Skip to content

Commit

Permalink
Merge pull request #226 from cs-pvyas/pvyas-falcon-iar-helm
Browse files Browse the repository at this point in the history 
CS Falcon Image Analyzer ( IAR ) Helm
  • Loading branch information
@redhatrises
redhatrises authored Jan 30, 2024
2 parents 39a4f51 + bbddf30 commit 403ebf7
Show file tree
Hide file tree
Showing 18 changed files with 1,029 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/helm-test.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
- 'helm-charts/**'
- '!helm-charts/falcon-sensor/**'
- '!helm-charts/cs-k8s-protection-agent/**'
- '!helm-charts/falcon-image-analyzer/**'
- '!helm-charts/falcon-kac/**'

jobs:
Expand Down
1 change: 1 addition & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ This repository is a collection of CrowdStrike Helm Charts. The Helm Charts deve
| [Falcon Sensor](helm-charts/falcon-sensor) | Deploys the Falcon Sensor to Kubernetes Nodes or as a Sidecar to a pod. See [the README](helm-charts/falcon-sensor/README.md) for more info. |
| [Falcon Integration Gateway](helm-charts/falcon-integration-gateway) | Deploys the Falcon Integration Gateway. See [the README](helm-charts/falcon-integration-gateway/README.md) for more info. |
| [Falcon Kubernetes Admission Controller](helm-charts/falcon-kac) | Deploy the Falcon Kubernetes Admission Controller. See [the README](helm-charts/falcon-kac/README.md) for more info. |
| [Falcon Image Analyzer](helm-charts/falcon-image-analyzer) | Deploy the Falcon Image Analyzer. See [the README](helm-charts/falcon-image-analyzer/README.md) for more info. |

## Developer Guide
If you are a developer, please read our [Developer's Guide](docs/developer_guide.md).
Expand Down
23 changes: 23 additions & 0 deletions helm-charts/falcon-image-analyzer/.helmignore
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
24 changes: 24 additions & 0 deletions helm-charts/falcon-image-analyzer/Chart.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: v2
name: falcon-image-analyzer
description: A Helm chart for Kubernetes

# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.0.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.0.0"
107 changes: 107 additions & 0 deletions helm-charts/falcon-image-analyzer/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
# CrowdStrike Falcon Image Analyzer Helm Chart

[Falcon](https://www.crowdstrike.com/) is the [CrowdStrike](https://www.crowdstrike.com/)
platform purpose-built to stop breaches via a unified set of cloud-delivered
technologies that prevent all types of attacks — including malware and much
more.

## Kubernetes cluster compatability

The Falcon Image Analyzer Helm chart has been tested to deploy on the following Kubernetes distributions:

* Amazon Elastic Kubernetes Service (EKS) - EKS and EKS Fargate
* Azure Kubernetes Service (AKS)
* Google Kubernetes Engine (GKE)
* SUSE Rancher K3s
* Red Hat OpenShift Kubernetes

## Dependencies

1. Requires a x86_64 Kubernetes cluster
1. Before deploying the Helm chart, you should have the `falcon-imageanalyzer` container image in your own container registry, or use CrowdStrike's registry before installing the Helm chart. See the [Deployment Considerations](#deployment-considerations) for more.
1. Helm 3.x is installed and supported by the Kubernetes vendor.

## Installation

### Add the CrowdStrike Falcon Helm repository

```
helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
```

### Update the local Helm repository cache

```
helm repo update
```

## Falcon configuration options

The following tables list the Falcon sensor configurable parameters and their default values.

| Parameter | Description | Default |
|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------|
| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `socket` | false |
| `deployment.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `watcher` | false |
| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` |
| `image.tag` | Image tag version | None |
| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false |
| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` |
| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false |
| `crowdstrikeConfig.clusterName` | Cluster name | None |
| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. | false |
| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None |
| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None |
| `crowdstrikeConfig.cid` | Customer ID (CID) | None |
| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None |
| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None |
| `crowdstrikeConfig.agentRunmode` | Agent run mode `watcher` or `socket` for Kubernetes. Set this along with `deployment.enabled` and `daemonset.enabled` respectively | None |
| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None |
| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None |
| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None |

## Installing on Kubernetes cluster nodes

### Deployment considerations

For a successful deployment, you will want to ensure that:
1. By default, the Helm chart installs in the `default` namespace. Best practices for deploying to Kubernetes is to create a new namespace. This can be done by adding `--create-namespace -n falcon-image-analyzer` to your `helm install` command. The namespace can be any name that you wish to use.
1. You must be a cluster administrator to deploy Helm charts to the cluster.
1. CrowdStrike's Helm chart is a project, not a product, and released to the community as a way to automate sensor deployment to Kubernetes clusters. The upstream repository for this project is [https://github.com/CrowdStrike/falcon-helm](https://github.com/CrowdStrike/falcon-helm).

### Pod Security Standards

Starting with Kubernetes 1.25, Pod Security Standards will be enforced. Setting the appropriate Pod Security Standards policy needs to be performed by adding a label to the namespace. Run the following command, and replace `my-existing-namespace` with the namespace that you have installed the falcon sensors, for example: `falcon-image-analyzer`.
```
kubectl label --overwrite ns my-existing-namespace \
pod-security.kubernetes.io/enforce=privileged
```

If you want to silence the warning and change the auditing level for the Pod Security Standard, add the following labels:
```
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/audit=privileged
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged
```

### Install CrowdStrike Falcon Helm chart on Kubernetes nodes

Before you install IAR, set the Helm chart variables and add them to the `values.yaml` file. Then, run the following to install IAR:

```
helm upgrade --install -f path-to-my-values.yaml \
--create-namespace -n falcon-image-analyzer imageanalyzer falcon-helm crowdstrike/falcon-image-analyzer
```


