{{- if .Values.node.enabled }} apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ include "falcon-sensor.fullname" . }} labels: app: "{{ include "falcon-sensor.name" . }}" app.kubernetes.io/name: {{ include "falcon-sensor.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/component: "kernel_sensor" crowdstrike.com/provider: crowdstrike helm.sh/chart: {{ include "falcon-sensor.chart" . }} {{- if .Values.node.daemonset.labels }} {{- range $key, $value := .Values.node.daemonset.labels }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} {{- if .Values.node.daemonset.annotations }} annotations: {{- range $key, $value := .Values.node.daemonset.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} namespace: {{ .Release.Namespace }} spec: selector: matchLabels: app.kubernetes.io/name: {{ include "falcon-sensor.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: "kernel_sensor" crowdstrike.com/provider: crowdstrike updateStrategy: type: {{ .Values.node.daemonset.updateStrategy }} {{- if and (eq .Values.node.daemonset.updateStrategy "RollingUpdate") (ne (int .Values.node.daemonset.maxUnavailable) 1) }} rollingUpdate: maxUnavailable: {{ .Values.node.daemonset.maxUnavailable }} {{- end }} template: metadata: annotations: {{ .Values.node.daemonset.podAnnotationKey }}: disabled {{- range $key, $value := .Values.node.podAnnotations }} {{ $key }}: {{ $value | quote }} {{- end }} labels: app: "{{ include "falcon-sensor.name" . }}" app.kubernetes.io/name: {{ include "falcon-sensor.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/component: "kernel_sensor" crowdstrike.com/provider: crowdstrike helm.sh/chart: {{ include "falcon-sensor.chart" . }} {{- if .Values.node.daemonset.labels }} {{- range $key, $value := .Values.node.daemonset.labels }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} spec: {{- if and (.Values.node.image.pullSecrets) (.Values.node.image.registryConfigJSON) }} {{- fail "node.image.pullSecrets and node.image.registryConfigJSON cannot be used together." }} {{- else }} {{- if or (.Values.node.image.pullSecrets) (.Values.node.image.registryConfigJSON) }} imagePullSecrets: {{- if .Values.node.image.pullSecrets }} - name: {{ .Values.node.image.pullSecrets }} {{- end }} {{- if .Values.node.image.registryConfigJSON }} - name: {{ include "falcon-sensor.fullname" . }}-pull-secret {{- end }} {{- end }} {{- end }} {{- if .Values.node.daemonset.tolerations }} tolerations: {{- with .Values.node.daemonset.tolerations }} {{- toYaml . | nindent 6 }} {{- end }} {{- end }} nodeSelector: kubernetes.io/os: linux {{- if .Values.node.daemonset.nodeAffinity }} affinity: nodeAffinity: {{- with .Values.node.daemonset.nodeAffinity }} {{- toYaml . | nindent 10 }} {{- end }} {{- end }} initContainers: # This init container creates empty falconstore file so that when # it's mounted into the sensor-node-container, k8s would just use it # rather than creating a directory. Mounting falconstore file as # a file volume ensures that AID is preserved across container # restarts. Sensor versions 6.54+ have a helper binary to initialize falconstore. - name: init-falconstore image: "{{ include "falcon-sensor.image" . }}" imagePullPolicy: "{{ .Values.node.image.pullPolicy }}" command: - /bin/bash {{- if .Values.node.gke.autopilot }} args: - '-c' - >- echo "Running /opt/CrowdStrike/falcon-daemonset-init -i"; /opt/CrowdStrike/falcon-daemonset-init -i {{- else }} args: ['-c', 'if [ -x "/opt/CrowdStrike/falcon-daemonset-init" ]; then echo "Running falcon-daemonset-init -i" ; /opt/CrowdStrike/falcon-daemonset-init -i ; else if [ -d "/host_opt/CrowdStrike/falconstore" ] ; then echo "Re-creating /opt/CrowdStrike/falconstore as it is a directory instead of a file"; rm -rf /host_opt/CrowdStrike/falconstore; fi; mkdir -p /host_opt/CrowdStrike && touch /host_opt/CrowdStrike/falconstore; fi'] volumeMounts: - name: falconstore-dir mountPath: /host_opt {{- end }} resources: requests: cpu: 10m ephemeral-storage: 10Mi memory: 50Mi limits: cpu: 10m ephemeral-storage: 10Mi memory: 50Mi securityContext: runAsUser: 0 privileged: true allowPrivilegeEscalation: true {{- if .Values.node.gke.autopilot }} readOnlyRootFilesystem: true capabilities: add: - SYS_ADMIN - SYS_PTRACE - SYS_CHROOT - DAC_READ_SEARCH {{- else }} readOnlyRootFilesystem: false {{- end }} containers: - name: falcon-node-sensor image: "{{ include "falcon-sensor.image" . }}" imagePullPolicy: "{{ .Values.node.image.pullPolicy }}" # Various pod security context settings. Bear in mind that many of these have an impact # on the Falcon Sensor working correctly. # # - User that the container will execute as. Typically necessary to run as root (0). # - Runs the Falcon Sensor containers as privileged containers. This is required when # running the Falcon Linux Sensor on Kubernetes nodes to properly run in the node's # kernel and to actually protect the node. securityContext: runAsUser: 0 privileged: true readOnlyRootFilesystem: false allowPrivilegeEscalation: true {{- if .Values.node.gke.autopilot }} capabilities: add: - SYS_ADMIN - SETGID - SETUID - SYS_PTRACE - SYS_CHROOT - DAC_OVERRIDE - SETPCAP - DAC_READ_SEARCH - BPF - PERFMON - SYS_RESOURCE - NET_RAW - CHOWN {{- end }} {{- if (eq .Values.node.backend "bpf") }} {{- include "falcon-sensor.daemonsetResources" . | nindent 8 }} {{- end }} envFrom: - configMapRef: name: {{ include "falcon-sensor.fullname" . }}-config volumeMounts: - name: falconstore mountPath: /opt/CrowdStrike/falconstore volumes: {{- if not .Values.node.gke.autopilot }} - name: falconstore-dir hostPath: path: /opt type: DirectoryOrCreate {{- end }} - name: falconstore hostPath: path: /opt/CrowdStrike/falconstore serviceAccountName: {{ .Values.serviceAccount.name }} terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriod }} {{- if or .Values.node.daemonset.priorityClassName .Values.node.gke.autopilot }} priorityClassName: {{ include "falcon-sensor.priorityClassName" . }} {{- end }} hostNetwork: true hostPID: true hostIPC: true {{- end }}