255 lines
8.0 KiB
YAML
255 lines
8.0 KiB
YAML
# Default values for falcon-sensor.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
node:
|
|
# When enabled, Helm chart deploys the Falcon Sensors to Kubernetes nodes
|
|
enabled: true
|
|
|
|
# Overrides the backend leveraged by the Falcon Sensor (kernel, bpf)
|
|
backend: kernel
|
|
|
|
# Enable for use on Google's GKE Autopilot clusters
|
|
gke:
|
|
autopilot: false
|
|
|
|
daemonset:
|
|
# Annotations to apply to the daemonset
|
|
annotations: {}
|
|
|
|
# The key that is used to handle enabling/disabling sensor injection at the pod/node level
|
|
podAnnotationKey: sensor.falcon-system.crowdstrike.com/injection
|
|
|
|
# additionals labels
|
|
labels: {}
|
|
|
|
# Enable the priorityClass creation on chart installation
|
|
priorityClassCreate: false
|
|
# Assign a PriorityClassName to pods if set
|
|
priorityClassName: ""
|
|
priorityClassValue: 1000000000
|
|
|
|
tolerations:
|
|
# We want to schedule on control plane nodes where they are accessible
|
|
- key: "node-role.kubernetes.io/master"
|
|
operator: "Exists"
|
|
effect: "NoSchedule"
|
|
# Future taint for K8s >=1.24
|
|
- key: "node-role.kubernetes.io/control-plane"
|
|
operator: "Exists"
|
|
effect: "NoSchedule"
|
|
- key: "kubernetes.azure.com/scalesetpriority"
|
|
operator: "Equal"
|
|
value: "spot"
|
|
effect: "NoSchedule"
|
|
# Daemonsets automatically get additional tolerations: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
|
|
|
|
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
# Allow setting additional node selections e.g. processor type
|
|
# nodeAffinity:
|
|
# requiredDuringSchedulingIgnoredDuringExecution:
|
|
# nodeSelectorTerms:
|
|
# - matchExpressions:
|
|
# - key: kubernetes.io/arch
|
|
# operator: In
|
|
# values:
|
|
# - amd64
|
|
nodeAffinity: {}
|
|
|
|
# Resource settings that can be set with backend is set to bpf only. Cannot be used when backend is set to kernel.
|
|
# This will be ignored if backend is set to kernel. Purposefully. The defaults are set to the minimum requirements.
|
|
# Depending on the size of your cluster and the node types, you may need to increase these values.
|
|
# resources:
|
|
# limits:
|
|
# cpu: 250m
|
|
# ephemeral-storage: 100Mi
|
|
# memory: 500Mi
|
|
# requests:
|
|
# cpu: 250m
|
|
# ephemeral-storage: 100Mi
|
|
# memory: 500Mi
|
|
|
|
# Update strategy to role out new daemonset configuration to the nodes.
|
|
updateStrategy: RollingUpdate
|
|
|
|
# Sets the max unavailable nodes. Default is 1 when no value exists.
|
|
maxUnavailable: 1
|
|
|
|
image:
|
|
repository: falcon-node-sensor
|
|
pullPolicy: Always
|
|
pullSecrets:
|
|
# Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
|
|
# who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
|
|
tag: "latest"
