added resources and verbs for the cluster role

CrowdStrike · Dec 12, 2024 · 6b971ad · 6b971ad
1 parent 4abe394
commit 6b971ad
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 3 deletions.
diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
@@ -127,7 +127,8 @@ The following tables lists the more common configurable parameters of the chart
 | `node.image.pullSecrets`          | Pull secrets for private registry                                      | None       (Conflicts with node.image.registryConfigJSON)               |
 | `node.image.registryConfigJSON`   | base64 encoded docker config json for the pull secret                  | None       (Conflicts with node.image.pullSecrets)                      |
 | `node.daemonset.resources`        | Configure Node sensor resource requests and limits (eBPF mode only)    | None       (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory.<br><br><div class="warning">:warning: **Warning**:<br>If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!</div> |
-| `falcon.cid`                      | CrowdStrike Customer ID (CID)                                          | None       (Required)                                                   |
+| `node.cdpRolesEnabled`            | Enabled the Cloud Data Protection module                               | `true`                                                                  |
+| `falcon.cid`                      | CrowdStrike Customer ID (CID)                                          | None       (Required)                                                   |                                                                 |
 
 `falcon.cid` and `node.image.repository` are required values.
 

diff --git a/helm-charts/falcon-sensor/templates/clusterrole.yaml b/helm-charts/falcon-sensor/templates/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.container.enabled }}
+{{- if or .Values.container.enabled .Values.node.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -16,6 +16,22 @@ rules:
   - ""
   resources:
   - secrets
+  {{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }}
+  - pods
+  - services
+  - nodes
+  - daemonsets
+  - replicasets
+  - deployments
+  - jobs
+  - ingresses
+  - cronjobs
+  - persistentvolumes
+  {{- end }}
   verbs:
   - get
+  {{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }}
+  - watch
+  - list
+  {{- end }}
 {{- end }}
diff --git a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.container.enabled }}
+{{- if or .Values.container.enabled .Values.node.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
@@ -104,6 +104,9 @@ node:
     postDelete:
       enabled: true
 
+  # When enabled, Cloud data protection module is enabled
+  cdpRolesEnabled: true
+
 container:
   # When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks
   enabled: false