CS Falcon Image Analyzer ( IAR ) Helm

.github/workflows/helm-test.yaml

@@ -6,6 +6,7 @@ on:
       - 'helm-charts/**'
       - '!helm-charts/falcon-sensor/**'
       - '!helm-charts/cs-k8s-protection-agent/**'
+      - '!helm-charts/falcon-image-analyzer/**'
       - '!helm-charts/falcon-kac/**'
 
 jobs:

README.md

@@ -16,6 +16,7 @@ This repository is a collection of CrowdStrike Helm Charts. The Helm Charts deve
 | [Falcon Sensor](helm-charts/falcon-sensor)                           | Deploys the Falcon Sensor to Kubernetes Nodes or as a Sidecar to a pod. See [the README](helm-charts/falcon-sensor/README.md) for more info. |
 | [Falcon Integration Gateway](helm-charts/falcon-integration-gateway) | Deploys the Falcon Integration Gateway. See [the README](helm-charts/falcon-integration-gateway/README.md) for more info.                    |
 | [Falcon Kubernetes Admission Controller](helm-charts/falcon-kac)     | Deploy the Falcon Kubernetes Admission Controller. See [the README](helm-charts/falcon-kac/README.md) for more info. | 
+| [Falcon Image Analyzer](helm-charts/falcon-image-analyzer)           | Deploy the Falcon Image Analyzer. See [the README](helm-charts/falcon-image-analyzer/README.md) for more info.       |
 
 ## Developer Guide
 If you are a developer, please read our [Developer's Guide](docs/developer_guide.md).

helm-charts/falcon-image-analyzer/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm-charts/falcon-image-analyzer/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: falcon-image-analyzer
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"

