{{- if .Values.container.enabled }}
{{- $name := (printf "%s-injector" (include "falcon-sensor.name" .)) -}}
{{- $fullName := (printf "%s.%s.svc" $name .Release.Namespace) -}}
{{- if .Values.container.domainName }}
{{- $fullName = (printf "%s.%s.svc.%s" $name .Release.Namespace .Values.container.domainName) -}}
{{- end }}
{{- $certValid := (.Values.container.certExpiration | int) -}}
{{- $altNames := list ( printf "%s" $fullName ) ( printf "%s.%s.svc" $name .Release.Namespace ) ( printf "%s.%s.svc.cluster.local" $name .Release.Namespace ) ( printf "%s.%s" $name .Release.Namespace ) ( printf "%s" $name ) -}}
{{- $ca := genCA ( printf "%s ca" .Release.Namespace ) $certValid -}}
{{- $cert := genSignedCert $fullName nil $altNames $certValid $ca -}}
{{- if not .Values.container.autoCertificateUpdate }}
{{- $tlscrt := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "falcon-sensor.name" .))).data -}}
{{- if kindIs "map" $tlscrt }}
{{- $cert = dict "Cert" (index $tlscrt "tls.crt" | b64dec ) "Key" (index $tlscrt "tls.key" | b64dec ) -}}
{{- end }}
{{- $tlsca := (lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" .Release.Namespace $name).webhooks -}}
{{- if kindIs "slice" $tlsca }}
{{- range $index, $wca := $tlsca -}}
{{- $ca = dict "Cert" ($wca.clientConfig.caBundle | b64dec) }}
{{- end }}
{{- end }}
{{- end }}
{{- $tlsCert := $cert.Cert | b64enc }}
{{- $tlsKey := $cert.Key | b64enc }}
{{- $caCert := $ca.Cert | b64enc }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "falcon-sensor.name" . }}-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "falcon-sensor.name" . }}-injector
app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "container_sensor"
crowdstrike.com/provider: crowdstrike
helm.sh/chart: {{ include "falcon-sensor.chart" . }}
{{- if .Values.container.labels }}
{{- range $key, $value := .Values.container.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.container.annotations }}
annotations:
{{- range $key, $value := .Values.container.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
replicas: {{ .Values.container.replicas }}
selector:
matchLabels:
app: {{ include "falcon-sensor.name" . }}-injector
app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "container_sensor"
crowdstrike.com/provider: crowdstrike
template:
metadata:
labels:
app: {{ include "falcon-sensor.name" . }}-injector
app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: "container_sensor"
crowdstrike.com/provider: crowdstrike
crowdstrike.com/component: crowdstrike-falcon-injector
{{- if .Values.container.labels }}
{{- range $key, $value := .Values.container.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if or (.Values.container.autoDeploymentUpdate) (.Values.container.podAnnotations) }}
annotations:
{{- if .Values.container.autoDeploymentUpdate }}
rollme: {{ randAlphaNum 5 | quote }}
{{- end }}
{{- if .Values.container.podAnnotations }}
{{- range $key, $value := .Values.container.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: node-role.kubernetes.io/master
operator: DoesNotExist
{{- if .Values.container.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml .Values.container.topologySpreadConstraints | nindent 6 }}
{{- end }}
securityContext:
runAsNonRoot: true
{{- if .Values.container.image.pullSecrets.enable }}
imagePullSecrets:
- name: {{ .Values.container.image.pullSecrets.name | default (printf "%s-pull-secret" (include "falcon-sensor.fullname" .)) }}
{{- end }}
{{- if .Values.container.azure.enabled }}
initContainers:
- name: {{ include "falcon-sensor.name" . }}-init-container
image: "{{ include "falcon-sensor.image" . }}"
imagePullPolicy: "{{ .Values.container.image.pullPolicy }}"
command: ['bash', '-c', "cp /run/azure.json /tmp/CrowdStrike/; chmod a+r /tmp/CrowdStrike/azure.json"]
securityContext:
runAsUser: 0
runAsNonRoot: false
privileged: false
volumeMounts:
- name: {{ include "falcon-sensor.name" . }}-volume
mountPath: /tmp/CrowdStrike
- name: {{ include "falcon-sensor.name" . }}-azure-config
mountPath: /run/azure.json
readOnly: true
{{- end }}
{{- if .Values.container.gcp.enabled }}
initContainers:
- name: {{ include "falcon-sensor.name" . }}-init-container
image: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine"
