Merge pull request #10 from redhatrises/node_values

Update helm templates to configure and apply deamonset for nodes only

README.md

@@ -25,6 +25,14 @@ To ensure a successful deployment, you will want to ensure that:
 1. Only deploying to Kubernetes nodes are supported at this time.
 1. You need to have cluster admin privileges and be able to deploy daemonsets to
    nodes
+1. When deploying the Falcon Linux Sensor as a container to Kubernetes nodes, it
+   is a requirement that the Falcon Sensor run as a privileged container so that
+   the Sensor can properly work with the kernel. If this is unacceptable, you can
+   install the Falcon Linux Sensor (still runs with privileges) using an RPM or
+   DEB package on the nodes themselves. This assumes that you have the capability
+   to actually install RPM or DEB packages on the nodes. If you do not have this
+   capability and you want to protect the nodes, you have to install using a
+   privileged container.
 1. CrowdStrike's Helm Operator is a project, not a product, and released to the
    community as a way to automate sensor deployment to kubernetes clusters. The
    upstream repository for this project is
@@ -52,18 +60,19 @@ helm install --set falcon.cid=<Your_CrowdStrike_CID> falcon-helm ./helm-charts/f
 You can use multiple `--set` arguments for configuring the Falcon Helm Chart
 according to your environment. See the [values yaml file for more configuration options](helm-charts/falcon-sensor/values.yaml).
 
-Alternatively, instead of using multiple `--set` arguments, you can create a yaml
-file that customizes the default Helm Chart configurations.
+Alternatively, instead of using multiple `--set` arguments, you can create a
+yaml file that customizes the default Helm Chart configurations.
 
-For example changing the default image repository using a yaml customization
-file called `custom_repo.yaml`:
+For example, changing the default Kubernetes node image repository using a yaml
+customization file called `custom_repo.yaml`:
 
 1. Create `custom_repo.yaml`:
    ```
    falcon:
      cid: <Your_CrowdStrike_CID>
-   image:
-     repository: <Your_Registry>/falcon-sensor
+   node:
+     image:
+       repository: <Your_Registry>/falcon-sensor
    ```
 
 2. Run the `helm install` command specifying using `custom_repo.yaml`:

helm-charts/falcon-sensor/Chart.yaml

@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.2.0
+appVersion: 0.3.0
 
 
 keywords:

helm-charts/falcon-sensor/templates/daemonset.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.node.enabled }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -8,30 +9,30 @@ metadata:
     chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     heritage: {{ .Release.Service | quote }}
     release: {{ .Release.Name | quote }}
-    {{- if .Values.daemonset.labels }}
-    {{- range $key, $value := .Values.daemonset.labels }}
+    {{- if .Values.node.daemonset.labels }}
+    {{- range $key, $value := .Values.node.daemonset.labels }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
     {{- end }}
-  {{- if .Values.daemonset.annotations }}
+  {{- if .Values.node.daemonset.annotations }}
   annotations:
-    {{- range $key, $value := .Values.daemonset.annotations }}
+    {{- range $key, $value := .Values.node.daemonset.annotations }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-  namespace: {{ .Values.namespace }}
+  namespace: {{ .Values.node.namespace }}
 spec:
   selector:
     matchLabels:
       name: {{ include "falcon-sensor.fullname" . }}
       app: {{ include "falcon-sensor.fullname" . }}
       release: {{ .Release.Name | quote }}
   updateStrategy:
-    type: {{ .Values.daemonset.updateStrategy }}
+    type: {{ .Values.node.daemonset.updateStrategy }}
   template:
     metadata:
       annotations:
-        {{- range $key, $value := .Values.podAnnotations }}
+        {{- range $key, $value := .Values.node.podAnnotations }}
         {{ $key }}: {{ $value | quote }}
         {{- end }}
       labels:
@@ -40,8 +41,8 @@ spec:
         chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
         heritage: {{ .Release.Service | quote }}
         release: {{ .Release.Name | quote }}
-        {{- if .Values.daemonset.labels }}
-        {{- range $key, $value := .Values.daemonset.labels }}
+        {{- if .Values.node.daemonset.labels }}
+        {{- range $key, $value := .Values.node.daemonset.labels }}
         {{ $key }}: {{ $value | quote }}
         {{- end }}
         {{- end }}
@@ -52,9 +53,8 @@ spec:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
       initContainers:
-
       # This init container creates empty falconstore file so that when
-      # it's mounted into the sensor-container, k8s would just use it
+      # it's mounted into the sensor-node-container, k8s would just use it
       # rather than creating a directory.  Mounting falconstore file as
       # a file volume ensures that AID is preserved across container
       # restarts.
@@ -64,11 +64,10 @@ spec:
         volumeMounts:
           - name: falconstore-dir
             mountPath: /tmp/CrowdStrike
-
       containers:
-      - name: sensor-container
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+      - name: falcon-node-sensor
+        image: "{{ .Values.node.image.repository }}:{{ .Values.node.image.tag }}"
+        imagePullPolicy: "{{ .Values.node.image.pullPolicy }}"
         volumeMounts:
         - name: dev
           mountPath: /dev
@@ -80,21 +79,19 @@ spec:
           mountPath: /var/log
         - name: falconstore
           mountPath: /opt/CrowdStrike/falconstore
-
-        securityContext: {{ toYaml ( .Values.daemonset.securityContext ) | nindent 10 }}
+        securityContext: {{ toYaml ( .Values.node.daemonset.securityContext ) | nindent 10 }}
         envFrom:
         - configMapRef:
             name: {{ include "falcon-sensor.fullname" . }}-config
-
-      # This spits out logs from sensor-container to stdout so that they
+      # This spits out logs from sensor-node-container to stdout so that they
       # are routed through k8s log driver.
       - name: log
         image: busybox
         args: [/bin/sh, -c, 'tail -n1 -f /var/log/falcon-sensor.log']
         volumeMounts:
         - name: var-log
           mountPath: /var/log
-
+          readOnly: True
       volumes:
         - name: dev
           hostPath:
@@ -113,8 +110,8 @@ spec:
         - name: falconstore-dir
           hostPath:
             path: /tmp/CrowdStrike
-
-      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
+      terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriod }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
+{{- end }}

