From b2f4584f9720dc33b69a7ddb8fc9f9a1cfd4e965 Mon Sep 17 00:00:00 2001
From: Carlos Matos
Date: Thu, 7 Nov 2024 16:01:47 +0100
Subject: [PATCH] feat(container-pull-script): add new SHRA images
Closes #384
This PR adds the `falcon-jobcontroller` and `falcon-registryassessmentexecutor` images used for Self Hosted Registry Assessments.
---
 .../falcon-container-sensor-pull/README.md | 74 +++++++++++--------
 .../falcon-container-sensor-pull.sh | 41 ++++++++--
 2 files changed, 80 insertions(+), 35 deletions(-)
diff --git a/bash/containers/falcon-container-sensor-pull/README.md b/bash/containers/falcon-container-sensor-pull/README.md
index bc4e8c4..198fe27 100644
--- a/bash/containers/falcon-container-sensor-pull/README.md
+++ b/bash/containers/falcon-container-sensor-pull/README.md
@@ -1,6 +1,6 @@
 # Falcon Container Sensor pull script
-Use this bash script to pull the latest **Falcon Container** sensor, **Node DaemonSet** sensor, **Kubernetes Admission Controller** or **Kubernetes Protection Agent** from the CrowdStrike container registry and push it to your local Docker registry or remote registries.
+A bash script for managing CrowdStrike Falcon container images. Pull from the official registry, copy to local/remote registries, generate Kubernetes pull tokens, retrieve image paths, manage credentials and more.
 ## Deprecation Warning :warning:
@@ -46,7 +46,7 @@ To check your version of cURL, run the following command: `curl --version`
 > [!IMPORTANT]
 > The following API scopes are the minimum required to retrieve the images. If you need to perform other operations post-retrieval, please refer to the CrowdStrike documentation to identify any additional scopes that may be required.
-- **falcon-sensor | falcon-container | falcon-kac | falcon-imageanalyzer**
+- **falcon-sensor | falcon-container | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor**
 - `Sensor Download (read)`
 - `Falcon Images Download (read)`
 - **kpagent**
@@ -83,7 +83,19 @@ Optional Flags:
 -c, --copy Registry to copy the image to, e.g., myregistry.com/mynamespace
 -v, --version Specify sensor version to retrieve from the registry
 -p, --platform Specify sensor platform to retrieve, e.g., x86_64, aarch64
- -t, --type Specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent|fcs] (Default: falcon-container)
+ -t, --type Specify which sensor to download (Default: falcon-container)
+
+ Available sensor types:
+ -----------------------
+ falcon-container
+ falcon-sensor
+ falcon-kac
+ falcon-snapshot
+ falcon-imageanalyzer
+ kpagent
+ fcs
+ falcon-jobcontroller
+ falcon-registryassessmentexecutor
 --runtime Use a different container runtime [docker, podman, skopeo] (Default: docker)
 --dump-credentials Print registry credentials to stdout to copy/paste into container tools
@@ -104,24 +116,24 @@ Help Options: > **Note**: **Settings can be passed to the script via CLI flags or environment variables:** -| Flags | Environment Variables | Default | Description | -| :--------------------------------------------- | ----------------------- | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `-f`, `--cid ` | `$FALCON_CID` | `None` (Optional) | CrowdStrike Customer ID (CID). *If not provided, CID will be auto-detected.* | -| `-u`, `--client-id ` | `$FALCON_CLIENT_ID` | `None` (Required) | CrowdStrike API Client ID | -| `-s`, `--client-secret ` | `$FALCON_CLIENT_SECRET` | `None` (Required) | CrowdStrike API Client Secret | -| `-r`, `--region ` | `$FALCON_CLOUD` | `us-1` (Optional) | CrowdStrike Region. \**Auto-discovery is only available for [`us-1, us-2, eu-1`] regions.* | -| `-c`, `--copy ` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace` | -| `-v`, `--version ` | `$SENSOR_VERSION` | `None` (Optional) | Specify sensor version to retrieve from the registry | -| `-p`, `--platform ` | `$SENSOR_PLATFORM` | `None` (Optional) | Specify sensor platform to retrieve from the registry | -| `-t`, `--type ` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `kpagent`, `fcs`] ([see more details below](#sensor-types)) | -| `--runtime` | `$CONTAINER_TOOL` | `docker` (Optional) | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**. 
| -| `--dump-credentials` | `$CREDS` | `False` (Optional) | Print registry credentials to stdout to copy/paste into container tools | -| `--get-image-path` | N/A | `None` | Get the full image path including the registry, repository, and latest tag for the specified `SENSOR_TYPE`. | -| `--get-pull-token` | N/A | `None` | Get the pull token of the selected `SENSOR_TYPE` for Kubernetes. | -| `--get-cid` | N/A | `None` | Get the CID assigned to the API Credentials. | -| `--list-tags` | `$LISTTAGS` | `False` (Optional) | List all tags available for the selected sensor | -| `--allow-legacy-curl` | `$ALLOW_LEGACY_CURL` | `False` (Optional) | Allow the script to run with an older version of cURL | -| `-h`, `--help` | N/A | `None` | Display help message | +| Flags | Environment Variables | Default | Description | +| :--------------------------------------------- | ----------------------- | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `-f`, `--cid ` | `$FALCON_CID` | `None` (Optional) | CrowdStrike Customer ID (CID). *If not provided, CID will be auto-detected.* | +| `-u`, `--client-id ` | `$FALCON_CLIENT_ID` | `None` (Required) | CrowdStrike API Client ID | +| `-s`, `--client-secret ` | `$FALCON_CLIENT_SECRET` | `None` (Required) | CrowdStrike API Client Secret | +| `-r`, `--region ` | `$FALCON_CLOUD` | `us-1` (Optional) | CrowdStrike Region. \**Auto-discovery is only available for [`us-1, us-2, eu-1`] regions.* | +| `-c`, `--copy ` | `$COPY` | `None` (Optional) | Registry you want to copy the sensor image to. 
Example: `myregistry.com/mynamespace` | +| `-v`, `--version ` | `$SENSOR_VERSION` | `None` (Optional) | Specify sensor version to retrieve from the registry | +| `-p`, `--platform ` | `$SENSOR_PLATFORM` | `None` (Optional) | Specify sensor platform to retrieve from the registry | +| `-t`, `--type ` | `$SENSOR_TYPE` | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `falcon-imageanalyzer`, `kpagent`, `fcs`, `falcon-jobcontroller`, `falcon-registryassessmentexecutor`] ([see more details below](#sensor-types)) | +| `--runtime` | `$CONTAINER_TOOL` | `docker` (Optional) | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**. | +| `--dump-credentials` | `$CREDS` | `False` (Optional) | Print registry credentials to stdout to copy/paste into container tools | +| `--get-image-path` | N/A | `None` | Get the full image path including the registry, repository, and latest tag for the specified `SENSOR_TYPE`. | +| `--get-pull-token` | N/A | `None` | Get the pull token of the selected `SENSOR_TYPE` for Kubernetes. | +| `--get-cid` | N/A | `None` | Get the CID assigned to the API Credentials. | +| `--list-tags` | `$LISTTAGS` | `False` (Optional) | List all tags available for the selected sensor | +| `--allow-legacy-curl` | `$ALLOW_LEGACY_CURL` | `False` (Optional) | Allow the script to run with an older version of cURL | +| `-h`, `--help` | N/A | `None` | Display help message | --- > **Note**: **Internal flags are for CrowdStrike internal use only. Internal flags do not provide any functionality to end customers.** 
@@ -136,15 +148,17 @@ Help Options: The following sensor types are available to download: -| Sensor Image Name | Description | -| :------------------------------- | :---------------------------------------------------- | -| `falcon-sensor` | The Falcon sensor for Linux as a DaemonSet deployment | -| `falcon-container` **(default)** | The Falcon Container sensor for Linux | -| `falcon-kac` | The Falcon Kubernetes Admission Controller | -| `falcon-snapshot` | The Falcon Snapshot scanner | -| `falcon-imageanalyzer` | The Falcon Image Assessment at Runtime | -| `kpagent` | The Falcon Kubernetes Protection Agent | -| `fcs` | The Falcon Cloud Security CLI tool | +| Sensor Image Name | Description | +| :---------------------------------- | :---------------------------------------------------- | +| `falcon-sensor` | The Falcon sensor for Linux as a DaemonSet deployment | +| `falcon-container` **(default)** | The Falcon Container sensor for Linux | +| `falcon-kac` | The Falcon Kubernetes Admission Controller | +| `falcon-snapshot` | The Falcon Snapshot scanner | +| `falcon-imageanalyzer` | The Falcon Image Assessment at Runtime | +| `kpagent` | The Falcon Kubernetes Protection Agent | +| `fcs` | The Falcon Cloud Security CLI tool | +| `falcon-jobcontroller` | The Self Hosted Registry Assessment Jobs Controller | +| `falcon-registryassessmentexecutor` | The Self Hosted Registry Assessment Executor | ### Examples diff --git a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh index 085104c..90a76b9 100755 --- a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh +++ b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh 
@@ -22,7 +22,19 @@ Optional Flags:
 -c, --copy Registry to copy the image to, e.g., myregistry.com/mynamespace
 -v, --version Specify sensor version to retrieve from the registry
 -p, --platform Specify sensor platform to retrieve, e.g., x86_64, aarch64
- -t, --type Specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent|fcs] (Default: falcon-container)
+ -t, --type Specify which sensor to download (Default: falcon-container)
+
+ Available sensor types:
+ -----------------------
+ falcon-container
+ falcon-sensor
+ falcon-kac
+ falcon-snapshot
+ falcon-imageanalyzer
+ kpagent
+ fcs
+ falcon-jobcontroller
+ falcon-registryassessmentexecutor
 --runtime Use a different container runtime [docker, podman, skopeo] (Default: docker)
 --dump-credentials Print registry credentials to stdout to copy/paste into container tools
@@ -278,7 +290,7 @@ format_tags() {
 local all_tags=$1
 case "${SENSOR_TYPE}" in
- "kpagent" | "falcon-snapshot" | "falcon-imageanalyzer" | "fcs")
+ "kpagent" | "falcon-snapshot" | "falcon-imageanalyzer" | "fcs" | "falcon-jobcontroller" | "falcon-registryassessmentexecutor")
 echo "$all_tags" | sed -n 's/.*"tags" : \[\(.*\)\].*/\1/p' | tr -d '"' | tr ',' '\n' |
@@ -416,7 +428,7 @@ detect_container_tool() {
 display_api_scopes() {
 local sensor_type=$1
 case "${sensor_type}" in
- falcon-sensor | falcon-container | falcon-kac | falcon-imageanalyzer)
+ falcon-sensor | falcon-container | falcon-kac | falcon-imageanalyzer | falcon-jobcontroller | falcon-registryassessmentexecutor)
 echo "Sensor Download [read], Falcon Images Download [read]"
 ;;
 kpagent)
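Review bot: The accepted `--type` values are now hand-maintained in four places in this file — the usage text in this hunk, the `case` arms in `format_tags` (@@ -278) and `display_api_scopes` (@@ -416), and both the `case` pattern and the `die` message in the validation block (@@ -459) — on top of the README, so every new image (as #384 adds two here) has to be threaded through each copy, and a type missed in one of the `case` arms quietly takes whatever that arm's fallback does. A single `readonly VALID_SENSOR_TYPES` constant near the top of the script can drive the validation and its error text directly, and the usage heredoc could print the same variable instead of its own list; `format_tags` and `display_api_scopes` still need their own arms because they group types by behaviour, but a comment on each arm saying what the grouping means would make a missed type visible at review time. A sketch of the validation block built from the constant follows; `format_tags`'s body continues past the end of its hunk.
```shell
# Single source of truth for the accepted --type values; keep the README in sync.
readonly VALID_SENSOR_TYPES="falcon-container falcon-sensor falcon-kac falcon-snapshot falcon-imageanalyzer kpagent fcs falcon-jobcontroller falcon-registryassessmentexecutor"

# … unchanged: everything between the globals and the validation block …

# Check if SENSOR_TYPE is one of the accepted values (whole-word match against the list;
# an empty SENSOR_TYPE does not match because the list has no double spaces)
case " ${VALID_SENSOR_TYPES} " in
*" ${SENSOR_TYPE} "*) ;;
# shellcheck disable=SC2086 -- word-splitting the constant list is intentional
*) die """
    Unrecognized sensor type: ${SENSOR_TYPE}
    Valid values are:
$(printf '        %s\n' ${VALID_SENSOR_TYPES})""" ;;
esac
```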
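Review bot: Grouping the two SHRA images into the `format_tags` arm for kpagent, falcon-snapshot, falcon-imageanalyzer and fcs commits them to a tag listing that matches `"tags" : [...]` (with the space before the colon), which is all that `sed -n 's/.*"tags" : \[\(.*\)\].*/\1/p'` on the next line will extract; nothing in the hunk or the commit message says this was checked against the `falcon-selfhostedregistryassessment` registry, and if the response is shaped differently the `sed` prints nothing, so `--list-tags` would come back empty rather than failing. Worth confirming with a real `--list-tags` run for both new types, and recording the reason the arm is shared in a comment such as `# registries whose tag listing is a JSON "tags" array; the other arm handles the remaining types` (adjust to what the other arm, which is outside this hunk, actually parses). `format_tags` continues past the end of this hunk.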
@@ -459,10 +471,19 @@ fi
 # Check if SENSOR_TYPE is set to a valid value
 case "${SENSOR_TYPE}" in
- falcon-container | falcon-sensor | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs) ;;
+ falcon-container | falcon-sensor | falcon-kac | falcon-snapshot | falcon-imageanalyzer | kpagent | fcs | falcon-jobcontroller | falcon-registryassessmentexecutor) ;;
 *) die """
 Unrecognized sensor type: ${SENSOR_TYPE}
- Valid values are [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|falcon-imageanalyzer|kpagent|fcs]""" ;;
+ Valid values are:
+ falcon-container
+ falcon-sensor
+ falcon-kac
+ falcon-snapshot
+ falcon-imageanalyzer
+ kpagent
+ fcs
+ falcon-jobcontroller
+ falcon-registryassessmentexecutor""" ;;
 esac
 #Check all mandatory variables set
@@ -586,6 +607,16 @@ elif [ "${SENSOR_TYPE}" = "fcs" ]; then
 IMAGE_NAME="fcs"
 repository_name="$BUILD_STAGE/cs-fcs"
 registry_type="iac"
+elif [ "${SENSOR_TYPE}" = "falcon-jobcontroller" ]; then
+ # overrides for Job Controller
+ IMAGE_NAME="falcon-jobcontroller"
+ repository_name="$BUILD_STAGE/falcon-jobcontroller"
+ registry_opts="falcon-selfhostedregistryassessment"
+elif [ "${SENSOR_TYPE}" = "falcon-registryassessmentexecutor" ]; then
+ # overrides for Registry Assessment Executor
+ IMAGE_NAME="falcon-registryassessmentexecutor"
+ repository_name="$BUILD_STAGE/falcon-registryassessmentexecutor"
+ registry_opts="falcon-selfhostedregistryassessment"
 fi
 #Set Docker token using the BEARER token captured earlier
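Review bot: The two new `elif` branches in the @@ -586 hunk are the same block with the type name substituted, and both end by setting `registry_opts` while the `fcs` branch directly above sets a differently named `registry_type="iac"`; the hunk does not show which of those two the token request after the `fi` reads, so please confirm `registry_opts` is the variable the `falcon-selfhostedregistryassessment` value has to land in and that `registry_type` does not need a value for these types. The pair collapses into one branch keyed on `${SENSOR_TYPE}`, which also removes the chance of the two drifting apart on the next edit, and the comment should say what the `registry_opts` value selects, since "overrides for Job Controller" does not. The `if`/`elif` chain starts before this hunk.
```shell
# … unchanged: earlier elif branches …
elif [ "${SENSOR_TYPE}" = "falcon-jobcontroller" ] || [ "${SENSOR_TYPE}" = "falcon-registryassessmentexecutor" ]; then
    # Self Hosted Registry Assessment (SHRA) images: image and repository are named
    # after the sensor type; registry_opts is the registry selector handed to the
    # token request below (TODO confirm that is the variable it reads)
    IMAGE_NAME="${SENSOR_TYPE}"
    repository_name="$BUILD_STAGE/${SENSOR_TYPE}"
    registry_opts="falcon-selfhostedregistryassessment"
fi
```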