17 KiB
CrowdStrike Falcon Helm Chart
Falcon is the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more.
Kubernetes Cluster Compatability
The Falcon Helm chart has been tested to deploy on the following Kubernetes distributions:
- Amazon Elastic Kubernetes Service (EKS)
- Azure Kubernetes Service (AKS)
- Google Kubernetes Engine (GKE) - DaemonSet support for Ubuntu nodes only, Container sensor for GCOS nodes.
- Rancher K3s
- Red Hat OpenShift Container Platform 4.6+
Dependencies
- Requires a x86_64 Kubernetes cluster
- Must be a CrowdStrike customer with access to the Falcon Linux Sensor (container image) and Falcon Container from the CrowdStrike Container Registry.
- Kubernetes nodes must be Linux distributions supported by CrowdStrike.
- Before deploying the Helm chart, you should have a Falcon Linux Sensor and/or Falcon Container sensor in your own container registry or use CrowdStrike's registry before installing the Helm Chart. See the Deployment Considerations for more.
- Helm 3.x is installed and supported by the Kubernetes vendor.
Helm Chart Support for Falcon Sensor Versions
Helm chart Version | Falcon Sensor Version |
---|---|
<= 1.6.x |
<= 6.34.x |
>= 1.7.x && <= 1.17.x |
>= 6.35.x && < 6.49.x |
>= 1.18.x |
>= 6.49.x |
Installation
Add the CrowdStrike Falcon Helm repository
helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
Update the local Helm repository Cache
helm repo update
Falcon Configuration Options
The following tables lists the Falcon Sensor configurable parameters and their default values.
Parameter | Description | Default |
---|---|---|
falcon.cid |
CrowdStrike Customer ID (CID) | None (Required) |
falcon.apd |
App Proxy Disable (APD) | None |
falcon.aph |
App Proxy Hostname (APH) | None |
falcon.app |
App Proxy Port (APP) | None |
falcon.trace |
Set trace level. (none ,err ,warn ,info ,debug ) |
none |
falcon.feature |
Sensor Feature options | None |
falcon.backend |
Choose sensor backend (kernel ,bpf ). Sensor 6.49+ only |
None |
falcon.message_log |
Enable message log (true/false) | None |
falcon.billing |
Utilize default or metered billing | None |
falcon.tags |
Comma separated list of tags for sensor grouping | None |
falcon.provisioning_token |
Provisioning token value | None |
Installing on Kubernetes Cluster Nodes
Deployment Considerations
To ensure a successful deployment, you will want to ensure that:
- By default, the Helm Chart installs in the
default
namespace. Best practices for deploying to Kubernetes is to create a new namespace. This can be done by adding-n falcon-system --create-namespace
to yourhelm install
command. The namespace can be any name that you wish to use. - The Falcon Linux Sensor (not the Falcon Container) should be used as the container image to deploy to Kubernetes nodes.
- You must be a cluster administrator to deploy Helm Charts to the cluster.
- When deploying the Falcon Linux Sensor (container image) to Kubernetes nodes, it is a requirement that the Falcon Sensor run as a privileged container so that the Sensor can properly work with the kernel. This is a requirement for any kernel module that gets deployed to any container-optimized operating system regardless of whether it is a security sensor, graphics card driver, etc.
- The Falcon Linux Sensor should be deployed to Kubernetes environments that allow node access or installation via a Kubernetes DaemonSet.
- The Falcon Linux Sensor will create
/opt/CrowdStrike
on the Kubernetes nodes. DO NOT DELETE this folder. - CrowdStrike's Helm Chart is a project, not a product, and released to the community as a way to automate sensor deployment to kubernetes clusters. The upstream repository for this project is https://github.com/CrowdStrike/falcon-helm.