helm-charts/falcon-sensor/values.yaml

@@ -2,44 +2,49 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-daemonset:
-  # Annotations to apply to the daemonset
-  annotations: {}
-
-  # additionals labels
-  labels: {}
-
-  updateStrategy: RollingUpdate
-
-  # Various pod security context settings. Bear in mind that many of these have an impact
-  # on the Falcon Sensor working correctly.
-  #
-  # - User that the container will execute as. Typically necessary to run as root (0).
-  # - Runs the Falcon Sensor containers as privileged containers. Typically not
-  #   necessarily unless running within environments such as OpenShift.
-  securityContext:
-    runAsUser: 0
-    privileged: true
-    readOnlyRootFilesystem: false
-    allowPrivilegeEscalation: true
-
-image:
-  repository: falcon-sensor
-  pullPolicy: Always
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
-
-# Override various naming aspects of this chart
-# Only edit these if you know what you're doing
-nameOverride: ""
-fullnameOverride: ""
-
-podAnnotations: {}
-
-namespace: default
-
-# How long to wait for Filebeat pods to stop gracefully
-terminationGracePeriod: 30
+node:
+  # When enabled, Helm chart deploys the Falcon Senors to Kubernetes nodes
+  enabled: true
+
+  daemonset:
+    # Annotations to apply to the daemonset
+    annotations: {}
+
+    # additionals labels
+    labels: {}
+
+    updateStrategy: RollingUpdate
+
+    # Various pod security context settings. Bear in mind that many of these have an impact
+    # on the Falcon Sensor working correctly.
+    #
+    # - User that the container will execute as. Typically necessary to run as root (0).
+    # - Runs the Falcon Sensor containers as privileged containers. This is required when
+    #   running the Falcon Linux Sensor on Kubernetes nodes to properly run in the node's
+    #   kernel and to actually protect the node..
+    securityContext:
+      runAsUser: 0
+      privileged: true
+      readOnlyRootFilesystem: false
+      allowPrivilegeEscalation: true
+
+  image:
+    repository: falcon-node-sensor
+    pullPolicy: Always
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: "latest"
+
+  # Override various naming aspects of this chart
+  # Only edit these if you know what you're doing
+  nameOverride: ""
+  fullnameOverride: ""
+
+  podAnnotations: {}
+
+  namespace: default
+
+  # How long to wait for Falcon pods to stop gracefully
+  terminationGracePeriod: 10
 
 falcon:
   cid: