From 0cf316693a23b1bf19f36ecc6baccf187589eb34 Mon Sep 17 00:00:00 2001
From: JonBruchim
Date: Wed, 4 Dec 2024 10:11:06 +0200
Subject: [PATCH] added resources and verbs for the cluster role
---
 helm-charts/falcon-sensor/README.md | 3 ++-
 .../falcon-sensor/templates/clusterrole.yaml | 18 +++++++++++++++++-
 .../templates/clusterrolebinding.yaml | 2 +-
 helm-charts/falcon-sensor/values.yaml | 3 +++
 4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
index 9346620b..26baac19 100644
--- a/helm-charts/falcon-sensor/README.md
+++ b/helm-charts/falcon-sensor/README.md
@@ -127,7 +127,8 @@ The following tables lists the more common configurable parameters of the chart
 | `node.image.pullSecrets` | Pull secrets for private registry | None (Conflicts with node.image.registryConfigJSON) |
 | `node.image.registryConfigJSON` | base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) |
 | `node.daemonset.resources` | Configure Node sensor resource requests and limits (eBPF mode only) | None (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory.

:warning: **Warning**:
If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!
| -| `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required) | +| `node.disableCDP` | Disables the Cloud Data Protection module | `false` | +| `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required) | | `falcon.cid` and `node.image.repository` are required values.
diff --git a/helm-charts/falcon-sensor/templates/clusterrole.yaml b/helm-charts/falcon-sensor/templates/clusterrole.yaml
index 0cbd2116..ef2718c2 100644
--- a/helm-charts/falcon-sensor/templates/clusterrole.yaml
+++ b/helm-charts/falcon-sensor/templates/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.container.enabled }}
+{{- if or .Values.container.enabled .Values.node.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -16,6 +16,22 @@ rules:
 - ""
 resources:
 - secrets
+ {{- if and .Values.node.enabled (not .Values.node.disableCDP) }}
+ - pods
+ - services
+ - nodes
+ - daemonsets
+ - replicasets
+ - deployments
+ - jobs
+ - ingresses
+ - cronjobs
+ - persistentvolumes
+ {{- end }}
 verbs:
 - get
+ {{- if and .Values.node.enabled (not .Values.node.disableCDP) }}
+ - watch
+ - list
+ {{- end }}
 {{- end }}
diff --git a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
index 77ff998f..604ccdd6 100644
--- a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
+++ b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.container.enabled }}
+{{- if or .Values.container.enabled .Values.node.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
index 975737c2..19f0e079 100644
--- a/helm-charts/falcon-sensor/values.yaml
+++ b/helm-charts/falcon-sensor/values.yaml
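Review bot: The resources added in the second clusterrole.yaml hunk (`daemonsets`, `replicasets`, `deployments`, `jobs`, `cronjobs`, `ingresses`) live in the `apps`, `batch` and `networking.k8s.io` API groups, but the rule they are appended to has only the core group `""` (the `- ""` at the top of the hunk; the `apiGroups:` key and `rules:` sit above the hunk), so those entries grant nothing and the sensor's list/watch calls for them will be denied. The `watch` and `list` verbs are added to that same rule, so `secrets`, already in its resource list, becomes cluster-wide listable and watchable for the bound subject, which returns every Secret's contents rather than the single `get` the container sensor had. Keep the `secrets` rule at `get` only and put the CDP inventory resources in separate rules per API group, as in the fence below, which replaces the whole `rules:` block. The first hunk also renders this ClusterRole for node-only installs even when `disableCDP` is true, so the node subject then gets cluster-wide `get` on Secrets that nothing in the hunk appears to need; worth confirming against the binding's subject, which is outside this diff.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
  {{- if and .Values.node.enabled (not .Values.node.disableCDP) }}
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - nodes
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - replicasets
      - deployments
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  {{- end }}
```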
@@ -104,6 +104,9 @@ node: postDelete: enabled: true + # When enabled, Cloud data protection module is enabled + disableCDP: false + container: # When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks enabled: false
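Review bot: The comment added above `disableCDP: false` states the opposite of what the key does; it reads `When enabled, Cloud data protection module is enabled`, while the key disables the module when set to `true`. Suggest `# When true, disables the Cloud Data Protection (CDP) module; the ClusterRole rules CDP needs are only rendered while this is false`. The indentation under `node:` is not recoverable from this collapsed hunk, so check that the new key sits at the same level as its sibling keys.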