From 6933e6af00c0a3cbdba0ec61d87def226651459d Mon Sep 17 00:00:00 2001 
From: pvyas Date: Wed, 11 Oct 2023 09:10:06 -0400 Subject: [PATCH 01/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- .github/workflows/helm-test.yaml | 1 + .../cs-image-analyzer-agent/.helmignore | 23 ++++++ .../cs-image-analyzer-agent/Chart.yaml | 24 ++++++ .../runtime-values/containerd.yaml | 31 ++++++++ .../runtime-values/crio.yaml | 55 ++++++++++++++ .../runtime-values/docker.yaml | 31 ++++++++ .../runtime-values/podman.yaml | 31 ++++++++ .../templates/NOTES.txt | 3 + .../templates/_helpers.tpl | 75 +++++++++++++++++++ .../cluster-role-read-access-binding.yaml | 14 ++++ .../templates/cluster-role-read-access.yaml | 14 ++++ .../templates/configmap.yaml | 15 ++++ .../templates/daemonset.yaml | 66 ++++++++++++++++ .../templates/deployment.yaml | 67 +++++++++++++++++ .../templates/docker-secret.yaml | 11 +++ .../templates/secret.yaml | 11 +++ .../templates/serviceaccount.yaml | 13 ++++ .../cs-image-analyzer-agent/values.yaml | 65 ++++++++++++++++ 18 files changed, 550 insertions(+) create mode 100644 helm-charts/cs-image-analyzer-agent/.helmignore create mode 100644 helm-charts/cs-image-analyzer-agent/Chart.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/NOTES.txt create mode 100644 helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl create mode 100644 helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/configmap.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml create mode 
100644 helm-charts/cs-image-analyzer-agent/templates/deployment.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/secret.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml create mode 100644 helm-charts/cs-image-analyzer-agent/values.yaml diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml index 9937f529..9fb10bd3 100644 --- a/.github/workflows/helm-test.yaml +++ b/.github/workflows/helm-test.yaml @@ -6,6 +6,7 @@ on: - 'helm-charts/**' - '!helm-charts/falcon-sensor/**' - '!helm-charts/cs-k8s-protection-agent/**' + - '!helm-charts/cs-image-analyzer-agent/**' - '!helm-charts/falcon-kac/**' jobs: diff --git a/helm-charts/cs-image-analyzer-agent/.helmignore b/helm-charts/cs-image-analyzer-agent/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm-charts/cs-image-analyzer-agent/Chart.yaml b/helm-charts/cs-image-analyzer-agent/Chart.yaml new file mode 100644 index 00000000..a825e1f7 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/Chart.yaml 
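Review bot: The added `- '!helm-charts/cs-image-analyzer-agent/**'` exclusion keeps every change under the new chart from triggering the helm-test workflow, so nothing in CI renders or lints these templates while the draft evolves. If the exclusion is meant to be temporary until the chart is ready for the shared test job, say so next to it, e.g. `# TODO: drop once the chart is wired into the test matrix`; if it is permanent, the chart should get its own lint/template step so template errors are caught before release.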
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: cs-image-analyzer-agent +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml b/helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml new file mode 100644 index 00000000..c58b7446 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml 
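Review bot: `appVersion: "1.16.0"` and `description: A Helm chart for Kubernetes` are the `helm create` scaffold values, and `appVersion` is load-bearing here: daemonset.yaml and deployment.yaml build the image reference as `{{ .Values.image.tag | default .Chart.AppVersion }}`, and values.yaml leaves `image.tag` empty, so a default install pulls `<repository>:1.16.0`, a tag that has nothing to do with the analyzer agent. Set `appVersion` to the agent release the chart actually targets and replace the description with one that names the product, e.g. `description: A Helm chart for the CrowdStrike Falcon Image Analyzer agent`. The scaffold comment block above these keys can be trimmed at the same time.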
@@ -0,0 +1,31 @@ +# TO BE USED ONLY WHEN Deploying as DaemonSet + +securityContext: + privileged: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 + +# Required for socket mode +volumeMounts: + - mountPath: /tmp + name: tmp-volume + - mountPath: /run/containerd/containerd.sock + name: var-run + +# This is a mandatory mount for both deployment and daemon set. +# this is used as a tmp working space for image storage +# Required for socket mode +volumes: + - name: tmp-volume + emptyDir: + sizeLimit: 20Gi + - name: var-run + hostPath: + path: /run/containerd/containerd.sock # Change It if different from default path + type: Socket + + +crowdstrikeConfig: + agentRuntime: containerd + agentRuntimeSocket: "unix:///run/containerd/containerd.sock" \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml b/helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml new file mode 100644 index 00000000..43c3cf48 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml 
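Review bot: The `securityContext` block at the top of this file grants `privileged: true`, `allowPrivilegeEscalation: true` and uid/gid 0, and nothing in the file explains why socket mode needs more than filesystem access to the runtime socket it mounts; daemonset.yaml and deployment.yaml both pass `.Values.securityContext` through unchanged, so the header comment `TO BE USED ONLY WHEN Deploying as DaemonSet` is the only thing keeping this context off the Deployment. Document the reason for each elevated setting next to it, for example `# privileged: required for <reason> — drop if socket access alone is sufficient`, and if the agent only talks to the runtime over the socket, verify the chart with `privileged: false` and the narrower settings first. The same block is repeated verbatim in crio.yaml, docker.yaml and podman.yaml.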
@@ -0,0 +1,55 @@ +# TO BE USED ONLY WHEN Deploying as DaemonSet + +securityContext: + privileged: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 + +# Required for socket mode +volumeMounts: + - mountPath: /tmp + name: tmp-volume + - mountPath: /run/crio/crio.sock + name: var-run + - mountPath: /run/containers/storage + name: storage + - mountPath: /var/lib/containers + name: containers + - mountPath: /usr/bin/fuse-overlayfs + name: fuse-overlay + - mountPath: /etc/containers/storage.conf + name: crio-conf + + +# This is a mandatory mount for daemon set. +# this is used as a tmp working space for image storage +volumes: + - name: tmp-volume + emptyDir: + sizeLimit: 20Gi + - name: var-run + hostPath: + path: /run/crio/crio.sock # Change It if different from default path + type: Socket + - name: storage + hostPath: + path: /run/containers/storage # Change It if different from default path + type: Directory + - name: containers + hostPath: + path: /var/lib/containers # Change It if different from default path + type: Directory + - name: fuse-overlay + hostPath: + path: /usr/bin/fuse-overlayfs # Change It if different from default path + type: File + - name: crio-conf + hostPath: + path: /etc/containers/storage.conf # Change It if different from default path + type: File + + +crowdstrikeConfig: + agentRuntime: crio + agentRuntimeSocket: "unix:///run/crio/crio.sock" \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml b/helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml new file mode 100644 index 00000000..93d95c00 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml 
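Review bot: The `storage`, `containers`, `fuse-overlay` and `crio-conf` hostPath mounts in `volumeMounts` are all read-write: nothing marks `/etc/containers/storage.conf`, `/usr/bin/fuse-overlayfs`, `/run/containers/storage` or `/var/lib/containers` as `readOnly`, so a defect in the agent container can modify the node's container storage and its overlay helper binary. A config file and a binary the agent only executes should be mounted `readOnly: true`, e.g. `- mountPath: /etc/containers/storage.conf`, `name: crio-conf`, `readOnly: true`; whether the two storage directories can also be read-only depends on whether the agent writes into them, which the chart does not say. A short comment on each mount stating what the agent needs it for would make that decision reviewable.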
@@ -0,0 +1,31 @@ +# TO BE USED ONLY WHEN Deploying as DaemonSet + +securityContext: + privileged: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 + +# Required for socket mode +volumeMounts: + - mountPath: /tmp + name: tmp-volume + - mountPath: /run/docker.sock + name: var-run + +# This is a mandatory mount for daemon set. +# this is used as a tmp working space for image storage +# Required for socket mode +volumes: + - name: tmp-volume + emptyDir: + sizeLimit: 20Gi + - name: var-run + hostPath: + path: /run/docker.sock # Change It if different from default path + type: Socket + + +crowdstrikeConfig: + agentRuntime: docker + agentRuntimeSocket: "unix:///run/docker.sock" \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml b/helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml new file mode 100644 index 00000000..7442a15e --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml @@ -0,0 +1,31 @@ +# TO BE USED ONLY WHEN Deploying as DaemonSet + +securityContext: + privileged: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 + +# Required for socket mode +volumeMounts: + - mountPath: /tmp + name: tmp-volume + - mountPath: /run/podman/podman.sock + name: var-run + +# This is a mandatory mount for daemon set. +# this is used as a tmp working space for image storage +# Required for socket mode +volumes: + - name: tmp-volume + emptyDir: + sizeLimit: 20Gi + - name: var-run + hostPath: + path: /run/podman/podman.sock # Change It if different from default path + type: Socket + + +crowdstrikeConfig: + agentRuntime: podman + agentRuntimeSocket: "unix:///run/podman/podman.sock" \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/NOTES.txt b/helm-charts/cs-image-analyzer-agent/templates/NOTES.txt new file mode 100644 index 00000000..edcfa11e --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/NOTES.txt 
@@ -0,0 +1,3 @@ +The Crowdstrike Image Analyzer Agent is now deployed to your cluster under the {{ .Release.Namespace }} namespace as {{ include "cs-image-analyzer-agent.fullname" . }}. You can now check if the agent is running by running the following command: + +"kubectl -n {{ .Release.Namespace}} get pods" diff --git a/helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl b/helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl new file mode 100644 index 00000000..e46c5419 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl 
@@ -0,0 +1,75 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "cs-image-analyzer-agent.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cs-image-analyzer-agent.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cs-image-analyzer-agent.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "cs-image-analyzer-agent.labels" -}} +helm.sh/chart: {{ include "cs-image-analyzer-agent.chart" . }} +{{ include "cs-image-analyzer-agent.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "cs-image-analyzer-agent.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cs-image-analyzer-agent.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cs-image-analyzer-agent.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "cs-image-analyzer-agent.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + + +{{- define "imagePullSecret" }} +{{- with .Values.crowdstrikeConfig }} +{{- if eq .env "us-gov-1" }} +{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- else if eq .env "us-gov-2" }} +{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- else }} +{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml b/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml new file mode 100644 index 00000000..d9e55603 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "cs-image-analyzer-agent.fullname" . }} 
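Review bot: `imagePullSecret` selects the registry with `eq .env "us-gov-1"` / `eq .env "us-gov-2"`, but `env` is not among the keys declared under `crowdstrikeConfig` in values.yaml, so the GovCloud branches are reachable only through an undocumented value and a default install always renders the commercial `registry.crowdstrike.com` entry; add `env: ""` to values.yaml with a comment listing the accepted values, or derive the registry from a documented region key. In the same file, `cs-image-analyzer-agent.serviceAccountName` reads `.Values.serviceAccount.create`, which values.yaml also does not declare, and no template calls the helper: daemonset.yaml, deployment.yaml, serviceaccount.yaml and the ClusterRoleBinding each inline `.Values.serviceAccount.name | default (include "cs-image-analyzer-agent.fullname" .)` instead. Either route them through the helper or delete it so the account name has one definition. `imagePullSecret` is also the only template not prefixed with the chart name, which risks a collision if this chart is ever combined with subcharts.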
diff --git a/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml b/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml new file mode 100644 index 00000000..d23d1eaa --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +rules: + - verbs: [ "get", "watch", "list" ] + apiGroups: [ "" ] + resources: + - "pods" + - "secrets" + - "namespaces" + diff --git a/helm-charts/cs-image-analyzer-agent/templates/configmap.yaml b/helm-charts/cs-image-analyzer-agent/templates/configmap.yaml new file mode 100644 index 00000000..f1a146af --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/configmap.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +data: + AGENT_CID: {{ required "Customer cid should be provided" .Values.crowdstrikeConfig.cid | quote }} + AGENT_CLUSTER_NAME: {{ required "A cluster name must be provided for the agent" .Values.crowdstrikeConfig.clusterName | quote }} + AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | default "false" | quote }} + AGENT_RUNMODE: {{ .Values.crowdstrikeConfig.runMode | default "watcher" | quote }} #( watcher / socket ) + AGENT_REGION: {{ .Values.crowdstrikeConfig.agentRegion | quote }} + AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }} # not used in watcher mode + AGENT_RUNTIME_SOCKET: {{ .Values.crowdstrikeConfig.agentRuntimeSocket | quote }} #( have defaults constants for docker/podman/crio/ctrd ) + AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.maxConsumerThreads | default "1" | quote }} \ No newline at end of file 
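Review bot: The single rule under `rules` grants `get`, `watch` and `list` on `secrets` in every namespace, because this is a ClusterRole bound cluster-wide by the accompanying ClusterRoleBinding; that lets the agent's service account read every Secret in the cluster, not only the registry credentials it presumably needs to fetch images for analysis. Add a comment above the rule stating exactly which Secrets the agent reads and why, e.g. `# secrets: read the imagePullSecrets referenced by pods so their images can be fetched — TODO confirm nothing narrower works`, so the grant can be re-evaluated against that need. Note also that `metadata.name` is the release fullname on a cluster-scoped object, so two releases with the same name in different namespaces will collide on this ClusterRole.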
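Review bot: `AGENT_RUNMODE` reads `.Values.crowdstrikeConfig.runMode` and `AGENT_MAX_CONSUMER_THREADS` reads `.Values.crowdstrikeConfig.maxConsumerThreads`, but values.yaml declares these settings as `agentRunmode` and `agentMaxConsumerThreads`, so whatever a user sets there is ignored and the ConfigMap always emits the `"watcher"` and `"1"` defaults. Align the two sides, e.g. `AGENT_RUNMODE: {{ .Values.crowdstrikeConfig.agentRunmode | default "watcher" | quote }}` and `AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.agentMaxConsumerThreads | default "1" | quote }}`, and re-check `agentRegion`, `agentRuntime` and `agentRuntimeSocket`, which do match today. The trailing `#( watcher / socket )` style remarks sit after the template expression on the same line; a comment line above each key reads better and keeps `helm template` output clean.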
diff --git a/helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml b/helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml new file mode 100644 index 00000000..3954002c --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml 
@@ -0,0 +1,66 @@ +{{- if .Values.daemonset.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "cs-image-analyzer-agent.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 8 }} + spec: + {{ if .Values.crowdstrikeConfig.dockerAPIToken }} + imagePullSecrets: + - name: {{ include "cs-image-analyzer-agent.fullname" . }}-regsecret + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: ["-runmode", "socket"] + envFrom: + - configMapRef: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + - secretRef: + {{- if .Values.crowdstrikeConfig.existingSecret }} + name: {{ .Values.crowdstrikeConfig.existingSecret }} + {{- else }} + name: {{ include "cs-image-analyzer-agent.fullname" . }} + {{- end }} + volumeMounts: + {{- toYaml .Values.volumeMounts | default "" | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . 
| default "" | nindent 8 }} + {{- end}} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/deployment.yaml b/helm-charts/cs-image-analyzer-agent/templates/deployment.yaml new file mode 100644 index 00000000..89b6a6af --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/deployment.yaml 
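Review bot: The container receives its run mode from two places that disagree by default: `args: ["-runmode", "socket"]` is hard-coded here, while the `configMapRef` under `envFrom` injects `AGENT_RUNMODE`, which configmap.yaml defaults to `"watcher"`; which of the two the agent honours is not visible from the chart. Drop the env var from the ConfigMap for this workload or document the precedence next to `args`, e.g. `# -runmode on the command line overrides AGENT_RUNMODE from the ConfigMap — TODO confirm`. Smaller points in the same hunk: `{{ if .Values.crowdstrikeConfig.dockerAPIToken }}` lacks the `{{-` trim its matching `{{- end }}` uses and leaves a stray blank line in the rendered spec, and `| default ""` inside `{{- with .Values.volumes }}` can never fire because `with` already skipped the empty case. Both of these also appear in deployment.yaml.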
@@ -0,0 +1,67 @@ +{{- if .Values.deployment.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "cs-image-analyzer-agent.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 8 }} + spec: + {{ if .Values.crowdstrikeConfig.dockerAPIToken }} + imagePullSecrets: + - name: {{ include "cs-image-analyzer-agent.fullname" . }}-regsecret + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: ["-runmode", "watcher"] + envFrom: + - configMapRef: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + - secretRef: + {{- if .Values.crowdstrikeConfig.existingSecret }} + name: {{ .Values.crowdstrikeConfig.existingSecret }} + {{- else }} + name: {{ include "cs-image-analyzer-agent.fullname" . }} + {{- end }} + volumeMounts: + {{- toYaml .Values.volumeMounts | default "" | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . 
| default "" | nindent 8 }} + {{- end}} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml b/helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml new file mode 100644 index 00000000..3df61518 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml @@ -0,0 +1,11 @@ +{{ if .Values.crowdstrikeConfig.dockerAPIToken }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }}-regsecret + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} + {{- end}} \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/secret.yaml b/helm-charts/cs-image-analyzer-agent/templates/secret.yaml new file mode 100644 index 00000000..73b23732 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- if (not .Values.crowdstrikeConfig.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cs-image-analyzer-agent.fullname" . }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} +data: + AGENT_CLIENT_ID: {{ required "A valid crowdstrike client ID is required" .Values.crowdstrikeConfig.clientID | b64enc | quote }} + AGENT_CLIENT_SECRET: {{ required "A valid crowdstrike client secret is required" .Values.crowdstrikeConfig.clientSecret | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml b/helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml new file mode 100644 index 00000000..3160207f --- /dev/null 
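Review bot: `matchLabels` here is the same `cs-image-analyzer-agent.selectorLabels` set the DaemonSet uses, so when both `deployment.enabled` and `daemonset.enabled` are true the two controllers' selectors overlap, which the API does not reject but Kubernetes documents as unsupported. If running watcher and socket mode side by side is intended, add a per-workload label to both the selector and the pod template, e.g. `app.kubernetes.io/component: watcher` here and `app.kubernetes.io/component: socket` in the DaemonSet, leaving the shared helper unchanged; if it is not intended, fail early with `{{- if and .Values.daemonset.enabled .Values.deployment.enabled }}{{ fail "enable either daemonset or deployment, not both" }}{{ end }}` in one of the templates. `{{ if .Values.crowdstrikeConfig.dockerAPIToken }}` is also missing the `{{-` trim here.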
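Review bot: `.dockerconfigjson` is built from `crowdstrikeConfig.cid` and `crowdstrikeConfig.dockerAPIToken` taken straight from values, so the registry token has to be passed on the `helm` command line or in a values file and then lives in the rendered manifest and, like any value, is stored with the Helm release; the API credentials in secret.yaml can instead be supplied through `existingSecret`, but there is no equivalent for the pull secret. Consider an `existingSecret`-style value (name to be chosen) that lets `imagePullSecrets` in daemonset.yaml and deployment.yaml reference a pre-created `kubernetes.io/dockerconfigjson` Secret, with this template skipped when it is set. The opening `{{ if` lacks the `{{-` trim that `{{- end}}` has and renders a leading blank line.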
+++ b/helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + labels: + {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/helm-charts/cs-image-analyzer-agent/values.yaml b/helm-charts/cs-image-analyzer-agent/values.yaml new file mode 100644 index 00000000..1e09da28 --- /dev/null +++ b/helm-charts/cs-image-analyzer-agent/values.yaml @@ -0,0 +1,65 @@ +# Default values for cs-image-analyzer-agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +daemonset: + enabled: false + +deployment: + enabled: false + +replicaCount: 1 +image: + repository: eng-cloud-docker-sandbox-local.artifactory.crwd.dev/cloud/cs-imageanalyzer + tag: + pullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: agent-config + +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Annotations to add to the service account + name: "" + annotations: {} + +volumeMounts: + - mountPath: /tmp + name: tmp-volume + +podAnnotations: {} + +podSecurityContext: {} + +securityContext: {} + +nodeSelector: {} + +resources: {} + +tolerations: [] + +affinity: {} + +# This is a mandatory mount for both deployment and daemon set. +# this is used as a tmp working space for image storage +volumes: + - name: tmp-volume + emptyDir: + sizeLimit: 20Gi + +crowdstrikeConfig: + clusterName: "" + enableDebug: "" + clientID: "" + clientSecret: "" + cid: "" + dockerAPIToken: "" + existingSecret: "" + agentRunmode: "" + agentRegion: "" + agentRuntime: "" + agentRuntimeSocket: "" + agentMaxConsumerThreads: "" 
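Review bot: The `commonLabels` branch calls `include "common.tplvalues.render" ...`, a helper this chart does not define — _helpers.tpl has no such template and Chart.yaml declares no `dependencies` that would bring in a common library — so setting `commonLabels` makes rendering fail with an undefined-template error, and values.yaml does not declare the key at all. Either render the value directly, `{{- toYaml .Values.commonLabels | nindent 4 }}`, or remove the branch; if it stays, add `commonLabels: {}` to values.yaml and apply it on the other resources too, otherwise the labels are "common" only to the ServiceAccount.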
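Review bot: `image.envFrom` (the `configMapRef` to `agent-config`) is not consumed by any template: daemonset.yaml and deployment.yaml build `envFrom` themselves from the chart's own ConfigMap and Secret, so this block is dead and the `agent-config` name matches nothing the chart creates; remove it or wire it in. `tag:` with no value parses as null, so write `tag: ""` with a comment that the image tag falls back to `Chart.AppVersion`, which makes the dependency on that field visible. The default `image.repository` points at `eng-cloud-docker-sandbox-local.artifactory.crwd.dev`, which reads like an internal development registry; if this chart is meant for end users the default should be the registry they will actually pull from, or left empty and marked `required` in the templates.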
From 08c34f04f8700ab63b7a0268406707a9acfee83d Mon Sep 17 00:00:00 2001 
From: Gabe Alford Date: Wed, 11 Oct 2023 10:20:58 -0600 Subject: [PATCH 02/22] feat: use product name for IAR chart --- .github/workflows/helm-test.yaml | 2 +- .../cluster-role-read-access-binding.yaml | 14 ------------ .../.helmignore | 0 .../Chart.yaml | 2 +- .../runtime-values/containerd.yaml | 3 +-- .../runtime-values/crio.yaml | 4 +--- .../runtime-values/docker.yaml | 3 +-- .../runtime-values/podman.yaml | 3 +-- .../templates/NOTES.txt | 2 +- .../templates/_helpers.tpl | 22 +++++++++---------- .../cluster-role-read-access-binding.yaml | 14 ++++++++++++ .../templates/cluster-role-read-access.yaml | 5 ++--- .../templates/configmap.yaml | 6 ++--- .../templates/daemonset.yaml | 18 +++++++-------- .../templates/deployment.yaml | 18 +++++++-------- .../templates/docker-secret.yaml | 7 +++--- .../templates/secret.yaml | 6 ++--- .../templates/serviceaccount.yaml | 4 ++-- .../values.yaml | 2 +- 19 files changed, 65 insertions(+), 70 deletions(-) delete mode 100644 helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/.helmignore (100%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/Chart.yaml (97%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/runtime-values/containerd.yaml (91%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/runtime-values/crio.yaml (96%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/runtime-values/docker.yaml (93%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/runtime-values/podman.yaml (92%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/NOTES.txt (59%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/_helpers.tpl (79%) create mode 100644 helm-charts/falcon-image-analyzer/templates/cluster-role-read-access-binding.yaml rename helm-charts/{cs-image-analyzer-agent => 
falcon-image-analyzer}/templates/cluster-role-read-access.yaml (63%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/configmap.yaml (84%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/daemonset.yaml (77%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/deployment.yaml (78%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/docker-secret.yaml (57%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/secret.yaml (74%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/templates/serviceaccount.yaml (65%) rename helm-charts/{cs-image-analyzer-agent => falcon-image-analyzer}/values.yaml (96%) diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml index 9fb10bd3..3d5d0ce1 100644 --- a/.github/workflows/helm-test.yaml +++ b/.github/workflows/helm-test.yaml @@ -6,7 +6,7 @@ on: - 'helm-charts/**' - '!helm-charts/falcon-sensor/**' - '!helm-charts/cs-k8s-protection-agent/**' - - '!helm-charts/cs-image-analyzer-agent/**' + - '!helm-charts/falcon-image-analyzer/**' - '!helm-charts/falcon-kac/**' jobs: diff --git a/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml b/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml deleted file mode 100644 index d9e55603..00000000 --- a/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access-binding.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }} - labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "cs-image-analyzer-agent.fullname" . }} diff --git a/helm-charts/cs-image-analyzer-agent/.helmignore b/helm-charts/falcon-image-analyzer/.helmignore similarity index 100% rename from helm-charts/cs-image-analyzer-agent/.helmignore rename to helm-charts/falcon-image-analyzer/.helmignore diff --git a/helm-charts/cs-image-analyzer-agent/Chart.yaml b/helm-charts/falcon-image-analyzer/Chart.yaml similarity index 97% rename from helm-charts/cs-image-analyzer-agent/Chart.yaml rename to helm-charts/falcon-image-analyzer/Chart.yaml index a825e1f7..5055d718 100644 --- a/helm-charts/cs-image-analyzer-agent/Chart.yaml +++ b/helm-charts/falcon-image-analyzer/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: cs-image-analyzer-agent +name: falcon-image-analyzer description: A Helm chart for Kubernetes # A chart can be either an 'application' or a 'library' chart. diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml b/helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml similarity index 91% rename from helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml rename to helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml index c58b7446..c1b94438 100644 --- a/helm-charts/cs-image-analyzer-agent/runtime-values/containerd.yaml +++ b/helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml 
@@ -25,7 +25,6 @@ volumes: path: /run/containerd/containerd.sock # Change It if different from default path type: Socket - crowdstrikeConfig: agentRuntime: containerd - agentRuntimeSocket: "unix:///run/containerd/containerd.sock" \ No newline at end of file + agentRuntimeSocket: "unix:///run/containerd/containerd.sock" diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml b/helm-charts/falcon-image-analyzer/runtime-values/crio.yaml similarity index 96% rename from helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml rename to helm-charts/falcon-image-analyzer/runtime-values/crio.yaml index 43c3cf48..9dadce1b 100644 --- a/helm-charts/cs-image-analyzer-agent/runtime-values/crio.yaml +++ b/helm-charts/falcon-image-analyzer/runtime-values/crio.yaml @@ -21,7 +21,6 @@ volumeMounts: - mountPath: /etc/containers/storage.conf name: crio-conf - # This is a mandatory mount for daemon set. # this is used as a tmp working space for image storage volumes: @@ -49,7 +48,6 @@ volumes: path: /etc/containers/storage.conf # Change It if different from default path type: File - crowdstrikeConfig: agentRuntime: crio - agentRuntimeSocket: "unix:///run/crio/crio.sock" \ No newline at end of file + agentRuntimeSocket: "unix:///run/crio/crio.sock" diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml b/helm-charts/falcon-image-analyzer/runtime-values/docker.yaml similarity index 93% rename from helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml rename to helm-charts/falcon-image-analyzer/runtime-values/docker.yaml index 93d95c00..69b975bb 100644 --- a/helm-charts/cs-image-analyzer-agent/runtime-values/docker.yaml +++ b/helm-charts/falcon-image-analyzer/runtime-values/docker.yaml 
@@ -25,7 +25,6 @@ volumes: path: /run/docker.sock # Change It if different from default path type: Socket - crowdstrikeConfig: agentRuntime: docker - agentRuntimeSocket: "unix:///run/docker.sock" \ No newline at end of file + agentRuntimeSocket: "unix:///run/docker.sock" diff --git a/helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml b/helm-charts/falcon-image-analyzer/runtime-values/podman.yaml similarity index 92% rename from helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml rename to helm-charts/falcon-image-analyzer/runtime-values/podman.yaml index 7442a15e..43ea28b9 100644 --- a/helm-charts/cs-image-analyzer-agent/runtime-values/podman.yaml +++ b/helm-charts/falcon-image-analyzer/runtime-values/podman.yaml @@ -25,7 +25,6 @@ volumes: path: /run/podman/podman.sock # Change It if different from default path type: Socket - crowdstrikeConfig: agentRuntime: podman - agentRuntimeSocket: "unix:///run/podman/podman.sock" \ No newline at end of file + agentRuntimeSocket: "unix:///run/podman/podman.sock" diff --git a/helm-charts/cs-image-analyzer-agent/templates/NOTES.txt b/helm-charts/falcon-image-analyzer/templates/NOTES.txt similarity index 59% rename from helm-charts/cs-image-analyzer-agent/templates/NOTES.txt rename to helm-charts/falcon-image-analyzer/templates/NOTES.txt index edcfa11e..7b4b8572 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/NOTES.txt +++ b/helm-charts/falcon-image-analyzer/templates/NOTES.txt 
@@ -1,3 +1,3 @@ -The Crowdstrike Image Analyzer Agent is now deployed to your cluster under the {{ .Release.Namespace }} namespace as {{ include "cs-image-analyzer-agent.fullname" . }}. You can now check if the agent is running by running the following command: +The Crowdstrike Image Analyzer Agent is now deployed to your cluster under the {{ .Release.Namespace }} namespace as {{ include "falcon-image-analyzer.fullname" . }}. You can now check if the agent is running by running the following command: "kubectl -n {{ .Release.Namespace}} get pods" diff --git a/helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl similarity index 79% rename from helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl rename to helm-charts/falcon-image-analyzer/templates/_helpers.tpl index e46c5419..f859bb61 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "cs-image-analyzer-agent.name" -}} +{{- define "falcon-image-analyzer.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "cs-image-analyzer-agent.fullname" -}} +{{- define "falcon-image-analyzer.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} 
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "cs-image-analyzer-agent.chart" -}} +{{- define "falcon-image-analyzer.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "cs-image-analyzer-agent.labels" -}} -helm.sh/chart: {{ include "cs-image-analyzer-agent.chart" . }} -{{ include "cs-image-analyzer-agent.selectorLabels" . }} +{{- define "falcon-image-analyzer.labels" -}} +helm.sh/chart: {{ include "falcon-image-analyzer.chart" . }} +{{ include "falcon-image-analyzer.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "cs-image-analyzer-agent.selectorLabels" -}} -app.kubernetes.io/name: {{ include "cs-image-analyzer-agent.name" . }} +{{- define "falcon-image-analyzer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "falcon-image-analyzer.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "cs-image-analyzer-agent.serviceAccountName" -}} +{{- define "falcon-image-analyzer.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "cs-image-analyzer-agent.fullname" .) .Values.serviceAccount.name }} +{{- default (include "falcon-image-analyzer.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} 
@@ -72,4 +72,4 @@ Create the name of the service account to use {{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access-binding.yaml b/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access-binding.yaml new file mode 100644 index 00000000..0100d75c --- /dev/null +++ b/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "falcon-image-analyzer.fullname" . }} + labels: + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "falcon-image-analyzer.fullname" . }} diff --git a/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml b/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml similarity index 63% rename from helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml rename to helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml index d23d1eaa..095cc27b 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/cluster-role-read-access.yaml +++ b/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml 
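Review bot: The ClusterRoleBinding subject is named with the inline expression `.Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . )`, while `_helpers.tpl` in the same commit defines `falcon-image-analyzer.serviceAccountName`, which falls back to `default` when `.Values.serviceAccount.create` is false; if the two ever disagree, the cluster-wide grant lands on a different account than the one the pods run as. The same inline expression is repeated in serviceaccount.yaml, daemonset.yaml and deployment.yaml, so either switch all four sites to `name: {{ include "falcon-image-analyzer.serviceAccountName" . }}` or drop the unused helper. A one-line comment on the subject, `# must match serviceAccountName on the pod spec`, would make the coupling visible.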
@@ -1,9 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} rules: - verbs: [ "get", "watch", "list" ] apiGroups: [ "" ] @@ -11,4 +11,3 @@ rules: - "pods" - "secrets" - "namespaces" - diff --git a/helm-charts/cs-image-analyzer-agent/templates/configmap.yaml b/helm-charts/falcon-image-analyzer/templates/configmap.yaml similarity index 84% rename from helm-charts/cs-image-analyzer-agent/templates/configmap.yaml rename to helm-charts/falcon-image-analyzer/templates/configmap.yaml index f1a146af..17fc0a4e 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/configmap.yaml +++ b/helm-charts/falcon-image-analyzer/templates/configmap.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} data: AGENT_CID: {{ required "Customer cid should be provided" .Values.crowdstrikeConfig.cid | quote }} AGENT_CLUSTER_NAME: {{ required "A cluster name must be provided for the agent" .Values.crowdstrikeConfig.clusterName | quote }} 
@@ -12,4 +12,4 @@ data: AGENT_REGION: {{ .Values.crowdstrikeConfig.agentRegion | quote }} AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }} # not used in watcher mode AGENT_RUNTIME_SOCKET: {{ .Values.crowdstrikeConfig.agentRuntimeSocket | quote }} #( have defaults constants for docker/podman/crio/ctrd ) - AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.maxConsumerThreads | default "1" | quote }} \ No newline at end of file + AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.maxConsumerThreads | default "1" | quote }} diff --git a/helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml similarity index 77% rename from helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml rename to helm-charts/falcon-image-analyzer/templates/daemonset.yaml index 3954002c..30c315a3 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/daemonset.yaml +++ b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml @@ -2,13 +2,13 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} spec: selector: matchLabels: - {{- include "cs-image-analyzer-agent.selectorLabels" . | nindent 6 }} + {{- include "falcon-image-analyzer.selectorLabels" . | nindent 6 }} template: metadata: annotations: 
@@ -18,13 +18,13 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 8 }} + {{- include "falcon-image-analyzer.labels" . | nindent 8 }} spec: {{ if .Values.crowdstrikeConfig.dockerAPIToken }} imagePullSecrets: - - name: {{ include "cs-image-analyzer-agent.fullname" . }}-regsecret + - name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: @@ -38,12 +38,12 @@ spec: args: ["-runmode", "socket"] envFrom: - configMapRef: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} - secretRef: {{- if .Values.crowdstrikeConfig.existingSecret }} name: {{ .Values.crowdstrikeConfig.existingSecret }} {{- else }} - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} {{- end }} volumeMounts: {{- toYaml .Values.volumeMounts | default "" | nindent 12 }} @@ -63,4 +63,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/helm-charts/cs-image-analyzer-agent/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml similarity index 78% rename from helm-charts/cs-image-analyzer-agent/templates/deployment.yaml rename to helm-charts/falcon-image-analyzer/templates/deployment.yaml index 89b6a6af..bc7d1b9f 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/deployment.yaml +++ b/helm-charts/falcon-image-analyzer/templates/deployment.yaml 
@@ -2,14 +2,14 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - {{- include "cs-image-analyzer-agent.selectorLabels" . | nindent 6 }} + {{- include "falcon-image-analyzer.selectorLabels" . | nindent 6 }} template: metadata: annotations: @@ -19,13 +19,13 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 8 }} + {{- include "falcon-image-analyzer.labels" . | nindent 8 }} spec: {{ if .Values.crowdstrikeConfig.dockerAPIToken }} imagePullSecrets: - - name: {{ include "cs-image-analyzer-agent.fullname" . }}-regsecret + - name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: @@ -39,12 +39,12 @@ spec: args: ["-runmode", "watcher"] envFrom: - configMapRef: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} - secretRef: {{- if .Values.crowdstrikeConfig.existingSecret }} name: {{ .Values.crowdstrikeConfig.existingSecret }} {{- else }} - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} {{- end }} volumeMounts: {{- toYaml .Values.volumeMounts | default "" | nindent 12 }} 
@@ -64,4 +64,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml similarity index 57% rename from helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml rename to helm-charts/falcon-image-analyzer/templates/docker-secret.yaml index 3df61518..70357c06 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/docker-secret.yaml +++ b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml @@ -2,10 +2,11 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }}-regsecret + name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: {{ template "imagePullSecret" . }} - {{- end}} \ No newline at end of file + {{- end}} + \ No newline at end of file diff --git a/helm-charts/cs-image-analyzer-agent/templates/secret.yaml b/helm-charts/falcon-image-analyzer/templates/secret.yaml similarity index 74% rename from helm-charts/cs-image-analyzer-agent/templates/secret.yaml rename to helm-charts/falcon-image-analyzer/templates/secret.yaml index 73b23732..92d68a05 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/secret.yaml +++ b/helm-charts/falcon-image-analyzer/templates/secret.yaml 
@@ -2,10 +2,10 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "cs-image-analyzer-agent.fullname" . }} + name: {{ include "falcon-image-analyzer.fullname" . }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} data: AGENT_CLIENT_ID: {{ required "A valid crowdstrike client ID is required" .Values.crowdstrikeConfig.clientID | b64enc | quote }} AGENT_CLIENT_SECRET: {{ required "A valid crowdstrike client secret is required" .Values.crowdstrikeConfig.clientSecret | b64enc | quote }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml b/helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml similarity index 65% rename from helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml rename to helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml index 3160207f..15f0b294 100644 --- a/helm-charts/cs-image-analyzer-agent/templates/serviceaccount.yaml +++ b/helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.serviceAccount.name | default ( include "cs-image-analyzer-agent.fullname" . ) }} + name: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} labels: - {{- include "cs-image-analyzer-agent.labels" . | nindent 4 }} + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} diff --git a/helm-charts/cs-image-analyzer-agent/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml similarity index 96% rename from helm-charts/cs-image-analyzer-agent/values.yaml rename to helm-charts/falcon-image-analyzer/values.yaml index 1e09da28..f696b671 100644 --- a/helm-charts/cs-image-analyzer-agent/values.yaml 
+++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -1,4 +1,4 @@ -# Default values for cs-image-analyzer-agent. +# Default values for falcon-image-analyzer. # This is a YAML-formatted file. # Declare variables to be passed into your templates. From 9746910ac75838f12c9e77ddb37baa3b3e2f01f3 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Wed, 11 Oct 2023 10:23:37 -0600 Subject: [PATCH 03/22] feat: add link to IAR in project README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f801b4ed..a9eed393 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ This repository is a collection of CrowdStrike Helm Charts. The Helm Charts deve | [Falcon Sensor](helm-charts/falcon-sensor) | Deploys the Falcon Sensor to Kubernetes Nodes or as a Sidecar to a pod. See [the README](helm-charts/falcon-sensor/README.md) for more info. | | [Falcon Integration Gateway](helm-charts/falcon-integration-gateway) | Deploys the Falcon Integration Gateway. See [the README](helm-charts/falcon-integration-gateway/README.md) for more info. | | [Falcon Kubernetes Admission Controller](helm-charts/falcon-kac) | Deploy the Falcon Kubernetes Admission Controller. See [the README](helm-charts/falcon-kac/README.md) for more info. | +| [Falcon Image Analyzer](helm-charts/falcon-image-analyzer) | Deploy the Falcon Image Analyzer. See [the README](helm-charts/falcon-image-analyzer/README.md) for more info. | ## Developer Guide If you are a developer, please read our [Developer's Guide](docs/developer_guide.md). From 82530095c02016b3d1adcc1efa24e4a31647e44e Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Fri, 13 Oct 2023 10:59:14 -0600 Subject: [PATCH 04/22] fix: use yaml notation in clusterrole --- .../templates/cluster-role-read-access.yaml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) 
diff --git a/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml b/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml index 095cc27b..b969a933 100644 --- a/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml +++ b/helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml @@ -5,9 +5,13 @@ metadata: labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} rules: - - verbs: [ "get", "watch", "list" ] - apiGroups: [ "" ] + - apiGroups: + - "" resources: - - "pods" - - "secrets" - - "namespaces" + - pods + - secrets + - namespaces + verbs: + - get + - watch + - list From d228a28441e611f71913bd233483c7cb651a1e05 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Fri, 13 Oct 2023 11:05:19 -0600 Subject: [PATCH 05/22] feat: add values.schema.json - Fix some typos in templates - Set defaults in values.yaml - Add additional configuration values --- .../templates/configmap.yaml | 17 +- .../templates/docker-secret.yaml | 10 +- .../templates/secret.yaml | 7 +- .../templates/serviceaccount.yaml | 4 +- .../falcon-image-analyzer/values.schema.json | 245 ++++++++++++++++++ helm-charts/falcon-image-analyzer/values.yaml | 17 +- 6 files changed, 278 insertions(+), 22 deletions(-) create mode 100644 helm-charts/falcon-image-analyzer/values.schema.json diff --git a/helm-charts/falcon-image-analyzer/templates/configmap.yaml b/helm-charts/falcon-image-analyzer/templates/configmap.yaml index 17fc0a4e..b9119fe8 100644 --- a/helm-charts/falcon-image-analyzer/templates/configmap.yaml +++ b/helm-charts/falcon-image-analyzer/templates/configmap.yaml 
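Review bot: The rewritten rules still grant `get`, `list` and `watch` on `secrets` with no namespace restriction, and the role is bound through a ClusterRoleBinding, so the analyzer's service account — and anything that obtains its token — can read every Secret in the cluster, not only the ones tied to the pods it scans. Nothing in the chart records why that scope is needed; a comment above `- secrets` such as `# TODO(review): document why cluster-wide read of Secrets is required; narrow to the namespaces/objects actually needed if possible` would keep the grant reviewable. If the need is narrower than cluster-wide, a Role per watched namespace is the safer shape. The `rules:` block is complete within the hunk.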
@@ -2,14 +2,17 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "falcon-image-analyzer.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} data: - AGENT_CID: {{ required "Customer cid should be provided" .Values.crowdstrikeConfig.cid | quote }} - AGENT_CLUSTER_NAME: {{ required "A cluster name must be provided for the agent" .Values.crowdstrikeConfig.clusterName | quote }} - AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | default "false" | quote }} - AGENT_RUNMODE: {{ .Values.crowdstrikeConfig.runMode | default "watcher" | quote }} #( watcher / socket ) + AGENT_CID: {{ .Values.crowdstrikeConfig.cid | quote }} + AGENT_CLUSTER_NAME: {{ .Values.crowdstrikeConfig.clusterName | quote }} + AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | quote }} + AGENT_RUNMODE: {{ .Values.crowdstrikeConfig.agentRunmode | quote }} AGENT_REGION: {{ .Values.crowdstrikeConfig.agentRegion | quote }} - AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }} # not used in watcher mode - AGENT_RUNTIME_SOCKET: {{ .Values.crowdstrikeConfig.agentRuntimeSocket | quote }} #( have defaults constants for docker/podman/crio/ctrd ) - AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.maxConsumerThreads | default "1" | quote }} + {{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} + AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }} + AGENT_RUNTIME_SOCKET: {{ include "falcon-image-analyzer.agentRuntimeSocket" . | quote }} + {{- end }} + AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.agentMaxConsumerThreads | quote }} diff --git a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml index 70357c06..ecc46cec 100644 --- a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml +++ b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml 
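Review bot: `AGENT_RUNTIME_SOCKET` now calls `include "falcon-image-analyzer.agentRuntimeSocket"`, but that helper is only added to `_helpers.tpl` in PATCH 06 of this series, so at this commit the chart should fail to render with a missing-template error; docker-secret.yaml in the same commit has the same ordering problem with `falcon-image-analyzer.imagePullSecret`, which the helpers file still names `imagePullSecret` until PATCH 06. Dropping `required` on `AGENT_CID` and `AGENT_CLUSTER_NAME` moves the fail-closed check into values.schema.json (its `required` list plus the `cid` pattern), which is acceptable as long as the schema stays in the chart; a comment such as `# cid and clusterName are validated by values.schema.json` on the ConfigMap would tell the next reader where the check went.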
@@ -1,12 +1,12 @@ -{{ if .Values.crowdstrikeConfig.dockerAPIToken }} +{{- if .Values.crowdstrikeConfig.dockerAPIToken -}} apiVersion: v1 kind: Secret metadata: - name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret + name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret + namespace: {{ .Release.Namespace }} labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ template "imagePullSecret" . }} - {{- end}} - \ No newline at end of file + .dockerconfigjson: {{ template "falcon-image-analyzer.imagePullSecret" . }} +{{- end }} diff --git a/helm-charts/falcon-image-analyzer/templates/secret.yaml b/helm-charts/falcon-image-analyzer/templates/secret.yaml index 92d68a05..78e9b093 100644 --- a/helm-charts/falcon-image-analyzer/templates/secret.yaml +++ b/helm-charts/falcon-image-analyzer/templates/secret.yaml @@ -1,11 +1,12 @@ -{{- if (not .Values.crowdstrikeConfig.existingSecret) -}} +{{- if not .Values.crowdstrikeConfig.existingSecret -}} apiVersion: v1 kind: Secret metadata: name: {{ include "falcon-image-analyzer.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} data: - AGENT_CLIENT_ID: {{ required "A valid crowdstrike client ID is required" .Values.crowdstrikeConfig.clientID | b64enc | quote }} - AGENT_CLIENT_SECRET: {{ required "A valid crowdstrike client secret is required" .Values.crowdstrikeConfig.clientSecret | b64enc | quote }} + AGENT_CLIENT_ID: {{ .Values.crowdstrikeConfig.clientID | b64enc | quote }} + AGENT_CLIENT_SECRET: {{ .Values.crowdstrikeConfig.clientSecret | b64enc | quote }} {{- end }} diff --git a/helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml b/helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml index 15f0b294..28e143d3 100644 --- a/helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml 
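Review bot: The pull secret is renamed from `-regsecret` to `-pull-secret` here, but this commit's diffstat touches neither daemonset.yaml nor deployment.yaml, whose `imagePullSecrets` still reference `{{ include "falcon-image-analyzer.fullname" . }}-regsecret`; with `dockerAPIToken` set, the pods would point at a Secret that no longer exists and image pulls fail. Unless PATCH 06 fixes both references, change them to `- name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret`. A single helper returning the pull-secret name would stop the two sides drifting again.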
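Review bot: With `existingSecret` set, the pod's `secretRef` in daemonset.yaml and deployment.yaml expects the user-supplied Secret to carry exactly the keys `AGENT_CLIENT_ID` and `AGENT_CLIENT_SECRET` that this template produces, and nothing in the chart says so. A header comment on secret.yaml along the lines of `# When crowdstrikeConfig.existingSecret is set, that Secret must contain the keys AGENT_CLIENT_ID and AGENT_CLIENT_SECRET, matching the data keys below` would close that gap. The removed `required` calls are covered by the schema's `if existingSecret == ""` patterns on `clientID`/`clientSecret`, which only fire while the values.yaml defaults keep both keys present.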
+++ b/helm-charts/falcon-image-analyzer/templates/serviceaccount.yaml @@ -2,11 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} + namespace: {{ .Release.Namespace }} labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/helm-charts/falcon-image-analyzer/values.schema.json b/helm-charts/falcon-image-analyzer/values.schema.json new file mode 100644 index 00000000..f1717344 --- /dev/null +++ b/helm-charts/falcon-image-analyzer/values.schema.json 
@@ -0,0 +1,245 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "daemonset": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "description": "Enable the deployment as a Kubernetes privileged DaemonSet" + } + } + }, + "deployment": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "description": "Enable the deployment as a Kubernetes non-privileged Deployment" + } + } + }, + "image": { + "type": "object", + "required": [ + "repository", + "pullPolicy" + ], + "properties": { + "pullPolicy": { + "type": "string", + "default": "Always", + "pattern": "^(Always|Never|IfNotPresent)$" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": [ + "null", + "string" + ], + "example": [ + "1.0.0" + ] + }, + "digest": { + "type": [ + "null", + "string" + ], + "pattern": "^sha256:[0-9a-f]{64}$", + "description": "Image digest, overrides tag if both are set", + "example": [ + "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef" + ] + } + } + }, + "nameOverride": { + "type": [ + "null", + "string" + ] + }, + "fullnameOverride": { + "type": [ + "null", + "string" + ] + }, + "serviceAccount": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "annotations": { + "type": "object", + "default": {}, + "examples": [ + { + "iam.gke.io/gcp-service-account": "my-service-account@my-project.iam.gserviceaccount.com" + } + ] + } + } + }, + "podAnnotations": { + "type": "object", + "default": {} + }, + "podSecurityContext": { + "type": "object", + "default": {} + }, + "securityContext": { + "type": "object", + "default": {} + }, + "nodeSelector": { + "type": "object", + "default": {} + }, + "resources": { + "type": "object", + "default": {} + }, + "tolerations": { + "type": "array" + }, + "affinity": { + "type": "object", + "default": {} + }, + "priorityClassName": { + "type": "string" + }, + 
"volumeMounts": { + "type": "array" + }, + "volumes": { + "type": "array" + }, + "crowdstrikeConfig": { + "type": "object", + "required": [ + "clusterName", + "cid" + ], + "properties": { + "agentMaxConsumerThreads": { + "type": "string", + "pattern": "^[1-9][0-9]*$", + "description": "Maximum number of threads to use for image analysis", + "default": "1" + }, + "clusterName": { + "type": "string", + "pattern": "[\\S\\s]+[\\S]+", + "description": "Cluster name to use for the agent" + }, + "dockerAPIToken": { + "type": "string" + }, + "enableDebug": { + "type": "string", + "pattern": "^(true|false)$", + "description": "Enable debug logging for the agent", + "default": "false" + }, + "existingSecret": { + "type": "string" + }, + "agentRegion": { + "type": "string", + "pattern": "^(us-|eu-|us-gov-)[1-2]+$", + "description": "CrowdStrike Cloud Region", + "default": "us-1" + }, + "agentRunmode": { + "type": "string", + "pattern": "^(socket|watcher)$", + "description": "CrowdStrike Image Analyzer Runmode", + "default": "watcher" + }, + "agentRuntime": { + "type": "string", + "description": "Runtime for the agent to use" + }, + "agentRuntimeSocket": { + "type": "string", + "description": "Runtime container socket for the agent to use", + "examples": [ + "/run/containerd/containerd.sock" + ] + }, + "cid": { + "type": "string", + "description": "CrowdStrike CID", + "pattern": "^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$", + "example": [ + "1234567890ABCDEF1234567890ABCDEF-12" + ] + }, + "clientID": { + "type": "string", + "description": "CrowdStrike Oauth Client ID" + }, + "clientSecret": { + "type": "string", + "description": "CrowdStrike Oauth Client Secret" + } + }, + "dependentRequired": { + "clientID": [ + "clientSecret" + ], + "agentRunmode": [ + "agentRuntimeSocket", + "agentRuntime" + ] + }, + "allOf": [ + { + "if": { + "properties": { + "existingSecret": { + "const": "" + } + } + }, + "then": { + "properties": { + "clientID": { + "pattern": "^[a-zA-Z0-9]{32}$" + }, + 
"clientSecret": { + "pattern": "^[a-zA-Z0-9]{40}$" + } + } + } + }, + { + "if": { + "properties": { + "agentRunmode": { + "const": "socket" + } + } + }, + "then": { + "properties": { + "agentRuntime": { + "pattern": "^(docker|containerd|crio|podman)$" + } + } + } + } + ] + } + } +} diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index f696b671..5d76cc6a 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -11,7 +11,14 @@ deployment: replicaCount: 1 image: repository: eng-cloud-docker-sandbox-local.artifactory.crwd.dev/cloud/cs-imageanalyzer + # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those + # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability. tag: + # Setting a digest will override any tag and should be used instead of tags. + # + # Example digest variable configuration: + # digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398 + digest: pullPolicy: IfNotPresent envFrom: - configMapRef: @@ -43,6 +50,8 @@ tolerations: [] affinity: {} +priorityClassName: "" + # This is a mandatory mount for both deployment and daemon set. # this is used as a tmp working space for image storage volumes: @@ -52,14 +61,14 @@ volumes: crowdstrikeConfig: clusterName: "" - enableDebug: "" + enableDebug: "false" clientID: "" clientSecret: "" cid: "" dockerAPIToken: "" existingSecret: "" - agentRunmode: "" - agentRegion: "" + agentRunmode: "watcher" + agentRegion: "us-1" agentRuntime: "" agentRuntimeSocket: "" - agentMaxConsumerThreads: "" + agentMaxConsumerThreads: "1" From ae700f67c2ec4bac6f3f73aaa66875bbd47f0586 Mon Sep 17 00:00:00 2001 
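Review bot: `dependentRequired` and `if`/`then` are draft-7 / 2019-09 keywords; whether Helm's bundled validator enforces them depends on the Helm version, and an unsupported keyword is ignored silently rather than rejected, so the `existingSecret`/`clientID` and `agentRunmode`/`agentRuntime` rules should be exercised with `helm lint` against deliberately bad values before the chart relies on them. The schema also mixes `example` (image.tag, image.digest, crowdstrikeConfig.cid) with the standard `examples` keyword — only `examples` is defined by the spec, so the former entries are dropped by tooling. The `agentRegion` pattern `^(us-|eu-|us-gov-)[1-2]+$` accepts strings like `us-12`; `^(us-|eu-|us-gov-)[1-2]$` is the tighter form.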
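Review bot: `pullPolicy: IfNotPresent` in values.yaml disagrees with the `"default": "Always"` that the schema added in the same commit declares for `image.pullPolicy`; the schema default is informational only, so pick one value and align the two. The default `image.repository` of `eng-cloud-docker-sandbox-local.artifactory.crwd.dev/cloud/cs-imageanalyzer` looks like an internal sandbox registry — if so, it needs to become the published registry before release, and a comment such as `# TODO: replace sandbox registry with the public image location before publishing` above `repository:` would keep that from slipping.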
From: Gabe Alford Date: Fri, 13 Oct 2023 14:20:46 -0600 Subject: [PATCH 06/22] feat: add templates to generate various socket settings --- .../templates/_helpers.tpl | 97 ++++++++++++++++++- .../templates/daemonset.yaml | 24 +++-- .../templates/deployment.yaml | 16 ++- 3 files changed, 122 insertions(+), 15 deletions(-) diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index f859bb61..13eeafe7 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl 
@@ -61,15 +61,106 @@ Create the name of the service account to use {{- end }} {{- end }} +{{- define "falcon-image-analyzer.securityContext" -}} +{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} +privileged: {{ .Values.securityContext.privileged | default true }} +allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }} +runAsUser: {{ .Values.securityContext.runAsUser | default 0 }} +runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} +{{- end }} +{{- end }} + +{{- define "falcon-image-analyzer.defaultVolumeMounts" -}} + + +{{- end }} + +{{- define "falcon-image-analyzer.volumeMounts" -}} +{{- if lt (len .Values.volumeMounts) 2 -}} +{{- .Values.volumeMounts | toYaml }} +{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} +- name: var-run + mountPath: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }} +{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }} +- name: storage + mountPath: /run/containers/storage +- name: containers + mountPath: /var/lib/containers +- name: fuse-overlay + mountPath: /usr/bin/fuse-overlayfs +- name: crio-conf + mountPath: /etc/containers/storage.conf +{{- end }} +{{- end }} +{{- else -}} +{{- .Values.volumeMounts | toYaml -}} +{{- end }} +{{- end }} -{{- define "imagePullSecret" }} +{{- define "falcon-image-analyzer.volumes" -}} +{{- if lt (len .Values.volumes) 2 -}} +{{- .Values.volumes | toYaml -}} +{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} +- name: var-run + hostPath: + path: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . 
) }} + type: Socket +{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }} +- name: storage + hostPath: + path: /run/containers/storage + type: Directory +- name: containers + hostPath: + path: /var/lib/containers + type: Directory +- name: crio-conf + hostPath: + path: /etc/containers/storage.conf + type: File +{{- end }} +{{- end }} +{{- else -}} +{{- .Values.volumes | toYaml -}} +{{- end }} +{{- end }} + +{{- define "falcon-image-analyzer.agentRuntimeSocket" -}} +{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} +{{- if not .Values.crowdstrikeConfig.agentRuntimeSocket }} +{{- if eq .Values.crowdstrikeConfig.agentRuntime "docker" }} +{{- printf "%s" "unix:///run/docker.sock" }} +{{- else if eq .Values.crowdstrikeConfig.agentRuntime "containerd" -}} +{{- printf "%s" "unix:///run/containerd/containerd.sock" }} +{{- else if eq .Values.crowdstrikeConfig.agentRuntime "crio" -}} +{{- printf "%s" "unix:///run/crio/crio.sock" }} +{{- else if eq .Values.crowdstrikeConfig.agentRuntime "podman" -}} +{{- printf "%s" "unix:///run/podman/podman.sock" }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "falcon-image-analyzer.imagePullSecret" }} {{- with .Values.crowdstrikeConfig }} -{{- if eq .env "us-gov-1" }} +{{- if eq .Values.crowdstrikeConfig.agentRegion "us-gov-1" }} {{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} -{{- else if eq .env "us-gov-2" }} +{{- else if eq .Values.crowdstrikeConfig.agentRegion "us-gov-2" }} {{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} {{- else }} {{- printf 
"{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} {{- end }} {{- end }} {{- end }} + +{{- define "falcon-image-analyzer.image" -}} +{{- if .Values.image.digest -}} +{{- if contains "sha256:" .Values.image.digest -}} +{{- printf "%s@%s" .Values.image.repository .Values.image.digest -}} +{{- else -}} +{{- printf "%s@%s:%s" .Values.image.repository "sha256" .Values.image.digest -}} +{{- end -}} +{{- else -}} +{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}} +{{- end -}} +{{- end -}} diff --git a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml index 30c315a3..1e4733a2 100644 --- a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml +++ b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml @@ -3,12 +3,13 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ include "falcon-image-analyzer.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} spec: selector: matchLabels: - {{- include "falcon-image-analyzer.selectorLabels" . | nindent 6 }} + {{- include "falcon-image-analyzer.selectorLabels" . | nindent 6 }} template: metadata: annotations: 
@@ -20,20 +21,24 @@ spec: labels: {{- include "falcon-image-analyzer.labels" . | nindent 8 }} spec: - {{ if .Values.crowdstrikeConfig.dockerAPIToken }} + {{- if .Values.crowdstrikeConfig.dockerAPIToken }} imagePullSecrets: - - name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret + - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret {{- end }} serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} securityContext: + {{- if .Values.podSecurityContext }} {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "falcon-image-analyzer.securityContext" . | nindent 12 }} resources: + {{- if .Values.resources }} {{- toYaml .Values.resources | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} + image: {{ include "falcon-image-analyzer.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: ["-runmode", "socket"] envFrom: @@ -46,15 +51,13 @@ spec: name: {{ include "falcon-image-analyzer.fullname" . }} {{- end }} volumeMounts: - {{- toYaml .Values.volumeMounts | default "" | nindent 12 }} + {{- (include "falcon-image-analyzer.volumeMounts" .) | nindent 12 }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.volumes }} volumes: - {{- toYaml . | default "" | nindent 8 }} - {{- end}} + {{- include "falcon-image-analyzer.volumes" . | nindent 8 }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} @@ -63,4 +66,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.crowdstrikeConfig.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} {{- end }} 
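Review bot: The guard `{{- if .Values.crowdstrikeConfig.priorityClassName }}` tests a key that values.yaml never defines (PATCH 01 adds `priorityClassName: ""` at the top level, not under `crowdstrikeConfig`), while the rendered value is `.Values.priorityClassName`, so the field is silently never emitted. Use one path for both: `{{- with .Values.priorityClassName }}` / `priorityClassName: {{ . }}` / `{{- end }}`. The final hunk of deployment.yaml in this same patch has the identical mismatch.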
diff --git a/helm-charts/falcon-image-analyzer/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml index bc7d1b9f..a5e9c670 100644 --- a/helm-charts/falcon-image-analyzer/templates/deployment.yaml +++ b/helm-charts/falcon-image-analyzer/templates/deployment.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "falcon-image-analyzer.fullname" . }} + namespace: {{ .Release.Namespace }} labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} spec: @@ -21,20 +22,26 @@ spec: labels: {{- include "falcon-image-analyzer.labels" . | nindent 8 }} spec: - {{ if .Values.crowdstrikeConfig.dockerAPIToken }} + {{- if .Values.crowdstrikeConfig.dockerAPIToken }} imagePullSecrets: - - name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret + - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret {{- end }} serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} securityContext: + {{- if .Values.podSecurityContext }} {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: + {{- if .Values.securityContext }} {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} resources: + {{- if .Values.resources }} {{- toYaml .Values.resources | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + {{- end }} + image: {{ include "falcon-image-analyzer.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: ["-runmode", "watcher"] envFrom: @@ -64,4 +71,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.crowdstrikeConfig.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} {{- end }} From f4fe366103930b67df720292919108ea76deaf89 Mon Sep 17 00:00:00 2001 
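Review bot: The Deployment applies `.Values.securityContext` verbatim via `toYaml`, while the DaemonSet in this same patch routes it through `falcon-image-analyzer.securityContext`, so a single `securityContext` value block produces different pod settings per workload — either use the helper here as well or document the split in values.yaml. Since socket hostPaths are only generated for socket mode, the watcher pod has no host mounts, and a restrictive baseline such as `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would be a sensible default here — provided the image does not need root, which I cannot confirm from this diff.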
From: Gabe Alford Date: Fri, 13 Oct 2023 14:27:49 -0600 Subject: [PATCH 07/22] feat: add test values --- helm-charts/falcon-image-analyzer/ci/cid-values.yaml | 5 +++++ helm-charts/falcon-image-analyzer/templates/_helpers.tpl | 9 +++------ 2 files changed, 8 insertions(+), 6 deletions(-) create mode 100644 helm-charts/falcon-image-analyzer/ci/cid-values.yaml diff --git a/helm-charts/falcon-image-analyzer/ci/cid-values.yaml b/helm-charts/falcon-image-analyzer/ci/cid-values.yaml new file mode 100644 index 00000000..9aa0c32c --- /dev/null +++ b/helm-charts/falcon-image-analyzer/ci/cid-values.yaml @@ -0,0 +1,5 @@ +crowdstrikeConfig: + clusterName: "test-cluster12.test" + clientID: "abcdefABCDEF0123456789abcdefABCD" + clientSecret: "abcdefABCDEF0123456789abcdefABCDEF012345" + cid: "1234567890ABCDEF1234567890ABCDEF-12" diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index 13eeafe7..8b1e0375 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl @@ -62,7 +62,7 @@ Create the name of the service account to use {{- end }} {{- define "falcon-image-analyzer.securityContext" -}} -{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} +{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" -}} privileged: {{ .Values.securityContext.privileged | default true }} allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }} runAsUser: {{ .Values.securityContext.runAsUser | default 0 }} @@ -70,11 +70,6 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} {{- end }} {{- end }} -{{- define "falcon-image-analyzer.defaultVolumeMounts" -}} - - -{{- end }} - {{- define "falcon-image-analyzer.volumeMounts" -}} {{- if lt (len .Values.volumeMounts) 2 -}} {{- .Values.volumeMounts | toYaml }} 
@@ -137,6 +132,8 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
 {{- else if eq .Values.crowdstrikeConfig.agentRuntime "podman" -}}
 {{- printf "%s" "unix:///run/podman/podman.sock" }}
 {{- end }}
+{{- else -}}
+{{- .Values.crowdstrikeConfig.agentRuntimeSocket }}
 {{- end }}
 {{- end }}
 {{- end }}
From ef0332ec8de23805bdfa0f0d0df643b2b395d0f9 Mon Sep 17 00:00:00 2001
From: Gabe Alford
Date: Fri, 13 Oct 2023 14:28:21 -0600
Subject: [PATCH 08/22] fix: remove runtime values
---
 .../runtime-values/containerd.yaml | 30 -----------
 .../runtime-values/crio.yaml | 53 -------------------
 .../runtime-values/docker.yaml | 30 -----------
 .../runtime-values/podman.yaml | 30 -----------
 4 files changed, 143 deletions(-)
 delete mode 100644 helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml
 delete mode 100644 helm-charts/falcon-image-analyzer/runtime-values/crio.yaml
 delete mode 100644 helm-charts/falcon-image-analyzer/runtime-values/docker.yaml
 delete mode 100644 helm-charts/falcon-image-analyzer/runtime-values/podman.yaml
diff --git a/helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml b/helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml
deleted file mode 100644
index c1b94438..00000000
--- a/helm-charts/falcon-image-analyzer/runtime-values/containerd.yaml
+++ /dev/null
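Review bot: The new `else` branch passes `agentRuntimeSocket` through untouched, while the volumes helper strips `unix://` before using it as a hostPath, so an operator-supplied bare path such as `/run/docker.sock` mounts correctly but reaches the agent via `AGENT_RUNTIME_SOCKET` in a different form from the `unix://…` values the built-in branches emit. Normalising here keeps both consumers consistent: `{{- printf "unix://%s" (trimPrefix "unix://" .Values.crowdstrikeConfig.agentRuntimeSocket) }}` — assuming the agent expects the `unix://` form, which this diff does not show.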
@@ -1,30 +0,0 @@ -# TO BE USED ONLY WHEN Deploying as DaemonSet - -securityContext: - privileged: true - allowPrivilegeEscalation: true - runAsUser: 0 - runAsGroup: 0 - -# Required for socket mode -volumeMounts: - - mountPath: /tmp - name: tmp-volume - - mountPath: /run/containerd/containerd.sock - name: var-run - -# This is a mandatory mount for both deployment and daemon set. -# this is used as a tmp working space for image storage -# Required for socket mode -volumes: - - name: tmp-volume - emptyDir: - sizeLimit: 20Gi - - name: var-run - hostPath: - path: /run/containerd/containerd.sock # Change It if different from default path - type: Socket - -crowdstrikeConfig: - agentRuntime: containerd - agentRuntimeSocket: "unix:///run/containerd/containerd.sock" diff --git a/helm-charts/falcon-image-analyzer/runtime-values/crio.yaml b/helm-charts/falcon-image-analyzer/runtime-values/crio.yaml deleted file mode 100644 index 9dadce1b..00000000 --- a/helm-charts/falcon-image-analyzer/runtime-values/crio.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -# TO BE USED ONLY WHEN Deploying as DaemonSet - -securityContext: - privileged: true - allowPrivilegeEscalation: true - runAsUser: 0 - runAsGroup: 0 - -# Required for socket mode -volumeMounts: - - mountPath: /tmp - name: tmp-volume - - mountPath: /run/crio/crio.sock - name: var-run - - mountPath: /run/containers/storage - name: storage - - mountPath: /var/lib/containers - name: containers - - mountPath: /usr/bin/fuse-overlayfs - name: fuse-overlay - - mountPath: /etc/containers/storage.conf - name: crio-conf - -# This is a mandatory mount for daemon set. -# this is used as a tmp working space for image storage -volumes: - - name: tmp-volume - emptyDir: - sizeLimit: 20Gi - - name: var-run - hostPath: - path: /run/crio/crio.sock # Change It if different from default path - type: Socket - - name: storage - hostPath: - path: /run/containers/storage # Change It if different from default path - type: Directory - - name: containers - hostPath: - path: /var/lib/containers # Change It if different from default path - type: Directory - - name: fuse-overlay - hostPath: - path: /usr/bin/fuse-overlayfs # Change It if different from default path - type: File - - name: crio-conf - hostPath: - path: /etc/containers/storage.conf # Change It if different from default path - type: File - -crowdstrikeConfig: - agentRuntime: crio - agentRuntimeSocket: "unix:///run/crio/crio.sock" diff --git a/helm-charts/falcon-image-analyzer/runtime-values/docker.yaml b/helm-charts/falcon-image-analyzer/runtime-values/docker.yaml deleted file mode 100644 index 69b975bb..00000000 --- a/helm-charts/falcon-image-analyzer/runtime-values/docker.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# TO BE USED ONLY WHEN Deploying as DaemonSet - -securityContext: - privileged: true - allowPrivilegeEscalation: true - runAsUser: 0 - runAsGroup: 0 - -# Required for socket mode -volumeMounts: - - mountPath: /tmp - name: tmp-volume - - mountPath: /run/docker.sock - name: var-run - -# This is a mandatory mount for daemon set. -# this is used as a tmp working space for image storage -# Required for socket mode -volumes: - - name: tmp-volume - emptyDir: - sizeLimit: 20Gi - - name: var-run - hostPath: - path: /run/docker.sock # Change It if different from default path - type: Socket - -crowdstrikeConfig: - agentRuntime: docker - agentRuntimeSocket: "unix:///run/docker.sock" diff --git a/helm-charts/falcon-image-analyzer/runtime-values/podman.yaml b/helm-charts/falcon-image-analyzer/runtime-values/podman.yaml deleted file mode 100644 index 43ea28b9..00000000 --- a/helm-charts/falcon-image-analyzer/runtime-values/podman.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# TO BE USED ONLY WHEN Deploying as DaemonSet - -securityContext: - privileged: true - allowPrivilegeEscalation: true - runAsUser: 0 - runAsGroup: 0 - -# Required for socket mode -volumeMounts: - - mountPath: /tmp - name: tmp-volume - - mountPath: /run/podman/podman.sock - name: var-run - -# This is a mandatory mount for daemon set. -# this is used as a tmp working space for image storage -# Required for socket mode -volumes: - - name: tmp-volume - emptyDir: - sizeLimit: 20Gi - - name: var-run - hostPath: - path: /run/podman/podman.sock # Change It if different from default path - type: Socket - -crowdstrikeConfig: - agentRuntime: podman - agentRuntimeSocket: "unix:///run/podman/podman.sock" From a55c47379d2f7aea47ba6441f78529ca1cdc8045 Mon Sep 17 00:00:00 2001 From: pvyas Date: Tue, 17 Oct 2023 19:41:04 -0400 Subject: [PATCH 09/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/templates/_helpers.tpl | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index 8b1e0375..c5396be9 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl @@ -113,6 +113,10 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} hostPath: path: /etc/containers/storage.conf type: File +- name: fuse-overlay + hostPath: + path: /usr/bin/fuse-overlayfs + type: File {{- end }} {{- end }} {{- else -}} From b03441a43eae506193dd91f93fc7867bbbdb1f48 Mon Sep 17 00:00:00 2001 From: pvyas Date: Tue, 24 Oct 2023 17:36:18 -0400 Subject: [PATCH 10/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- .../falcon-image-analyzer/templates/_helpers.tpl | 6 +++--- .../templates/docker-secret.yaml | 11 +++++++++++ .../falcon-image-analyzer/values.schema.json | 3 +++ helm-charts/falcon-image-analyzer/values.yaml | 15 +++++++++++++++ 4 files changed, 32 insertions(+), 3 deletions(-) diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index c5396be9..1059bcc3 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl 
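Review bot: A `hostPath` of `/usr/bin/fuse-overlayfs` with `type: File` makes the binary a hard prerequisite — on a CRI-O node where it is absent the pod fails to start rather than degrade — and the matching `volumeMounts` entry (outside this hunk) is read-write, so a compromised analyzer could replace a binary the host runtime executes. The container is privileged anyway, but `readOnly: true` on that mount is cheap defence in depth; consider also gating the volume and the mount behind a value for nodes that use native overlay instead of fuse-overlayfs.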
@@ -145,11 +145,11 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} {{- define "falcon-image-analyzer.imagePullSecret" }} {{- with .Values.crowdstrikeConfig }} {{- if eq .Values.crowdstrikeConfig.agentRegion "us-gov-1" }} -{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "fc-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} {{- else if eq .Values.crowdstrikeConfig.agentRegion "us-gov-2" }} -{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "fc-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} {{- else }} -{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"ia-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "ia-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "fc-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} {{- end }} {{- end }} {{- end }} 
diff --git a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml index ecc46cec..41ffc8b9 100644 --- a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml +++ b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml @@ -10,3 +10,14 @@ type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: {{ template "falcon-image-analyzer.imagePullSecret" . }} {{- end }} +{{ if .Values.image.pullSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret + labels: + {{- include "falcon-image-analyzer.labels" . | nindent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ .Values.image.pullSecret }} + {{- end}} diff --git a/helm-charts/falcon-image-analyzer/values.schema.json b/helm-charts/falcon-image-analyzer/values.schema.json index f1717344..5fd5843a 100644 --- a/helm-charts/falcon-image-analyzer/values.schema.json +++ b/helm-charts/falcon-image-analyzer/values.schema.json @@ -34,6 +34,9 @@ "default": "Always", "pattern": "^(Always|Never|IfNotPresent)$" }, + "pullSecret": { + "type": "string" + }, "repository": { "type": "string" }, diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index 5d76cc6a..baaf4a6f 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -20,6 +20,12 @@ image: # digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398 digest: pullPolicy: IfNotPresent + + # Use this if you have a base64 encoded docker + # config json with user and pass of your own + # private repository + pullSecret: + envFrom: - configMapRef: name: agent-config 
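Review bot: The second Secret is appended with no `---` between documents, so when both `crowdstrikeConfig.dockerAPIToken` and `image.pullSecret` are set the template renders two `apiVersion`/`kind`/`metadata` keys in one YAML document and the install fails. Emit the separator inside the guard: `{{- if .Values.image.pullSecret }}` / `---` / `apiVersion: v1`. Note also that the pod templates only ever reference a single pull-secret name, so if both sources are meant to coexist the pod specs need to list both secrets rather than one.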
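Review bot: `image.pullSecret` takes the base64 `.dockerconfigjson` payload itself, which puts registry credentials into values files, CI variables and the Helm release Secret; the `existingSecret` pattern already used for the API credentials is the safer shape here — accept the name of a pre-created `kubernetes.io/dockerconfigjson` Secret and list it under `imagePullSecrets`. If the inline form is kept, the comment should state that the value must be the base64 of the whole config JSON (it is written straight into `data:`), or the template should use `stringData:` so a plain JSON value works.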
@@ -65,7 +71,16 @@ crowdstrikeConfig: clientID: "" clientSecret: "" cid: "" + + # Use the value for the crowdstrike Artifactory + # Token retrieved by calling container-security + # /entities/image-registry-credentials/v1 dockerAPIToken: "" + + + # Use this value if you have an existing secret + # defined in your k8s that may contain secrets + # for falcon api client id and pw existingSecret: "" agentRunmode: "watcher" agentRegion: "us-1" From 21a4bb9aa0df6d97eb6c2c15305f23a6dc0a96df Mon Sep 17 00:00:00 2001 From: pvyas Date: Thu, 26 Oct 2023 16:14:21 -0400 Subject: [PATCH 11/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/templates/_helpers.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index 1059bcc3..ca2b0b1c 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl @@ -84,7 +84,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} - name: fuse-overlay mountPath: /usr/bin/fuse-overlayfs - name: crio-conf - mountPath: /etc/containers/storage.conf + mountPath: /etc/containers {{- end }} {{- end }} {{- else -}} @@ -111,8 +111,8 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} type: Directory - name: crio-conf hostPath: - path: /etc/containers/storage.conf - type: File + path: /etc/containers + type: Directory - name: fuse-overlay hostPath: path: /usr/bin/fuse-overlayfs From b533eb2c73b875b17e0e5e62dd12379f71f958df Mon Sep 17 00:00:00 2001 
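Review bot: Widening `crio-conf` from `storage.conf` to the whole `/etc/containers` directory now exposes `registries.conf`, `policy.json` (the signature policy) and any auth files to the container, and like the other hostPath mounts in this helper it is read-write, so a compromised analyzer could rewrite the node's image trust policy. If the agent only reads these files, add `readOnly: true` to this mount — and consider it for `storage` and `containers` too — e.g. `- name: crio-conf` / `  mountPath: /etc/containers` / `  readOnly: true`.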
From: pvyas Date: Tue, 28 Nov 2023 22:25:59 -0500 Subject: [PATCH 12/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- .../falcon-image-analyzer/templates/_helpers.tpl | 10 +++++----- .../falcon-image-analyzer/templates/docker-secret.yaml | 2 +- helm-charts/falcon-image-analyzer/values.schema.json | 10 ++++++++-- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index ca2b0b1c..3e57c944 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl 
@@ -144,12 +144,12 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} {{- define "falcon-image-analyzer.imagePullSecret" }} {{- with .Values.crowdstrikeConfig }} -{{- if eq .Values.crowdstrikeConfig.agentRegion "us-gov-1" }} -{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "fc-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} -{{- else if eq .Values.crowdstrikeConfig.agentRegion "us-gov-2" }} -{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "fc-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- if eq .agentRegion "us-gov-1" }} +{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }} +{{- else if eq .agentRegion "us-gov-2" }} +{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.mil\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }} {{- else }} -{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" .cid .dockerAPIToken (printf "fc-%s:%s" .cid .dockerAPIToken | b64enc) | b64enc }} +{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"image-assessment@crowdstrike.com\",\"auth\":\"%s\"}}}" (first 
(regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }} {{- end }} {{- end }} {{- end }} diff --git a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml index 41ffc8b9..79db4104 100644 --- a/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml +++ b/helm-charts/falcon-image-analyzer/templates/docker-secret.yaml @@ -14,7 +14,7 @@ data: apiVersion: v1 kind: Secret metadata: - name: {{ include "falcon-image-analyzer.fullname" . }}-regsecret + name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} type: kubernetes.io/dockerconfigjson diff --git a/helm-charts/falcon-image-analyzer/values.schema.json b/helm-charts/falcon-image-analyzer/values.schema.json index 5fd5843a..d642bc2d 100644 --- a/helm-charts/falcon-image-analyzer/values.schema.json +++ b/helm-charts/falcon-image-analyzer/values.schema.json @@ -35,7 +35,10 @@ "pattern": "^(Always|Never|IfNotPresent)$" }, "pullSecret": { - "type": "string" + "type": [ + "null", + "string" + ] }, "repository": { "type": "string" @@ -146,7 +149,10 @@ "description": "Cluster name to use for the agent" }, "dockerAPIToken": { - "type": "string" + "type": [ + "null", + "string" + ] }, "enableDebug": { "type": "string", From 1a16e00754654c051069446fa70009b5bd139626 Mon Sep 17 00:00:00 2001 From: pvyas Date: Thu, 7 Dec 2023 11:34:23 -0500 Subject: [PATCH 13/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index baaf4a6f..60200e39 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml 
@@ -10,7 +10,7 @@ deployment: replicaCount: 1 image: - repository: eng-cloud-docker-sandbox-local.artifactory.crwd.dev/cloud/cs-imageanalyzer + repository: registry.crowdstrike.com/ivan-agent/us-1/stage/cs-imageanalyzer # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability. tag: From 5c56da9af8232d3a7c96b0ecc2be4ad869745f08 Mon Sep 17 00:00:00 2001 From: pvyas Date: Tue, 12 Dec 2023 12:29:38 -0500 Subject: [PATCH 14/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/templates/daemonset.yaml | 4 ++++ helm-charts/falcon-image-analyzer/templates/deployment.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml index 1e4733a2..e6db71eb 100644 --- a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml +++ b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml @@ -25,6 +25,10 @@ spec: imagePullSecrets: - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret {{- end }} + {{- if .Values.image.pullSecret }} + imagePullSecrets: + - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret + {{- end }} serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }} securityContext: {{- if .Values.podSecurityContext }} diff --git a/helm-charts/falcon-image-analyzer/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml index a5e9c670..66b3c7c1 100644 --- a/helm-charts/falcon-image-analyzer/templates/deployment.yaml +++ b/helm-charts/falcon-image-analyzer/templates/deployment.yaml 
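Review bot: The new block emits a second `imagePullSecrets:` key whenever `crowdstrikeConfig.dockerAPIToken` and `image.pullSecret` are both set — a duplicate mapping key that is likely to be rejected at decode time — and both blocks reference the same `-pull-secret` name anyway. Collapse them into one guard: `{{- if or .Values.crowdstrikeConfig.dockerAPIToken .Values.image.pullSecret }}` / `imagePullSecrets:` / `  - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret`. The matching hunk in deployment.yaml below needs the same change.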
@@ -26,6 +26,10 @@ spec:
 imagePullSecrets:
 - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
 {{- end }}
+ {{- if .Values.image.pullSecret }}
+ imagePullSecrets:
+ - name: {{ include "falcon-image-analyzer.fullname" . }}-pull-secret
+ {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }}
 securityContext:
 {{- if .Values.podSecurityContext }}
From e38038e3c02ab06153190ec8514986495d5fc935 Mon Sep 17 00:00:00 2001
From: pvyas
Date: Wed, 13 Dec 2023 12:35:19 -0500
Subject: [PATCH 15/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft
---
 helm-charts/falcon-image-analyzer/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml
index 60200e39..e80178ac 100644
--- a/helm-charts/falcon-image-analyzer/values.yaml
+++ b/helm-charts/falcon-image-analyzer/values.yaml
@@ -10,7 +10,7 @@ deployment:
 replicaCount: 1
 image:
- repository: registry.crowdstrike.com/ivan-agent/us-1/stage/cs-imageanalyzer
+ repository: registry.crowdstrike.com/ivan-agent/us-1/release/cs-imageanalyzer
 # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
 # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
 tag:
From 95b294ba30d84739630e7ba492d47a0cdb3423c2 Mon Sep 17 00:00:00 2001
From: pvyas
Date: Tue, 19 Dec 2023 13:15:07 -0500
Subject: [PATCH 16/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft
---
 .../templates/configmap.yaml | 9 +++++++
 .../falcon-image-analyzer/values.schema.json | 24 +++++++++++++++++++
 helm-charts/falcon-image-analyzer/values.yaml | 6 +++++
 3 files changed, 39 insertions(+)
diff --git a/helm-charts/falcon-image-analyzer/templates/configmap.yaml b/helm-charts/falcon-image-analyzer/templates/configmap.yaml index b9119fe8..880cad99 100644 --- a/helm-charts/falcon-image-analyzer/templates/configmap.yaml +++ b/helm-charts/falcon-image-analyzer/templates/configmap.yaml @@ -16,3 +16,12 @@ data: AGENT_RUNTIME_SOCKET: {{ include "falcon-image-analyzer.agentRuntimeSocket" . | quote }} {{- end }} AGENT_MAX_CONSUMER_THREADS: {{ .Values.crowdstrikeConfig.agentMaxConsumerThreads | quote }} + {{- if .Values.proxyConfig.HTTP_PROXY }} + HTTP_PROXY: {{ .Values.proxyConfig.HTTP_PROXY }} + {{- end }} + {{- if .Values.proxyConfig.HTTPS_PROXY }} + HTTPS_PROXY: {{ .Values.proxyConfig.HTTPS_PROXY }} + {{- end }} + {{- if .Values.proxyConfig.NO_PROXY }} + NO_PROXY: {{ .Values.proxyConfig.NO_PROXY }} + {{- end }} diff --git a/helm-charts/falcon-image-analyzer/values.schema.json b/helm-charts/falcon-image-analyzer/values.schema.json index d642bc2d..b9a29311 100644 --- a/helm-charts/falcon-image-analyzer/values.schema.json +++ b/helm-charts/falcon-image-analyzer/values.schema.json @@ -249,6 +249,30 @@ } } ] + }, + "proxyConfig": { + "default": {}, + "type": "object", + "properties": { + "HTTP_PROXY": { + "type": [ + "null", + "string" + ] + }, + "HTTPS_PROXY": { + "type": [ + "null", + "string" + ] + }, + "NO_PROXY": { + "type": [ + "null", + "string" + ] + } + } } } } diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index e80178ac..2d545e9f 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -87,3 +87,9 @@ crowdstrikeConfig: agentRuntime: "" agentRuntimeSocket: "" agentMaxConsumerThreads: "1" + + +proxyConfig: + HTTP_PROXY: "" + HTTPS_PROXY: "" + NO_PROXY: "" \ No newline at end of file From 1350baa001cd33d324013283693bf5cfe06b22fa Mon Sep 17 00:00:00 2001 
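Review bot: The three proxy values are templated unquoted, unlike every other key in this ConfigMap, which goes through `| quote`; a proxy string containing `: ` or starting with a YAML indicator would break rendering, so use `HTTP_PROXY: {{ .Values.proxyConfig.HTTP_PROXY | quote }}` and the same for `HTTPS_PROXY` and `NO_PROXY`. Worth a caveat in values.yaml too: a proxy URL with embedded credentials (`http://user:pass@proxy:3128`) lands in a ConfigMap rather than a Secret and is readable by anyone with `get configmaps` in the namespace.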
From: pvyas Date: Fri, 5 Jan 2024 14:32:14 -0500 Subject: [PATCH 17/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/templates/configmap.yaml | 1 + helm-charts/falcon-image-analyzer/values.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/helm-charts/falcon-image-analyzer/templates/configmap.yaml b/helm-charts/falcon-image-analyzer/templates/configmap.yaml index 880cad99..86111a2d 100644 --- a/helm-charts/falcon-image-analyzer/templates/configmap.yaml +++ b/helm-charts/falcon-image-analyzer/templates/configmap.yaml @@ -6,6 +6,7 @@ metadata: labels: {{- include "falcon-image-analyzer.labels" . | nindent 4 }} data: + IS_KUBERNETES: {{ .Values.isKubernetes | quote }} AGENT_CID: {{ .Values.crowdstrikeConfig.cid | quote }} AGENT_CLUSTER_NAME: {{ .Values.crowdstrikeConfig.clusterName | quote }} AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | quote }} diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index 2d545e9f..9a1c4eab 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# Do not override anywhere in values +isKubernetes: true + daemonset: enabled: false From 1c66027e1f12f290d7af5a23804f1f542c5fa7f1 Mon Sep 17 00:00:00 2001 From: pvyas Date: Mon, 8 Jan 2024 09:57:33 -0500 Subject: [PATCH 18/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index 9a1c4eab..ef6b97ff 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml 
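Review bot: `isKubernetes` is exposed as a value whose comment says it must never be overridden, which is contradictory — `--set isKubernetes=false` still works, and this patch does not touch values.schema.json to pin it. If it is always true under Helm, drop the value and hard-code it in the template as `IS_KUBERNETES: "true"`; otherwise add a `"const": true` constraint for it in the schema so an override fails validation instead of silently changing agent behaviour.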
@@ -2,7 +2,7 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# Do not override anywhere in values +# Do not override anywhere in values - Always true when run in k8s isKubernetes: true daemonset: From 4901033d802b181200c029d343f04cb9e809fea3 Mon Sep 17 00:00:00 2001 From: pvyas Date: Tue, 16 Jan 2024 10:25:30 -0500 Subject: [PATCH 19/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index ef6b97ff..685bbeab 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -95,4 +95,4 @@ crowdstrikeConfig: proxyConfig: HTTP_PROXY: "" HTTPS_PROXY: "" - NO_PROXY: "" \ No newline at end of file + NO_PROXY: "" From 7bb9e4880ce200dbd807857c021ea4b908e92d30 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Tue, 30 Jan 2024 08:39:13 -0700 Subject: [PATCH 20/22] CS Falcon Image Analyzer ( IAR ) Helm initial Draft --- helm-charts/falcon-image-analyzer/README.md | 113 ++++++++++++++++++ .../templates/_helpers.tpl | 6 +- .../templates/daemonset.yaml | 25 ++++ .../templates/deployment.yaml | 36 ++++-- helm-charts/falcon-image-analyzer/values.yaml | 17 ++- 5 files changed, 185 insertions(+), 12 deletions(-) create mode 100644 helm-charts/falcon-image-analyzer/README.md diff --git a/helm-charts/falcon-image-analyzer/README.md b/helm-charts/falcon-image-analyzer/README.md new file mode 100644 index 00000000..75b08cd5 --- /dev/null +++ b/helm-charts/falcon-image-analyzer/README.md 
@@ -0,0 +1,113 @@ +# CrowdStrike Falcon Helm Chart + +[Falcon](https://www.crowdstrike.com/) is the [CrowdStrike](https://www.crowdstrike.com/) +platform purpose-built to stop breaches via a unified set of cloud-delivered +technologies that prevent all types of attacks — including malware and much +more. + +# Kubernetes Cluster Compatability + +The Falcon Helm chart has been tested to deploy on the following Kubernetes distributions: + +* Amazon Elastic Kubernetes Service (EKS) + * Daemonset (node) sensor support for EKS nodes + * Container sensor support for EKS Fargate nodes +* Azure Kubernetes Service (AKS) +* Google Kubernetes Engine (GKE) +* Rancher K3s +* OpenShift Kubernetes + +# Dependencies + +1. Requires a x86_64 Kubernetes cluster +1. Before deploying the Helm chart, you should have a Falcon Linux Sensor and/or Falcon Container sensor in your own container registry or use CrowdStrike's registry before installing the Helm Chart. See the Deployment Considerations for more. +1. Helm 3.x is installed and supported by the Kubernetes vendor. + +# Installation + +### Add the CrowdStrike Falcon Helm repository + +``` +helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm +``` + +### Update the local Helm repository Cache + +``` +helm repo update +``` + +# Falcon Configuration Options + +The following tables lists the Falcon Sensor configurable parameters and their default values. + +| Parameter | Description | Default | +|:---------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------| +| `daemonset.enabled` | set to true if running in watcher mode i.e. `crowdstrikeConfig.agentRunmode` is `socket` | false | +| `deployment.enabled` | set to true if running in watcher mode i.e. 
`crowdstrikeConfig.agentRunmode` is `watcher` | false | +| `image.repo` | iar image repo name. | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` | +| `image.tag` | image tag version | None | +| `azure.enabled` | set to true if cluster is azure aks OR self managed on azure nodes | false | +| `azure.azureConfig` | azure config file path | `/etc/kubernetes/azure.json` | +| `gcp.enabled` | set to true if cluster is azure aks OR self managed on google cloud gcp nodes | false | +| `crowdstrikeConfig.clusterName` | cluster name | None | +| `crowdstrikeConfig.enableDebug` | set to true for debug level log verbosity | false | +| `crowdstrikeConfig.clientID` | crowdstrike falcon OAuth API Client ID | None | +| `crowdstrikeConfig.clientSecret` | crowdstrike falcon OAuth API Client secret | None | +| `crowdstrikeConfig.cid` | customer ID ( CID ) | None | +| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None | +| `crowdstrikeConfig.existingSecret` | existing secret ref name of the customer kubernetes cluster | None | +| `crowdstrikeConfig.agentRunmode` | agent run mode `watcher` or `socket` for kubernetes set this along with deployment.enabled and daemonset.enabled respectively | None | +| `crowdstrikeConfig.agentRegion` | region of the crowdstike api to connect to us-1/us-2/eu-1 | None | +| `crowdstrikeConfig.agentRuntime` | the underlying runtime of the OS. docker/containerd/podman/crio . ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None | +| `crowdstrikeConfig.agentRuntimeSocket` | the unix socket path for the runtime socket .ef. `unix///var/run/docker.sock` . ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None | + + + + +## Installing on Kubernetes Cluster Nodes + +### Deployment Considerations + +To ensure a successful deployment, you will want to ensure that: +1. 
By default, the Helm Chart installs in the `default` namespace. Best practices for deploying to Kubernetes is to create a new namespace. This can be done by adding `--create-namespace -n falcon-image-analyzer` to your `helm install` command. The namespace can be any name that you wish to use. +1. You must be a cluster administrator to deploy Helm Charts to the cluster. +1. CrowdStrike's Helm Chart is a project, not a product, and released to the community as a way to automate sensor deployment to kubernetes clusters. The upstream repository for this project is [https://github.com/CrowdStrike/falcon-helm](https://github.com/CrowdStrike/falcon-helm). + +### Pod Security Standards + +Starting with Kubernetes 1.25, Pod Security Standards will be enforced. Setting the appropriate Pod Security Standards policy needs to be performed by adding a label to the namespace. Run the following command replacing `my-existing-namespace` with the namespace that you have installed the falcon sensors e.g. `falcon-system`.. +``` +kubectl label --overwrite ns my-existing-namespace \ + pod-security.kubernetes.io/enforce=privileged +``` + +If desired to silence the warning and change the auditing level for the Pod Security Standard, add the following labels +``` +kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/audit=privileged +kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged +``` + +### Install CrowdStrike Falcon Helm Chart on Kubernetes Nodes + +Before installing the IAR. please set the values of the helm chart variables and save in some path as yaml file. + +``` +helm upgrade --install -f path-to-my-values.yaml \ + --create-namespace -n falcon-image-analyzer imageanalyzer falcon-helm crowdstrike/falcon-image-analyzer +``` + + +For more details please see the [falcon-helm](https://github.com/CrowdStrike/falcon-helm) repository. 
+ +``` +helm show values crowdstrike/falcon-sensor +``` + + +### Uninstall Helm Chart +To uninstall, run the following command: +``` +helm uninstall imageanalyzer -n falcon-image-analyzer && kubectl delete namespace falcon-image-analyzer +``` + diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl index 3e57c944..d5cdc68a 100644 --- a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl +++ b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl @@ -88,13 +88,13 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} {{- end }} {{- end }} {{- else -}} -{{- .Values.volumeMounts | toYaml -}} +{{- .Values.volumeMounts | toYaml }} {{- end }} {{- end }} {{- define "falcon-image-analyzer.volumes" -}} {{- if lt (len .Values.volumes) 2 -}} -{{- .Values.volumes | toYaml -}} +{{- .Values.volumes | toYaml }} {{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }} - name: var-run hostPath: @@ -120,7 +120,7 @@ runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} {{- end }} {{- end }} {{- else -}} -{{- .Values.volumes | toYaml -}} +{{- .Values.volumes | toYaml }} {{- end }} {{- end }} diff --git a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml index e6db71eb..35ac07d6 100644 --- a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml +++ b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml 
@@ -34,6 +34,21 @@ spec:
 {{- if .Values.podSecurityContext }}
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- end }}
+ {{- if .Values.gcp.enabled }}
+ initContainers:
+ - name: {{ .Chart.Name }}-init-container
+ image: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
+ imagePullPolicy: "Always"
+ command:
+ - '/bin/bash'
+ - '-c'
+ - |
+ curl -sS -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' --retry 30 --retry-connrefused --retry-max-time 60 --connect-timeout 3 --fail --retry-all-errors > /dev/null && exit 0 || echo 'Retry limit exceeded. Failed to wait for metadata server to be available. Check if the gke-metadata-server Pod in the kube-system namespace is healthy.' >&2; exit 1
+ securityContext:
+ runAsUser: 0
+ runAsNonRoot: false
+ privileged: false
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
@@ -56,12 +71,22 @@ spec:
 {{- end }}
 volumeMounts:
 {{- (include "falcon-image-analyzer.volumeMounts" .) | nindent 12 }}
+ {{- if .Values.azure.enabled }}
+ - name: azure-config
+ mountPath: /etc/kubernetes/azure.json
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 volumes:
 {{- include "falcon-image-analyzer.volumes" . | nindent 8 }}
+ {{- if .Values.azure.enabled }}
+ - name: azure-config
+ hostPath:
+ path: {{ .Values.azure.azureConfig }}
+ type: File
+ {{- end }}
 {{- with .Values.affinity }}
 affinity:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-charts/falcon-image-analyzer/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml
index 66b3c7c1..ad3149cd 100644
--- a/helm-charts/falcon-image-analyzer/templates/deployment.yaml
+++ b/helm-charts/falcon-image-analyzer/templates/deployment.yaml
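Review bot: The GCP init container references `gcr.io/google.com/cloudsdktool/cloud-sdk:alpine` by a floating tag with `imagePullPolicy: "Always"`, and neither the image nor its tag is exposed through values, so every pod start pulls whatever that tag currently resolves to; the chart's own values.yaml comment (patch 20, values.yaml hunk) says digests should be used over tags for immutability, and this image should follow that rule via a `gcp.initImage` value or a pinned `@sha256:` reference. The container also runs as root (`runAsUser: 0`, `runAsNonRoot: false`) although its only work is a `curl` to the metadata endpoint; unless the base image needs UID 0 for that, a non-root UID plus `allowPrivilegeEscalation: false` is sufficient. The identical block is duplicated verbatim in deployment.yaml on the next line; a named template in _helpers.tpl would keep the two copies in sync.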
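Review bot: The `azure-config` volumeMount in the second hunk has no `readOnly: true`, so the agent container gets a writable bind of the node's `/etc/kubernetes/azure.json`, the cloud-provider configuration file that on AKS typically carries the node's credentials. Change the mount to `- name: azure-config`, `mountPath: /etc/kubernetes/azure.json`, `readOnly: true`; the identical mount in the deployment.yaml hunk on the next line needs the same. `type: File` on the hostPath is right, as it fails the pod instead of creating an empty file when the path is absent.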
@@ -35,12 +35,26 @@ spec:
 {{- if .Values.podSecurityContext }}
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- end }}
+ {{- if .Values.gcp.enabled }}
+ initContainers:
+ - name: {{ .Chart.Name }}-init-container
+ image: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
+ imagePullPolicy: "Always"
+ command:
+ - '/bin/bash'
+ - '-c'
+ - |
+ curl -sS -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' --retry 30 --retry-connrefused --retry-max-time 60 --connect-timeout 3 --fail --retry-all-errors > /dev/null && exit 0 || echo 'Retry limit exceeded. Failed to wait for metadata server to be available. Check if the gke-metadata-server Pod in the kube-system namespace is healthy.' >&2; exit 1
+ securityContext:
+ runAsUser: 0
+ runAsNonRoot: false
+ privileged: false
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
- {{- if .Values.securityContext }}
- {{- toYaml .Values.securityContext | nindent 12 }}
- {{- end }}
+ runAsUser: 0
+ privileged: false
 resources:
 {{- if .Values.resources }}
 {{- toYaml .Values.resources | nindent 12 }}
@@ -58,15 +72,23 @@ spec:
 name: {{ include "falcon-image-analyzer.fullname" . }}
 {{- end }}
 volumeMounts:
- {{- toYaml .Values.volumeMounts | default "" | nindent 12 }}
+ {{- toYaml .Values.volumeMounts | default "" | nindent 12 }}
+ {{- if .Values.azure.enabled }}
+ - name: azure-config
+ mountPath: /etc/kubernetes/azure.json
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with .Values.volumes }}
 volumes:
- {{- toYaml . | default "" | nindent 8 }}
- {{- end}}
+ {{- toYaml .Values.volumes | default "" | nindent 8 }}
+ {{- if .Values.azure.enabled }}
+ - name: azure-config
+ hostPath:
+ path: {{ .Values.azure.azureConfig }}
+ type: File
+ {{- end }}
 {{- with .Values.affinity }}
 affinity:
 {{- toYaml . | nindent 8 }}
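Review bot: The main container's `securityContext` is replaced by a hard-coded `runAsUser: 0` / `privileged: false`, so the `securityContext` value users set, which `_helpers.tpl` still reads (`.Values.securityContext.runAsGroup` appears as hunk context in the previous file), is silently ignored in deployment mode and the agent is forced to run as root without the README parameter table saying so. If root is only the intended default, keep the original `{{- if .Values.securityContext }}` / `toYaml` branch and put `runAsUser: 0` and `privileged: false` in an `{{- else }}` branch, with a comment next to `securityContext` in values.yaml explaining the default. The daemonset template is not touched in this respect, so if it still consumes the value the two workloads now diverge in behaviour.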
diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml index 685bbeab..8b12439b 100644 --- a/helm-charts/falcon-image-analyzer/values.yaml +++ b/helm-charts/falcon-image-analyzer/values.yaml @@ -11,9 +11,11 @@ daemonset: deployment: enabled: false + +# Do not override anywhere in values - Always 1 for Deployment. NA for daemonset replicaCount: 1 image: - repository: registry.crowdstrike.com/ivan-agent/us-1/release/cs-imageanalyzer + repository: registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability. tag: @@ -22,7 +24,7 @@ image: # Example digest variable configuration: # digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398 digest: - pullPolicy: IfNotPresent + pullPolicy: Always # Use this if you have a base64 encoded docker # config json with user and pass of your own @@ -61,6 +63,17 @@ affinity: {} priorityClassName: "" + # For AKS without the pulltoken option +azure: + enabled: false + + # Path to the Kubernetes Azure config file on worker nodes + azureConfig: /etc/kubernetes/azure.json + +# GCP GKE workload identity init container +gcp: + enabled: false + # This is a mandatory mount for both deployment and daemon set. # this is used as a tmp working space for image storage volumes: From 662a8d2ce96ae4a82699c2e3b08ad584d88bf8ea Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Tue, 30 Jan 2024 08:41:23 -0700 Subject: [PATCH 21/22] bump IAR chart version to 1.0.0 --- helm-charts/falcon-image-analyzer/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
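Review bot: The comment `# For AKS without the pulltoken option` appears to be indented relative to the `azure:` key it introduces, which yamllint's `comments-indentation` rule flags; align it with the key at column 0. The change of `pullPolicy` from `IfNotPresent` to `Always` is not explained in the commit message or README; with `tag:` and `digest:` both empty by default it mostly adds a registry round-trip per pod start, so a one-line comment stating the reason belongs next to it.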
diff --git a/helm-charts/falcon-image-analyzer/Chart.yaml b/helm-charts/falcon-image-analyzer/Chart.yaml index 5055d718..7b706824 100644 --- a/helm-charts/falcon-image-analyzer/Chart.yaml +++ b/helm-charts/falcon-image-analyzer/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.16.0" +appVersion: "1.0.0" From bbddf3003843e1fc0c5b414c7a341a59200f429b Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Tue, 30 Jan 2024 10:15:45 -0700 Subject: [PATCH 22/22] fix: update falcon-image-analyzer readme --- helm-charts/falcon-image-analyzer/README.md | 104 +++++++++----------- 1 file changed, 49 insertions(+), 55 deletions(-) diff --git a/helm-charts/falcon-image-analyzer/README.md b/helm-charts/falcon-image-analyzer/README.md index 75b08cd5..9e8f625a 100644 --- a/helm-charts/falcon-image-analyzer/README.md +++ b/helm-charts/falcon-image-analyzer/README.md 
@@ -1,29 +1,27 @@ -# CrowdStrike Falcon Helm Chart +# CrowdStrike Falcon Image Analyzer Helm Chart [Falcon](https://www.crowdstrike.com/) is the [CrowdStrike](https://www.crowdstrike.com/) platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more. -# Kubernetes Cluster Compatability +## Kubernetes cluster compatability -The Falcon Helm chart has been tested to deploy on the following Kubernetes distributions: +The Falcon Image Analyzer Helm chart has been tested to deploy on the following Kubernetes distributions: -* Amazon Elastic Kubernetes Service (EKS) - * Daemonset (node) sensor support for EKS nodes - * Container sensor support for EKS Fargate nodes +* Amazon Elastic Kubernetes Service (EKS) - EKS and EKS Fargate * Azure Kubernetes Service (AKS) * Google Kubernetes Engine (GKE) -* Rancher K3s -* OpenShift Kubernetes +* SUSE Rancher K3s +* Red Hat OpenShift Kubernetes -# Dependencies +## Dependencies 1. Requires a x86_64 Kubernetes cluster -1. Before deploying the Helm chart, you should have a Falcon Linux Sensor and/or Falcon Container sensor in your own container registry or use CrowdStrike's registry before installing the Helm Chart. See the Deployment Considerations for more. +1. Before deploying the Helm chart, you should have the `falcon-imageanalyzer` container image in your own container registry, or use CrowdStrike's registry before installing the Helm chart. See the [Deployment Considerations](#deployment-considerations) for more. 1. Helm 3.x is installed and supported by the Kubernetes vendor. -# Installation +## Installation ### Add the CrowdStrike Falcon Helm repository 
@@ -31,66 +29,63 @@ The Falcon Helm chart has been tested to deploy on the following Kubernetes dist helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm ``` -### Update the local Helm repository Cache +### Update the local Helm repository cache ``` helm repo update ``` -# Falcon Configuration Options - -The following tables lists the Falcon Sensor configurable parameters and their default values. - -| Parameter | Description | Default | -|:---------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------| -| `daemonset.enabled` | set to true if running in watcher mode i.e. `crowdstrikeConfig.agentRunmode` is `socket` | false | -| `deployment.enabled` | set to true if running in watcher mode i.e. `crowdstrikeConfig.agentRunmode` is `watcher` | false | -| `image.repo` | iar image repo name. 
| `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` | -| `image.tag` | image tag version | None | -| `azure.enabled` | set to true if cluster is azure aks OR self managed on azure nodes | false | -| `azure.azureConfig` | azure config file path | `/etc/kubernetes/azure.json` | -| `gcp.enabled` | set to true if cluster is azure aks OR self managed on google cloud gcp nodes | false | -| `crowdstrikeConfig.clusterName` | cluster name | None | -| `crowdstrikeConfig.enableDebug` | set to true for debug level log verbosity | false | -| `crowdstrikeConfig.clientID` | crowdstrike falcon OAuth API Client ID | None | -| `crowdstrikeConfig.clientSecret` | crowdstrike falcon OAuth API Client secret | None | -| `crowdstrikeConfig.cid` | customer ID ( CID ) | None | -| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None | -| `crowdstrikeConfig.existingSecret` | existing secret ref name of the customer kubernetes cluster | None | -| `crowdstrikeConfig.agentRunmode` | agent run mode `watcher` or `socket` for kubernetes set this along with deployment.enabled and daemonset.enabled respectively | None | -| `crowdstrikeConfig.agentRegion` | region of the crowdstike api to connect to us-1/us-2/eu-1 | None | -| `crowdstrikeConfig.agentRuntime` | the underlying runtime of the OS. docker/containerd/podman/crio . ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None | -| `crowdstrikeConfig.agentRuntimeSocket` | the unix socket path for the runtime socket .ef. `unix///var/run/docker.sock` . ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None | - - - - -## Installing on Kubernetes Cluster Nodes - -### Deployment Considerations - -To ensure a successful deployment, you will want to ensure that: -1. By default, the Helm Chart installs in the `default` namespace. 
Best practices for deploying to Kubernetes is to create a new namespace. This can be done by adding `--create-namespace -n falcon-image-analyzer` to your `helm install` command. The namespace can be any name that you wish to use. -1. You must be a cluster administrator to deploy Helm Charts to the cluster. -1. CrowdStrike's Helm Chart is a project, not a product, and released to the community as a way to automate sensor deployment to kubernetes clusters. The upstream repository for this project is [https://github.com/CrowdStrike/falcon-helm](https://github.com/CrowdStrike/falcon-helm). +## Falcon configuration options + +The following tables list the Falcon sensor configurable parameters and their default values. + +| Parameter | Description | Default | +|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------| +| `daemonset.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `socket` | false | +| `deployment.enabled` | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `watcher` | false | +| `image.repo` | IAR image repo name | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` | +| `image.tag` | Image tag version | None | +| `azure.enabled` | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes. | false | +| `azure.azureConfig` | Azure config file path | `/etc/kubernetes/azure.json` | +| `gcp.enabled` | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes. | false | +| `crowdstrikeConfig.clusterName` | Cluster name | None | +| `crowdstrikeConfig.enableDebug` | Set to `true` for debug level log verbosity. 
| false | +| `crowdstrikeConfig.clientID` | CrowdStrike Falcon OAuth API Client ID | None | +| `crowdstrikeConfig.clientSecret` | CrowdStrike Falcon OAuth API Client secret | None | +| `crowdstrikeConfig.cid` | Customer ID (CID) | None | +| `crowdstrikeConfig.dockerAPIToken` | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from `registry.crowdstrike.com` | None | +| `crowdstrikeConfig.existingSecret` | Existing secret ref name of the customer Kubernetes cluster | None | +| `crowdstrikeConfig.agentRunmode` | Agent run mode `watcher` or `socket` for Kubernetes. Set this along with `deployment.enabled` and `daemonset.enabled` respectively | None | +| `crowdstrikeConfig.agentRegion` | Region of the CrowdStrike API to connect to us-1/us-2/eu-1 | None | +| `crowdstrikeConfig.agentRuntime` | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None | +| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None | + +## Installing on Kubernetes cluster nodes + +### Deployment considerations + +For a successful deployment, you will want to ensure that: +1. By default, the Helm chart installs in the `default` namespace. Best practices for deploying to Kubernetes is to create a new namespace. This can be done by adding `--create-namespace -n falcon-image-analyzer` to your `helm install` command. The namespace can be any name that you wish to use. +1. You must be a cluster administrator to deploy Helm charts to the cluster. +1. CrowdStrike's Helm chart is a project, not a product, and released to the community as a way to automate sensor deployment to Kubernetes clusters. The upstream repository for this project is [https://github.com/CrowdStrike/falcon-helm](https://github.com/CrowdStrike/falcon-helm). 
### Pod Security Standards -Starting with Kubernetes 1.25, Pod Security Standards will be enforced. Setting the appropriate Pod Security Standards policy needs to be performed by adding a label to the namespace. Run the following command replacing `my-existing-namespace` with the namespace that you have installed the falcon sensors e.g. `falcon-system`.. +Starting with Kubernetes 1.25, Pod Security Standards will be enforced. Setting the appropriate Pod Security Standards policy needs to be performed by adding a label to the namespace. Run the following command, and replace `my-existing-namespace` with the namespace that you have installed the falcon sensors, for example: `falcon-image-analyzer`. ``` kubectl label --overwrite ns my-existing-namespace \ pod-security.kubernetes.io/enforce=privileged ``` -If desired to silence the warning and change the auditing level for the Pod Security Standard, add the following labels +If you want to silence the warning and change the auditing level for the Pod Security Standard, add the following labels: ``` kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/audit=privileged kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged ``` -### Install CrowdStrike Falcon Helm Chart on Kubernetes Nodes +### Install CrowdStrike Falcon Helm chart on Kubernetes nodes -Before installing the IAR. please set the values of the helm chart variables and save in some path as yaml file. +Before you install IAR, set the Helm chart variables and add them to the `values.yaml` file. Then, run the following to install IAR: ``` helm upgrade --install -f path-to-my-values.yaml \ 
@@ -98,16 +93,15 @@ helm upgrade --install -f path-to-my-values.yaml \ ``` -For more details please see the [falcon-helm](https://github.com/CrowdStrike/falcon-helm) repository. +For more details, see the [falcon-helm](https://github.com/CrowdStrike/falcon-helm) repository. ``` helm show values crowdstrike/falcon-sensor ``` +## Uninstall Helm chart -### Uninstall Helm Chart To uninstall, run the following command: ``` helm uninstall imageanalyzer -n falcon-image-analyzer && kubectl delete namespace falcon-image-analyzer ``` -