CrowdStrike Falcon Helm Chart

Falcon is the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.

Kubernetes Cluster Compatibility

The Falcon Helm chart has been tested to deploy on the following Kubernetes distributions:

  • Amazon Elastic Kubernetes Service (EKS)
  • Azure Kubernetes Service (AKS)
  • Google Kubernetes Engine (GKE) - DaemonSet support for Ubuntu nodes only, Container sensor for GCOS nodes.
  • Rancher K3s
  • Red Hat OpenShift Container Platform 4.6+

Dependencies

  1. Requires an x86_64 Kubernetes cluster
  2. Must be a CrowdStrike customer with access to the Falcon Linux Sensor (container image) and Falcon Container from the CrowdStrike Container Registry.
  3. Kubernetes nodes must be Linux distributions supported by CrowdStrike.
  4. Before deploying the Helm chart, you should have the Falcon Linux Sensor and/or Falcon Container sensor image available, either in your own container registry or directly from CrowdStrike's registry. See the Deployment Considerations for more.
  5. Helm 3.x is installed and supported by the Kubernetes vendor.

Helm Chart Support for Falcon Sensor Versions

| Helm chart Version | Falcon Sensor Version |
|---|---|
| <= 1.6.x | <= 6.34.x |
| >= 1.7.x && <= 1.17.x | >= 6.35.x && < 6.49.x |
| >= 1.18.x | >= 6.49.x |

Installation

Add the CrowdStrike Falcon Helm repository

helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm

Update the local Helm repository Cache

helm repo update

Falcon Configuration Options

The following table lists the Falcon Sensor configurable parameters and their default values.

| Parameter | Description | Default |
|---|---|---|
| falcon.cid | CrowdStrike Customer ID (CID) | None (Required) |
| falcon.apd | App Proxy Disable (APD) | None |
| falcon.aph | App Proxy Hostname (APH) | None |
| falcon.app | App Proxy Port (APP) | None |
| falcon.trace | Set trace level (none, err, warn, info, debug) | none |
| falcon.feature | Sensor Feature options | None |
| falcon.backend | Choose sensor backend (kernel, bpf). Sensor 6.49+ only | None |
| falcon.message_log | Enable message log (true/false) | None |
| falcon.billing | Utilize default or metered billing | None |
| falcon.tags | Comma-separated list of tags for sensor grouping | None |
| falcon.provisioning_token | Provisioning token value | None |

Installing on Kubernetes Cluster Nodes

Deployment Considerations

To ensure a successful deployment, keep the following in mind:

  1. By default, the Helm Chart installs in the default namespace. Best practice for deploying to Kubernetes is to create a new namespace. This can be done by adding -n falcon-system --create-namespace to your helm install command. The namespace can be any name that you wish to use.
  2. The Falcon Linux Sensor (not the Falcon Container) should be used as the container image to deploy to Kubernetes nodes.
  3. You must be a cluster administrator to deploy Helm Charts to the cluster.
  4. When deploying the Falcon Linux Sensor (container image) to Kubernetes nodes, it is a requirement that the Falcon Sensor run as a privileged container so that the Sensor can properly work with the kernel. This is a requirement for any kernel module that gets deployed to any container-optimized operating system regardless of whether it is a security sensor, graphics card driver, etc.
  5. The Falcon Linux Sensor should be deployed to Kubernetes environments that allow node access or installation via a Kubernetes DaemonSet.
  6. The Falcon Linux Sensor will create /opt/CrowdStrike on the Kubernetes nodes. DO NOT DELETE this folder.
  7. CrowdStrike's Helm Chart is a project, not a product, and is released to the community as a way to automate sensor deployment to Kubernetes clusters. The upstream repository for this project is https://github.com/CrowdStrike/falcon-helm.

Pod Security Standards

Starting with Kubernetes 1.25, Pod Security Standards will be enforced. The appropriate Pod Security Standards policy is set by adding a label to the namespace. Run the following command, replacing my-existing-namespace with the namespace in which you have installed the Falcon sensors, e.g. falcon-system.

kubectl label --overwrite ns my-existing-namespace \
  pod-security.kubernetes.io/enforce=privileged

If your cluster is OpenShift version 4.11+, you will need to add an additional label to disable the OpenShift functionality that syncs Pod Security Standard policies from the default Security Context Constraints (SCC). Run the following command, replacing my-existing-namespace with the namespace in which you have installed the Falcon sensors, e.g. falcon-system.

kubectl label --overwrite ns my-existing-namespace \
  security.openshift.io/scc.podSecurityLabelSync=false

If you want to silence the warning and change the auditing level for the Pod Security Standard, add the following labels:

kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/audit=privileged
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged
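As an added check that is not part of the falcon-helm chart, the following POSIX shell function takes the label map that kubectl prints for a namespace and confirms that the labels above are in place, and that the privileged exemption has not been applied to the default namespace (see Deployment Considerations). The sample label maps at the bottom are constructed.

```shell
#!/bin/sh
# Added verification helper, not part of the falcon-helm chart. It inspects the
# label map printed by:  kubectl get ns <name> -o jsonpath='{.metadata.labels}'
# and confirms the Pod Security labels from this section are present, and that
# the privileged exemption is not being granted to the "default" namespace.
# $1 = JSON label map, $2 = "openshift" to also require the SCC sync label.
# Returns 0 when everything is in place, 1 otherwise; problems go to stderr.
check_pss_labels() {
    labels=$1
    mode=$2
    set -- '"pod-security.kubernetes.io/enforce":"privileged"'
    if [ "$mode" = "openshift" ]; then
        set -- "$@" '"security.openshift.io/scc.podSecurityLabelSync":"false"'
    fi
    rc=0
    for kv in "$@"; do
        if ! printf '%s' "$labels" | grep -qF -- "$kv"; then
            echo "missing label: $kv" >&2
            rc=1
        fi
    done
    # enforce=privileged belongs on the sensor namespace (e.g. falcon-system);
    # on "default" it would let any workload there run privileged pods.
    if printf '%s' "$labels" | grep -qF -- '"kubernetes.io/metadata.name":"default"'; then
        echo "privileged Pod Security level is applied to the default namespace" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample label maps, shaped like the kubectl jsonpath output above.
SAMPLE_GOOD='{"kubernetes.io/metadata.name":"falcon-system","pod-security.kubernetes.io/audit":"privileged","pod-security.kubernetes.io/enforce":"privileged","pod-security.kubernetes.io/warn":"privileged"}'
SAMPLE_UNLABELLED='{"kubernetes.io/metadata.name":"falcon-system"}'
SAMPLE_DEFAULT_NS='{"kubernetes.io/metadata.name":"default","pod-security.kubernetes.io/enforce":"privileged"}'

check_pss_labels "$SAMPLE_GOOD" && echo "falcon-system: Pod Security labels ok"
```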

Install CrowdStrike Falcon Helm Chart on Kubernetes Nodes

helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
    --set falcon.cid="<CrowdStrike_CID>" \
    --set node.image.repository="<Your_Registry>/falcon-node-sensor"

The above command installs the CrowdStrike Falcon Helm Chart with the release name falcon-helm in the namespace your kubectl context is currently set to. You can also install into a custom namespace by running the following:

helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
    -n falcon-system --create-namespace \
    --set falcon.cid="<CrowdStrike_CID>" \
    --set node.image.repository="<Your_Registry>/falcon-node-sensor"

For more details please see the falcon-helm repository.

Node Configuration

The following table lists the more common configurable parameters of the chart and their default values for installing on a Kubernetes node.

| Parameter | Description | Default |
|---|---|---|
| node.enabled | Enable installation on the Kubernetes node | true |
| node.image.repository | Falcon Sensor Node registry/image name | falcon-node-sensor |
| node.image.tag | The version of the official image to use | latest (Use node.image.digest instead for security and production) |
| node.image.digest | The sha256 digest of the official image to use | None (Use instead of the image tag for security and production) |
| node.image.pullPolicy | Policy for updating images | Always |
| node.image.pullSecrets | Pull secrets for private registry | None (Conflicts with node.image.registryConfigJSON) |
| node.image.registryConfigJSON | base64-encoded docker config JSON for the pull secret | None (Conflicts with node.image.pullSecrets) |
| falcon.cid | CrowdStrike Customer ID (CID) | None (Required) |

falcon.cid and node.image.repository are required values.

For a complete listing of configurable parameters, run the following command:

helm show values crowdstrike/falcon-sensor

Installing in Kubernetes Cluster as a Sidecar

Deployment Considerations

To ensure a successful deployment, keep the following in mind:

  1. You must be a cluster administrator to deploy Helm Charts to the cluster.
  2. When deploying the Falcon Container as a sidecar sensor, make sure that there are no firewall rules blocking communication to the Mutating Webhook. If communication is blocked, the deployment will most likely fail with a context deadline exceeded error. The default port for the Webhook is 4433.
  3. The Falcon Container as a sidecar sensor should be deployed to Kubernetes managed environments, or environments that do not allow node access or installation via a Kubernetes DaemonSet.
  4. CrowdStrike's Helm Chart is a project, not a product, and is released to the community as a way to automate sensor deployment to Kubernetes clusters. The upstream repository for this project is https://github.com/CrowdStrike/falcon-helm.
  5. Be aware that there is advanced Helm Chart functionality in use and those specific features may not work fully with GitOps tools like ArgoCD. The reason for this is that ArgoCD does not fully support Helm when compared to FluxCD. For features that do not work in this instance, disable those features until ArgoCD supports Helm correctly.

Install CrowdStrike Falcon Helm Chart in Kubernetes Cluster as a Sidecar

helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
    --set node.enabled=false \
    --set container.enabled=true \
    --set falcon.cid="<CrowdStrike_CID>" \
    --set container.image.repository="<Your_Registry>/falcon-sensor"

The above command installs the CrowdStrike Falcon Helm Chart with the release name falcon-helm in the namespace your kubectl context is currently set to. You can also install into a custom namespace by running the following:

helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
    -n falcon-system --create-namespace \
    --set node.enabled=false \
    --set container.enabled=true \
    --set falcon.cid="<CrowdStrike_CID>" \
    --set container.image.repository="<Your_Registry>/falcon-sensor"

Note about installation namespace

For Kubernetes clusters <1.22 (or 1.21 where the NamespaceDefaultLabelName feature gate is NOT enabled), be sure to label your namespace for injector exclusion before installing the Container sensor:

kubectl create namespace falcon-system
kubectl label namespace falcon-system kubernetes.io/metadata.name=falcon-system

Container Sensor Configuration

The following table lists the more common configurable parameters of the chart and their default values for installing the Container sensor as a Sidecar.

| Parameter | Description | Default |
|---|---|---|
| container.enabled | Enable installation on the Kubernetes node | false |
| container.azure.enabled | For AKS without the pulltoken option | false |
| container.azure.azureConfig | Path to the Kubernetes Azure config file on worker nodes | /etc/kubernetes/azure.json |
| container.disableNSInjection | Disable injection for all Namespaces | false |
| container.disablePodInjection | Disable injection for all Pods | false |
| container.certExpiration | Certificate validity duration in number of days | 3650 |
| container.registryCertSecret | Name of generic Secret with additional CAs for external registries | None |
| container.image.repository | Falcon Sensor Node registry/image name | falcon-sensor |
| container.image.tag | The version of the official image to use. | latest (Use container.image.digest instead for security and production.) |
| container.image.digest | The sha256 digest of the official image to use. | None (Use instead of image tag for security and production.) |
| container.image.pullPolicy | Policy for updating images | Always |
| container.image.pullSecrets.enable | Enable pull secrets for private registry | false |
| container.image.pullSecrets.namespaces | List of Namespaces to pull the Falcon sensor from an authenticated registry | None |
| container.image.pullSecrets.allNamespaces | Use Helm's lookup function to deploy the pull secret to all namespaces | false |
| container.image.pullSecrets.registryConfigJSON | base64-encoded docker config JSON for the pull secret | None |
| container.image.sensorResources | The requests and limits of the sensor (see example below) | None |
| falcon.cid | CrowdStrike Customer ID (CID) | None (Required) |

falcon.cid and container.image.repository are required values.

For a complete listing of configurable parameters, run the following command:

helm show values crowdstrike/falcon-sensor

Note about using --set with lists

If you need to provide a list of values to a --set option, you need to escape the commas between the values, e.g. --set falcon.tags="tag1\,tag2\,tag3"
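The following POSIX shell helper is an added example, not part of the falcon-helm chart, that prepares the values discussed in the configuration tables and in the note above: it encodes a docker config for node.image.registryConfigJSON, accepts only a well-formed sha256 digest for node.image.digest rather than a mutable tag, escapes a comma-separated falcon.tags list, and renders the install command into a dedicated namespace. Registry host, credentials, digest and tags are constructed placeholders.

```shell
#!/bin/sh
# Added helper, not part of the falcon-helm chart. Registry host, credentials,
# digest and tags used in the demo at the bottom are constructed placeholders.

# Build the base64-encoded docker config JSON expected by node.image.registryConfigJSON.
# $1 = registry host, $2 = username, $3 = password or token.
make_registry_config_json() {
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth" | base64 | tr -d '\n'
}

# Accept only a well-formed sha256 digest, so a typo cannot silently leave the
# chart on the mutable "latest" tag. Returns 0 if valid, 1 otherwise.
is_sha256_digest() {
    printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Escape commas so Helm's --set keeps a list value as one string (tag1\,tag2).
escape_helm_list() {
    printf '%s' "$1" | sed 's/,/\\,/g'
}

# Print the install command for a digest-pinned node sensor in its own namespace.
# $1 = CID, $2 = registry/image, $3 = sha256 digest, $4 = comma-separated tags,
# $5 = base64 docker config from make_registry_config_json.
render_node_install_cmd() {
    is_sha256_digest "$3" || { echo "refusing unpinned image reference: $3" >&2; return 1; }
    tags=$(escape_helm_list "$4")
    printf 'helm upgrade --install falcon-helm crowdstrike/falcon-sensor \\\n'
    printf '    -n falcon-system --create-namespace \\\n'
    printf '    --set falcon.cid="%s" \\\n' "$1"
    printf '    --set node.image.repository="%s" \\\n' "$2"
    printf '    --set node.image.digest="%s" \\\n' "$3"
    printf '    --set falcon.tags="%s" \\\n' "$tags"
    printf '    --set node.image.registryConfigJSON="%s"\n' "$5"
}

# Demo with constructed values; replace them with your own before use.
DEMO_CFG=$(make_registry_config_json registry.example.com pull-user pull-token)
DEMO_DIGEST="sha256:0000000000000000000000000000000000000000000000000000000000000000"
render_node_install_cmd "<CrowdStrike_CID>" "registry.example.com/falcon-node-sensor" \
    "$DEMO_DIGEST" "prod,east" "$DEMO_CFG"
```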

Example using container.image.sensorResources

When setting container.image.sensorResources, the simplest method would be to provide a values file to the helm install command.

Example:

helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
    --set node.enabled=false \
    --set container.enabled=true \
    --set falcon.cid="<CrowdStrike_CID>" \
    --set container.image.repository="<Your_Registry>/falcon-sensor" \
    --values values.yaml

Where values.yaml is

container:
  sensorResources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 10m
      memory: 20Mi

Of course, one could specify all options in the values.yaml file and skip the --set options altogether:

node:
  enabled: false
container:
  enabled: true
  image:
    repository: "<Your_Registry>/falcon-sensor"
  sensorResources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 10m
      memory: 20Mi
falcon:
  cid: "<CrowdStrike_CID>"

If using a local values file is not an option, you could do this:

helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
    --set node.enabled=false \
    --set container.enabled=true \
    --set falcon.cid="<CrowdStrike_CID>" \
    --set container.image.repository="<Your_Registry>/falcon-sensor" \
    --set container.sensorResources.limits.memory="128Mi" \
    --set container.sensorResources.limits.cpu="100m" \
    --set container.sensorResources.requests.memory="20Mi" \
    --set container.sensorResources.requests.cpu="10m"

Uninstall Helm Chart

To uninstall, run the following command:

helm uninstall falcon-helm

To uninstall from a custom namespace, run the following command:

helm uninstall falcon-helm -n falcon-system

You may also want to delete the falcon-system namespace, since helm will not do it for you:

kubectl delete ns falcon-system