For more details, see the [falcon-helm](https://github.com/CrowdStrike/falcon-helm) repository.

```
helm show values crowdstrike/falcon-sensor
```

## Uninstall Helm chart

To uninstall, run the following command:
```
helm uninstall imageanalyzer -n falcon-image-analyzer && kubectl delete namespace falcon-image-analyzer
```
5 changes: 5 additions & 0 deletions helm-charts/falcon-image-analyzer/ci/cid-values.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
crowdstrikeConfig:
clusterName: "test-cluster12.test"
clientID: "abcdefABCDEF0123456789abcdefABCD"
clientSecret: "abcdefABCDEF0123456789abcdefABCDEF012345"
cid: "1234567890ABCDEF1234567890ABCDEF-12"
3 changes: 3 additions & 0 deletions helm-charts/falcon-image-analyzer/templates/NOTES.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
The Crowdstrike Image Analyzer Agent is now deployed to your cluster under the {{ .Release.Namespace }} namespace as {{ include "falcon-image-analyzer.fullname" . }}. You can now check if the agent is running by running the following command:

"kubectl -n {{ .Release.Namespace}} get pods"
167 changes: 167 additions & 0 deletions helm-charts/falcon-image-analyzer/templates/_helpers.tpl
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,167 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "falcon-image-analyzer.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "falcon-image-analyzer.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "falcon-image-analyzer.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "falcon-image-analyzer.labels" -}}
helm.sh/chart: {{ include "falcon-image-analyzer.chart" . }}
{{ include "falcon-image-analyzer.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "falcon-image-analyzer.selectorLabels" -}}
app.kubernetes.io/name: {{ include "falcon-image-analyzer.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "falcon-image-analyzer.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "falcon-image-analyzer.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{- define "falcon-image-analyzer.securityContext" -}}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" -}}
privileged: {{ .Values.securityContext.privileged | default true }}
allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
runAsUser: {{ .Values.securityContext.runAsUser | default 0 }}
runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
{{- end }}
{{- end }}

{{- define "falcon-image-analyzer.volumeMounts" -}}
{{- if lt (len .Values.volumeMounts) 2 -}}
{{- .Values.volumeMounts | toYaml }}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
- name: var-run
mountPath: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }}
- name: storage
mountPath: /run/containers/storage
- name: containers
mountPath: /var/lib/containers
- name: fuse-overlay
mountPath: /usr/bin/fuse-overlayfs
- name: crio-conf
mountPath: /etc/containers
{{- end }}
{{- end }}
{{- else -}}
{{- .Values.volumeMounts | toYaml }}
{{- end }}
{{- end }}

{{- define "falcon-image-analyzer.volumes" -}}
{{- if lt (len .Values.volumes) 2 -}}
{{- .Values.volumes | toYaml }}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
- name: var-run
hostPath:
path: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
type: Socket
{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }}
- name: storage
hostPath:
path: /run/containers/storage
type: Directory
- name: containers
hostPath:
path: /var/lib/containers
type: Directory
- name: crio-conf
hostPath:
path: /etc/containers
type: Directory
- name: fuse-overlay
hostPath:
path: /usr/bin/fuse-overlayfs
type: File
{{- end }}
{{- end }}
{{- else -}}
{{- .Values.volumes | toYaml }}
{{- end }}
{{- end }}

{{- define "falcon-image-analyzer.agentRuntimeSocket" -}}
{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
{{- if not .Values.crowdstrikeConfig.agentRuntimeSocket }}
{{- if eq .Values.crowdstrikeConfig.agentRuntime "docker" }}
{{- printf "%s" "unix:///run/docker.sock" }}
{{- else if eq .Values.crowdstrikeConfig.agentRuntime "containerd" -}}
{{- printf "%s" "unix:///run/containerd/containerd.sock" }}
{{- else if eq .Values.crowdstrikeConfig.agentRuntime "crio" -}}
{{- printf "%s" "unix:///run/crio/crio.sock" }}
{{- else if eq .Values.crowdstrikeConfig.agentRuntime "podman" -}}
{{- printf "%s" "unix:///run/podman/podman.sock" }}
{{- end }}
{{- else -}}
{{- .Values.crowdstrikeConfig.agentRuntimeSocket }}
{{- end }}
{{- end }}
{{- end }}

{{- define "falcon-image-analyzer.imagePullSecret" }}
{{- with .Values.crowdstrikeConfig }}
{{- if eq .agentRegion "us-gov-1" }}
{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"[email protected]\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }}
{{- else if eq .agentRegion "us-gov-2" }}
{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.mil\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"[email protected]\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }}
{{- else }}
{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"[email protected]\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }}
{{- end }}
{{- end }}
{{- end }}

{{- define "falcon-image-analyzer.image" -}}
{{- if .Values.image.digest -}}
{{- if contains "sha256:" .Values.image.digest -}}
{{- printf "%s@%s" .Values.image.repository .Values.image.digest -}}
{{- else -}}
{{- printf "%s@%s:%s" .Values.image.repository "sha256" .Values.image.digest -}}
{{- end -}}
{{- else -}}
{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}}
{{- end -}}
{{- end -}}
14 changes: 14 additions & 0 deletions helm-charts/falcon-image-analyzer/templates/cluster-role-read-access-binding.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "falcon-image-analyzer.fullname" . }}
labels:
{{- include "falcon-image-analyzer.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "falcon-image-analyzer.fullname" . }}
17 changes: 17 additions & 0 deletions helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "falcon-image-analyzer.fullname" . }}
labels:
{{- include "falcon-image-analyzer.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
- secrets
- namespaces
verbs:
- get
- watch
- list
Loading

0 comments on commit 403ebf7

Please sign in to comment.