Merge branch 'feat-kac-clustername-support' of https://github.com/fal…

…con-pioupiou/falcon-helm into feat-kac-clustername-support
CrowdStrike · Jun 10, 2024 · 1246aa8 · 1246aa8
2 parents b5c0243 + d6ea967
commit 1246aa8
Show file tree

Hide file tree

Showing 32 changed files with 383 additions and 169 deletions.
diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
@@ -15,7 +15,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.8.1
 

diff --git a/.github/workflows/helm-node-sensor.yaml b/.github/workflows/helm-node-sensor.yaml
@@ -34,7 +34,7 @@ jobs:
         if: github.event_name == 'pull_request_target'
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.8.1
 
@@ -56,7 +56,7 @@ jobs:
           cp tests/node-values.yaml helm-charts/falcon-sensor/ci/node-values.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1.10.0
 
       - name: Run chart-testing (install) using Node sensor
         run: ct install --config tests/ct.yaml --helm-extra-set-args "--set node.image.tag=${{ secrets.FALCON_NODE_TAG }} --set node.image.registryConfigJSON=${{ secrets.FALCON_REGISTRY_TOKEN }} --set falcon.cid=${{ secrets.FALCON_CID }}"
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
@@ -22,7 +22,7 @@ jobs:
           git config user.email "[email protected]"
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.8.1
 

diff --git a/.github/workflows/helm-sidecar-sensor.yaml b/.github/workflows/helm-sidecar-sensor.yaml
@@ -34,7 +34,7 @@ jobs:
         if: github.event_name == 'pull_request_target'
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.8.1
 
@@ -56,7 +56,7 @@ jobs:
           cp tests/sidecar-values.yaml helm-charts/falcon-sensor/ci/sidecar-values.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1.10.0
 
       - name: Run chart-testing (install) using Sidecar sensor
         run: ct install --config tests/ct.yaml --helm-extra-set-args "--set container.image.tag=${{ secrets.FALCON_SIDECAR_TAG }} --set container.image.pullSecrets.registryConfigJSON=${{ secrets.FALCON_REGISTRY_TOKEN }} --set falcon.cid=${{ secrets.FALCON_CID }}"
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.8.1
 
@@ -43,7 +43,7 @@ jobs:
         run: ct lint --config tests/ct.yaml
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
+        uses: helm/kind-action@v1.10.0
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)

diff --git a/helm-charts/cs-k8s-protection-agent/Chart.yaml b/helm-charts/cs-k8s-protection-agent/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "1.0.2"
+version: "1.0.3"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm-charts/cs-k8s-protection-agent/templates/deployment.yaml b/helm-charts/cs-k8s-protection-agent/templates/deployment.yaml
@@ -65,6 +65,6 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.crowdstrikeConfig.priorityClassName }}
+      {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}
diff --git a/helm-charts/falcon-image-analyzer/Chart.yaml b/helm-charts/falcon-image-analyzer/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.2
+version: 1.1.7
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.1.2"
+appVersion: "1.0.12"
diff --git a/helm-charts/falcon-image-analyzer/README.md b/helm-charts/falcon-image-analyzer/README.md
diff --git a/helm-charts/falcon-image-analyzer/ci/cid-values.yaml b/helm-charts/falcon-image-analyzer/ci/cid-values.yaml
@@ -1,3 +1,5 @@
+deployment:
+  enabled: true
 crowdstrikeConfig:
   clusterName: "test-cluster12.test"
   clientID: "abcdefABCDEF0123456789abcdefABCD"

diff --git a/helm-charts/falcon-image-analyzer/templates/_helpers.tpl b/helm-charts/falcon-image-analyzer/templates/_helpers.tpl
@@ -41,6 +41,18 @@ agentRunmode definition
 {{- end }}
 {{- end }}
 
