v1.1.11 helm updates for hostNetwork #331

Merged
merged 1 commit into from
Jan 16, 2025
4 changes: 2 additions & 2 deletions helm-charts/falcon-image-analyzer/Chart.yaml
Expand Up @@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.1.10
version: 1.1.11

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.0.16"
appVersion: "1.0.17"
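Review bot: the `appVersion` bump to "1.0.17" on the last changed line only updates chart metadata; nothing else in this PR touches an image tag, so confirm the image tag is derived from `.Chart.AppVersion` or bumped separately, otherwise the chart will advertise 1.0.17 while still pulling the 1.0.16 image.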
23 changes: 18 additions & 5 deletions helm-charts/falcon-image-analyzer/README.md
Expand Up @@ -15,11 +15,11 @@ The Falcon Image Analyzer Helm chart has been tested to deploy on the following
* SUSE Rancher K3s
* Red Hat OpenShift Kubernetes

## New updates in current release (1.1.10) for iar 1.0.16
- adding `crowdstrikeConfig.enableKlogs` flag to enable native klogs for troubleshooting
- support `autodiscovery|autodiscover|auto` values for `crowdstrikeConfig.agentRegion` field for commercial cloud customers ONLY. This will enable the IAR
to discover the customer region automatically IF the customer belongs to commercial cloud (`us-1 | us-2 | eu-1`).
**NOTE. FOR GOV customers i.e. `gov1|gov2` this is NOT Supported. Please explicitly specify the region**
## New updates in current release (1.1.11) for iar 1.0.17
- Support for multiarch IAR. IAR now is supported on both amd64 and arm64 nodes from iar 1.0.17 onwards
- add `hostNetwork` param in values to support usage of hostnetwork
- add `dnsPolicy` param in values to support k8s DNS supported polices. no value implies `Default`. see
https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy

## Dependencies

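Review bot: "no value implies `Default`" in the new `dnsPolicy` bullet is inaccurate. When `dnsPolicy` is left empty and `hostNetwork` is false the templates emit no `dnsPolicy` at all, so Kubernetes applies its own default, `ClusterFirst`; `Default` is a distinct policy (inherit the node's resolver configuration). Suggest: "no value leaves the Kubernetes default (`ClusterFirst`) in place, or `ClusterFirstWithHostNet` when `hostNetwork` is `true`". Also "polices" should read "policies", and the multiarch bullet reads better as "IAR is supported on both amd64 and arm64 nodes from IAR 1.0.17 onwards".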
Expand Down Expand Up @@ -61,6 +61,8 @@ The following tables list the Falcon sensor configurable parameters and their de
| `exclusions.namespace` optional ( available in falcon-imageanalyzer >= 1.0.8 and Helm Chart v >= 1.1.3) | Set the value as a comma separate list of namespaces to be excluded. all pods in that namespace(s) will be excluded | "" |
| `exclusions.registry` optional ( available in falcon-imageanalyzer >= 1.0.8 and Helm Chart v >= 1.1.3) | Set the value as a comma separate list of registries to be excluded. all images in that registry(s) will be excluded | "" |
| `log.output` optional ( available Helm Chart v >= 1.1.7 & falcon-imageanalyzer >= 1.0.12) | Set the value to for log output terminal. `2=stderr` and `1=stdout` | 2 ( stderr ) |
| `hostNetwork` optional ( available Helm Chart v >= 1.1.11) | Set the value to `true` to use the hostNetwork instead of pod network | `false` |
| `dnsPolicy` optional ( available Helm Chart v >= 1.1.11) | Set the value to any supported value from https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | `` no value implies `Default` |
| `scanStats.enabled` optional ( available Helm Chart v >= 1.1.8 & falcon-imageanalyzer >= 1.0.13) | Set `enabled` to true for agent to send scan error and stats to cloud | false |
| `crowdstrikeConfig.clusterName` required | Cluster name | None |
| `crowdstrikeConfig.enableDebug` optional | Set to `true` for debug level log verbosity. | false |
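Review bot: the `hostNetwork` row should state the blast radius of the flag and its interaction with `dnsPolicy`. Enabling it places the IAR pod in the node's network namespace (node-local listeners and host interfaces become directly reachable), and `hostNetwork: true` is disallowed by the Kubernetes Pod Security Standards `baseline` and `restricted` profiles, so namespaces enforcing those through Pod Security Admission will reject the pods. Suggest appending to the description: "Requires a namespace that permits `hostNetwork` (PSS `privileged`); also changes the default `dnsPolicy` to `ClusterFirstWithHostNet`." The `dnsPolicy` default cell has stray empty backticks (`` `` ``) and the same `Default` vs `ClusterFirst` issue: an empty value yields the Kubernetes default `ClusterFirst`, not `Default`.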
Expand Down Expand Up @@ -340,6 +342,17 @@ for e.g. a docker-registry secret can be created as below
```
use the above secret as `"my-app-ns:regcred,my-app-ns:regcred2"`

### PROXY Usage
If a customer us using proxy settings . Please make sure to add the registry domains ```myreg.some.com``` in the ```NO_PROXY```.
This is so that the IAR can connect to the registries without proxy and authenticate if needed using secrets provided or download the public free images.

***Note that some registries domains also have other urls based on the auth challange that is sent by the registry service. Please make sure to add those as well to ```NO_PROXY```
for e.g. for gitlab registries there exists the
- registry domain ```my-reg.gitlab.com```
- and the other ```www.gitlab.com```

- The above is very registry provider specific. One needs to ensure nothing ie being blocked by Proxy

### Pod Eviction
If for some reason pod evivictions are observed in the Cluster due to exceeding ephemeral storage
please set the `priorityClassName` to `system-node-critical` or `system-cluster-critical` in `config-values.yaml` and update.
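Review bot: the PROXY Usage and Pod Eviction text has typos and formatting that will render badly. "us using proxy settings ." should be "is using proxy settings.", "challange" should be "challenge", "ie being" should be "is being", "urls" should be "URLs", and "evivictions" should be "evictions". Inline code is written with triple backticks (```myreg.some.com```, ```NO_PROXY```), which some Markdown renderers treat as fenced blocks; use single backticks inline. The GitLab example would also read better as one list ("registry domain `my-reg.gitlab.com`" and "auth endpoint `www.gitlab.com`") with the "very registry provider specific" sentence as normal prose rather than a bullet. One substantive addition: adding registry domains to `NO_PROXY` means image pulls and registry credential exchanges bypass the proxy entirely, which is worth saying explicitly so operators relying on proxy-based egress inspection know those flows will not pass through it.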
6 changes: 6 additions & 0 deletions helm-charts/falcon-image-analyzer/templates/daemonset.yaml
Expand Up @@ -104,4 +104,10 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: true
dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
{{- else if .Values.dnsPolicy}}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
{{- end }}
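Review bot: `{{- else if .Values.dnsPolicy}}` is missing the space before the closing braces that every other action in this file uses (`{{- end }}`); cosmetic, but worth fixing for consistency. The logic is sound: with `hostNetwork` true, `default "ClusterFirstWithHostNet" .Values.dnsPolicy` handles the empty `dnsPolicy:` from values.yaml correctly, since `default` treats nil and "" alike. Because a DaemonSet with `hostNetwork: true` runs one pod per node sharing the node's port space, please confirm the IAR container binds no listening port, otherwise it will collide with whatever already uses that port on the host.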
6 changes: 6 additions & 0 deletions helm-charts/falcon-image-analyzer/templates/deployment.yaml
Expand Up @@ -115,4 +115,10 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: true
dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
{{- else if .Values.dnsPolicy}}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
{{- end }}
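Review bot: this block is a byte-for-byte copy of the one added to daemonset.yaml. Factor it into a named template in `_helpers.tpl` (a hypothetical name such as `falcon-image-analyzer.networking`) and `include` it from both workload templates, so the Deployment and DaemonSet cannot drift the next time `dnsPolicy` handling changes. The `{{- else if .Values.dnsPolicy}}` spacing nit applies here as well.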
13 changes: 9 additions & 4 deletions helm-charts/falcon-image-analyzer/values.yaml
Expand Up @@ -73,10 +73,6 @@ affinity:
operator: In
values:
- linux
- key: kubernetes.io/arch
operator: In
values:
- amd64

priorityClassName: ""

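Review bot: deleting the `kubernetes.io/arch` affinity term entirely is broader than the stated goal of supporting arm64. With no arch constraint the scheduler may place IAR pods on any node architecture present in the cluster, and on one the image is not published for the pod fails with an image pull or exec-format error. Suggest keeping the term and widening it instead:
      - key: kubernetes.io/arch
        operator: In
        values: [amd64, arm64]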
Expand Down Expand Up @@ -112,6 +108,15 @@ exclusions:
# registry: "index.docker.io,my.private.registry,localhost,localhost:1234"
registry: ""


# set this to true will bypass the kubernetes network and use the node/host network. This is needed in some
# setups where proxy rules are strict and if we IAR to make calls especially for private registry/auth via the host.
# NOTE That setting this to true will also set the dnsPolicy: "ClusterFirstWithHostNet"
hostNetwork: false

# Define ImageAnalyzer POD DNS Policy, defaults to "ClusterFirstWithHostNet" when hostNetwork = true
dnsPolicy:

# Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2
# each secret should be of type docker-registry for each of the private registry that is used.
# for e.g. a docker-registry secret can be created as below
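Review bot: the new value comments need wording fixes and one clarification. "set this to true will bypass" should be "Setting this to true bypasses"; "if we IAR to make calls" is missing a verb, presumably "if the IAR needs to make calls"; "NOTE That setting this" should be "Note that setting this". The `dnsPolicy` comment says it defaults to `ClusterFirstWithHostNet` when `hostNetwork = true` but not what happens otherwise; add "when `hostNetwork` is false and this is empty, no `dnsPolicy` is rendered and Kubernetes uses `ClusterFirst`". In the surrounding context, "namsepace1" should be "namespace1".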