helm-charts/falcon-image-analyzer/README.md

@@ -0,0 +1,107 @@
+# CrowdStrike Falcon Image Analyzer Helm Chart
+
+[Falcon](https://www.crowdstrike.com/) is the [CrowdStrike](https://www.crowdstrike.com/)
+platform purpose-built to stop breaches via a unified set of cloud-delivered
+technologies that prevent all types of attacks — including malware and much
+more.
+
+## Kubernetes cluster compatability
+
+The Falcon Image Analyzer Helm chart has been tested to deploy on the following Kubernetes distributions:
+
+* Amazon Elastic Kubernetes Service (EKS) - EKS and EKS Fargate
+* Azure Kubernetes Service (AKS)
+* Google Kubernetes Engine (GKE)
+* SUSE Rancher K3s
+* Red Hat OpenShift Kubernetes
+
+## Dependencies
+
+1. Requires a x86_64 Kubernetes cluster
+1. Before deploying the Helm chart, you should have the `falcon-imageanalyzer` container image in your own container registry, or use CrowdStrike's registry before installing the Helm chart. See the [Deployment Considerations](#deployment-considerations) for more.
+1. Helm 3.x is installed and supported by the Kubernetes vendor.
+
+## Installation
+
+### Add the CrowdStrike Falcon Helm repository
+
+```
+helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
+```
+
+### Update the local Helm repository cache
+
+```
+helm repo update
+```
+
+## Falcon configuration options
+
+The following tables list the Falcon sensor configurable parameters and their default values.
+
+| Parameter                              | Description                                                                                                                                              | Default                                                                           |
+|:---------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------|
+| `daemonset.enabled`                    | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `socket`                                                               | false                                                                             |
+| `deployment.enabled`                   | Set to `true` if running in Watcher Mode i.e. `crowdstrikeConfig.agentRunmode` is `watcher`                                                              | false                                                                             |
+| `image.repo`                           | IAR image repo name                                                                                                                                      | `registry.crowdstrike.com/falcon-imageanalyzer/us-1/release/falcon-imageanalyzer` |
+| `image.tag`                            | Image tag version                                                                                                                                        | None                                                                              |
+| `azure.enabled`                        | Set to `true` if cluster is Azure AKS or self-managed on Azure nodes.                                                                                    | false                                                                             |
+| `azure.azureConfig`                    | Azure  config file path                                                                                                                                  | `/etc/kubernetes/azure.json`                                                      |
+| `gcp.enabled`                          | Set to `true` if cluster is Gogle GKE or self-managed on Google Cloud GCP nodes.                                                                         | false                                                                             |
+| `crowdstrikeConfig.clusterName`        | Cluster name                                                                                                                                             | None                                                                              |
+| `crowdstrikeConfig.enableDebug`        | Set to `true` for debug level log verbosity.                                                                                                             | false                                                                             |
+| `crowdstrikeConfig.clientID`           | CrowdStrike Falcon OAuth API Client ID                                                                                                                   | None                                                                              |
+| `crowdstrikeConfig.clientSecret`       | CrowdStrike Falcon OAuth API Client secret                                                                                                               | None                                                                              |
+| `crowdstrikeConfig.cid`                | Customer ID (CID)                                                                                                                                        | None                                                                              |
+| `crowdstrikeConfig.dockerAPIToken`     | Crowdstrike Artifactory Image Pull Token for pulling IAR image directly from  `registry.crowdstrike.com`                                                 | None                                                                              |
+| `crowdstrikeConfig.existingSecret`     | Existing secret ref name of the customer Kubernetes cluster                                                                                              | None                                                                              |
+| `crowdstrikeConfig.agentRunmode`       | Agent run mode `watcher` or `socket` for Kubernetes. Set this along with `deployment.enabled` and `daemonset.enabled` respectively                       | None                                                                              |
+| `crowdstrikeConfig.agentRegion`        | Region of the CrowdStrike API to connect to us-1/us-2/eu-1                                                                                               | None                                                                              |
+| `crowdstrikeConfig.agentRuntime`       | The underlying runtime of the OS. docker/containerd/podman/crio. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket`                        | None                                                                              |
+| `crowdstrikeConfig.agentRuntimeSocket` | The unix socket path for the runtime socket. For example: `unix///var/run/docker.sock`. ONLY TO BE USED with `crowdstrikeConfig.agentRunmode` = `socket` | None                                                                              |
+
+## Installing on Kubernetes cluster nodes
+
+### Deployment considerations
+
+For a successful deployment, you will want to ensure that:
+1. By default, the Helm chart installs in the `default` namespace. Best practices for deploying to Kubernetes is to create a new namespace. This can be done by adding `--create-namespace -n falcon-image-analyzer` to your `helm install` command. The namespace can be any name that you wish to use.
+1. You must be a cluster administrator to deploy Helm charts to the cluster.
+1. CrowdStrike's Helm chart is a project, not a product, and released to the community as a way to automate sensor deployment to Kubernetes clusters. The upstream repository for this project is [https://github.com/CrowdStrike/falcon-helm](https://github.com/CrowdStrike/falcon-helm).
+
+### Pod Security Standards
+
+Starting with Kubernetes 1.25, Pod Security Standards will be enforced. Setting the appropriate Pod Security Standards policy needs to be performed by adding a label to the namespace. Run the following command, and replace `my-existing-namespace` with the namespace that you have installed the falcon sensors, for example: `falcon-image-analyzer`.
+```
+kubectl label --overwrite ns my-existing-namespace \
+  pod-security.kubernetes.io/enforce=privileged
+```
+
+If you want to silence the warning and change the auditing level for the Pod Security Standard, add the following labels:
+```
+kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/audit=privileged
+kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged
+```
+
+### Install CrowdStrike Falcon Helm chart on Kubernetes nodes
+
+Before you install IAR, set the Helm chart variables and add them to the `values.yaml` file. Then, run the following to install IAR:
+
+```
+helm upgrade --install -f path-to-my-values.yaml \ 
+      --create-namespace -n falcon-image-analyzer imageanalyzer falcon-helm crowdstrike/falcon-image-analyzer
+```
+
+
+For more details, see the [falcon-helm](https://github.com/CrowdStrike/falcon-helm) repository.
+
+```
+helm show values crowdstrike/falcon-sensor
+```
+
+## Uninstall Helm chart
+
+To uninstall, run the following command:
+```
+helm uninstall imageanalyzer -n falcon-image-analyzer && kubectl delete namespace falcon-image-analyzer
+```

helm-charts/falcon-image-analyzer/ci/cid-values.yaml

@@ -0,0 +1,5 @@
+crowdstrikeConfig:
+  clusterName: "test-cluster12.test"
+  clientID: "abcdefABCDEF0123456789abcdefABCD"
+  clientSecret: "abcdefABCDEF0123456789abcdefABCDEF012345"
+  cid: "1234567890ABCDEF1234567890ABCDEF-12"

helm-charts/falcon-image-analyzer/templates/NOTES.txt

@@ -0,0 +1,3 @@
+The Crowdstrike Image Analyzer Agent is now deployed to your cluster under the {{ .Release.Namespace }} namespace as {{ include "falcon-image-analyzer.fullname" . }}. You can now check if the agent is running by running the following command:
+
+"kubectl -n {{ .Release.Namespace}} get pods"

