
@@ -91,6 +91,7 @@ spec:
         volumeMounts:
         - name: var-log
           mountPath: /var/log
+          readOnly: True
       volumes:
         - name: dev
           hostPath:

diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
@@ -19,16 +19,17 @@ node:
     # on the Falcon Sensor working correctly.
     #
     # - User that the container will execute as. Typically necessary to run as root (0).
-    # - Runs the Falcon Sensor containers as privileged containers. Typically not
-    #   necessarily unless running within environments such as OpenShift.
+    # - Runs the Falcon Sensor containers as privileged containers. This is required when
+    #   running the Falcon Linux Sensor on Kubernetes nodes to properly run in the node's
+    #   kernel and to actually protect the node..
     securityContext:
       runAsUser: 0
       privileged: true
       readOnlyRootFilesystem: false
       allowPrivilegeEscalation: true
 
   image:
-    repository: falcon-sensor
+    repository: falcon-node-sensor
     pullPolicy: Always
     # Overrides the image tag whose default is the chart appVersion.
     tag: "latest"