+
+{{/*
+tmp-volume volume size definition
+*/}}
+{{- define "falcon-image-analyzer.tempvolsize" -}}
+{{- range $v := .Values.volumes }}
+{{- if eq $v.name "tmp-volume" }}
+{{- printf $v.emptyDir.sizeLimit }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

diff --git a/helm-charts/falcon-image-analyzer/templates/configmap.yaml b/helm-charts/falcon-image-analyzer/templates/configmap.yaml
@@ -7,12 +7,16 @@ metadata:
   {{- include "falcon-image-analyzer.labels" . | nindent 4 }}
 data:
   IS_KUBERNETES: {{ .Values.isKubernetes | quote }}
+  LOG_OUTPUT: {{ .Values.log.output | quote }}
   AGENT_CID: {{ .Values.crowdstrikeConfig.cid | quote }}
   AGENT_CLUSTER_NAME: {{ .Values.crowdstrikeConfig.clusterName | quote }}
   AGENT_REGISTRY_CREDENTIALS: {{ .Values.privateRegistries.credentials | quote }}
+  AGENT_NAMESPACE_EXCLUSIONS: {{ .Values.exclusions.namespace | quote }}
+  AGENT_REGISTRY_EXCLUSIONS: {{ .Values.exclusions.registry | quote }}
   AGENT_DEBUG: {{ .Values.crowdstrikeConfig.enableDebug | quote }}
   AGENT_RUNMODE: {{ include "falcon-image-analyzer.agentrunmode" . | quote }}
   AGENT_REGION: {{ .Values.crowdstrikeConfig.agentRegion | quote }}
+  AGENT_TEMP_MOUNT_SIZE: {{ include "falcon-image-analyzer.tempvolsize" . | quote }}
   {{- if .Values.daemonset.enabled }}
   AGENT_RUNTIME: {{ .Values.crowdstrikeConfig.agentRuntime | quote }}
   AGENT_RUNTIME_SOCKET: {{ include "falcon-image-analyzer.agentRuntimeSocket" . | quote }}

diff --git a/helm-charts/falcon-image-analyzer/templates/daemonset.yaml b/helm-charts/falcon-image-analyzer/templates/daemonset.yaml
@@ -13,6 +13,7 @@ spec:
   template:
     metadata:
       annotations:
+        sensor.falcon-system.crowdstrike.com/injection: disabled
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -100,7 +101,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.crowdstrikeConfig.priorityClassName }}
+      {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}
  {{- end }}
diff --git a/helm-charts/falcon-image-analyzer/templates/deployment.yaml b/helm-charts/falcon-image-analyzer/templates/deployment.yaml
@@ -14,6 +14,7 @@ spec:
   template:
     metadata:
       annotations:
+        sensor.falcon-system.crowdstrike.com/injection: disabled
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -54,12 +55,21 @@ spec:
             runAsUser: 0
             runAsNonRoot: false
             privileged: false
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
             runAsUser: 0
             privileged: false
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           resources:
           {{- if .Values.resources }}
           {{- toYaml .Values.resources | nindent 12 }}
@@ -102,7 +112,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.crowdstrikeConfig.priorityClassName }}
+      {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}
 {{- end }}
diff --git a/helm-charts/falcon-image-analyzer/values.schema.json b/helm-charts/falcon-image-analyzer/values.schema.json
@@ -249,6 +249,48 @@
             }
         }
     },
+    "oneOf": [
+        {
+            "properties": {
+                "deployment": {
+                    "properties": {
+                        "enabled": {
+                            "const": true
+                        }
+                    }
+                }
+            },
+            "additionalProperties": {
+                "daemonset": {
+                  "properties": {
+                     "enabled": {
+                     "const": false
+                }
+              }
+          }
+        }
+        },
+        {
+            "properties": {
+                "daemonset": {
+                    "properties": {
+                        "enabled": {
+                            "const": true
+                        }
+                    }
+                }
+            },
+            "additionalProperties": {
+                "deployment": {
+                    "properties": {
+                        "enabled": {
+                            "const": false
+                        }
+                    }
+                }
+            }
+        }
+    ],
     "allOf": [
         {
             "if": {

diff --git a/helm-charts/falcon-image-analyzer/values.yaml b/helm-charts/falcon-image-analyzer/values.yaml
@@ -11,7 +11,6 @@ daemonset:
 deployment:
   enabled: false
 
-
 # Do not override anywhere in values - Always 1 for Deployment. NA for daemonset
 replicaCount: 1
 image:
@@ -63,7 +62,19 @@ resources: {}
 
 tolerations: []
 