|
|
# Setting a digest will override any tag and should be used instead of tags.
|
|
#
|
|
# Example digest variable configuration:
|
|
# digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
|
|
digest:
|
|
|
|
# Value must be base64. This setting conflicts with node.image.pullSecrets
|
|
# The base64 encoded string of the docker config json for the pull secret can be
|
|
# gotten through:
|
|
# $ cat ~/.docker/config.json | base64 -
|
|
registryConfigJSON:
|
|
|
|
podAnnotations: {}
|
|
|
|
# How long to wait for Falcon pods to stop gracefully
|
|
terminationGracePeriod: 30
|
|
|
|
container:
|
|
# When enabled, Helm chart deploys the Falcon Container Sensor to Pods through Webhooks
|
|
enabled: false
|
|
|
|
# Configure the number of replicas for the mutating webhook backend
|
|
replicas: 2
|
|
|
|
# Configure PodTopologySpread constraints to allow pods run on different nodes
|
|
topologySpreadConstraints:
|
|
- maxSkew: 1
|
|
topologyKey: kubernetes.io/hostname
|
|
whenUnsatisfiable: ScheduleAnyway
|
|
labelSelector:
|
|
matchLabels:
|
|
crowdstrike.com/component: crowdstrike-falcon-injector
|
|
|
|
# Auto update the certificates every time there is an update
|
|
autoCertificateUpdate: true
|
|
|
|
# Update Webhook and roll out new Deployment on upgrade
|
|
autoDeploymentUpdate: true
|
|
|
|
# For AKS without the pulltoken option
|
|
azure:
|
|
enabled: false
|
|
|
|
# Path to the Kubernetes Azure config file on worker nodes
|
|
azureConfig: /etc/kubernetes/azure.json
|
|
|
|
# GCP GKE workload identity init container
|
|
gcp:
|
|
enabled: false
|
|
|
|
# Enable Network Policies within the Injector namespace to allow ingress
|
|
networkPolicy:
|
|
enabled: false
|
|
|
|
# Enable using hostNetwork for the injector pod
|
|
hostNetwork: false
|
|
|
|
# Disable injection for all Namespaces
|
|
disableNSInjection: false
|
|
|
|
# Disable injection for all Pods
|
|
disablePodInjection: false
|
|
|
|
# Certificate validity duration in number of days
|
|
certExpiration: 3650
|
|
|
|
# Configure the Injector Port
|
|
injectorPort: 4433
|
|
|
|
# Configure the requests and limits of the sensor
|
|
sensorResources:
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 10m
|
|
# memory: 20Mi
|
|
|
|
# For custom DNS configurations when .svc requires a domain for services
|
|
# For example if service.my-namespace.svc doesn't resolve and the cluster uses
|
|
# service.my-namespace.svc.testing.io, you would add testing.io as the value below.
|
|
# Otherwise, keep this blank.
|
|
domainName:
|
|
|
|
# Provide a Secret containing CA certificate files.
|
|
# All CA certificates need to be a valid secret key, and have the extension ".crt"
|
|
# Example: kubectl create secret generic external-registry-cas --from-file=/tmp/thawte-Primary-Root-CA.crt --from-file=/tmp/DigiCert-Global-Root-CA.crt
|
|
#
|
|
# registryCertSecret: external-registry-cas
|
|
registryCertSecret:
|
|
|
|
# The key that is used to handle enabling/disabling sensor injection at the namespace level
|
|
namespaceLabelKey: sensor.falcon-system.crowdstrike.com/injection
|
|
|
|
image:
|
|
repository: falcon-sensor
|
|
pullPolicy: Always
|
|
# Set to true if connecting to a registry that requires authentication
|
|
pullSecrets:
|
|
enable: false
|
|
name:
|
|
# Configure the list of namespaces that should have access to pull the Falcon
|
|
# sensor from a registry that requires authentication. This is a comma separated
|
|
# list. For example:
|
|
#
|
|
# namespaces: ns1,ns2,ns3
|
|
namespaces:
|
|
|
|
# Attempt to create the Falcon sensor pull secret in all Namespaces
|
|
# instead of using "container.image.pullSecrets.namespaces"
|
|
allNamespaces: false
|
|
|
|
# Value must be base64
|
|
# The base64 encoded string of the docker config json for the pull secret can be
|
|
# gotten through:
|
|
# $ cat ~/.docker/config.json | base64 -
|
|
registryConfigJSON:
|
|
|
|
# Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
|
|
# who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
|
|
tag: "latest"
|
|
# Setting a digest will override any tag and should be used instead of tags.
|
|
#
|
|
# Example digest variable configuration:
|
|
# digest: sha256:ffdc91f66ef8570bd7612cf19145563a787f552656f5eec43cd80ef9caca0398
|
|
digest:
|
|
|
|
# Annotations to apply to the injector deployment
|
|
annotations: {}
|
|
|
|
# additionals labels to apply to the injector deployment
|
|
labels: {}
|
|
|
|
# Annotations to apply to the injector deployment
|
|
podAnnotations: {}
|
|
|
|
tolerations: []
|
|
|
|
resources:
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
requests:
|
|
cpu: 10m
|
|
memory: 20Mi
|
|
|
|
serviceAccount:
|
|
name: crowdstrike-falcon-sa
|
|
annotations: {}
|
|
|
|
# Deploys the test suite during install for testing purposes.
|
|
testing:
|
|
enabled: false
|
|
|
|
falcon:
|
|
cid:
|
|
apd:
|
|
aph:
|
|
app:
|
|
trace: none
|
|
feature:
|
|
message_log:
|
|
billing:
|
|
tags:
|
|
provisioning_token:
|
|
|
|
# Override various naming aspects of this chart
|
|
# Only edit these if you know what you're doing
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|