Pod Security Standards
Starting with Kubernetes 1.25, Pod Security Standards will be enforced. Setting the appropriate Pod Security Standards policy needs to be performed by adding a label to the namespace. Run the following command replacing my-existing-namespace
with the namespace that you have installed the falcon sensors e.g. falcon-system
..
kubectl label --overwrite ns my-existing-namespace \
pod-security.kubernetes.io/enforce=privileged
If your cluster is OpenShift version 4.11+, you will need to add an additional label to disable added OpenShift functionality that will sync Pod Security Standard policies based on the default Security Context Constraints (SCC).
Run the following command replacing my-existing-namespace
with the namespace that you have installed the falcon sensors e.g. falcon-system
.
kubectl label --overwrite ns my-existing-namespace \
security.openshift.io/scc.podSecurityLabelSync=false
If desired to silence the warning and change the auditing level for the Pod Security Standard, add the following labels
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/audit=privileged
kubectl label ns --overwrite my-existing-namespace pod-security.kubernetes.io/warn=privileged
Install CrowdStrike Falcon Helm Chart on Kubernetes Nodes
helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
--set falcon.cid="<CrowdStrike_CID>" \
--set node.image.repository="<Your_Registry>/falcon-node-sensor"
Above command will install the CrowdStrike Falcon Helm Chart with the release name falcon-helm
in the namespace your kubectl
context is currently set to.
You can install also install into a customized namespace by running the following:
helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
-n falcon-system --create-namespace \
--set falcon.cid="<CrowdStrike_CID>" \
--set node.image.repository="<Your_Registry>/falcon-node-sensor"
For more details please see the falcon-helm repository.
Node Configuration
The following tables lists the more common configurable parameters of the chart and their default values for installing on a Kubernetes node.
Parameter | Description | Default |
---|---|---|
node.enabled |
Enable installation on the Kubernetes node | true |
node.image.repository |
Falcon Sensor Node registry/image name | falcon-node-sensor |
node.image.tag |
The version of the official image to use | latest (Use node.image.digest instead for security and production) |
node.image.digest |
The sha256 digest of the official image to use | None (Use instead of the image tag for security and production) |
node.image.pullPolicy |
Policy for updating images | Always |
node.image.pullSecrets |
Pull secrets for private registry | None (Conflicts with node.image.registryConfigJSON) |
node.image.registryConfigJSON |
base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) |
falcon.cid |
CrowdStrike Customer ID (CID) | None (Required) |
falcon.cid
and node.image.repository
are required values.
For a complete listing of configurable parameters, run the following command:
helm show values crowdstrike/falcon-sensor
Installing in Kubernetes Cluster as a Sidecar
Deployment Considerations
To ensure a successful deployment, you will want to ensure that:
- You must be a cluster administrator to deploy Helm Charts to the cluster.
- When deploying the Falcon Container as a sidecar sensor, make sure that there are no firewall rules blocking communication to the Mutating Webhook. This will most likely result in a
context deadline exceeded
error. The default port for the Webhook is4433
. - The Falcon Container as a sidecar sensor should be deployed to Kubernetes managed environments, or environments that do not allow node access or installation via a Kubernetes DaemonSet.
- CrowdStrike's Helm Chart is a project, not a product, and released to the community as a way to automate sensor deployment to kubernetes clusters. The upstream repository for this project is https://github.com/CrowdStrike/falcon-helm.
- Be aware that there is advanced Helm Chart functionality in use and those specific features may not work fully with GitOps tools like ArgoCD. The reason for this is that ArgoCD does not fully support Helm when compared to FluxCD. For features that do not work in this instance, disable those features until ArgoCD supports Helm correctly.
Install CrowdStrike Falcon Helm Chart in Kubernetes Cluster as a Sidecar
helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
--set node.enabled=false \
--set container.enabled=true \
--set falcon.cid="<CrowdStrike_CID>" \
--set container.image.repository="<Your_Registry>/falcon-sensor"
Above command will install the CrowdStrike Falcon Helm Chart with the release name falcon-helm
in the namespace your kubectl
context is currently set to.