-affinity: {}
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/os
+          operator: In
+          values:
+            - linux
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+            - amd64
 
 priorityClassName: ""
 
@@ -78,6 +89,26 @@ azure:
 gcp:
   enabled: false
 
+exclusions:
+  # provide a comma separate list of name spaces that you want to be
+  # excluded from IAR scanning.
+  # Note that all pods will be excluded.
+  # Use this param when you install IAR on a cluster that already has pods running and want to be excluded
+  # For excluding only specific pods or excluding namespaces AFTER iar has been installed , please refer to README
+  # For e.g.
+  #  exclusions:
+  #    namespace: "ns1,ns2"
+  namespace: ""
+
+  # provide a comma separate list of
+  # registries ( without transport http/https:// ) to be excluded
+  # from IAR scanning.
+  # Note that any pods running any image with the registry will be excluded
+  # Use this param when you install IAR on a cluster that already has pods running and want to be excluded
+  # for E.g.
+  #   exclusions:
+  #    registry: "index.docker.io,my.private.registry,localhost,localhost:1234"
+  registry: ""
 
 # Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2
 # each secret should be of type docker-registry for each of the private registry that is used.
@@ -93,12 +124,25 @@ privateRegistries:
   credentials: ""
 
 # This is a mandatory mount for both deployment and daemon set.
-# this is used as a tmp working space for image storage
+# this is used as a tmp working space for image storage.
+# adjust this space to any comfortable value. The max Size should be equals
+# to the largest image possible to run in the container.
+# for e.g. if the largest possible image is in the range of 1-4g put 4Gi as the value.
 volumes:
   - name: tmp-volume
     emptyDir:
       sizeLimit: 20Gi
 
+
+# use this field to set the output terminal of logs
+# 1 = stdout ( some cloud providers like GCP assume any output on stderr to be critical err and display on console )  .
+# 2 = stderr/default ( stderr is the normal output for logs )
+# any other value will be defaulted to stderr
+# https://stackoverflow.com/questions/4919093/should-i-log-messages-to-stderr-or-stdout/4919110#4919110 )
+
+log:
+  output: 2
+
 crowdstrikeConfig:
   clusterName: ""
   enableDebug: "false"
@@ -111,7 +155,6 @@ crowdstrikeConfig:
   # /entities/image-registry-credentials/v1
   dockerAPIToken: ""
 
-
   # Use this value if you have an existing secret
   # defined in your k8s that may contain secrets
   # for falcon api client id and pw
@@ -121,7 +164,6 @@ crowdstrikeConfig:
   agentRuntimeSocket: ""
   agentMaxConsumerThreads: "1"
 
-
 proxyConfig:
   HTTP_PROXY: ""
   HTTPS_PROXY: ""

diff --git a/helm-charts/falcon-kac/templates/deployment_webhook.yaml b/helm-charts/falcon-kac/templates/deployment_webhook.yaml
@@ -214,11 +214,13 @@ spec:
           type: RuntimeDefault
       serviceAccountName: {{ .Values.serviceAccount.name }}
       shareProcessNamespace: true
-      {{- if .Values.tolerations }}
-      tolerations:
-      {{- with .Values.tolerations }}
-      {{- toYaml . | nindent 6 }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
       - name: {{ include "falcon-kac.name" . }}-tls-certs
@@ -286,7 +288,7 @@ webhooks:
     - pods/ephemeralcontainers
     scope: '*'
   sideEffects: None
-  timeoutSeconds: 5
+  timeoutSeconds: 10
 - admissionReviewVersions:
   - v1
   clientConfig:
@@ -359,4 +361,5 @@ webhooks:
     - jobs
     scope: '*'
   sideEffects: None
-  timeoutSeconds: 5
+  timeoutSeconds: 10
+
diff --git a/helm-charts/falcon-kac/templates/resourcequota.yaml b/helm-charts/falcon-kac/templates/resourcequota.yaml
@@ -7,7 +7,7 @@ metadata:
     {{- include "falcon-kac.labels" . | nindent 4 }}
 spec:
   hard:
-    pods: 2
+    pods: {{ .Values.resourceQuota.pods }}
   scopeSelector:
     matchExpressions:
     - operator: In