diff --git a/helm-charts/falcon-image-analyzer/Chart.yaml b/helm-charts/falcon-image-analyzer/Chart.yaml
index 438b3e3f..399c650c 100644
--- a/helm-charts/falcon-image-analyzer/Chart.yaml
+++ b/helm-charts/falcon-image-analyzer/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.10
+version: 1.1.11
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.0.16"
+appVersion: "1.0.17"
diff --git a/helm-charts/falcon-image-analyzer/README.md b/helm-charts/falcon-image-analyzer/README.md
index e2d9aad3..158e96ea 100644
--- a/helm-charts/falcon-image-analyzer/README.md
+++ b/helm-charts/falcon-image-analyzer/README.md
@@ -15,11 +15,11 @@ The Falcon Image Analyzer Helm chart has been tested to deploy on the following
 * SUSE Rancher K3s
 * Red Hat OpenShift Kubernetes
-## New updates in current release (1.1.10) for iar 1.0.16
-- adding `crowdstrikeConfig.enableKlogs` flag to enable native klogs for troubleshooting
-- support `autodiscovery|autodiscover|auto` values for `crowdstrikeConfig.agentRegion` field for commercial cloud customers ONLY. This will enable the IAR
-to discover the customer region automatically IF the customer belongs to commercial cloud (`us-1 | us-2 | eu-1`).
-**NOTE. FOR GOV customers i.e. `gov1|gov2` this is NOT Supported. Please explicitly specify the region**
+## New updates in current release (1.1.11) for iar 1.0.17
+- Support for multiarch IAR. IAR now is supported on both amd64 and arm64 nodes from iar 1.0.17 onwards
+- add `hostNetwork` param in values to support usage of hostnetwork
+- add `dnsPolicy` param in values to support k8s DNS supported polices. no value implies `Default`. see
+https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
 ## Dependencies
@@ -61,6 +61,8 @@ The following tables list the Falcon sensor configurable parameters and their de
 | `exclusions.namespace` optional ( available in falcon-imageanalyzer >= 1.0.8 and Helm Chart v >= 1.1.3) | Set the value as a comma separate list of namespaces to be excluded. all pods in that namespace(s) will be excluded | "" |
 | `exclusions.registry` optional ( available in falcon-imageanalyzer >= 1.0.8 and Helm Chart v >= 1.1.3) | Set the value as a comma separate list of registries to be excluded. all images in that registry(s) will be excluded | "" |
 | `log.output` optional ( available Helm Chart v >= 1.1.7 & falcon-imageanalyzer >= 1.0.12) | Set the value to for log output terminal. `2=stderr` and `1=stdout` | 2 ( stderr ) |
+| `hostNetwork` optional ( available Helm Chart v >= 1.1.11) | Set the value to `true` to use the hostNetwork instead of pod network | `false` |
+| `dnsPolicy` optional ( available Helm Chart v >= 1.1.11) | Set the value to any supported value from https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | `` no value implies `Default` |
 | `scanStats.enabled` optional ( available Helm Chart v >= 1.1.8 & falcon-imageanalyzer >= 1.0.13) | Set `enabled` to true for agent to send scan error and stats to cloud | false |
 | `crowdstrikeConfig.clusterName` required | Cluster name | None |
 | `crowdstrikeConfig.enableDebug` optional | Set to `true` for debug level log verbosity. | false |
@@ -340,6 +342,17 @@ for e.g. a docker-registry secret can be created as below
 ```
 use the above secret as `"my-app-ns:regcred,my-app-ns:regcred2"`
+### PROXY Usage
+If a customer us using proxy settings . Please make sure to add the registry domains ```myreg.some.com``` in the ```NO_PROXY```.
+This is so that the IAR can connect to the registries without proxy and authenticate if needed using secrets provided or download the public free images.
+
+***Note that some registries domains also have other urls based on the auth challange that is sent by the registry service. Please make sure to add those as well to ```NO_PROXY```
+for e.g. for gitlab registries there exists the
+- registry domain ```my-reg.gitlab.com```
+- and the other ```www.gitlab.com```
+
+- The above is very registry provider specific. One needs to ensure nothing ie being blocked by Proxy
+
 ### Pod Eviction
 If for some reason pod evivictions are observed in the Cluster due to exceeding ephemeral storage please set the `priorityClassName` to `system-node-critical` or `system-cluster-critical` in `config-values.yaml` and update.
diff --git a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml
index 6ff22074..10d50873 100644
--- a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml
+++ b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml
@@ -104,4 +104,10 @@ spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
+ {{- if .Values.hostNetwork }}
+ hostNetwork: true
+ dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
+ {{- else if .Values.dnsPolicy}}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- end }}
 {{- end }}
diff --git a/helm-charts/falcon-image-analyzer/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml
index ce637388..745323cf 100644
--- a/helm-charts/falcon-image-analyzer/templates/deployment.yaml
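Review bot: The six-line hostNetwork/dnsPolicy block added to the DaemonSet pod spec is duplicated byte-for-byte in the deployment.yaml hunk that follows; defining it once as a named template and including it from both manifests would keep the two from drifting when the policy logic changes. The `{{- else if .Values.dnsPolicy}}` line is also missing the space before `}}` that every other action in the hunk has. Because `dnsPolicy` is a free-form value, rendering it as `dnsPolicy: {{ .Values.dnsPolicy | quote }}` protects against YAML retyping an unexpected input, and a comment such as `# with hostNetwork, any policy other than ClusterFirstWithHostNet falls back to node (Default) DNS per the Kubernetes DNS docs` would help operators who override the default. The enclosing `{{- if }}` closed by the trailing `{{- end }}` starts outside the hunk.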
+++ b/helm-charts/falcon-image-analyzer/templates/deployment.yaml
@@ -115,4 +115,10 @@ spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
+ {{- if .Values.hostNetwork }}
+ hostNetwork: true
+ dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
+ {{- else if .Values.dnsPolicy}}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- end }}
 {{- end }}
diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml
index 78d4346c..4940ff1c 100644
--- a/helm-charts/falcon-image-analyzer/values.yaml
+++ b/helm-charts/falcon-image-analyzer/values.yaml
@@ -73,10 +73,6 @@ affinity:
 operator: In
 values:
 - linux
- - key: kubernetes.io/arch
- operator: In
- values:
- - amd64
 priorityClassName: ""
@@ -112,6 +108,15 @@ exclusions: # registry: "index.docker.io,my.private.registry,localhost,localhost:1234" registry: "" + # set this to true will bypass the kubernetes network and use the node/host network. This is needed in some # setups where proxy rules are strict and if we IAR to make calls especially for private registry/auth via the host. # NOTE That setting this to true will also set the dnsPolicy: "ClusterFirstWithHostNet" hostNetwork: false + # Define ImageAnalyzer POD DNS Policy, defaults to "ClusterFirstWithHostNet" when hostNetwork = true dnsPolicy: + # Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2 # each secret should be of type docker-registry for each of the private registry that is used. # for e.g. a docker-registry secret can be created as below
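Review bot: The comment above the new `hostNetwork: false` key explains why an operator might enable it but not what it costs: a pod in the node's network namespace is no longer bounded by NetworkPolicy, can reach whatever the node can, and is rejected by the Pod Security `baseline` and `restricted` admission levels, so namespaces enforcing them need an exemption before this can be turned on. Suggest adding `# SECURITY: hostNetwork shares the node's network namespace; NetworkPolicy no longer applies and PodSecurity baseline/restricted will reject the pod` and keeping the shipped default at `false`. The bare `dnsPolicy:` parses as null, which the templates' `if .Values.dnsPolicy` treats as unset, but yamllint flags empty values and a reader cannot tell whether a value was forgotten; `dnsPolicy: ""` is explicit and behaves identically with `default` and `if`. The `dnsPolicy` comment should also say what an unset value yields when `hostNetwork` is false: the field is omitted and Kubernetes applies its own default, `ClusterFirst`, not the `Default` policy that the README rows in this commit name, so the two documents currently disagree.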