imagePullPolicy: "Always"
command:
- '/bin/bash'
- '-c'
- |
curl -sS -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' --retry 30 --retry-connrefused --retry-max-time 60 --connect-timeout 3 --fail --retry-all-errors > /dev/null && exit 0 || echo 'Retry limit exceeded. Failed to wait for metadata server to be available. Check if the gke-metadata-server Pod in the kube-system namespace is healthy.' >&2; exit 1
securityContext:
runAsUser: 0
runAsNonRoot: false
privileged: false
{{- end }}
containers:
- name: {{ include "falcon-sensor.name" . }}-injector
image: "{{ include "falcon-sensor.image" . }}"
imagePullPolicy: "{{ .Values.container.image.pullPolicy }}"
command: ["injector"]
envFrom:
- configMapRef:
name: {{ include "falcon-sensor.fullname" . }}-config
ports:
- name: https
containerPort: {{ .Values.container.injectorPort }}
volumeMounts:
- name: {{ include "falcon-sensor.name" . }}-tls-certs
mountPath: /run/secrets/tls
readOnly: true
{{- if or (.Files.Glob "certs/*.crt") (.Values.container.registryCertSecret) }}
- name: {{ include "falcon-sensor.name" . }}-registry-certs
mountPath: /etc/docker/certs.d/{{ .Release.Namespace }}-certs
readOnly: true
{{- end }}
{{- if .Values.container.azure.enabled }}
- name: {{ include "falcon-sensor.name" . }}-volume
mountPath: /tmp/CrowdStrike
readOnly: true
{{- end }}
readinessProbe:
httpGet:
path: /live
port: {{ .Values.container.injectorPort }}
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /live
port: {{ .Values.container.injectorPort }}
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.container.tolerations }}
tolerations:
{{- with .Values.container.tolerations }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
volumes:
- name: {{ include "falcon-sensor.name" . }}-tls-certs
secret:
secretName: {{ include "falcon-sensor.name" . }}-tls
{{- if (.Files.Glob "certs/*.crt") }}
- name: {{ include "falcon-sensor.name" . }}-registry-certs
configMap:
name: {{ include "falcon-sensor.name" . }}-registry-certs-config
{{- else if .Values.container.registryCertSecret }}
- name: {{ include "falcon-sensor.name" . }}-registry-certs
secret:
secretName: {{ .Values.container.registryCertSecret }}
{{- end }}
{{- if .Values.container.azure.enabled }}
- emptyDir: {}
name: {{ include "falcon-sensor.name" . }}-volume
- name: {{ include "falcon-sensor.name" . }}-azure-config
hostPath:
path: {{ .Values.container.azure.azureConfig }}
type: File
{{- end }}
serviceAccountName: {{ .Values.serviceAccount.name }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "falcon-sensor.name" . }}-tls
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "container_sensor"
crowdstrike.com/provider: crowdstrike
helm.sh/chart: {{ include "falcon-sensor.chart" . }}
type: Opaque
data:
tls.crt: {{ $tlsCert }}
tls.key: {{ $tlsKey }}
ca.crt: {{ $caCert }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "falcon-sensor.name" . }}-injector
labels:
app: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/name: {{ include "falcon-sensor.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "container_sensor"
crowdstrike.com/provider: crowdstrike
helm.sh/chart: {{ include "falcon-sensor.chart" . }}
webhooks:
- name: {{ $name }}.{{ .Release.Namespace }}.svc
admissionReviewVersions:
- v1
{{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 22 }}
- v1beta1
{{- end }}
sideEffects: None
namespaceSelector:
matchExpressions:
- key: {{ .Values.container.namespaceLabelKey }}
operator: {{ if .Values.container.disableNSInjection }}In{{ else }}NotIn{{- end }}
values:
- {{ if .Values.container.disableNSInjection }}enabled{{ else }}disabled{{- end }}
{{- if lt (int (semver .Capabilities.KubeVersion.Version).Minor) 22 }}
- key: "name"
{{- else }}
- key: kubernetes.io/metadata.name
{{- end }}
operator: "NotIn"
values:
- {{ .Release.Namespace }}
- kube-system
- kube-public
clientConfig:
{{- if .Values.container.domainName }}
url: https://{{ $fullName }}:443/mutate
{{- else }}
service:
name: {{ include "falcon-sensor.name" . }}-injector
namespace: {{ .Release.Namespace }}
path: "/mutate"
{{- end }}
caBundle: {{ $caCert }}
failurePolicy: Fail
rules:
- operations:
- CREATE
apiGroups:
- ""
apiVersions:
- v1
resources:
- pods
timeoutSeconds: 30
{{- end }}