helm-charts/falcon-image-analyzer/templates/_helpers.tpl

@@ -0,0 +1,167 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "falcon-image-analyzer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "falcon-image-analyzer.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "falcon-image-analyzer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "falcon-image-analyzer.labels" -}}
+helm.sh/chart: {{ include "falcon-image-analyzer.chart" . }}
+{{ include "falcon-image-analyzer.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "falcon-image-analyzer.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "falcon-image-analyzer.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "falcon-image-analyzer.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "falcon-image-analyzer.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "falcon-image-analyzer.securityContext" -}}
+{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" -}}
+privileged: {{ .Values.securityContext.privileged | default true }}
+allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
+runAsUser: {{ .Values.securityContext.runAsUser | default 0 }}
+runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}
+{{- end }}
+{{- end }}
+
+{{- define "falcon-image-analyzer.volumeMounts" -}}
+{{- if lt (len .Values.volumeMounts) 2 -}}
+{{- .Values.volumeMounts | toYaml }}
+{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
+- name: var-run
+  mountPath: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
+{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }}
+- name: storage
+  mountPath: /run/containers/storage
+- name: containers
+  mountPath: /var/lib/containers
+- name: fuse-overlay
+  mountPath: /usr/bin/fuse-overlayfs
+- name: crio-conf
+  mountPath: /etc/containers
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- .Values.volumeMounts | toYaml }}
+{{- end }}
+{{- end }}
+
+{{- define "falcon-image-analyzer.volumes" -}}
+{{- if lt (len .Values.volumes) 2 -}}
+{{- .Values.volumes | toYaml }}
+{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
+- name: var-run
+  hostPath:
+    path: {{ trimPrefix "unix://" (include "falcon-image-analyzer.agentRuntimeSocket" . ) }}
+    type: Socket
+{{- if eq .Values.crowdstrikeConfig.agentRuntime "crio" }}
+- name: storage
+  hostPath:
+    path: /run/containers/storage
+    type: Directory
+- name: containers
+  hostPath:
+    path: /var/lib/containers
+    type: Directory
+- name: crio-conf
+  hostPath:
+    path: /etc/containers
+    type: Directory
+- name: fuse-overlay
+  hostPath:
+    path: /usr/bin/fuse-overlayfs
+    type: File
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- .Values.volumes | toYaml }}
+{{- end }}
+{{- end }}
+
+{{- define "falcon-image-analyzer.agentRuntimeSocket" -}}
+{{- if eq .Values.crowdstrikeConfig.agentRunmode "socket" }}
+{{- if not .Values.crowdstrikeConfig.agentRuntimeSocket }}
+{{- if eq .Values.crowdstrikeConfig.agentRuntime "docker" }}
+{{- printf "%s" "unix:///run/docker.sock" }}
+{{- else if eq .Values.crowdstrikeConfig.agentRuntime "containerd" -}}
+{{- printf "%s" "unix:///run/containerd/containerd.sock" }}
+{{- else if eq .Values.crowdstrikeConfig.agentRuntime "crio" -}}
+{{- printf "%s" "unix:///run/crio/crio.sock" }}
+{{- else if eq .Values.crowdstrikeConfig.agentRuntime "podman" -}}
+{{- printf "%s" "unix:///run/podman/podman.sock" }}
+{{- end }}
+{{- else -}}
+{{- .Values.crowdstrikeConfig.agentRuntimeSocket }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "falcon-image-analyzer.imagePullSecret" }}
+{{- with .Values.crowdstrikeConfig }}
+{{- if eq .agentRegion "us-gov-1" }}
+{{- printf "{\"auths\":{\"registry.laggar.gcw.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"[email protected]\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }}
+{{- else if eq .agentRegion "us-gov-2" }}
+{{- printf "{\"auths\":{\"registry.us-gov-2.crowdstrike.mil\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"[email protected]\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }}
+{{- else }}
+{{- printf "{\"auths\":{\"registry.crowdstrike.com\":{\"username\":\"fc-%s\",\"password\":\"%s\",\"email\":\"[email protected]\",\"auth\":\"%s\"}}}" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken (printf "fc-%s:%s" (first (regexSplit "-" (lower .cid) -1)) .dockerAPIToken | b64enc) | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "falcon-image-analyzer.image" -}}
+{{- if .Values.image.digest -}}
+{{- if contains "sha256:" .Values.image.digest -}}
+{{- printf "%s@%s" .Values.image.repository .Values.image.digest -}}
+{{- else -}}
+{{- printf "%s@%s:%s" .Values.image.repository "sha256" .Values.image.digest -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" .Values.image.repository .Values.image.tag -}}
+{{- end -}}
+{{- end -}}

helm-charts/falcon-image-analyzer/templates/cluster-role-read-access-binding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "falcon-image-analyzer.fullname" . }}
+  labels:
+  {{- include "falcon-image-analyzer.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.name | default ( include "falcon-image-analyzer.fullname" . ) }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "falcon-image-analyzer.fullname" . }}

helm-charts/falcon-image-analyzer/templates/cluster-role-read-access.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "falcon-image-analyzer.fullname" . }}
+  labels:
+  {{- include "falcon-image-analyzer.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    - secrets
+    - namespaces
+    verbs:
+    - get
+    - watch
+    - list