diff --git a/README.md b/README.md
index ba8f06eb..8ec5a575 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,14 @@ To ensure a successful deployment, you will want to ensure that: 1. Only deploying to Kubernetes nodes are supported at this time. 1. You need to have cluster admin privileges and be able to deploy daemonsets to nodes +1. When deploying the Falcon Linux Sensor as a container to Kubernetes nodes, it + is a requirement that the Falcon Sensor run as a privileged container so that + the Sensor can properly work with the kernel. If this is unacceptable, you can + install the Falcon Linux Sensor (still runs with privileges) using an RPM or + DEB package on the nodes themselves. This assumes that you have the capability + to actually install RPM or DEB packages on the nodes. If you do not have this + capability and you want to protect the nodes, you have to install using a + privileged container. 1. CrowdStrike's Helm Operator is a project, not a product, and released to the community as a way to automate sensor deployment to kubernetes clusters. The upstream repository for this project is
@@ -52,18 +60,19 @@ helm install --set falcon.cid= falcon-helm ./helm-charts/f You can use multiple `--set` arguments for configuring the Falcon Helm Chart according to your environment. See the [values yaml file for more configuration options](helm-charts/falcon-sensor/values.yaml). -Alternatively, instead of using multiple `--set` arguments, you can create a yaml -file that customizes the default Helm Chart configurations. +Alternatively, instead of using multiple `--set` arguments, you can create a +yaml file that customizes the default Helm Chart configurations. -For example changing the default image repository using a yaml customization -file called `custom_repo.yaml`: +For example, changing the default Kubernetes node image repository using a yaml +customization file called `custom_repo.yaml`: 1. Create `custom_repo.yaml`: ``` falcon: cid: - image: - repository: /falcon-sensor + node: + image: + repository: /falcon-sensor ``` 2. Run the `helm install` command specifying using `custom_repo.yaml`:
diff --git a/helm-charts/falcon-sensor/Chart.yaml b/helm-charts/falcon-sensor/Chart.yaml
index 9b048784..82e1a2fd 100644
--- a/helm-charts/falcon-sensor/Chart.yaml
+++ b/helm-charts/falcon-sensor/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.2.0
+appVersion: 0.3.0
 keywords:
diff --git a/helm-charts/falcon-sensor/templates/daemonset.yaml b/helm-charts/falcon-sensor/templates/daemonset.yaml
index 9d2a237c..b2642104 100644
--- a/helm-charts/falcon-sensor/templates/daemonset.yaml
+++ b/helm-charts/falcon-sensor/templates/daemonset.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.node.enabled }}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -8,18 +9,18 @@ metadata:
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service | quote }}
 release: {{ .Release.Name | quote }}
- {{- if .Values.daemonset.labels }}
- {{- range $key, $value := .Values.daemonset.labels }}
+ {{- if .Values.node.daemonset.labels }}
+ {{- range $key, $value := .Values.node.daemonset.labels }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 {{- end }}
- {{- if .Values.daemonset.annotations }}
+ {{- if .Values.node.daemonset.annotations }}
 annotations:
- {{- range $key, $value := .Values.daemonset.annotations }}
+ {{- range $key, $value := .Values.node.daemonset.annotations }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 {{- end }}
- namespace: {{ .Values.namespace }}
+ namespace: {{ .Values.node.namespace }}
 spec:
 selector:
 matchLabels:
@@ -27,11 +28,11 @@ spec:
 app: {{ include "falcon-sensor.fullname" . }}
 release: {{ .Release.Name | quote }}
 updateStrategy:
- type: {{ .Values.daemonset.updateStrategy }}
+ type: {{ .Values.node.daemonset.updateStrategy }}
 template:
 metadata:
 annotations:
- {{- range $key, $value := .Values.podAnnotations }}
+ {{- range $key, $value := .Values.node.podAnnotations }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 labels:
@@ -40,8 +41,8 @@ spec:
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 heritage: {{ .Release.Service | quote }}
 release: {{ .Release.Name | quote }}
- {{- if .Values.daemonset.labels }}
- {{- range $key, $value := .Values.daemonset.labels }}
+ {{- if .Values.node.daemonset.labels }}
+ {{- range $key, $value := .Values.node.daemonset.labels }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 {{- end }}
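Review bot: Every value the template reads has moved from `.Values.daemonset.*`, `.Values.namespace` and `.Values.podAnnotations` to `.Values.node.*` (this hunk at line 8, the hunks at lines 27 and 40, and the container, securityContext and terminationGracePeriod hunks that follow), but nothing rejects the old layout, so a values file written for chart 0.2.0 still renders without error while its `daemonset.securityContext` override — the one place a deployer can tighten the sensor's privileges — is silently dropped in favour of the chart default of `privileged: true`. A guard at the top of the template would make the move visible at install time: `{{- if .Values.daemonset }}` / `{{- fail "chart 0.3.0 moved these values under 'node:'; see values.yaml" }}` / `{{- end }}`. A one-line "breaking change" entry in the README's install section would cover the same ground for `--set` users. The DaemonSet spec continues past this hunk.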
@@ -52,9 +53,8 @@ spec:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
 initContainers:
-
 # This init container creates empty falconstore file so that when
- # it's mounted into the sensor-container, k8s would just use it
+ # it's mounted into the sensor-node-container, k8s would just use it
 # rather than creating a directory. Mounting falconstore file as
 # a file volume ensures that AID is preserved across container
 # restarts.
@@ -64,11 +64,10 @@ spec:
 volumeMounts:
 - name: falconstore-dir
 mountPath: /tmp/CrowdStrike
-
 containers:
- - name: sensor-container
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ - name: falcon-node-sensor
+ image: "{{ .Values.node.image.repository }}:{{ .Values.node.image.tag }}"
+ imagePullPolicy: "{{ .Values.node.image.pullPolicy }}"
 volumeMounts:
 - name: dev
 mountPath: /dev
@@ -80,13 +79,11 @@ spec:
 mountPath: /var/log
 - name: falconstore
 mountPath: /opt/CrowdStrike/falconstore
-
- securityContext: {{ toYaml ( .Values.daemonset.securityContext ) | nindent 10 }}
+ securityContext: {{ toYaml ( .Values.node.daemonset.securityContext ) | nindent 10 }}
 envFrom:
 - configMapRef:
 name: {{ include "falcon-sensor.fullname" . }}-config
-
- # This spits out logs from sensor-container to stdout so that they
+ # This spits out logs from sensor-node-container to stdout so that they
 # are routed through k8s log driver.
 - name: log
 image: busybox
@@ -94,7 +91,7 @@ spec:
 volumeMounts:
 - name: var-log
 mountPath: /var/log
-
+ readOnly: True
 volumes:
 - name: dev
 hostPath:
@@ -113,8 +110,8 @@ spec:
 - name: falconstore-dir
 hostPath:
 path: /tmp/CrowdStrike
-
- terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
+ terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriod }}
 hostNetwork: true
 hostPID: true
 hostIPC: true
+{{- end }}
diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
index 82ed2823..20e27d49 100644
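Review bot: `readOnly: True` in the log sidecar's var-log mount (hunk at line 94) is the only boolean in this file not written in lowercase; YAML 1.1 loaders accept it, but a 1.2-strict tool reads it as the string "True", so write `readOnly: true`. The two comments rewritten in this diff (hunks at lines 52 and 80) now refer to `sensor-node-container`, while the container itself is renamed to `falcon-node-sensor` in the hunk at line 64; `# it's mounted into the falcon-node-sensor container, k8s would just use it` and `# This spits out logs from falcon-node-sensor to stdout so that they` would keep the names in sync. Making the sidecar's log mount read-only is a sound change on its own: the busybox container only needs to read that volume.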
--- a/helm-charts/falcon-sensor/values.yaml
+++ b/helm-charts/falcon-sensor/values.yaml
@@ -2,44 +2,49 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-daemonset:
- # Annotations to apply to the daemonset
- annotations: {}
-
- # additionals labels
- labels: {}
-
- updateStrategy: RollingUpdate
-
- # Various pod security context settings. Bear in mind that many of these have an impact
- # on the Falcon Sensor working correctly.
- #
- # - User that the container will execute as. Typically necessary to run as root (0).
- # - Runs the Falcon Sensor containers as privileged containers. Typically not
- # necessarily unless running within environments such as OpenShift.
- securityContext:
- runAsUser: 0
- privileged: true
- readOnlyRootFilesystem: false
- allowPrivilegeEscalation: true
-
-image:
- repository: falcon-sensor
- pullPolicy: Always
- # Overrides the image tag whose default is the chart appVersion.
- tag: "latest"
-
-# Override various naming aspects of this chart
-# Only edit these if you know what you're doing
-nameOverride: ""
-fullnameOverride: ""
-
-podAnnotations: {}
-
-namespace: default
-
-# How long to wait for Filebeat pods to stop gracefully
-terminationGracePeriod: 30
+node:
+ # When enabled, Helm chart deploys the Falcon Senors to Kubernetes nodes
+ enabled: true
+
+ daemonset:
+ # Annotations to apply to the daemonset
+ annotations: {}
+
+ # additionals labels
+ labels: {}
+
+ updateStrategy: RollingUpdate
+
+ # Various pod security context settings. Bear in mind that many of these have an impact
+ # on the Falcon Sensor working correctly.
+ #
+ # - User that the container will execute as. Typically necessary to run as root (0).
+ # - Runs the Falcon Sensor containers as privileged containers. This is required when
+ # running the Falcon Linux Sensor on Kubernetes nodes to properly run in the node's
+ # kernel and to actually protect the node..
+ securityContext:
+ runAsUser: 0
+ privileged: true
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
+
+ image:
+ repository: falcon-node-sensor
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "latest"
+
+ # Override various naming aspects of this chart
+ # Only edit these if you know what you're doing
+ nameOverride: ""
+ fullnameOverride: ""
+
+ podAnnotations: {}
+
+ namespace: default
+
+ # How long to wait for Falcon pods to stop gracefully
+ terminationGracePeriod: 10
 falcon:
 cid:
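Review bot: The comment `# Overrides the image tag whose default is the chart appVersion.` above `tag: "latest"` does not match the template: daemonset.yaml builds the reference as `{{ .Values.node.image.repository }}:{{ .Values.node.image.tag }}` with no fallback, so an empty tag renders a bare `repository:` rather than the appVersion. Either state the real default (`# Image tag to deploy; defaults to "latest".`) or add the fallback in the template (`{{ .Values.node.image.tag | default .Chart.AppVersion }}`). Operators would also benefit from a comment next to `tag`/`pullPolicy` pointing out that `"latest"` with `Always` on a privileged, hostPID/hostNetwork DaemonSet re-pulls whatever the registry currently serves on every container start, so pinning a specific tag or digest in a custom values file is the safer choice. Typos in the new comments: `Senors` → `Sensors`, `additionals labels` → `additional labels`, and the double period in `protect the node..`.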