You can install also install into a customized namespace by running the following:
helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
-n falcon-system --create-namespace \
--set node.enabled=false \
--set container.enabled=true \
--set falcon.cid="<CrowdStrike_CID>" \
--set container.image.repository="<Your_Registry>/falcon-sensor"
Note about installation namespace
For Kubernetes clusters <1.22 (or 1.21 where the NamespaceDefaultLabelName feature gate is NOT enabled), be sure to label your namespace for injector exclusion before installing the Container sensor:
kubectl create namespace falcon-system
kubectl label namespace falcon-system kubernetes.io/metadata.name=falcon-system
Container Sensor Configuration
The following tables lists the more common configurable parameters of the chart and their default values for installing the Container sensor as a Sidecar.
Parameter | Description | Default |
---|---|---|
container.enabled |
Enable installation on the Kubernetes node | false |
container.azure.enabled |
For AKS without the pulltoken option | false |
container.azure.azureConfig |
Path to the Kubernetes Azure config file on worker nodes | /etc/kubernetes/azure.json |
container.disableNSInjection |
Disable injection for all Namespaces | false |
container.disablePodInjection |
Disable injection for all Pods | false |
container.certExpiration |
Certificate validity duration in number of days | 3650 |
container.registryCertSecret |
Name of generic Secret with additional CAs for external registries | None |
container.image.repository |
Falcon Sensor Node registry/image name | falcon-sensor |
container.image.tag |
The version of the official image to use. | latest (Use container.image.digest instead for security and production.) |
container.image.digest |
The sha256 digest of the official image to use. | None (Use instead of image tag for security and production.) |
container.image.pullPolicy |
Policy for updating images | Always |
container.image.pullSecrets.enable |
Enable pull secrets for private registry | false |
container.image.pullSecrets.namespaces |
List of Namespaces to pull the Falcon sensor from an authenticated registry | None |
container.image.pullSecrets.allNamespaces |
Use Helm's lookup function to deploy the pull secret to all namespaces | false |
container.image.pullSecrets.registryConfigJSON |
base64 encoded docker config json for the pull secret | None |
container.image.sensorResources |
The requests and limits of the sensor (see example below) | None |
falcon.cid |
CrowdStrike Customer ID (CID) | None (Required) |
falcon.cid
and container.image.repository
are required values.
For a complete listing of configurable parameters, run the following command:
helm show values crowdstrike/falcon-sensor
Note about using --set with lists
If you need to provide a list of values to a --set
command, you need to escape the commas between the values e.g. --set falcon.tags="tag1\,tag2\,tag3"
Example using container.image.sensorResources
When setting container.image.sensorResources
, the simplest method would be to provide a values file to the helm install
command.
Example:
helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
--set node.enabled=false \
--set container.enabled=true \
--set falcon.cid="<CrowdStrike_CID>" \
--set container.image.repository="<Your_Registry>/falcon-sensor" \
--values values.yaml
Where values.yaml
is
container:
sensorResources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 20Mi
Of course, one could specify all options in the values.yaml
file and skip the --set
options altogether:
node:
enabled: false
container:
enabled: true
image:
repository: "<Your_Registry>/falcon-sensor"
sensorResources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 20Mi
falcon:
cid: "<CrowdStrike_CID>"
If using a local values file is not an option, you could do this:
helm upgrade --install falcon-helm crowdstrike/falcon-sensor \
--set node.enabled=false \
--set container.enabled=true \
--set falcon.cid="<CrowdStrike_CID>" \
--set container.image.repository="<Your_Registry>/falcon-sensor" \
--set container.sensorResources.limits.memory="128Mi" \
--set container.sensorResources.limits.cpu="100m" \
--set container.sensorResources.requests.memory="20Mi" \
--set container.sensorResources.requests.cpu="10m"
Uninstall Helm Chart
To uninstall, run the following command:
helm uninstall falcon-helm
To uninstall from a custom namespace, run the following command:
helm uninstall falcon-helm -n falcon-system
You may need/want to delete the falcon-system as well since helm will not do it for you:
kubectl delete ns falcon-system