{{- if .Values.container.enabled }}
{{- /*
Serving certificate for the injector webhook.

$fullName is the DNS name the leaf certificate is issued for: <name>.<ns>.svc,
or <name>.<ns>.svc.<domainName> when container.domainName is set (the
MutatingWebhookConfiguration below then dials a URL instead of a Service, so
this name must be what the API server resolves).
*/}}
{{- $name := (printf "%s-injector" (include "falcon-sensor.name" .)) -}}
{{- $fullName := (printf "%s.%s.svc" $name .Release.Namespace) -}}
{{- if .Values.container.domainName }}
{{- $fullName = (printf "%s.%s.svc.%s" $name .Release.Namespace .Values.container.domainName) -}}
{{- end }}
{{- /* Validity in days; genCA and genSignedCert both take a day count. */}}
{{- $certValid := (.Values.container.certExpiration | int) -}}
{{- /* SANs: every form of the service name the API server might present. */}}
{{- $altNames := list ( printf "%s" $fullName ) ( printf "%s.%s.svc" $name .Release.Namespace ) ( printf "%s.%s.svc.cluster.local" $name .Release.Namespace ) ( printf "%s.%s" $name .Release.Namespace ) ( printf "%s" $name ) -}}
{{- /*
A new CA and leaf are generated on every render. Only the CA certificate is
ever persisted (see the Secret and the webhook caBundle); the CA private key is
discarded after signing, so a later render can never sign under the same CA.
*/}}
{{- $ca := genCA ( printf "%s ca" .Release.Namespace ) $certValid -}}
{{- $cert := genSignedCert $fullName nil $altNames $certValid $ca -}}
{{- /*
With autoCertificateUpdate disabled, reuse the material already in the cluster
so an upgrade does not rotate the certificate: the leaf comes from the existing
<name>-tls Secret, the CA from the caBundle of the existing webhook.
lookup yields an empty value when there is no live cluster (helm template,
--dry-run) or the object is absent, hence the kindIs guards; in that case the
freshly generated pair above is used.
*/}}
{{- if not .Values.container.autoCertificateUpdate }}
{{- $tlscrt := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "falcon-sensor.name" .))).data -}}
{{- if kindIs "map" $tlscrt }}
{{- $cert = dict "Cert" (index $tlscrt "tls.crt" | b64dec ) "Key" (index $tlscrt "tls.key" | b64dec ) -}}
{{- end }}
{{- $tlsca := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace $name).webhooks -}}
{{- if kindIs "slice" $tlsca }}
{{- /*
Each iteration overwrites $ca, so the last webhook's caBundle wins. Only one
webhook is declared in this template, so that is the only one. Only "Cert" is
set here; nothing downstream reads a CA key.
*/}}
{{- range $index, $wca := $tlsca -}}
{{- $ca = dict "Cert" ($wca.clientConfig.caBundle | b64dec) }}
{{- end }}
{{- end }}
{{- end }}
{{- /*
NOTE(review): if exactly one of the two lookups above succeeds, the reused leaf
and the CA published in caBundle will not match and the API server will
reject the webhook's certificate — confirm this case is acceptable or handled.
*/}}
{{- $tlsCert := $cert.Cert | b64enc }}
{{- $tlsKey := $cert.Key | b64enc }}
{{- $caCert := $ca.Cert | b64enc }}
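---
# Injector Deployment: the mutating admission webhook server that patches
# pods in opted-in namespaces. Serves HTTPS on container.injectorPort using
# the <name>-tls Secret generated above.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "falcon-sensor.name" . }}-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "falcon-sensor.name" . }}-injector
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . }}
    {{- if .Values.container.labels }}
    {{- range $key, $value := .Values.container.labels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
    {{- end }}
  {{- if .Values.container.annotations }}
  annotations:
    {{- range $key, $value := .Values.container.annotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
spec:
  replicas: {{ .Values.container.replicas }}
  # The selector is immutable once created; keep it a subset of the pod
  # template labels below. User-supplied container.labels are deliberately
  # not part of it so they can change between upgrades.
  selector:
    matchLabels:
      app: {{ include "falcon-sensor.name" . }}-injector
      app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: "container_sensor"
      crowdstrike.com/provider: crowdstrike
  template:
    metadata:
      labels:
        app: {{ include "falcon-sensor.name" . }}-injector
        app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        app.kubernetes.io/component: "container_sensor"
        crowdstrike.com/provider: crowdstrike
        crowdstrike.com/component: crowdstrike-falcon-injector
        {{- if .Values.container.labels }}
        {{- range $key, $value := .Values.container.labels }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
        {{- end }}
      {{- if or (.Values.container.autoDeploymentUpdate) (.Values.container.podAnnotations) }}
      annotations:
        {{- if .Values.container.autoDeploymentUpdate }}
        {{- /* A fresh random value on every render changes the pod template and so forces a rollout on each upgrade. */}}
        rollme: {{ randAlphaNum 5 | quote }}
        {{- end }}
        {{- if .Values.container.podAnnotations }}
        {{- range $key, $value := .Values.container.podAnnotations }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
        {{- end }}
      {{- end }}
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/os
                    operator: In
                    values:
                      - linux
          # Soft preference to stay off control-plane nodes.
          # NOTE(review): newer clusters label those nodes
          # node-role.kubernetes.io/control-plane instead of .../master —
          # confirm the preference still matches the target clusters.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              preference:
                matchExpressions:
                  - key: node-role.kubernetes.io/master
                    operator: DoesNotExist
      {{- if .Values.container.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml .Values.container.topologySpreadConstraints | nindent 8 }}
      {{- end }}
      # Pod-wide default; the cloud-specific init containers below override it
      # because they need root to read host-provided files.
      securityContext:
        runAsNonRoot: true
      {{- if .Values.container.image.pullSecrets.enable }}
      imagePullSecrets:
        - name: {{ .Values.container.image.pullSecrets.name | default (printf "%s-pull-secret" (include "falcon-sensor.fullname" .)) }}
      {{- end }}
      {{- /*
      azure.enabled and gcp.enabled each emit their own initContainers key;
      enabling both yields a duplicate key in the rendered manifest. NOTE(review):
      assumes the two are mutually exclusive — confirm in values validation.
      */}}
      {{- if .Values.container.azure.enabled }}
      initContainers:
        # Copies the host's cloud-provider config (mounted read-only from a
        # hostPath, see volumes) into a shared emptyDir for the injector.
        # chmod a+r makes that copy readable by the non-root injector; it also
        # makes it readable by any other process in the pod's containers.
        - name: {{ include "falcon-sensor.name" . }}-init-container
          image: "{{ include "falcon-sensor.image" . }}"
          imagePullPolicy: "{{ .Values.container.image.pullPolicy }}"
          command: ['bash', '-c', "cp /run/azure.json /tmp/CrowdStrike/; chmod a+r /tmp/CrowdStrike/azure.json"]
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
            privileged: false
          volumeMounts:
            - name: {{ include "falcon-sensor.name" . }}-volume
              mountPath: /tmp/CrowdStrike
            - name: {{ include "falcon-sensor.name" . }}-azure-config
              mountPath: /run/azure.json
              readOnly: true
      {{- end }}
      {{- if .Values.container.gcp.enabled }}
      initContainers:
        # Blocks pod start until the GKE metadata server answers the
        # service-account token endpoint (retrying for up to 60s), so the
        # injector does not come up before workload identity is usable.
        - name: {{ include "falcon-sensor.name" . }}-init-container
          image: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
          imagePullPolicy: "Always"
          command:
            - '/bin/bash'
            - '-c'
            - |
              curl -sS -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' --retry 30 --retry-connrefused --retry-max-time 60 --connect-timeout 3 --fail --retry-all-errors > /dev/null && exit 0 || echo 'Retry limit exceeded. Failed to wait for metadata server to be available. Check if the gke-metadata-server Pod in the kube-system namespace is healthy.' >&2; exit 1
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
            privileged: false
      {{- end }}
      containers:
        # NOTE(review): this container inherits only the pod-level
        # runAsNonRoot; no capability drop or read-only root filesystem is
        # set here — confirm whether the injector binary tolerates them.
        - name: {{ include "falcon-sensor.name" . }}-injector
          image: "{{ include "falcon-sensor.image" . }}"
          imagePullPolicy: "{{ .Values.container.image.pullPolicy }}"
          command: ["injector"]
          envFrom:
            - configMapRef:
                name: {{ include "falcon-sensor.fullname" . }}-config
          ports:
            - name: https
              containerPort: {{ .Values.container.injectorPort }}
          volumeMounts:
            # Serving certificate and key from the <name>-tls Secret.
            - name: {{ include "falcon-sensor.name" . }}-tls-certs
              mountPath: /run/secrets/tls
              readOnly: true
            {{- if or (.Files.Glob "certs/*.crt") (.Values.container.registryCertSecret) }}
            # Extra CA certificates for a private registry, from chart files
            # or from a user-provided Secret (see volumes).
            - name: {{ include "falcon-sensor.name" . }}-registry-certs
              mountPath: /etc/docker/certs.d/{{ .Release.Namespace }}-certs
              readOnly: true
            {{- end }}
            {{- if .Values.container.azure.enabled }}
            - name: {{ include "falcon-sensor.name" . }}-volume
              mountPath: /tmp/CrowdStrike
              readOnly: true
            {{- end }}
          # Both probes hit the same HTTPS endpoint; the kubelet does not
          # verify the serving certificate for httpGet probes.
          readinessProbe:
            httpGet:
              path: /live
              port: {{ .Values.container.injectorPort }}
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /live
              port: {{ .Values.container.injectorPort }}
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          # Note: read from the top-level .Values.resources, not .Values.container.
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      {{- if .Values.container.tolerations }}
      tolerations:
        {{- with .Values.container.tolerations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
      volumes:
        - name: {{ include "falcon-sensor.name" . }}-tls-certs
          secret:
            secretName: {{ include "falcon-sensor.name" . }}-tls
        {{- if (.Files.Glob "certs/*.crt") }}
        - name: {{ include "falcon-sensor.name" . }}-registry-certs
          configMap:
            name: {{ include "falcon-sensor.name" . }}-registry-certs-config
        {{- else if .Values.container.registryCertSecret }}
        - name: {{ include "falcon-sensor.name" . }}-registry-certs
          secret:
            secretName: {{ .Values.container.registryCertSecret }}
        {{- end }}
        {{- if .Values.container.azure.enabled }}
        - name: {{ include "falcon-sensor.name" . }}-volume
          emptyDir: {}
        # hostPath with type File: the pod fails to start if the file is
        # missing on the node rather than mounting an empty directory.
        - name: {{ include "falcon-sensor.name" . }}-azure-config
          hostPath:
            path: {{ .Values.container.azure.azureConfig }}
            type: File
        {{- end }}
      serviceAccountName: {{ .Values.serviceAccount.name }}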
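---
# TLS material for the injector, mounted read-only at /run/secrets/tls.
# tls.key is the serving private key: read access to this Secret is enough to
# impersonate the webhook endpoint, so scope RBAC on Secrets in this namespace
# accordingly. ca.crt is the certificate that signed tls.crt and is the same
# value published as caBundle on the webhook; the CA private key is not stored.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "falcon-sensor.name" . }}-tls
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . }}
# Opaque rather than kubernetes.io/tls, although the key names follow the
# TLS-secret layout (plus ca.crt).
type: Opaque
data:
  tls.crt: {{ $tlsCert }}
  tls.key: {{ $tlsKey }}
  ca.crt: {{ $caCert }}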
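---
# Registers the injector as a mutating webhook for pod creation.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ include "falcon-sensor.name" . }}-injector
  labels:
    app: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "container_sensor"
    crowdstrike.com/provider: crowdstrike
    helm.sh/chart: {{ include "falcon-sensor.chart" . }}
webhooks:
  - name: {{ $name }}.{{ .Release.Namespace }}.svc
    admissionReviewVersions:
      - v1
      {{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 22 }}
      - v1beta1
      {{- end }}
    sideEffects: None
    # Namespace scoping. First term: opt-in/opt-out via the label named by
    # container.namespaceLabelKey (disableNSInjection flips it from
    # "inject unless labelled disabled" to "inject only when labelled enabled").
    # Second term: the release namespace, kube-system and kube-public are
    # always excluded, so the injector's own pods are never gated on the
    # injector being up (failurePolicy below is Fail).
    namespaceSelector:
      matchExpressions:
        - key: {{ .Values.container.namespaceLabelKey }}
          operator: {{ if .Values.container.disableNSInjection }}In{{ else }}NotIn{{- end }}
          values:
            - {{ if .Values.container.disableNSInjection }}enabled{{ else }}disabled{{- end }}
        {{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 22 }}
        - key: "name"
        {{- else }}
        - key: kubernetes.io/metadata.name
        {{- end }}
          operator: "NotIn"
          values:
            - {{ .Release.Namespace }}
            - kube-system
            - kube-public
    clientConfig:
      {{- if .Values.container.domainName }}
      {{- /* $fullName is the CN of the serving certificate, so caBundle verifies this host name. */}}
      url: https://{{ $fullName }}:443/mutate
      {{- else }}
      service:
        name: {{ include "falcon-sensor.name" . }}-injector
        namespace: {{ .Release.Namespace }}
        path: "/mutate"
      {{- end }}
      caBundle: {{ $caCert }}
    # Fail closed: while the injector is unreachable, pod creation in selected
    # namespaces is rejected rather than admitted unmodified.
    failurePolicy: Fail
    rules:
      - operations:
          - CREATE
        apiGroups:
          - ""
        apiVersions:
          - v1
        resources:
          - pods
    # 30s is the maximum the API server accepts for a webhook timeout.
    timeoutSeconds: 30
{{- end }}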