From 565b91c6ce48dd6d2354d993a095d8617911c6e0 Mon Sep 17 00:00:00 2001
From: JonBruchim
Date: Wed, 4 Dec 2024 10:11:06 +0200
Subject: [PATCH 1/2] cdp: added resources and verbs for the cluster role
---
helm-charts/falcon-sensor/README.md | 1 +
.../falcon-sensor/templates/clusterrole.yaml | 22 ++++++++++++++++++-
.../templates/clusterrolebinding.yaml | 6 ++++-
helm-charts/falcon-sensor/values.yaml | 3 +++
4 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
index 9346620b..df394a0d 100644
--- a/helm-charts/falcon-sensor/README.md
+++ b/helm-charts/falcon-sensor/README.md
@@ -127,6 +127,7 @@ The following tables lists the more common configurable parameters of the chart | `node.image.pullSecrets` | Pull secrets for private registry | None (Conflicts with node.image.registryConfigJSON) | | `node.image.registryConfigJSON` | base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) | | `node.daemonset.resources` | Configure Node sensor resource requests and limits (eBPF mode only) | None (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory.

:warning: **Warning**:
If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!
| +| `node.cdpRolesEnabled` | Enable cluster roles for Cloud Data Protection module | `true` | | `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required) | `falcon.cid` and `node.image.repository` are required values.
diff --git a/helm-charts/falcon-sensor/templates/clusterrole.yaml b/helm-charts/falcon-sensor/templates/clusterrole.yaml
index 0cbd2116..fa59be3a 100644
--- a/helm-charts/falcon-sensor/templates/clusterrole.yaml
+++ b/helm-charts/falcon-sensor/templates/clusterrole.yaml
@@ -1,4 +1,4 @@ -{{- if .Values.container.enabled }} +{{- if or .Values.container.enabled (and .Values.node.enabled .Values.node.cdpRolesEnabled)}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -8,7 +8,11 @@ metadata: app.kubernetes.io/name: {{ include "falcon-sensor.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ if .Values.container.enabled }} app.kubernetes.io/component: "container_sensor" + {{ else if (and .Values.node.enabled .Values.node.cdpRolesEnabled)}} + app.kubernetes.io/component: "kernel_sensor" + {{ end }} crowdstrike.com/provider: crowdstrike helm.sh/chart: {{ include "falcon-sensor.chart" . }} rules:
@@ -16,6 +20,22 @@ rules: - "" resources: - secrets + {{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }} + - pods + - services + - nodes + - daemonsets + - replicasets + - deployments + - jobs + - ingresses + - cronjobs + - persistentvolumes + {{- end }} verbs: - get + {{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }} + - watch + - list + {{- end }} {{- end }}
diff --git a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
index 77ff998f..e9c6dcc3 100644
--- a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
+++ b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
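Review bot: The new `{{ if .Values.container.enabled }}`, `{{ else if ... }}` and `{{ end }}` lines in the labels block of the clusterrole.yaml @@ -8,7 +8,11 hunk do not trim whitespace, unlike the `{{- if` / `{{- end }}` used at the top and bottom of this template, so every rendered ClusterRole carries indented whitespace-only lines inside `metadata.labels`; `{{- if .Values.container.enabled }}`, `{{- else if and .Values.node.enabled .Values.node.cdpRolesEnabled }}`, `{{- end }}` keeps the output clean. The same three lines appear in the clusterrolebinding.yaml @@ -8,7 +8,11 hunk. Separately, when both sensors are enabled the label still reads `container_sensor` although the role now also carries the node-sensor rules, so the component label no longer says which workload the rules were granted for; a comment on the `if` such as `# label names the first enabled sensor only; the rules below may serve both` would at least make that explicit.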
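Review bot: The resources appended in the @@ -16,6 +20,22 hunk go into a rule whose `apiGroups` lists only `""` as far as the hunk shows, so `daemonsets`, `replicasets`, `deployments`, `jobs`, `cronjobs` and `ingresses` grant nothing (those kinds live in `apps`, `batch` and `networking.k8s.io`), while the `watch` and `list` verbs added to that same rule do apply to `secrets`, turning the existing `get` into cluster-wide enumeration of every Secret. Keeping the `secrets` rule as it was and putting the CDP resources in their own rules grouped by API group, with `list`/`watch` only there, gives the node sensor what it needs without widening access to secrets; the rendered role can be checked with `kubectl auth can-i list secrets --as=system:serviceaccount:<namespace>:<service-account>` (placeholders) after the change. The trailing `{{- end }}` closes the outer `if` at the end of the file, and the original indentation of the hunk lines is not recoverable from this view, so the indentation below follows the flush list style visible in the context lines.
```yaml
rules:
# … unchanged: existing apiGroups "" / secrets / get rule, left at get only …
{{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }}
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - replicasets
  - deployments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
{{- end }}
```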
@@ -1,4 +1,4 @@ -{{- if .Values.container.enabled }} +{{- if or .Values.container.enabled (and .Values.node.enabled .Values.node.cdpRolesEnabled) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
@@ -8,7 +8,11 @@ metadata: app.kubernetes.io/name: {{ include "falcon-sensor.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ if .Values.container.enabled }} app.kubernetes.io/component: "container_sensor" + {{ else if (and .Values.node.enabled .Values.node.cdpRolesEnabled)}} + app.kubernetes.io/component: "kernel_sensor" + {{ end }} crowdstrike.com/provider: crowdstrike helm.sh/chart: {{ include "falcon-sensor.chart" . }} subjects:
diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
index 975737c2..c3c4e3c9 100644
--- a/helm-charts/falcon-sensor/values.yaml
+++ b/helm-charts/falcon-sensor/values.yaml
@@ -104,6 +104,9 @@ node: postDelete: enabled: true + # When enabled, Cloud data protection module is enabled + cdpRolesEnabled: true + container: # When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks enabled: false
From 0d237e35dd9ea38a9f5e0dd3cc9aec39e4caefb0 Mon Sep 17 00:00:00 2001
From: JonBruchim
Date: Wed, 8 Jan 2025 17:05:34 +0200
Subject: [PATCH 2/2] cdp: added resources and verbs for the cluster role
---
helm-charts/falcon-sensor/README.md | 1 -
helm-charts/falcon-sensor/templates/clusterrole.yaml | 8 ++++----
.../falcon-sensor/templates/clusterrolebinding.yaml | 4 ++--
helm-charts/falcon-sensor/values.yaml | 3 ---
4 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
index df394a0d..9346620b 100644
--- a/helm-charts/falcon-sensor/README.md
+++ b/helm-charts/falcon-sensor/README.md
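Review bot: The ClusterRoleBinding now renders when only `node.enabled` and `node.cdpRolesEnabled` are set (clusterrolebinding.yaml @@ -1,4 +1,4), but its `subjects:` stanza, which starts right after the shown context and is outside the hunk, is not touched, so whether the node sensor's DaemonSet service account actually receives the new rules depends entirely on what that stanza names; if it lists only the container sensor's account, the CDP rules are rendered but never granted. A comment on the condition such as `# rendered for either sensor; the subjects below must include the node-sensor service account when node.enabled is set` would make the intent checkable, and a `helm template` run with only `node.enabled` set should be compared against the ServiceAccount the DaemonSet uses.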
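Review bot: The comment added above `cdpRolesEnabled` in the values.yaml @@ -104,6 +104,9 hunk says the value enables the Cloud Data Protection module, but in this patch it only controls whether the extra ClusterRole rules and the ClusterRoleBinding are rendered for the node sensor, so a reader of values.yaml will expect it to toggle the feature itself. Suggest `# When true (and node.enabled is true), the chart renders the additional cluster-wide read RBAC rules (get/list/watch) that the Cloud Data Protection module needs; it does not enable the module itself`. Because the default is `true`, every existing node-sensor install picks up the wider permissions on upgrade, which is worth stating in this comment or in the README row added in the same patch.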
@@ -127,7 +127,6 @@ The following tables lists the more common configurable parameters of the chart | `node.image.pullSecrets` | Pull secrets for private registry | None (Conflicts with node.image.registryConfigJSON) | | `node.image.registryConfigJSON` | base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) | | `node.daemonset.resources` | Configure Node sensor resource requests and limits (eBPF mode only) | None (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory.

:warning: **Warning**:
If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!
| -| `node.cdpRolesEnabled` | Enable cluster roles for Cloud Data Protection module | `true` | | `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required) | `falcon.cid` and `node.image.repository` are required values.
diff --git a/helm-charts/falcon-sensor/templates/clusterrole.yaml b/helm-charts/falcon-sensor/templates/clusterrole.yaml
index fa59be3a..cac28803 100644
--- a/helm-charts/falcon-sensor/templates/clusterrole.yaml
+++ b/helm-charts/falcon-sensor/templates/clusterrole.yaml
@@ -1,4 +1,4 @@ -{{- if or .Values.container.enabled (and .Values.node.enabled .Values.node.cdpRolesEnabled)}} +{{- if or .Values.container.enabled .Values.node.enabled}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:
@@ -10,7 +10,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} {{ if .Values.container.enabled }} app.kubernetes.io/component: "container_sensor" - {{ else if (and .Values.node.enabled .Values.node.cdpRolesEnabled)}} + {{ else if .Values.node.enabled }} app.kubernetes.io/component: "kernel_sensor" {{ end }} crowdstrike.com/provider: crowdstrike
@@ -20,7 +20,7 @@ rules: - "" resources: - secrets - {{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }} + {{- if .Values.node.enabled }} - pods - services - nodes
@@ -34,7 +34,7 @@ rules: {{- end }} verbs: - get - {{- if and .Values.node.enabled .Values.node.cdpRolesEnabled }} + {{- if .Values.node.enabled }} - watch - list {{- end }}
diff --git a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
index e9c6dcc3..7ad79ec5 100644
--- a/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
+++ b/helm-charts/falcon-sensor/templates/clusterrolebinding.yaml
@@ -1,4 +1,4 @@ -{{- if or .Values.container.enabled (and .Values.node.enabled .Values.node.cdpRolesEnabled) }} +{{- if or .Values.container.enabled .Values.node.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:
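Review bot: With the `cdpRolesEnabled` guard dropped in the clusterrole.yaml @@ -20,7 +20,7 and @@ -34,7 +34,7 hunks, `list` and `watch` are added whenever `node.enabled` is true, and because they sit in the same rule as `secrets` every node-sensor install now gets cluster-wide Secret enumeration with no values key or README row left to opt out; the `apps`/`batch`/`networking.k8s.io` kinds in that rule still sit under an `apiGroups` of only `""` and grant nothing. Moving the CDP resources into their own rules (one per API group, `list`/`watch` only there) and keeping `secrets` at `get` keeps the permission change reviewable; if the wider rules really are mandatory for the node sensor, the scope deserves a comment on the `if`, e.g. `# node sensor (CDP) needs cluster-wide list/watch on workloads, nodes and PVs; secrets stay get-only`. Minor: the @@ -1,4 +1,4 hunk writes `.Values.node.enabled}}` without the space before `}}` that the clusterrolebinding.yaml hunk uses.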
@@ -10,7 +10,7 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} {{ if .Values.container.enabled }} app.kubernetes.io/component: "container_sensor" - {{ else if (and .Values.node.enabled .Values.node.cdpRolesEnabled)}} + {{ else if .Values.node.enabled }} app.kubernetes.io/component: "kernel_sensor" {{ end }} crowdstrike.com/provider: crowdstrike
diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
index c3c4e3c9..975737c2 100644
--- a/helm-charts/falcon-sensor/values.yaml
+++ b/helm-charts/falcon-sensor/values.yaml
@@ -104,9 +104,6 @@ node: postDelete: enabled: true - # When enabled, Cloud data protection module is enabled - cdpRolesEnabled: true - container: # When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks enabled: false