diff --git a/bundle.Dockerfile b/bundle.Dockerfile index ee2aa1d6..8877c0ff 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -8,7 +8,7 @@ LABEL operators.operatorframework.io.bundle.package.v1=falcon-operator LABEL operators.operatorframework.io.bundle.channels.v1=alpha LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.30.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 -LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v3 +LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4-alpha # Labels for testing. LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 diff --git a/bundle/manifests/falcon-operator.clusterserviceversion.yaml b/bundle/manifests/falcon-operator.clusterserviceversion.yaml index 09d4430d..08e02b01 100644 --- a/bundle/manifests/falcon-operator.clusterserviceversion.yaml +++ b/bundle/manifests/falcon-operator.clusterserviceversion.yaml @@ -101,7 +101,7 @@ metadata: capabilities: Basic Install categories: Security,Monitoring containerImage: quay.io/crowdstrike/falcon-operator - createdAt: "2023-10-25T21:27:38Z" + createdAt: "2023-10-30T20:05:26Z" description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster operatorframework.io/suggested-namespace: falcon-operator operators.operatorframework.io/builder: operator-sdk-v1.29.0 
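Review bot: the `bundle.Dockerfile` hunk changes `project_layout` to `go.kubebuilder.io/v4-alpha`, but the builder versions around it disagree: `bundle.Dockerfile` carries `operators.operatorframework.io.metrics.builder=operator-sdk-v1.30.0` while the bundle CSV in the next hunk still says `operators.operatorframework.io/builder: operator-sdk-v1.29.0`. If the bundle was regenerated with operator-sdk 1.30.0 the CSV annotation should have moved with it; if it was not, the Dockerfile label is the stale one. Also confirm that `v4-alpha` is the intended layout rather than the stable `go.kubebuilder.io/v4`, since the `-alpha` suffix implies the project was scaffolded on a pre-release plugin, and check `bundle/metadata/annotations.yaml`, which normally mirrors these labels and does not appear in this patch.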
@@ -606,15 +606,16 @@ spec: path: node.updateStrategy.type version: v1alpha1 description: |- - The CrowdStrike Falcon Operator installs the CrowdStrike Falcon Container Sensor or CrowdStrike Falcon Node Sensor on a Kubernetes cluster. + The CrowdStrike Falcon Operator installs CrowdStrike Falcon custom resources on a Kubernetes cluster. ## About the CrowdStrike Falcon Operator - The CrowdStrike Falcon Operator deploys CrowdStrike Falcon Workload Protection to the cluster. The operator exposes 2 custom resources that allows you to deploy either the Falcon Container Sensor or Falcon Node Sensor. + The CrowdStrike Falcon Operator deploys CrowdStrike Falcon to the cluster. The operator exposes custom resources that allow you to protect your Kubernetes clusters when deployed. ## About Custom Resources | Custom Resource | Description | | :-------- | :------------ | + | [FalconAdmission](https://github.com/CrowdStrike/falcon-operator/tree/main/docs/resources/admission/README.md) | Manages installation of Falcon Admission Controller on the cluster | | [FalconContainer](https://github.com/CrowdStrike/falcon-operator/tree/main/docs/resources/container/README.md) | Manages installation of Falcon Container Sensor on the cluster | | [FalconNodeSensor](https://github.com/CrowdStrike/falcon-operator/tree/main/docs/resources/node/README.md) | Manages installation of Falcon Linux Sensor on the cluster nodes | diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml index eb7a61f2..50521026 100644 --- a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml 
@@ -509,15 +509,16 @@ spec: path: node.updateStrategy.type version: v1alpha1 description: |- - The CrowdStrike Falcon Operator installs the CrowdStrike Falcon Container Sensor or CrowdStrike Falcon Node Sensor on a Kubernetes cluster. + The CrowdStrike Falcon Operator installs CrowdStrike Falcon custom resources on a Kubernetes cluster. ## About the CrowdStrike Falcon Operator - The CrowdStrike Falcon Operator deploys CrowdStrike Falcon Workload Protection to the cluster. The operator exposes 2 custom resources that allows you to deploy either the Falcon Container Sensor or Falcon Node Sensor. + The CrowdStrike Falcon Operator deploys CrowdStrike Falcon to the cluster. The operator exposes custom resources that allow you to protect your Kubernetes clusters when deployed. ## About Custom Resources | Custom Resource | Description | | :-------- | :------------ | + | [FalconAdmission](https://github.com/CrowdStrike/falcon-operator/tree/main/docs/resources/admission/README.md) | Manages installation of Falcon Admission Controller on the cluster | | [FalconContainer](https://github.com/CrowdStrike/falcon-operator/tree/main/docs/resources/container/README.md) | Manages installation of Falcon Container Sensor on the cluster | | [FalconNodeSensor](https://github.com/CrowdStrike/falcon-operator/tree/main/docs/resources/node/README.md) | Manages installation of Falcon Linux Sensor on the cluster nodes | diff --git a/docs/deployment/azure/README.md b/docs/deployment/azure/README.md index a21245b2..ef859ca3 100644 --- a/docs/deployment/azure/README.md +++ b/docs/deployment/azure/README.md 
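Review bot: the new first sentence of the CSV description, `The CrowdStrike Falcon Operator installs CrowdStrike Falcon custom resources on a Kubernetes cluster.`, is inaccurate: the operator defines the custom resources and installs the Falcon components (node sensor, sidecar sensor, admission controller) that those resources describe. Suggest something like `installs CrowdStrike Falcon sensors and the Falcon Admission Controller on a Kubernetes cluster, configured through custom resources`. Since `bundle/manifests/falcon-operator.clusterserviceversion.yaml` is generated from `config/manifests/bases/falcon-operator.clusterserviceversion.yaml`, make the wording change in the base and regenerate the bundle so the two copies cannot drift.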
@@ -1,7 +1,8 @@ # Deployment Guide for Azure and AKS -This document will guide you through the installation of the Falcon Operator and deployment of the following resources provdied by the Falcon Operator: -- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ACR (Azure Container Registry). +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to ACR (Azure Container Registry). +- [FalconContainer](../../resources/container/README.md) with the Falcon Container image being mirrored from CrowdStrike container registry to ACR (Azure Container Registry). - [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites @@ -18,6 +19,9 @@ This document will guide you through the installation of the Falcon Operator and ## Installing the Falcon Operator +
+ Click to expand + - Set up a new Kubernetes cluster or use an existing one. - Install the Falcon Operator by running the following command: @@ -25,21 +29,30 @@ This document will guide you through the installation of the Falcon Operator and kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ### Deploying the Falcon Node Sensor +
+ Click to expand + After the Falcon Operator has deployed, you can now deploy the Falcon Node Sensor: - Deploy FalconNodeSensor through the cli using the `kubectl` command: ```sh kubectl create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
### Deploying the Falcon Container Sidecar Sensor + +
+ Click to expand #### Configure ACR Registry - Either create or use an existing ACR registry. Make sure to store the ACR registry name in an environment variable. ```sh - ACR_NAME=my-acr-registy-name + ACR_NAME=my-acr-registry-name ``` #### Manual installation of ACR push secret @@ -85,6 +98,20 @@ The Image push secret is used by the operator to mirror the Falcon Container sen +
+ +### Deploying the Falcon Admission Controller + +
+ Click to expand + +- Create a new FalconAdmission resource + ```sh + kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/azure/falconadmission.yaml --edit=true + ``` + +
+ ## Uninstalling > [!WARNING] @@ -92,24 +119,52 @@ The Image push secret is used by the operator to mirror the Falcon Container sen ### Uninstalling the Falcon Node Sensor +
+ Click to expand + Remove the FalconNodeSensor resource by running: ```sh kubectl delete falconnodesensor -A --all ``` +
+ ### Uninstalling the Falcon Container Sidecar Sensor +
+ Click to expand + Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster: ```sh kubectl delete falconcontainers --all ``` +
+ +### Uninstalling the Falcon Admission Controller + +
+ Click to expand + +Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + +```sh +kubectl delete falconadmission --all +``` + +
+ ### Uninstalling the Falcon Operator +
+ Click to expand + Delete the Falcon Operator deployment by running: ```sh kubectl delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` + +
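Review bot: the new `### Deploying the Falcon Admission Controller` section in the Azure guide goes straight to `kubectl create -f .../azure/falconadmission.yaml --edit=true`, yet the guide's intro says the admission controller image is mirrored into ACR, and the only ACR setup (`ACR_NAME`, the `#### Manual installation of ACR push secret` steps) now sits inside the collapsed sidecar sensor section. A reader who wants only the admission controller will skip that block and the mirror will fail for lack of push credentials. Either open the admission section with a sentence that the `Configure ACR Registry` and push-secret steps are prerequisites, or move those steps into a shared subsection that precedes both deployments.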
diff --git a/docs/deployment/azure/falconadmission.yaml b/docs/deployment/azure/falconadmission.yaml new file mode 100644 index 00000000..531af854 --- /dev/null +++ b/docs/deployment/azure/falconadmission.yaml @@ -0,0 +1,14 @@ +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: acr + acr_name: PLEASE_FILL_IN + injector: + azureConfigPath: "/etc/kubernetes/azure.json" diff --git a/docs/deployment/azure/falconcontainer.yaml b/docs/deployment/azure/falconcontainer.yaml index 98d7921e..bd4a2787 100644 --- a/docs/deployment/azure/falconcontainer.yaml +++ b/docs/deployment/azure/falconcontainer.yaml @@ -1,7 +1,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/deployment/eks-fargate/README.md b/docs/deployment/eks-fargate/README.md index 3265690e..abfb8626 100644 --- a/docs/deployment/eks-fargate/README.md +++ b/docs/deployment/eks-fargate/README.md 
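Review bot: `docs/deployment/azure/falconadmission.yaml` ends with an `injector:` block (`azureConfigPath: "/etc/kubernetes/azure.json"`), which is the FalconContainer key carried over from the neighbouring `falconcontainer.yaml`; the FalconAdmission examples elsewhere in this patch configure the admission controller under `admissionConfig` (see the `admissionConfig.serviceAccount.annotations` snippet in the EKS Fargate guide). Unless the FalconAdmission CRD really declares `spec.injector`, the API server will either reject the object or silently prune the field, and the ACR pull configuration on AKS will not take effect. Check the CRD schema and either move the setting under the admission controller's own key or drop it if the admission controller does not consume the Azure cloud config.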
@@ -1,7 +1,8 @@ # Deployment Guide for EKS Fargate and ECR -This document will guide you through the installation of the Falcon Operator and deployment of the following resources provdied by the Falcon Operator: -- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry. +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to ECR registry. +- [FalconContainer](../../resources/container/README.md) with the Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to ECR registry. ## Prerequisites @@ -17,7 +18,11 @@ This document will guide you through the installation of the Falcon Operator and ## Installing the Falcon Operator -- Set up a new Kubernetes cluster or use an existing one.- Create an EKS Fargate profile for the operator: +
+ Click to expand + +- Set up a new Kubernetes cluster or use an existing one. +- Create an EKS Fargate profile for the operator: ```sh eksctl create fargateprofile \ --region "$AWS_REGION" \ @@ -31,8 +36,13 @@ This document will guide you through the installation of the Falcon Operator and kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ### Deploying the Falcon Container Sidecar Sensor +
+ Click to expand + #### Create the FalconContainer resource - Create an EKS Fargate profile for the FalconContainer resource deployment: @@ -44,36 +54,91 @@ This document will guide you through the installation of the Falcon Operator and --namespace falcon-system ``` + - Create a new FalconContainer resource ```sh - kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/falconcontainer.yaml --edit=true + kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks-fargate/falconcontainer.yaml --edit=true + ``` + + + +
+ +### Deploying the Falcon Admission Controller + +
+ Click to expand + +- Create an EKS Fargate profile for the FalconAdmission resource deployment: + ```sh + eksctl create fargateprofile \ + --region "$AWS_REGION" \ + --cluster eks-fargate-cluster \ + --name fp-falcon-kac \ + --namespace falcon-kac ``` +- Create a new FalconAdmission resource + ```sh + kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks-fargate/falconadmission.yaml --edit=true + ``` + +
## Uninstalling > [!WARNING] > It is essential to uninstall ALL of the deployed custom resources before uninstalling the Falcon Operator to ensure proper cleanup. + + ### Uninstalling the Falcon Container Sidecar Sensor +
+ Click to expand + Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster: ```sh kubectl delete falconcontainers --all ``` +
+ +### Uninstalling the Falcon Admission Controller + +
+ Click to expand + +Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + +```sh +kubectl delete falconadmission --all +``` + +
+ ### Uninstalling the Falcon Operator +
+ Click to expand + Delete the Falcon Operator deployment by running: ```sh kubectl delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ## Configuring IAM Role to allow ECR Access on EKS Fargate +### Configure IAM Role for ECR Access for the Sidecar Injector + +
+ Click to expand + When the Falcon Container Injector is installed on EKS Fargate, the following error message may appear in the injector logs: ``` @@ -87,10 +152,13 @@ Conceptually, the following tasks need to be done in order to enable ECR pull fr - Create IAM Policy for ECR image pull - Create IAM Role for the injector -- Assign the IAM Role to the injector (and set-up a proper trust relationship on the role and OIDC indentity provider) +- Assign the IAM Role to the injector (and set-up a proper trust relationship on the role and OIDC identity provider) - Put IAM Role ARN into your Falcon Container resource for re-deployments -### Assigning AWS IAM Role to Falcon Container Injector +#### Assigning AWS IAM Role to Falcon Container Injector + +
+ Click to expand Using `aws`, `eksctl`, and `kubectl` command-line tools, perform the following steps: @@ -174,3 +242,110 @@ Using `aws`, `eksctl`, and `kubectl` command-line tools, perform the following s ```sh kubectl create -f ./my-falcon-container.yaml ``` + +
+
+ +### Configure IAM Role for ECR Access for the Admission Controller + +
+ Click to expand + +When the Falcon Admission Controller is installed on EKS Fargate, you may need to enable ECR access for the admission controller. +Conceptually, the following tasks need to be done in order to enable ECR pull from the admission controller: + +- Create IAM Policy for ECR image pull +- Create IAM Role for the admission controller +- Assign the IAM Role to the admission controller (and set-up a proper trust relationship on the role and OIDC identity provider) +- Put IAM Role ARN into your Falcon Admission resource for re-deployments + +#### Assigning AWS IAM Role to Falcon Admission Controller + +
+ Click to expand + +Using `aws`, `eksctl`, and `kubectl` command-line tools, perform the following steps: + +- Set up your shell environment variables + ```sh + export AWS_REGION="insert your region" + export EKS_CLUSTER_NAME="insert your cluster name" + + export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + iam_policy_name="FalconAdmissionEcrPull" + iam_policy_arn="arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${iam_policy_name}" + ``` + +- Create AWS IAM Policy for ECR image pulling + ```sh + cat <<__END__ > policy.json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowImagePull", + "Effect": "Allow", + "Action": [ + "ecr:BatchGetImage", + "ecr:DescribeImages", + "ecr:GetDownloadUrlForLayer", + "ecr:ListImages" + ], + "Resource": "*" + }, + { + "Sid": "AllowECRSetup", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken" + ], + "Resource": "*" + } + ] + } + __END__ + + aws iam create-policy \ + --region "$AWS_REGION" \ + --policy-name ${iam_policy_name} \ + --policy-document 'file://policy.json' \ + --description "Policy to enable Falcon Admission Controller to pull container image from ECR" + ``` + +- Assign the newly created policy to the kubernetes ServiceAccount of Falcon Admission Controller + ```sh + eksctl create iamserviceaccount \ + --name falcon-operator-admission-controller \ + --namespace falcon-kac \ + --region "$AWS_REGION" \ + --cluster "${EKS_CLUSTER_NAME}" \ + --attach-policy-arn "${iam_policy_arn}" \ + --approve \ + --override-existing-serviceaccounts + ``` + +- Verify that the IAM Role (not to be confused with IAM Policy) has been assigned to the ServiceAccount by the previous command: + ```sh + kubectl get sa -n falcon-kac falcon-operator-admission-controller -o=jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}' + ``` + +- Delete the previously deployed FalconAdmission resource: + ```sh + kubectl delete falconadmission --all + ``` + +- Add Role ARN to your FalconAdmission yaml 
file: + ```yaml + admissionConfig: + serviceAccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::12345678910:role/eksctl-demo-cluster-addon-iamservic-Role1-J78KUNY32R1 + ``` + +- Deploy the FalconAdmission resource with the IAM role changes: + ```sh + kubectl create -f ./my-falcon-admission.yaml + ``` + +
+
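Review bot: the ECR pull policy in the new `Configure IAM Role for ECR Access for the Admission Controller` section grants `ecr:BatchGetImage`, `ecr:DescribeImages`, `ecr:GetDownloadUrlForLayer` and `ecr:ListImages` on `"Resource": "*"`, which is read access to every repository in the account for a role that only needs to pull the mirrored admission controller image. Scope the `AllowImagePull` statement to the ECR repository the operator mirrors into; only `ecr:GetAuthorizationToken` genuinely needs `*`. Two smaller points in the same hunk: the example `arn:aws:iam::12345678910:role/...` has an 11-digit account ID, and AWS account IDs are 12 digits, so use an obviously fake `123456789012`; and the sequence `kubectl delete falconadmission --all`, edit the yaml, `kubectl create -f ./my-falcon-admission.yaml` should say why the role ARN must be carried in `admissionConfig.serviceAccount.annotations` instead of relying on the annotation `eksctl` just applied (presumably because the operator recreates the ServiceAccount on re-deploy), otherwise readers will skip the delete and re-create step.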
diff --git a/docs/deployment/eks-fargate/falconadmission.yaml b/docs/deployment/eks-fargate/falconadmission.yaml new file mode 100644 index 00000000..86c4421b --- /dev/null +++ b/docs/deployment/eks-fargate/falconadmission.yaml @@ -0,0 +1,11 @@ +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: ecr diff --git a/docs/deployment/eks-fargate/falconcontainer.yaml b/docs/deployment/eks-fargate/falconcontainer.yaml index ae8acb47..e8c62fd4 100644 --- a/docs/deployment/eks-fargate/falconcontainer.yaml +++ b/docs/deployment/eks-fargate/falconcontainer.yaml @@ -1,7 +1,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/deployment/eks/README.md b/docs/deployment/eks/README.md index 2495777e..3ff60385 100644 --- a/docs/deployment/eks/README.md +++ b/docs/deployment/eks/README.md 
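Review bot: `docs/deployment/eks-fargate/falconadmission.yaml` has no `admissionConfig` block, although the same guide's IAM section tells the reader to add `admissionConfig.serviceAccount.annotations` with `eks.amazonaws.com/role-arn` to "your FalconAdmission yaml file" and then to deploy `./my-falcon-admission.yaml`, a file the guide never shows being created. Consider shipping the sample with a commented-out `admissionConfig.serviceAccount.annotations` placeholder so the `--edit=true` flow and the IAM section operate on the same file, and use one file name throughout (`falconadmission.yaml` vs `my-falcon-admission.yaml`).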
@@ -1,7 +1,8 @@ # Deployment Guide for EKS and ECR -This document will guide you through the installation of the Falcon Operator and deployment of the following resources provdied by the Falcon Operator: -- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry. +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to ECR registry. +- [FalconContainer](../../resources/container/README.md) with the Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to ECR registry. - [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites @@ -18,6 +19,9 @@ This document will guide you through the installation of the Falcon Operator and ## Installing the Falcon Operator +
+ Click to expand + - Set up a new Kubernetes cluster or use an existing one. The EKS cluster that runs Falcon Operator needs to have the [IAM OIDC provider](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) installed. The IAM OIDC provider associates AWS IAM roles with EKS workloads. Please review [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) to understand how the IAM OIDC provider works before proceeding. @@ -37,17 +41,26 @@ Please review [AWS documentation](https://docs.aws.amazon.com/eks/latest/usergui kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ### Deploying the Falcon Node Sensor +
+ Click to expand + After the Falcon Operator has deployed, you can now deploy the Falcon Node Sensor: - Deploy FalconNodeSensor through the cli using the `kubectl` command: ```sh kubectl create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
### Deploying the Falcon Container Sidecar Sensor +
+ Click to expand + #### Create the FalconContainer resource - Create a new FalconContainer resource @@ -67,6 +80,20 @@ After the Falcon Operator has deployed, you can now deploy the Falcon Node Senso > [!NOTE] > This script should be run as in the cloud shell session directly as some command line tools may be installed in the process. +
+ +### Deploying the Falcon Admission Controller + +
+ Click to expand + +- Create a new FalconAdmission resource + ```sh + kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/falconadmission.yaml --edit=true + ``` + +
+ ## Uninstalling > [!WARNING] @@ -74,24 +101,52 @@ After the Falcon Operator has deployed, you can now deploy the Falcon Node Senso ### Uninstalling the Falcon Node Sensor +
+ Click to expand + Remove the FalconNodeSensor resource by running: ```sh kubectl delete falconnodesensor -A --all ``` +
+ ### Uninstalling the Falcon Container Sidecar Sensor +
+ Click to expand + Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster: ```sh kubectl delete falconcontainers --all ``` +
+ +### Uninstalling the Falcon Admission Controller + +
+ Click to expand + +Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + +```sh +kubectl delete falconadmission --all +``` + +
+ ### Uninstalling the Falcon Operator +
+ Click to expand + Delete the Falcon Operator deployment by running: ```sh kubectl delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` + +
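Review bot: the EKS guide's intro hunk promises that for FalconAdmission `A new AWS IAM Policy will be created to allow the operator to push to ECR registry`, but the new `### Deploying the Falcon Admission Controller` section only runs `kubectl create -f .../eks/falconadmission.yaml --edit=true` with `registry.type: ecr`; the IAM policy and role creation happens in the `run` script referenced from the sidecar section (`This script should be run as in the cloud shell session directly ...`). State in the admission section that the operator's ECR push role from the sidecar section (or the `run` script) must already be in place, otherwise the mirror to ECR has no credentials and the resource will sit in an error state.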
diff --git a/docs/deployment/eks/falconadmission.yaml b/docs/deployment/eks/falconadmission.yaml new file mode 100644 index 00000000..86c4421b --- /dev/null +++ b/docs/deployment/eks/falconadmission.yaml @@ -0,0 +1,11 @@ +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: ecr diff --git a/docs/deployment/eks/falconcontainer.yaml b/docs/deployment/eks/falconcontainer.yaml index ae8acb47..e8c62fd4 100644 --- a/docs/deployment/eks/falconcontainer.yaml +++ b/docs/deployment/eks/falconcontainer.yaml @@ -1,7 +1,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/deployment/eks/run b/docs/deployment/eks/run index a121f810..dc7ca2be 100644 --- a/docs/deployment/eks/run +++ b/docs/deployment/eks/run @@ -157,7 +157,7 @@ fi kubectl wait --timeout=240s --for=condition=Available -n $OPERATOR_NAMESPACE deployment falcon-operator-controller-manager # Let the user edit the falconcontainer configuration -if ! kubectl get falconcontainers.falcon.crowdstrike.com default > /dev/null 2>&1; then +if ! kubectl get falconcontainers.falcon.crowdstrike.com falcon-sidecar-sensor > /dev/null 2>&1; then kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/falconcontainer.yaml --edit=true fi diff --git a/docs/deployment/generic/README.md b/docs/deployment/generic/README.md index cd63c7f1..7f4cc189 100644 --- a/docs/deployment/generic/README.md +++ b/docs/deployment/generic/README.md 
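Review bot: the `docs/deployment/eks/run` hunk updates the existence check to `kubectl get falconcontainers.falcon.crowdstrike.com falcon-sidecar-sensor` to match the `metadata.name` change from `default` to `falcon-sidecar-sensor` in every `falconcontainer.yaml` sample, but I do not see a matching change to `docs/deployment/gke/run` in this diff, which the GKE guide still tells users to source (`source <(curl -s .../docs/deployment/gke/run)`). If that script has the same guard keyed on `default`, it will now always report the resource missing and try to create it again; check it and any other script that looks up the old name. The rename also deserves a release-note line, since an existing `default` FalconContainer is no longer what the docs and scripts look for.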
@@ -1,7 +1,8 @@ # Deployment Guide for Kubernetes -This document will guide you through the installation of the Falcon Operator and deployment of the following resources provdied by the Falcon Operator: -- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to . +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to . +- [FalconContainer](../../resources/container/README.md) with the Falcon Container image being mirrored from CrowdStrike container registry to . - [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites @@ -18,6 +19,9 @@ This document will guide you through the installation of the Falcon Operator and ## Installing the Falcon Operator +
+ Click to expand + - Set up a new Kubernetes cluster or use an existing one. - Install the Falcon Operator by running the following command: @@ -25,17 +29,26 @@ This document will guide you through the installation of the Falcon Operator and kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ### Deploying the Falcon Node Sensor +
+ Click to expand + After the Falcon Operator has deployed, you can now deploy the Falcon Node Sensor: - Deploy FalconNodeSensor through the cli using the `kubectl` command: ```sh kubectl create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
### Deploying the Falcon Container Sidecar Sensor +
+ Click to expand + #### Create the FalconContainer resource - Create a new FalconContainer resource @@ -45,6 +58,20 @@ After the Falcon Operator has deployed, you can now deploy the Falcon Node Senso +
+ +### Deploying the Falcon Admission Controller + +
+ Click to expand + +- Create a new FalconAdmission resource + ```sh + kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/generic/falconadmission.yaml --edit=true + ``` + +
+ ## Uninstalling > [!WARNING] @@ -52,24 +79,52 @@ After the Falcon Operator has deployed, you can now deploy the Falcon Node Senso ### Uninstalling the Falcon Node Sensor +
+ Click to expand + Remove the FalconNodeSensor resource by running: ```sh kubectl delete falconnodesensor -A --all ``` +
+ ### Uninstalling the Falcon Container Sidecar Sensor +
+ Click to expand + Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster: ```sh kubectl delete falconcontainers --all ``` +
+ +### Uninstalling the Falcon Admission Controller + +
+ Click to expand + +Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + +```sh +kubectl delete falconadmission --all +``` + +
+ ### Uninstalling the Falcon Operator +
+ Click to expand + Delete the Falcon Operator deployment by running: ```sh kubectl delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` + +
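Review bot: both bullets in the generic guide's intro hunk end with `mirrored from CrowdStrike container registry to .`, a dangling `to .` that the old line already had and that this patch copies into the new FalconAdmission bullet. The template evidently lost its registry name, and in the generic case there is none: `docs/deployment/generic/falconadmission.yaml` uses `registry.type: crowdstrike`, so nothing is mirrored at all. Rewrite both bullets as `... with the image pulled directly from the CrowdStrike container registry` or drop the clause.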
diff --git a/docs/deployment/generic/falconadmission.yaml b/docs/deployment/generic/falconadmission.yaml new file mode 100644 index 00000000..32547fac --- /dev/null +++ b/docs/deployment/generic/falconadmission.yaml @@ -0,0 +1,11 @@ +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: crowdstrike diff --git a/docs/deployment/generic/falconcontainer.yaml b/docs/deployment/generic/falconcontainer.yaml index 5df3e78c..e1cec0a4 100644 --- a/docs/deployment/generic/falconcontainer.yaml +++ b/docs/deployment/generic/falconcontainer.yaml @@ -1,7 +1,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/deployment/gke/README.md b/docs/deployment/gke/README.md index 5bd124a7..26dee642 100644 --- a/docs/deployment/gke/README.md +++ b/docs/deployment/gke/README.md 
@@ -1,7 +1,8 @@ # Deployment Guide for GKE and GCR -This document will guide you through the installation of the Falcon Operator and deployment of the following resources provdied by the Falcon Operator: -- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created. +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created. +- [FalconContainer](../../resources/container/README.md) with the Falcon Container image being mirrored from CrowdStrike container registry to GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created. - [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites @@ -18,6 +19,9 @@ This document will guide you through the installation of the Falcon Operator and ## Installing the Falcon Operator +
+ Click to expand + - Set up a new Kubernetes cluster or use an existing one. - Install the Falcon Operator by running the following command: @@ -25,16 +29,25 @@ This document will guide you through the installation of the Falcon Operator and kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ### Deploying the Falcon Node Sensor +
+ Click to expand + After the Falcon Operator has deployed, you can now deploy the Falcon Node Sensor: - Deploy FalconNodeSensor through the cli using the `kubectl` command: ```sh kubectl create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
### Deploying the Falcon Container Sidecar Sensor + +
+ Click to expand #### Create GCR push secret An image push secret is used by the operator to mirror Falcon Container image from CrowdStrike registry to your GCR. @@ -91,6 +104,20 @@ An image push secret is used by the operator to mirror Falcon Container image fr bash -c 'source <(curl -s https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/gke/run)' ``` +
+ +### Deploying the Falcon Admission Controller + +
+ Click to expand + +- Create a new FalconAdmission resource + ```sh + kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/gke/falconadmission.yaml --edit=true + ``` + +
+ ## Uninstalling > [!WARNING] @@ -98,28 +125,56 @@ An image push secret is used by the operator to mirror Falcon Container image fr ### Uninstalling the Falcon Node Sensor +
+ Click to expand + Remove the FalconNodeSensor resource by running: ```sh kubectl delete falconnodesensor -A --all ``` +
+ ### Uninstalling the Falcon Container Sidecar Sensor +
+ Click to expand + Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster: ```sh kubectl delete falconcontainers --all ``` +
+ +### Uninstalling the Falcon Admission Controller + +
+ Click to expand + +Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + +```sh +kubectl delete falconadmission --all +``` + +
+ ### Uninstalling the Falcon Operator +
+ Click to expand + Delete the Falcon Operator deployment by running: ```sh kubectl delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ ## GKE Autopilot configuration ### Setting the PriorityClass @@ -160,6 +215,9 @@ The sensor resource limits are only enabled when `backend: bpf`, which is a requ ### Enabling GKE Autopilot +
+ Click to expand + To enable GKE Autopilot and deploy the sensor running in user mode, configure the following settings: 1. Set the backend to run in user mode. @@ -219,6 +277,8 @@ node: value: amd64 ``` +
+ ## GKE Node Upgrades If the sidecar sensor has been deployed to your GKE cluster, you will want to explicitly disable CrowdStrike Falcon from monitoring using labels for the kube-public, kube-system, falcon-operator, and falcon-system namespaces. @@ -232,7 +292,12 @@ kubectl label namespace kube-public sensor.falcon-system.crowdstrike.com/injecti Because the Falcon Container sensor injector is configured to monitor all namespaces, setting the above labels will ensure that any pod related to k8 control plane and CrowdStrike Falcon are not forwarded to the injector. -## Granting GCP Workload Identity to Falcon Container Injector +## Enabling GCP Workload Identity + +### Enabling GCP Workload Identity for the Falcon Sidecar Injector + +
+ Click to expand The Falcon Container Injector may need [GCP Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to read GCR or Artifact Registry. In many cases, the GCP Workload Identity is assigned or inherited automatically. However if you @@ -249,8 +314,11 @@ Conceptually, the following tasks need to be done in order to enable GCR to pull - Allow Falcon Container to use the newly created Service Account - Put GCP Service Account handle into your Falcon Container resource for re-deployments -### Assigning GCP Workload Identity to Falcon Container Injector +#### Assigning GCP Workload Identity to Falcon Container Injector +
+ Click to expand + Using both `gcloud` and `kubectl` command-line tools, perform the following steps: - Set up your shell environment variables @@ -272,12 +340,12 @@ Using both `gcloud` and `kubectl` command-line tools, perform the following step --role roles/containerregistry.ServiceAgent ``` -- Allow Falcon Injector to use the newly created GCP Service Account +- Allow Falcon Sidecar Injector to use the newly created GCP Service Account ```sh gcloud iam service-accounts add-iam-policy-binding \ $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[falcon-system/default]" + --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[falcon-system/falcon-operator-sidecar-sensor]" ``` - Delete the previously deployed FalconContainer resource: @@ -289,7 +357,7 @@ Using both `gcloud` and `kubectl` command-line tools, perform the following step ```yaml spec: injector: - sa_annotations: + annotations: iam.gke.io/gcp-service-account: $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com ``` @@ -302,3 +370,80 @@ Using both `gcloud` and `kubectl` command-line tools, perform the following step ```sh kubectl create -f ./my-falcon-container.yaml ``` + +
+
+ +### Enabling GCP Workload Identity for the Falcon Admission Controller + +
+ Click to expand + +The Falcon Admission Controller may need [GCP Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) +to read GCR or Artifact Registry. In many cases, the GCP Workload Identity is assigned or inherited automatically. +Conceptually, the following tasks need to be done in order to enable GCR to pull from the injector: + +- Create GCP Service Account +- Grant GCR permissions to the newly created Service Account +- Allow Falcon Admission Controller to use the newly created Service Account +- Put GCP Service Account handle into your Falcon Admission resource for re-deployments + +#### Assigning GCP Workload Identity to Falcon Admission Controller + +
+ Click to expand + +Using both `gcloud` and `kubectl` command-line tools, perform the following steps: + +- Set up your shell environment variables + ```sh + GCP_SERVICE_ACCOUNT=falcon-admission-controller + + GCP_PROJECT_ID=$(gcloud config get-value core/project) + ``` + +- Create new GCP Service Account + ```sh + gcloud iam service-accounts create $GCP_SERVICE_ACCOUNT + ``` + +- Grant GCR permissions to the newly created Service Account + ```sh + gcloud projects add-iam-policy-binding $PROJECT_ID \ + --member "serviceAccount:$GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ + --role roles/containerregistry.ServiceAgent + ``` + +- Allow Falcon Admission Controller to use the newly created GCP Service Account + ```sh + gcloud iam service-accounts add-iam-policy-binding \ + $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[falcon-kac/falcon-operator-admission-controller]" + ``` + +- Delete the previously deployed FalconAdmission resource: + ```sh + kubectl delete falconadmission --all + ``` + +- Add the newly created Service Account to your FalconAdmission yaml file: + ```yaml + spec: + admissionConfig: + annotations: + iam.gke.io/gcp-service-account: $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com + ``` + + Do not forget to replace the service account name template with actual name + ```sh + echo "$GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com" + ``` + +- Deploy the FalconAdmission resource with the IAM role changes: + ```sh + kubectl create -f ./my-falcon-admission.yaml + ``` + +
+
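Review bot: the first hunk of docs/deployment/gke/README.md (`@@ -1,7 +1,8 @@`) promises, for the new FalconAdmission bullet, that the image is "mirrored from CrowdStrike container registry to GCR" and that "A new GCP service account for pushing to GCR registry will be created", but the new "Deploying the Falcon Admission Controller" section added in hunk `@@ -91,6 +104,20 @@` only runs `kubectl create -f .../falconadmission.yaml --edit=true` and never creates the push secret or service account that the sidecar section sets up under "Create GCR push secret". Either the admission section should reference the same push-secret steps (the sample `falconadmission.yaml` added in this patch sets `registry.type: gcr`, so the operator will need push credentials) or the intro sentence should be dropped for FalconAdmission.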
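Review bot: in hunk `@@ -289,7 +357,7 @@` the FalconContainer field is renamed from `sa_annotations` to `annotations` under `spec.injector`, yet the FalconContainer reference table touched in this same patch (docs/deployment/openshift/resources/container/README.md, hunk `@@ -61,7 +60,6 @@`) documents the field as `injector.serviceAccount.annotations`. A user following this guide would set `injector.annotations`, which the CRD would reject or silently ignore if the table is the correct one; please check the CRD schema and make both documents use the same path.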
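Review bot: in hunk `@@ -302,3 +370,80 @@` the line `gcloud projects add-iam-policy-binding $PROJECT_ID \` references `$PROJECT_ID`, but the preceding "Set up your shell environment variables" step only defines `GCP_PROJECT_ID`, so the command fails with an empty project argument, or worse, binds the role in whatever project an unrelated `PROJECT_ID` variable happens to name; it should read `gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \`. Two smaller points in the same hunk: the YAML snippet sets `spec.admissionConfig.annotations`, while the new FalconAdmission reference table in this patch documents `admissionConfig.serviceAccount.annotations`, so one of the two needs correcting; and the sentence "in order to enable GCR to pull from the injector" is copied from the sidecar section and should name the admission controller.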
diff --git a/docs/deployment/gke/falconadmission.yaml b/docs/deployment/gke/falconadmission.yaml new file mode 100644 index 00000000..56a7840d --- /dev/null +++ b/docs/deployment/gke/falconadmission.yaml @@ -0,0 +1,11 @@ +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: gcr diff --git a/docs/deployment/gke/falconcontainer.yaml b/docs/deployment/gke/falconcontainer.yaml index 0db7d854..26c2b28f 100644 --- a/docs/deployment/gke/falconcontainer.yaml +++ b/docs/deployment/gke/falconcontainer.yaml @@ -1,7 +1,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/deployment/gke/run b/docs/deployment/gke/run index a80dd19a..71c7084e 100644 --- a/docs/deployment/gke/run +++ b/docs/deployment/gke/run @@ -86,7 +86,7 @@ if ! kubectl get secret builder -n $FALCON_SYSTEM > /dev/null 2>&1; then kubectl create secret docker-registry -n $FALCON_SYSTEM builder --from-file .dockerconfigjson fi -if ! kubectl get falconcontainers.falcon.crowdstrike.com default > /dev/null 2>&1; then +if ! kubectl get falconcontainers.falcon.crowdstrike.com falcon-sidecar-sensor > /dev/null 2>&1; then kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/gke/falconcontainer.yaml --edit=true fi diff --git a/docs/deployment/openshift/README.md b/docs/deployment/openshift/README.md index e1603d5d..c2308b5b 100644 --- a/docs/deployment/openshift/README.md +++ b/docs/deployment/openshift/README.md 
@@ -1,6 +1,8 @@ # Deployment Guide for OpenShift -This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). + +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). +- [FalconContainer](resources/container/README.md) with Falcon Container image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). - [FalconNodeSensor](resources/node/README.md) custom resource to the cluster. You can choose to install the operator and custom resources through the [web console (GUI)](#installing-the-operator-through-the-web-console-gui) or through the [CLI](#installing-the-operator-through-the-cli). @@ -20,6 +22,9 @@ If you want to automate the deployment of the operator, the CLI method is recomm ## Installing the operator through the Web Console (GUI) +
+ Click to expand + - Authenticate to your OpenShift cluster ![OpenShift Web Console Login](images/ocp-login.png) @@ -49,6 +54,9 @@ If you want to automate the deployment of the operator, the CLI method is recomm ### Deploy the Node Sensor +
+ Click to expand + - To deploy the Falcon Node Sensor, click `Create Instance` for the `Falcon Node Sensor` Kind under the `Provided APIs` for the Falcon Operator. ![OpenShift CrowdStrike Falcon Node Sensor](images/ocp-fns.png) @@ -63,8 +71,13 @@ If you want to automate the deployment of the operator, the CLI method is recomm - If more configuration is needed for your organization or deployment, `Falcon Sensor Configuration` will provide additional ways to configure the CrowdStrike Falcon Sensor. `DaemonSet Configuration` provides more ways to configure deployment and behavior of the DaemonSet including the ability to deploy the sensor without having to use the CrowdStrike API. +
+ ### Deploy the Sidecar Sensor +
+ Click to expand + - To deploy the Falon Sidecar Sensor, click `Create Instance` for the `Falcon Container` Kind under the `Provided APIs` for the Falcon Operator. ![OpenShift CrowdStrike Falcon Sidecar Sensor](images/ocp-fcs.png) @@ -77,12 +90,43 @@ If you want to automate the deployment of the operator, the CLI method is recomm 2. Replace with your CrowdStrike API Client Secret value 3. Click `Create` to deploy the FalconContainer Kind -- If more configuration is needed for your organization or deployment, `Installer Args` will provide additional ways to configure and deploy the CrowdStrike Falcon Sensor. +- If more configuration is needed for your organization or deployment, `Falcon Sensor Configuration` will provide additional ways to configure the CrowdStrike Falcon Sensor. + +
+ +### Deploy the Admission Controller + +
+ Click to expand + +- To deploy the Falon Sidecar Sensor, click `Create Instance` for the `Falcon Admission` Kind under the `Provided APIs` for the Falcon Operator. + + ![OpenShift CrowdStrike Falcon Admission Controller](images/ocp-fkac.png) + +- If using the CrowdStrike API method which connects to the CrowdStrike cloud and will attempt to discover your Falcon Customer ID as well as download the Falcon Admission container image, make sure that you have a new [CrowdStrike API key pair](#prerequisites) before continuing. + + ![OpenShift CrowdStrike Falcon Admission Controller](images/ocp-fkacinstall.png) + + 1. Replace with your CrowdStrike API Client ID value + 2. Replace with your CrowdStrike API Client Secret value + 3. Click `Create` to deploy the FalconAdmission Kind + +- If more configuration is needed for your organization or deployment, `Falcon Sensor Configuration` will provide additional ways to configure the CrowdStrike Admission Controller. `Falcon Admission Controller Configuration` provides more ways to configure deployment and behavior of the admission controller. + +
+ +
## Installing the operator through the CLI +
+ Click to expand + ### Install using the Krew plugin (Preferred) +
+ Click to expand + To easily uninstall the operator, install Krew if it is not already installed: 1. Install Krew. See https://krew.sigs.k8s.io/docs/user-guide/setup/install/ @@ -107,8 +151,13 @@ Once the Krew plugin is installed: oc operator install falcon-operator-rhmp --create-operator-group -n falcon-operator ``` +
+ ### Install using the Subscription/CSV method +
+ Click to expand + - Authenticate to your OpenShift cluster ``` oc login --token=sha256~abcde-ABCDE-1 --server=https://openshift.example.com @@ -184,8 +233,13 @@ Deploy the `subscription.yaml` that you create to the cluster for the operator t oc create -f subscription.yaml -n falcon-operator ``` +
+ ### Deploy the Node Sensor +
+ Click to expand + Once the operator has deployed, you can now deploy the FalconNodeSensor. - Deploy FalconNodeSensor through the cli using the `oc` command: @@ -218,12 +272,31 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): oc create -n falcon-system -f https://raw.githubusercontent.com/CrowdStrike/falcon-operator/main/docs/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
+ ### Deploy the Sidecar Sensor +
+ Click to expand + - Deploy FalconContainer through the cli using the `oc` command: ``` oc create -f https://raw.githubusercontent.com/CrowdStrike/falcon-operator/main/docs/deployment/openshift/falconcontainer.yaml --edit=true ``` +
+ +### Deploy the Admission Controller + +
+ Click to expand + +- Deploy FalconAdmission through the cli using the `oc` command: + ``` + oc create -f https://raw.githubusercontent.com/CrowdStrike/falcon-operator/main/docs/deployment/openshift/falconadmission.yaml --edit=true + ``` + +
+
## Uninstalling @@ -232,6 +305,9 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): ### Uninstall using the Web Console (GUI) +
+ Click to expand + - To uninstall in the OpenShift Web Console (GUI), expand the `Operators` menu and click on `Installed Operators`. ![OpenShift CrowdStrike Operator Uninstall](images/ocp-uninstall.png) @@ -256,6 +332,16 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): ![OpenShift CrowdStrike Sidecar Uninstall](images/ocp-containerdel.png) +#### Uninstall the Admission Controller + +- Click on the `CrowdStrike Falcon Platform - Operator` listing, followed by clicking on the `Falcon Admission` tab. + + ![OpenShift CrowdStrike Admission Controller Uninstall](images/ocp-fkactab.png) + +- On the deployed `FalconAdmission` Kind, click the 3 vertical dot action menu on the far right, and click `Delete FalconAdmission`. + + ![OpenShift CrowdStrike Admission Controller Uninstall](images/ocp-fkacdel.png) + #### Uninstall the Operator - In the list of `Installed Operators`, click the 3 vertical dot action menu on the far right of the `CrowdStrike Falcon Platform - Operator` listing, and click `Uninstall Operator`. @@ -264,10 +350,18 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): This will open an uninstall confirmation box, click `Uninstall` to complete the uninstall. +
+ ### Uninstall using the CLI +
+ Click to expand + #### Uninstall using the Krew plugin (Preferred) +
+ Click to expand + To easily uninstall the operator, install Krew if it is not already installed: 1. Install Krew. See https://krew.sigs.k8s.io/docs/user-guide/setup/install/ @@ -282,8 +376,13 @@ Once the Krew plugin is installed: oc operator uninstall falcon-operator-rhmp -n falcon-operator -X ``` +
+ #### Uninstall using the Subscription/CSV method +
+ Click to expand + ##### Uninstall the Node Sensor - To uninstall the node sensor, simply remove the FalconNodeSensor resource. @@ -295,7 +394,14 @@ Once the Krew plugin is installed: - To uninstall Falcon Container simply remove FalconContainer resource. The operator will uninstall Falcon Container product from the cluster. ``` - oc delete falconcontainers.falcon.crowdstrike.com default + oc delete falconadmissions falcon-sidecar-sensor + ``` + +##### Uninstall the Admission Controller + +- To uninstall Falcon Container simply remove FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + ``` + oc delete falconadmissions falcon-admission ``` ##### Uninstall the Operator @@ -319,3 +425,6 @@ Once the Krew plugin is installed: ``` oc delete csv falcon-operator.v0.8.0 -n falcon-operator ``` + +
+
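Review bot: in the first hunk of docs/deployment/openshift/README.md (`@@ -1,6 +1,8 @@`) the FalconAdmission link points at `../../resources/admission/README.md`, while the neighbouring FalconContainer and FalconNodeSensor links use `resources/container/README.md` and `resources/node/README.md` relative to the OpenShift directory. This patch adds the admission reference at `docs/deployment/openshift/resources/admission/README.md`, so the link should be `resources/admission/README.md` to match its siblings; as written it resolves to a different directory.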
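Review bot: in hunk `@@ -77,12 +90,43 @@` the first bullet of the new "Deploy the Admission Controller" section reads "To deploy the Falon Sidecar Sensor, click `Create Instance` for the `Falcon Admission` Kind", which is copied from the sidecar section; it should read "To deploy the Falcon Admission Controller, click `Create Instance` for the `Falcon Admission` Kind". The same "Falon" typo is visible in the sidecar bullet in the context lines of hunk `@@ -63,8 +71,13 @@` and could be fixed in the same change.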
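Review bot: hunk `@@ -295,7 +394,14 @@` replaces the sidecar uninstall command with `oc delete falconadmissions falcon-sidecar-sensor`, which targets the wrong resource type: under "Uninstall the Sidecar Sensor" this must be `oc delete falconcontainers falcon-sidecar-sensor` (the name matches the rename in docs/deployment/openshift/falconcontainer.yaml). As written, the documented command leaves the sidecar injector running and fails on a non-existent FalconAdmission object. In the same hunk the new admission bullet says "To uninstall Falcon Container simply remove FalconAdmission resource"; it should say "To uninstall the Falcon Admission Controller".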
diff --git a/docs/deployment/openshift/falconadmission.yaml b/docs/deployment/openshift/falconadmission.yaml new file mode 100644 index 00000000..82e3b50c --- /dev/null +++ b/docs/deployment/openshift/falconadmission.yaml @@ -0,0 +1,13 @@ +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: openshift + tls: + insecure_skip_verify: false diff --git a/docs/deployment/openshift/falconcontainer.yaml b/docs/deployment/openshift/falconcontainer.yaml index ac13f9e5..a0202cbd 100644 --- a/docs/deployment/openshift/falconcontainer.yaml +++ b/docs/deployment/openshift/falconcontainer.yaml @@ -1,7 +1,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/deployment/openshift/images/ocp-containerdel.png b/docs/deployment/openshift/images/ocp-containerdel.png index ebb5762a..bb7e6dec 100644 Binary files a/docs/deployment/openshift/images/ocp-containerdel.png and b/docs/deployment/openshift/images/ocp-containerdel.png differ diff --git a/docs/deployment/openshift/images/ocp-containertab.png b/docs/deployment/openshift/images/ocp-containertab.png index 903bbb8c..d60bb2fc 100644 Binary files a/docs/deployment/openshift/images/ocp-containertab.png and b/docs/deployment/openshift/images/ocp-containertab.png differ diff --git a/docs/deployment/openshift/images/ocp-fcs.png b/docs/deployment/openshift/images/ocp-fcs.png index c9c01e86..44a8f506 100644 Binary files a/docs/deployment/openshift/images/ocp-fcs.png and b/docs/deployment/openshift/images/ocp-fcs.png differ 
diff --git a/docs/deployment/openshift/images/ocp-fkac.png b/docs/deployment/openshift/images/ocp-fkac.png new file mode 100644 index 00000000..229bb42d Binary files /dev/null and b/docs/deployment/openshift/images/ocp-fkac.png differ diff --git a/docs/deployment/openshift/images/ocp-fkacdel.png b/docs/deployment/openshift/images/ocp-fkacdel.png new file mode 100644 index 00000000..3284a3f9 Binary files /dev/null and b/docs/deployment/openshift/images/ocp-fkacdel.png differ diff --git a/docs/deployment/openshift/images/ocp-fkacinstall.png b/docs/deployment/openshift/images/ocp-fkacinstall.png new file mode 100644 index 00000000..2e170a06 Binary files /dev/null and b/docs/deployment/openshift/images/ocp-fkacinstall.png differ diff --git a/docs/deployment/openshift/images/ocp-fkactab.png b/docs/deployment/openshift/images/ocp-fkactab.png new file mode 100644 index 00000000..0ae395ae Binary files /dev/null and b/docs/deployment/openshift/images/ocp-fkactab.png differ diff --git a/docs/deployment/openshift/images/ocp-fns.png b/docs/deployment/openshift/images/ocp-fns.png index 5b8bfa64..6b340974 100644 Binary files a/docs/deployment/openshift/images/ocp-fns.png and b/docs/deployment/openshift/images/ocp-fns.png differ diff --git a/docs/deployment/openshift/images/ocp-nodedel.png b/docs/deployment/openshift/images/ocp-nodedel.png index 5db345ed..dafdf2d6 100644 Binary files a/docs/deployment/openshift/images/ocp-nodedel.png and b/docs/deployment/openshift/images/ocp-nodedel.png differ diff --git a/docs/deployment/openshift/images/ocp-nodetab.png b/docs/deployment/openshift/images/ocp-nodetab.png index ecdcaf05..4b5ac03e 100644 Binary files a/docs/deployment/openshift/images/ocp-nodetab.png and b/docs/deployment/openshift/images/ocp-nodetab.png differ 
diff --git a/docs/deployment/openshift/images/ocp-opresources.png b/docs/deployment/openshift/images/ocp-opresources.png index be5ed853..f61f6c76 100644 Binary files a/docs/deployment/openshift/images/ocp-opresources.png and b/docs/deployment/openshift/images/ocp-opresources.png differ diff --git a/docs/deployment/openshift/images/ocp-uninstall2.png b/docs/deployment/openshift/images/ocp-uninstall2.png index c995e920..0a6685af 100644 Binary files a/docs/deployment/openshift/images/ocp-uninstall2.png and b/docs/deployment/openshift/images/ocp-uninstall2.png differ diff --git a/docs/deployment/openshift/resources/admission/README.md b/docs/deployment/openshift/resources/admission/README.md new file mode 100644 index 00000000..e481b8ae --- /dev/null +++ b/docs/deployment/openshift/resources/admission/README.md 
@@ -0,0 +1,191 @@ +# Falcon Admission Controller + +## About FalconAdmission Custom Resource (CR) +Falcon Operator introduces the FalconAdmission Custom Resource (CR) to the cluster. The resource is meant to install, configure, and uninstall the Falcon Admission Controller on the cluster. + +### FalconAdmission CR Configuration using CrowdStrike API Keys +To start the FalconAdmission installation using CrowdStrike API Keys to allow the operator to determine your Falcon Customer ID (CID) as well as pull down the CrowdStrike Falcon Admission Controller image, please create the following FalconAdmission resource to your cluster. + +> [!IMPORTANT] +> You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, required permissions are: +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** + +Example: + +```yaml +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon: + tags: 'test-cluster,dev' + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: crowdstrike +``` + +### FalconAdmission Reference Manual + +#### Falcon API Settings +| Spec | Description | +| :------------------------- | :------------------------------------------------------------------------------------------------------- | +| falcon_api.client_id | CrowdStrike API Client ID | +| falcon_api.client_secret | CrowdStrike API Client Secret | +| falcon_api.cloud_region | CrowdStrike cloud region (allowed values: autodiscover, us-1, us-2, eu-1, us-gov-1) | +| falcon_api.cid | (optional) CrowdStrike Falcon CID API override | + +#### Admission Controller Configuration Settings +| Spec | Description | +| :---------------------------------- | 
:---------------------------------------------------------------------------------------------------------------------------------------- | +| installNamespace | (optional) Override the default namespace of falcon-kac | +| image | (optional) Leverage a Falcon Admission Controller Sensor image that is not managed by the operator; typically used with custom repositories; overrides all registry settings; might require admissionConfig.imagePullSecrets to be set | +| version | (optional) Enforce particular Falcon Admission Controller version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | +| registry.type | Registry to mirror Falcon Admission Controller (allowed values: acr, ecr, crowdstrike, gcr, openshift) | +| registry.tls.insecure_skip_verify | (optional) Skip TLS check when pushing Falcon Admission to target registry (only for demoing purposes on self-signed openshift clusters) | +| registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates | +| registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | +| registry.acr_name | (optional) Name of ACR for the Falcon Admission push. Only applicable to Azure cloud. (`registry.type="acr"`) | +| resourcequota.pods | (optional) Configure the maximum number of pods that can be created in the falcon-kac namespace | +| admissionConfig.serviceAccount.annotations| (optional) Configure annotations for the falcon-kac service account (e.g. 
for IAM role association) | +| admissionConfig.port | (optional) Configure the port the Falcon Admission Controller Service listens on | +| admissionConfig.containerPort | (optional) Configure the port the Falcon Admission Controller container listens on | +| admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller | +| admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller | +| admissionConfig.disabledNamespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore | +| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller | +| admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller | +| admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller | +| admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller | +| admissionConfig.resources | (optional) Configure the resources of the Falcon Admission Controller | +| admissionConfig.updateStrategy | (optional) Configure the deployment update strategy of the Falcon Admission Controller | + + +#### Falcon Sensor Settings +| Spec | Description | +| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | +| falcon.apd | (optional) Configure Falcon Sensor to leverage a proxy host | +| falcon.aph | (optional) Configure the host Falcon Sensor should leverage for proxying | +| falcon.app | (optional) Configure the port Falcon Sensor should leverage for proxying | +| falcon.billing | (optional) Configure Pay-as-You-Go (metered) billing rather than default billing | +| falcon.provisioning_token | (optional) Configure a 
Provisioning Token for CIDs with restricted AID provisioning enabled | +| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited | +| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) | + +All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user. + +### Auto Proxy Configuration + +The operator will automatically configure the sensor's proxy configuration when the cluster proxy is configured on OpenShift via OLM. See the following documentation for more information: +* [Configuring cluster-wide proxy](https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html) +* [Overriding proxy settings of an Operator](https://docs.openshift.com/container-platform/4.13/operators/admin/olm-configuring-proxy-support.html#olm-overriding-proxy-settings_olm-configuring-proxy-support) + +When not running on OpenShift, adding the proxy configuration via environment variables will also configure the sensor's proxy information. +```yaml +- args: + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + value: null + - name: OPERATOR_NAME + value: falcon-operator + - name: HTTP_PROXY + value: http://proxy.example.com:8080 + - name: HTTPS_PROXY + value: http://proxy.example.com:8080 + image: quay.io/crowdstrike/falcon-operator:latest +``` +These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) + + +### Image Registry considerations + +Falcon Admission Image is distributed by CrowdStrike through CrowdStrike Falcon registry. 
Operator supports two modes of deployment: + +#### (Option 1) Use CrowdStrike registry directly + +Does not require any advanced setup. Users are advised to use the following except in their FalconAdmission custom resource definition. + +```yaml +registry: + type: crowdstrike +``` + +Falcon Admission product will then be installed directly from CrowdStrike registry. Any new deployment to the cluster may contact CrowdStrike registry for the image download. + +#### (Option 2) Let operator mirror Falcon Admission Controller image to your local registry + +Requires advanced setup to grant the operator push access to your local registry. The operator will then mirror the Falcon Admission image from CrowdStrike registry to your local registry of choice. +Supported registries are: acr, ecr, gcr, and openshift. Each registry type requires advanced setup enable image push. + +Consult specific deployment guides to learn about the steps needed for image mirroring. + +- [Deployment Guide for OpenShift](../../README.md) + +#### (Option 3) Use a custom Image URI + +Image must be available at the specified URI; setting the image attribute will cause registry settings to be ignored. No image mirroring will be leveraged. + +Example: +```yaml +image: myprivateregistry.internal.lan/falcon-admission/falcon-sensor:6.47.0-3003.container.x86_64.Release.US-1 +``` + +### Install Steps +To install Falcon Admission Controller, run the following command to install the FalconAdmission CR: +```sh +oc create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconadmission.yaml --edit=true +``` + +### Uninstall Steps +To uninstall Falcon Admission Controller simply remove the FalconAdmission resource. The operator will uninstall the Falcon Admission Controller from the cluster. + +```sh +oc delete falconadmission --all +``` + +### Troubleshooting + +- Falcon Operator modifies the FalconAdmission CR based on what is happening in the cluster. 
You can get list the CR, Operator Version, and Sensor version by running the following: + + ```sh + $ oc get falconadmission + NAME OPERATOR VERSION FALCON SENSOR + falcon-admission 0.8.0 6.51.0-3401.container.x86_64.Release.US-1 + ``` + + This is helpful information to use as a starting point for troubleshooting. + You can get more insight by viewing the FalconAdmission CRD in full detail by running the following command: + + ```sh + oc get falconadmission -o yaml + ``` + +- To review the logs of Falcon Operator: + ```sh + oc -n falcon-operator logs -f deploy/falcon-operator-controller-manager -c manager + ``` + +- To review the logs of Falcon Admission controller service: + ```sh + oc logs -n falcon-kac -l "crowdstrike.com/provider=crowdstrike" + ``` + +- To review the currently deployed version of the operator: + ```sh + oc get falconadmission -A -o=jsonpath='{.items[].status.version}' + ``` + + +### Additional Documentation +End-to-end guide(s) to install Falcon-operator together with FalconAdmission resource. + - [Deployment Guide for OpenShift](../../README.md) + + + diff --git a/docs/deployment/openshift/resources/container/README.md b/docs/deployment/openshift/resources/container/README.md index 1e1a4d94..28e11a65 100644 --- a/docs/deployment/openshift/resources/container/README.md +++ b/docs/deployment/openshift/resources/container/README.md 
@@ -1,6 +1,5 @@ # Falcon Container Sensor - ## About Falcon Container Sensor The Falcon Container sensor for Linux extends runtime security to container workloads in Kubernetes clusters that don’t allow you to deploy the kernel-based Falcon sensor for Linux. The Falcon Container sensor runs as an unprivileged container in user space with no code running in the kernel of the worker node OS. This allows it to secure Kubernetes pods in clusters where it isn’t possible to deploy the kernel-based Falcon sensor for Linux on the worker node, as with AWS Fargate where organizations don’t have access to the kernel and where privileged containers are disallowed. The Falcon Container sensor can also secure container workloads on clusters where worker node security is managed separately. @@ -20,8 +19,8 @@ Falcon Operator introduces FalconContainer Custom Resource to the cluster. The r > [!IMPORTANT] > To start the Falcon Container installation please push the following FalconContainer resource to your cluster. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, minimal required permissions are: -> * Falcon Images Download: Read -> * Sensor Download: Read +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** No other permissions shall be granted to the new API key pair. 
@@ -61,7 +60,6 @@ spec: | registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates | registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | registry.acr_name | (optional) Name of ACR for the Falcon Container push. Only applicable to Azure cloud. (`registry.type="acr"`) | -| registry.ecr_iam_role_arn | (optional) ARN of AWS IAM Role to be assigned to the Injector (only needed when injector runs on EKS Fargate) | | injector.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | injector.listenPort | (optional) Override the default Injector Listen Port of 4433 | | injector.replicas | (optional) Override the default Injector Replica count of 2 | 
@@ -91,14 +89,14 @@ spec: | conditions.["NamespaceReady"] | Displays the most recent reconciliation operation for the Namespace used by the Falcon Container Sensor (Created, Updated, Deleted) | | conditions.["ImageReady"] | Informs about readiness of Falcon Container image. Custom message refers to image URI that will be used during the deployment (Pushed, Discovered) | | conditions.["ImageStreamReady"] | Displays the most recent successful reconciliation operation for the image stream used by the falcon container in openshift environments (created, updated, deleted) | -| conditions.["ServiceAccountReady"] | Displays the most recent sucreconciliation operation for the service account used by the falcon container (created, updated, deleted) | -| conditions.["ClusterRoleReady"] | Displays the most recent sucreconciliation operation for the cluster role used by the falcon container sensor (created, updated, deleted) | -| conditions.["ClusterRoleBindingReady"] | Displays the most recent sucreconciliation operation for the cluster role binding used by the falcon container sensor (created, updated, deleted) | -| conditions.["SecretReady"] | Displays the most recent sucreconciliation operation for the secrets used by the falcon container sensor (created, updated, deleted) | -| conditions.["ConfigMapReady"] | Displays the most recent sucreconciliation operation for the config map used by the falcon container sensor (created, updated, deleted) | -| conditions.["DeploymentReady"] | Displays the most recent sucreconciliation operation for the deployment used by the falcon container sensor injector (created, updated, deleted) | -| conditions.["ServiceReady"] | Displays the most recent sucreconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) | -| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent sucreconciliation operation for the mutating webhook configuration used by the falcon container 
sensor injector (created, updated, deleted) | +| conditions.["ServiceAccountReady"] | Displays the most recent successful reconciliation operation for the service account used by the falcon container (created, updated, deleted) | +| conditions.["ClusterRoleReady"] | Displays the most recent successful reconciliation operation for the cluster role used by the falcon container sensor (created, updated, deleted) | +| conditions.["ClusterRoleBindingReady"] | Displays the most recent successful reconciliation operation for the cluster role binding used by the falcon container sensor (created, updated, deleted) | +| conditions.["SecretReady"] | Displays the most recent successful reconciliation operation for the secrets used by the falcon container sensor (created, updated, deleted) | +| conditions.["ConfigMapReady"] | Displays the most recent successful reconciliation operation for the config map used by the falcon container sensor (created, updated, deleted) | +| conditions.["DeploymentReady"] | Displays the most recent successful reconciliation operation for the deployment used by the falcon container sensor injector (created, updated, deleted) | +| conditions.["ServiceReady"] | Displays the most recent successful reconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) | +| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent successful reconciliation operation for the mutating webhook configuration used by the falcon container sensor injector (created, updated, deleted) | ### Enabling and Disabling Falcon Container injection 
@@ -196,10 +194,6 @@ To uninstall Falcon Container simply remove the FalconContainer resource. The op oc delete falconcontainers.falcon.crowdstrike.com --all ``` -### Sensor Upgrades - -The current version of the operator will update the Falcon Container Sensor version upon Operator Reconciliation unless `version` is set to a specific tag or update. Note that this will only impact future Sensor injections, and will not cause any changes to running pods. - ### Namespace Reference The following namespaces will be used by Falcon Operator. diff --git a/docs/deployment/openshift/resources/node/README.md b/docs/deployment/openshift/resources/node/README.md index a74599e0..ed955b24 100644 --- a/docs/deployment/openshift/resources/node/README.md +++ b/docs/deployment/openshift/resources/node/README.md @@ -11,8 +11,8 @@ Falcon Operator introduces the FalconNodeSensor Custom Resource (CR) to the clus > [!IMPORTANT] > To start the FalconNodeSensor installation using CrowdStrike API Keys to allow the operator to determine your Falcon Customer ID (CID) as well as pull down the CrowdStrike Falcon Sensor container image, please create the following FalconNodeSensor resource to your cluster. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, required permissions are: -> * Falcon Images Download: Read -> * Sensor Download: Read +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** Example: ```yaml 
@@ -62,7 +62,7 @@ spec: | node.image | (optional) Location of the Falcon Sensor Image. Specify only when you mirror the original image to your own image repository | | node.imagePullPolicy | (optional) Override the default Falcon Container image pull policy of Always | | node.imagePullSecrets | (optional) list of references to secrets to use for pulling image from image_override location. | -| node.terminationGracePeriod | (optional) Kills pod after a specificed amount of time (in seconds). Default is 30 seconds. | +| node.terminationGracePeriod | (optional) Kills pod after a specified amount of time (in seconds). Default is 30 seconds. | | node.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | node.backend | (optional) Configure the backend mode for Falcon Sensor (allowed values: kernel, bpf) | | node.disableCleanup | (optional) Cleans up `/opt/CrowdStrike` on the nodes by deleting the files and directory. | diff --git a/docs/resources/admission/README.md b/docs/resources/admission/README.md new file mode 100644 index 00000000..e7dce943 --- /dev/null +++ b/docs/resources/admission/README.md 
@@ -0,0 +1,199 @@ +# Falcon Admission Controller + +## About FalconAdmission Custom Resource (CR) +Falcon Operator introduces the FalconAdmission Custom Resource (CR) to the cluster. The resource is meant to install, configure, and uninstall the Falcon Admission Controller on the cluster. + +### FalconAdmission CR Configuration using CrowdStrike API Keys +To start the FalconAdmission installation using CrowdStrike API Keys to allow the operator to determine your Falcon Customer ID (CID) as well as pull down the CrowdStrike Falcon Admission Controller image, please create the following FalconAdmission resource to your cluster. + +> [!IMPORTANT] +> You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, required permissions are: +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** + +Example: + +```yaml +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon: + tags: 'test-cluster,dev' + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: crowdstrike +``` + +### FalconAdmission Reference Manual + +#### Falcon API Settings +| Spec | Description | +| :------------------------- | :------------------------------------------------------------------------------------------------------- | +| falcon_api.client_id | CrowdStrike API Client ID | +| falcon_api.client_secret | CrowdStrike API Client Secret | +| falcon_api.cloud_region | CrowdStrike cloud region (allowed values: autodiscover, us-1, us-2, eu-1, us-gov-1) | +| falcon_api.cid | (optional) CrowdStrike Falcon CID API override | + +#### Admission Controller Configuration Settings +| Spec | Description | +| :---------------------------------- | 
:---------------------------------------------------------------------------------------------------------------------------------------- | +| installNamespace | (optional) Override the default namespace of falcon-kac | +| image | (optional) Leverage a Falcon Admission Controller Sensor image that is not managed by the operator; typically used with custom repositories; overrides all registry settings; might require admissionConfig.imagePullSecrets to be set | +| version | (optional) Enforce particular Falcon Admission Controller version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | +| registry.type | Registry to mirror Falcon Admission Controller (allowed values: acr, ecr, crowdstrike, gcr, openshift) | +| registry.tls.insecure_skip_verify | (optional) Skip TLS check when pushing Falcon Admission to target registry (only for demoing purposes on self-signed openshift clusters) | +| registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates | +| registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | +| registry.acr_name | (optional) Name of ACR for the Falcon Admission push. Only applicable to Azure cloud. (`registry.type="acr"`) | +| resourcequota.pods | (optional) Configure the maximum number of pods that can be created in the falcon-kac namespace | +| admissionConfig.serviceAccount.annotations| (optional) Configure annotations for the falcon-kac service account (e.g. 
for IAM role association) | +| admissionConfig.port | (optional) Configure the port the Falcon Admission Controller Service listens on | +| admissionConfig.containerPort | (optional) Configure the port the Falcon Admission Controller container listens on | +| admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller | +| admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller | +| admissionConfig.disabledNamespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore | +| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller | +| admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller | +| admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller | +| admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller | +| admissionConfig.resources | (optional) Configure the resources of the Falcon Admission Controller | +| admissionConfig.updateStrategy | (optional) Configure the deployment update strategy of the Falcon Admission Controller | + + +#### Falcon Sensor Settings +| Spec | Description | +| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | +| falcon.apd | (optional) Configure Falcon Sensor to leverage a proxy host | +| falcon.aph | (optional) Configure the host Falcon Sensor should leverage for proxying | +| falcon.app | (optional) Configure the port Falcon Sensor should leverage for proxying | +| falcon.billing | (optional) Configure Pay-as-You-Go (metered) billing rather than default billing | +| falcon.provisioning_token | (optional) Configure a 
Provisioning Token for CIDs with restricted AID provisioning enabled | +| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited | +| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) | + +All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user. + +### Auto Proxy Configuration + +The operator will automatically configure the sensor's proxy configuration when the cluster proxy is configured on OpenShift via OLM. See the following documentation for more information: +* [Configuring cluster-wide proxy](https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html) +* [Overriding proxy settings of an Operator](https://docs.openshift.com/container-platform/4.13/operators/admin/olm-configuring-proxy-support.html#olm-overriding-proxy-settings_olm-configuring-proxy-support) + +When not running on OpenShift, adding the proxy configuration via environment variables will also configure the sensor's proxy information. +```yaml +- args: + - --leader-elect + command: + - /manager + env: + - name: WATCH_NAMESPACE + value: null + - name: OPERATOR_NAME + value: falcon-operator + - name: HTTP_PROXY + value: http://proxy.example.com:8080 + - name: HTTPS_PROXY + value: http://proxy.example.com:8080 + image: quay.io/crowdstrike/falcon-operator:latest +``` +These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) + + +### Image Registry considerations + +Falcon Admission Image is distributed by CrowdStrike through CrowdStrike Falcon registry. 
Operator supports two modes of deployment: + +#### (Option 1) Use CrowdStrike registry directly + +Does not require any advanced setup. Users are advised to use the following except in their FalconAdmission custom resource definition. + +```yaml +registry: + type: crowdstrike +``` + +Falcon Admission product will then be installed directly from CrowdStrike registry. Any new deployment to the cluster may contact CrowdStrike registry for the image download. + +#### (Option 2) Let operator mirror Falcon Admission Controller image to your local registry + +Requires advanced setup to grant the operator push access to your local registry. The operator will then mirror the Falcon Admission image from CrowdStrike registry to your local registry of choice. +Supported registries are: acr, ecr, gcr, and openshift. Each registry type requires advanced setup enable image push. + +Consult specific deployment guides to learn about the steps needed for image mirroring. + + - [Deployment Guide for AKS/ACR](../../deployment/azure/README.md) + - [Deployment Guide for EKS/ECR](../../deployment/eks/README.md) + - [Deployment Guide for EKS Fargate](../../deployment/eks-fargate/README.md) + - [Deployment Guide for GKE/GCR](../../deployment/gke/README.md) + - [Deployment Guide for OpenShift](../../deployment/openshift/README.md) + +#### (Option 3) Use a custom Image URI + +Image must be available at the specified URI; setting the image attribute will cause registry settings to be ignored. No image mirroring will be leveraged. 
+ +Example: +```yaml +image: myprivateregistry.internal.lan/falcon-admission/falcon-sensor:6.47.0-3003.container.x86_64.Release.US-1 +``` + +### Install Steps +To install Falcon Admission Controller, run the following command to install the FalconAdmission CR: +```sh +kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconadmission.yaml --edit=true +``` + +### Uninstall Steps +To uninstall Falcon Admission Controller simply remove the FalconAdmission resource. The operator will uninstall the Falcon Admission Controller from the cluster. + +```sh +kubectl delete falconadmission --all +``` + +### Troubleshooting + +- Falcon Operator modifies the FalconAdmission CR based on what is happening in the cluster. You can get list the CR, Operator Version, and Sensor version by running the following: + + ```sh + $ kubectl get falconadmission + NAME OPERATOR VERSION FALCON SENSOR + falcon-admission 0.8.0 6.51.0-3401.container.x86_64.Release.US-1 + ``` + + This is helpful information to use as a starting point for troubleshooting. + You can get more insight by viewing the FalconAdmission CRD in full detail by running the following command: + + ```sh + kubectl get falconadmission -o yaml + ``` + +- To review the logs of Falcon Operator: + ```sh + kubectl -n falcon-operator logs -f deploy/falcon-operator-controller-manager -c manager + ``` + +- To review the logs of Falcon Admission controller service: + ```sh + kubectl logs -n falcon-kac -l "crowdstrike.com/provider=crowdstrike" + ``` + +- To review the currently deployed version of the operator: + ```sh + kubectl get falconadmission -A -o=jsonpath='{.items[].status.version}' + ``` + + +### Additional Documentation +End-to-end guide(s) to install Falcon-operator together with FalconAdmission resource. 
+ - [Deployment Guide for AKS/ACR](../../deployment/azure/README.md) + - [Deployment Guide for EKS/ECR](../../deployment/eks/README.md) + - [Deployment Guide for EKS Fargate](../../deployment/eks-fargate/README.md) + - [Deployment Guide for GKE/GCR](../../deployment/gke/README.md) + - [Deployment Guide for OpenShift](../../deployment/openshift/README.md) + + + diff --git a/docs/resources/container/README.md b/docs/resources/container/README.md index 24711961..44870ad0 100644 --- a/docs/resources/container/README.md +++ b/docs/resources/container/README.md @@ -1,6 +1,5 @@ # Falcon Container Sensor - ## About Falcon Container Sensor The Falcon Container sensor for Linux extends runtime security to container workloads in Kubernetes clusters that don’t allow you to deploy the kernel-based Falcon sensor for Linux. The Falcon Container sensor runs as an unprivileged container in user space with no code running in the kernel of the worker node OS. This allows it to secure Kubernetes pods in clusters where it isn’t possible to deploy the kernel-based Falcon sensor for Linux on the worker node, as with AWS Fargate where organizations don’t have access to the kernel and where privileged containers are disallowed. The Falcon Container sensor can also secure container workloads on clusters where worker node security is managed separately. 
@@ -20,8 +19,8 @@ Falcon Operator introduces FalconContainer Custom Resource to the cluster. The r > [!IMPORTANT] > To start the Falcon Container installation please push the following FalconContainer resource to your cluster. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, minimal required permissions are: -> * Falcon Images Download: Read -> * Sensor Download: Read +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** No other permissions shall be granted to the new API key pair. @@ -61,7 +60,6 @@ spec: | registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates | registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | registry.acr_name | (optional) Name of ACR for the Falcon Container push. Only applicable to Azure cloud. (`registry.type="acr"`) | -| registry.ecr_iam_role_arn | (optional) ARN of AWS IAM Role to be assigned to the Injector (only needed when injector runs on EKS Fargate) | | injector.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | injector.listenPort | (optional) Override the default Injector Listen Port of 4433 | | injector.replicas | (optional) Override the default Injector Replica count of 2 | 
@@ -91,14 +89,14 @@ spec: | conditions.["NamespaceReady"] | Displays the most recent reconciliation operation for the Namespace used by the Falcon Container Sensor (Created, Updated, Deleted) | | conditions.["ImageReady"] | Informs about readiness of Falcon Container image. Custom message refers to image URI that will be used during the deployment (Pushed, Discovered) | | conditions.["ImageStreamReady"] | Displays the most recent successful reconciliation operation for the image stream used by the falcon container in openshift environments (created, updated, deleted) | -| conditions.["ServiceAccountReady"] | Displays the most recent sucreconciliation operation for the service account used by the falcon container (created, updated, deleted) | -| conditions.["ClusterRoleReady"] | Displays the most recent sucreconciliation operation for the cluster role used by the falcon container sensor (created, updated, deleted) | -| conditions.["ClusterRoleBindingReady"] | Displays the most recent sucreconciliation operation for the cluster role binding used by the falcon container sensor (created, updated, deleted) | -| conditions.["SecretReady"] | Displays the most recent sucreconciliation operation for the secrets used by the falcon container sensor (created, updated, deleted) | -| conditions.["ConfigMapReady"] | Displays the most recent sucreconciliation operation for the config map used by the falcon container sensor (created, updated, deleted) | -| conditions.["DeploymentReady"] | Displays the most recent sucreconciliation operation for the deployment used by the falcon container sensor injector (created, updated, deleted) | -| conditions.["ServiceReady"] | Displays the most recent sucreconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) | -| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent sucreconciliation operation for the mutating webhook configuration used by the falcon container 
sensor injector (created, updated, deleted) | +| conditions.["ServiceAccountReady"] | Displays the most recent successful reconciliation operation for the service account used by the falcon container (created, updated, deleted) | +| conditions.["ClusterRoleReady"] | Displays the most recent successful reconciliation operation for the cluster role used by the falcon container sensor (created, updated, deleted) | +| conditions.["ClusterRoleBindingReady"] | Displays the most recent successful reconciliation operation for the cluster role binding used by the falcon container sensor (created, updated, deleted) | +| conditions.["SecretReady"] | Displays the most recent successful reconciliation operation for the secrets used by the falcon container sensor (created, updated, deleted) | +| conditions.["ConfigMapReady"] | Displays the most recent successful reconciliation operation for the config map used by the falcon container sensor (created, updated, deleted) | +| conditions.["DeploymentReady"] | Displays the most recent successful reconciliation operation for the deployment used by the falcon container sensor injector (created, updated, deleted) | +| conditions.["ServiceReady"] | Displays the most recent successful reconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) | +| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent successful reconciliation operation for the mutating webhook configuration used by the falcon container sensor injector (created, updated, deleted) | ### Enabling and Disabling Falcon Container injection 
@@ -200,10 +198,6 @@ To uninstall Falcon Container simply remove the FalconContainer resource. The op kubectl delete falconcontainers.falcon.crowdstrike.com --all ``` -### Sensor Upgrades - -The current version of the operator will update the Falcon Container Sensor version upon Operator Reconciliation unless `version` is set to a specific tag or update. Note that this will only impact future Sensor injections, and will not cause any changes to running pods. - ### Namespace Reference The following namespaces will be used by Falcon Operator. diff --git a/docs/resources/node/README.md b/docs/resources/node/README.md index d8e1c903..b9379595 100644 --- a/docs/resources/node/README.md +++ b/docs/resources/node/README.md @@ -11,8 +11,8 @@ Falcon Operator introduces the FalconNodeSensor Custom Resource (CR) to the clus > [!IMPORTANT] > To start the FalconNodeSensor installation using CrowdStrike API Keys to allow the operator to determine your Falcon Customer ID (CID) as well as pull down the CrowdStrike Falcon Sensor container image, please create the following FalconNodeSensor resource to your cluster. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, required permissions are: -> * Falcon Images Download: Read -> * Sensor Download: Read +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** Example: ```yaml 
@@ -62,7 +62,7 @@ spec: | node.image | (optional) Location of the Falcon Sensor Image. Specify only when you mirror the original image to your own image repository | | node.imagePullPolicy | (optional) Override the default Falcon Container image pull policy of Always | | node.imagePullSecrets | (optional) list of references to secrets to use for pulling image from image_override location. | -| node.terminationGracePeriod | (optional) Kills pod after a specificed amount of time (in seconds). Default is 30 seconds. | +| node.terminationGracePeriod | (optional) Kills pod after a specified amount of time (in seconds). Default is 30 seconds. | | node.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | node.backend | (optional) Configure the backend mode for Falcon Sensor (allowed values: kernel, bpf) | | node.disableCleanup | (optional) Cleans up `/opt/CrowdStrike` on the nodes by deleting the files and directory. | diff --git a/docs/src/deployment/README.md.tmpl b/docs/src/deployment/README.md.tmpl index 85682f40..4aac56ce 100644 --- a/docs/src/deployment/README.md.tmpl +++ b/docs/src/deployment/README.md.tmpl 
@@ -1,10 +1,11 @@ {{- $name := dict "azure" "Azure and AKS" "eks" "EKS and ECR" "eks-fargate" "EKS Fargate and ECR" "generic" "Kubernetes" "gke" "GKE and GCR" -}} -{{- $registry := dict "azure" "ACR (Azure Container Registry)" "eks" "ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry" "eks-fargate" "ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry" "gke" "GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created" -}} +{{- $registry := dict "azure" "ACR (Azure Container Registry)" "eks" "ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to ECR registry" "eks-fargate" "ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to ECR registry" "gke" "GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created" -}} # Deployment Guide for {{ get $name .Distro }} -This document will guide you through the installation of the Falcon Operator and deployment of the following resources provdied by the Falcon Operator: -- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to {{ get $registry .Distro }}. +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to {{ get $registry .Distro }}. +- [FalconContainer](../../resources/container/README.md) with the Falcon Container image being mirrored from CrowdStrike container registry to {{ get $registry .Distro }}. 
{{- if ne .Distro "eks-fargate" }} - [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. {{- end }} @@ -23,6 +24,9 @@ This document will guide you through the installation of the Falcon Operator and ## Installing the Falcon Operator +
+ Click to expand + - Set up a new Kubernetes cluster or use an existing one. {{- template "eks.tmpl" . }} @@ -31,20 +35,30 @@ This document will guide you through the installation of the Falcon Operator and {{ .KubeCmd }} apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ {{- if ne .Distro "eks-fargate" }} ### Deploying the Falcon Node Sensor +
+ Click to expand + After the Falcon Operator has deployed, you can now deploy the Falcon Node Sensor: - Deploy FalconNodeSensor through the cli using the `{{ .KubeCmd }}` command: ```sh {{ .KubeCmd }} create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
+ {{- end }} ### Deploying the Falcon Container Sidecar Sensor +
+ Click to expand + {{- template "presidecar.tmpl" . }} #### Create the FalconContainer resource @@ -59,15 +73,41 @@ After the Falcon Operator has deployed, you can now deploy the Falcon Node Senso --name fp-falcon-system \ --namespace falcon-system ``` -{{- end}} +{{ end}} - Create a new FalconContainer resource ```sh - {{ .KubeCmd }} create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/{{ trimSuffix "-fargate" .Distro }}/falconcontainer.yaml --edit=true + {{ .KubeCmd }} create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/{{ .Distro }}/falconcontainer.yaml --edit=true ``` {{ template "cloudshell.tmpl" . }} +
+ +### Deploying the Falcon Admission Controller + +
+ Click to expand + + {{- if eq .Distro "eks-fargate" }} + +- Create an EKS Fargate profile for the FalconAdmission resource deployment: + ```sh + eksctl create fargateprofile \ + --region "$AWS_REGION" \ + --cluster eks-fargate-cluster \ + --name fp-falcon-kac \ + --namespace falcon-kac + ``` +{{ end}} + +- Create a new FalconAdmission resource + ```sh + {{ .KubeCmd }} create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/{{ .Distro }}/falconadmission.yaml --edit=true + ``` + +
+ ## Uninstalling > [!WARNING] @@ -77,6 +117,9 @@ After the Falcon Operator has deployed, you can now deploy the Falcon Node Senso ### Uninstalling the Falcon Node Sensor +
+ Click to expand + Remove the FalconNodeSensor resource by running: ```sh @@ -84,22 +127,47 @@ Remove the FalconNodeSensor resource by running: ``` {{- end }} +
+ ### Uninstalling the Falcon Container Sidecar Sensor +
+ Click to expand + Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster: ```sh {{ .KubeCmd }} delete falconcontainers --all ``` +
+ +### Uninstalling the Falcon Admission Controller + +
+ Click to expand + +Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + +```sh +{{ .KubeCmd }} delete falconadmission --all +``` + +
+ ### Uninstalling the Falcon Operator +
+ Click to expand + Delete the Falcon Operator deployment by running: ```sh {{ .KubeCmd }} delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml ``` +
+ {{- template "eksiam.tmpl" . }} {{- template "gkeautopilot.tmpl" . }} {{- template "gkenode.tmpl" . }} diff --git a/docs/src/deployment/eks/run b/docs/src/deployment/eks/run index a121f810..dc7ca2be 100644 --- a/docs/src/deployment/eks/run +++ b/docs/src/deployment/eks/run @@ -157,7 +157,7 @@ fi kubectl wait --timeout=240s --for=condition=Available -n $OPERATOR_NAMESPACE deployment falcon-operator-controller-manager # Let the user edit the falconcontainer configuration -if ! kubectl get falconcontainers.falcon.crowdstrike.com default > /dev/null 2>&1; then +if ! kubectl get falconcontainers.falcon.crowdstrike.com falcon-sidecar-sensor > /dev/null 2>&1; then kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/falconcontainer.yaml --edit=true fi diff --git a/docs/src/deployment/falconadmission.yaml.tmpl b/docs/src/deployment/falconadmission.yaml.tmpl new file mode 100644 index 00000000..df098a0c --- /dev/null +++ b/docs/src/deployment/falconadmission.yaml.tmpl @@ -0,0 +1,21 @@ +{{- $registry := dict "azure" "acr" "gke" "gcr" "eks" "ecr" "generic" "crowdstrike" "openshift" "openshift" "eks-fargate" "ecr" -}} +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: {{ get $registry .Distro }} +{{- if eq .Distro "azure" }} + acr_name: PLEASE_FILL_IN + injector: + azureConfigPath: "/etc/kubernetes/azure.json" +{{- end }} +{{- if eq .Distro "openshift" }} + tls: + insecure_skip_verify: false +{{- end }} diff --git a/docs/src/deployment/falconcontainer.yaml.tmpl b/docs/src/deployment/falconcontainer.yaml.tmpl index bd624b1b..396265d8 100644 --- a/docs/src/deployment/falconcontainer.yaml.tmpl +++ b/docs/src/deployment/falconcontainer.yaml.tmpl 
@@ -2,7 +2,7 @@ apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon_api: client_id: PLEASE_FILL_IN diff --git a/docs/src/deployment/gke/run b/docs/src/deployment/gke/run index a80dd19a..71c7084e 100644 --- a/docs/src/deployment/gke/run +++ b/docs/src/deployment/gke/run @@ -86,7 +86,7 @@ if ! kubectl get secret builder -n $FALCON_SYSTEM > /dev/null 2>&1; then kubectl create secret docker-registry -n $FALCON_SYSTEM builder --from-file .dockerconfigjson fi -if ! kubectl get falconcontainers.falcon.crowdstrike.com default > /dev/null 2>&1; then +if ! kubectl get falconcontainers.falcon.crowdstrike.com falcon-sidecar-sensor > /dev/null 2>&1; then kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/gke/falconcontainer.yaml --edit=true fi diff --git a/docs/src/deployment/openshift/README.md b/docs/src/deployment/openshift/README.md index e1603d5d..c2308b5b 100644 --- a/docs/src/deployment/openshift/README.md +++ b/docs/src/deployment/openshift/README.md 
@@ -1,6 +1,8 @@ # Deployment Guide for OpenShift -This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). + +This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator: +- [FalconAdmission](../../resources/admission/README.md) with the Falcon Admission Controller image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). +- [FalconContainer](resources/container/README.md) with Falcon Container image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). - [FalconNodeSensor](resources/node/README.md) custom resource to the cluster. You can choose to install the operator and custom resources through the [web console (GUI)](#installing-the-operator-through-the-web-console-gui) or through the [CLI](#installing-the-operator-through-the-cli). @@ -20,6 +22,9 @@ If you want to automate the deployment of the operator, the CLI method is recomm ## Installing the operator through the Web Console (GUI) +
+ Click to expand + - Authenticate to your OpenShift cluster ![OpenShift Web Console Login](images/ocp-login.png) @@ -49,6 +54,9 @@ If you want to automate the deployment of the operator, the CLI method is recomm ### Deploy the Node Sensor +
+ Click to expand + - To deploy the Falcon Node Sensor, click `Create Instance` for the `Falcon Node Sensor` Kind under the `Provided APIs` for the Falcon Operator. ![OpenShift CrowdStrike Falcon Node Sensor](images/ocp-fns.png) @@ -63,8 +71,13 @@ If you want to automate the deployment of the operator, the CLI method is recomm - If more configuration is needed for your organization or deployment, `Falcon Sensor Configuration` will provide additional ways to configure the CrowdStrike Falcon Sensor. `DaemonSet Configuration` provides more ways to configure deployment and behavior of the DaemonSet including the ability to deploy the sensor without having to use the CrowdStrike API. +
+ ### Deploy the Sidecar Sensor +
+ Click to expand + - To deploy the Falon Sidecar Sensor, click `Create Instance` for the `Falcon Container` Kind under the `Provided APIs` for the Falcon Operator. ![OpenShift CrowdStrike Falcon Sidecar Sensor](images/ocp-fcs.png) @@ -77,12 +90,43 @@ If you want to automate the deployment of the operator, the CLI method is recomm 2. Replace with your CrowdStrike API Client Secret value 3. Click `Create` to deploy the FalconContainer Kind -- If more configuration is needed for your organization or deployment, `Installer Args` will provide additional ways to configure and deploy the CrowdStrike Falcon Sensor. +- If more configuration is needed for your organization or deployment, `Falcon Sensor Configuration` will provide additional ways to configure the CrowdStrike Falcon Sensor. + +
+ +### Deploy the Admission Controller + +
+ Click to expand + +- To deploy the Falon Sidecar Sensor, click `Create Instance` for the `Falcon Admission` Kind under the `Provided APIs` for the Falcon Operator. + + ![OpenShift CrowdStrike Falcon Admission Controller](images/ocp-fkac.png) + +- If using the CrowdStrike API method which connects to the CrowdStrike cloud and will attempt to discover your Falcon Customer ID as well as download the Falcon Admission container image, make sure that you have a new [CrowdStrike API key pair](#prerequisites) before continuing. + + ![OpenShift CrowdStrike Falcon Admission Controller](images/ocp-fkacinstall.png) + + 1. Replace with your CrowdStrike API Client ID value + 2. Replace with your CrowdStrike API Client Secret value + 3. Click `Create` to deploy the FalconAdmission Kind + +- If more configuration is needed for your organization or deployment, `Falcon Sensor Configuration` will provide additional ways to configure the CrowdStrike Admission Controller. `Falcon Admission Controller Configuration` provides more ways to configure deployment and behavior of the admission controller. + +
+ +
## Installing the operator through the CLI +
+ Click to expand + ### Install using the Krew plugin (Preferred) +
+ Click to expand + To easily uninstall the operator, install Krew if it is not already installed: 1. Install Krew. See https://krew.sigs.k8s.io/docs/user-guide/setup/install/ @@ -107,8 +151,13 @@ Once the Krew plugin is installed: oc operator install falcon-operator-rhmp --create-operator-group -n falcon-operator ``` +
+ ### Install using the Subscription/CSV method +
+ Click to expand + - Authenticate to your OpenShift cluster ``` oc login --token=sha256~abcde-ABCDE-1 --server=https://openshift.example.com @@ -184,8 +233,13 @@ Deploy the `subscription.yaml` that you create to the cluster for the operator t oc create -f subscription.yaml -n falcon-operator ``` +
+ ### Deploy the Node Sensor +
+ Click to expand + Once the operator has deployed, you can now deploy the FalconNodeSensor. - Deploy FalconNodeSensor through the cli using the `oc` command: @@ -218,12 +272,31 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): oc create -n falcon-system -f https://raw.githubusercontent.com/CrowdStrike/falcon-operator/main/docs/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true ``` +
+ ### Deploy the Sidecar Sensor +
+ Click to expand + - Deploy FalconContainer through the cli using the `oc` command: ``` oc create -f https://raw.githubusercontent.com/CrowdStrike/falcon-operator/main/docs/deployment/openshift/falconcontainer.yaml --edit=true ``` +
+ +### Deploy the Admission Controller + +
+ Click to expand + +- Deploy FalconAdmission through the cli using the `oc` command: + ``` + oc create -f https://raw.githubusercontent.com/CrowdStrike/falcon-operator/main/docs/deployment/openshift/falconadmission.yaml --edit=true + ``` + +
+
## Uninstalling @@ -232,6 +305,9 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): ### Uninstall using the Web Console (GUI) +
+ Click to expand + - To uninstall in the OpenShift Web Console (GUI), expand the `Operators` menu and click on `Installed Operators`. ![OpenShift CrowdStrike Operator Uninstall](images/ocp-uninstall.png) @@ -256,6 +332,16 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): ![OpenShift CrowdStrike Sidecar Uninstall](images/ocp-containerdel.png) +#### Uninstall the Admission Controller + +- Click on the `CrowdStrike Falcon Platform - Operator` listing, followed by clicking on the `Falcon Admission` tab. + + ![OpenShift CrowdStrike Admission Controller Uninstall](images/ocp-fkactab.png) + +- On the deployed `FalconAdmission` Kind, click the 3 vertical dot action menu on the far right, and click `Delete FalconAdmission`. + + ![OpenShift CrowdStrike Admission Controller Uninstall](images/ocp-fkacdel.png) + #### Uninstall the Operator - In the list of `Installed Operators`, click the 3 vertical dot action menu on the far right of the `CrowdStrike Falcon Platform - Operator` listing, and click `Uninstall Operator`. @@ -264,10 +350,18 @@ To deploy to a custom namespace (replacing `falcon-system` as desired): This will open an uninstall confirmation box, click `Uninstall` to complete the uninstall. +
+ ### Uninstall using the CLI +
+ Click to expand + #### Uninstall using the Krew plugin (Preferred) +
+ Click to expand + To easily uninstall the operator, install Krew if it is not already installed: 1. Install Krew. See https://krew.sigs.k8s.io/docs/user-guide/setup/install/ @@ -282,8 +376,13 @@ Once the Krew plugin is installed: oc operator uninstall falcon-operator-rhmp -n falcon-operator -X ``` +
+ #### Uninstall using the Subscription/CSV method +
+ Click to expand + ##### Uninstall the Node Sensor - To uninstall the node sensor, simply remove the FalconNodeSensor resource. @@ -295,7 +394,14 @@ Once the Krew plugin is installed: - To uninstall Falcon Container simply remove FalconContainer resource. The operator will uninstall Falcon Container product from the cluster. ``` - oc delete falconcontainers.falcon.crowdstrike.com default + oc delete falconadmissions falcon-sidecar-sensor + ``` + +##### Uninstall the Admission Controller + +- To uninstall Falcon Container simply remove FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster: + ``` + oc delete falconadmissions falcon-admission ``` ##### Uninstall the Operator @@ -319,3 +425,6 @@ Once the Krew plugin is installed: ``` oc delete csv falcon-operator.v0.8.0 -n falcon-operator ``` + +
+
diff --git a/docs/src/deployment/openshift/images/ocp-containerdel.png b/docs/src/deployment/openshift/images/ocp-containerdel.png index ebb5762a..bb7e6dec 100644 Binary files a/docs/src/deployment/openshift/images/ocp-containerdel.png and b/docs/src/deployment/openshift/images/ocp-containerdel.png differ diff --git a/docs/src/deployment/openshift/images/ocp-containertab.png b/docs/src/deployment/openshift/images/ocp-containertab.png index 903bbb8c..d60bb2fc 100644 Binary files a/docs/src/deployment/openshift/images/ocp-containertab.png and b/docs/src/deployment/openshift/images/ocp-containertab.png differ diff --git a/docs/src/deployment/openshift/images/ocp-fcs.png b/docs/src/deployment/openshift/images/ocp-fcs.png index c9c01e86..44a8f506 100644 Binary files a/docs/src/deployment/openshift/images/ocp-fcs.png and b/docs/src/deployment/openshift/images/ocp-fcs.png differ diff --git a/docs/src/deployment/openshift/images/ocp-fkac.png b/docs/src/deployment/openshift/images/ocp-fkac.png new file mode 100644 index 00000000..229bb42d Binary files /dev/null and b/docs/src/deployment/openshift/images/ocp-fkac.png differ diff --git a/docs/src/deployment/openshift/images/ocp-fkacdel.png b/docs/src/deployment/openshift/images/ocp-fkacdel.png new file mode 100644 index 00000000..3284a3f9 Binary files /dev/null and b/docs/src/deployment/openshift/images/ocp-fkacdel.png differ diff --git a/docs/src/deployment/openshift/images/ocp-fkacinstall.png b/docs/src/deployment/openshift/images/ocp-fkacinstall.png new file mode 100644 index 00000000..2e170a06 Binary files /dev/null and b/docs/src/deployment/openshift/images/ocp-fkacinstall.png differ diff --git a/docs/src/deployment/openshift/images/ocp-fkactab.png b/docs/src/deployment/openshift/images/ocp-fkactab.png new file mode 100644 index 00000000..0ae395ae Binary files /dev/null and b/docs/src/deployment/openshift/images/ocp-fkactab.png differ 
diff --git a/docs/src/deployment/openshift/images/ocp-fns.png b/docs/src/deployment/openshift/images/ocp-fns.png index 5b8bfa64..6b340974 100644 Binary files a/docs/src/deployment/openshift/images/ocp-fns.png and b/docs/src/deployment/openshift/images/ocp-fns.png differ diff --git a/docs/src/deployment/openshift/images/ocp-nodedel.png b/docs/src/deployment/openshift/images/ocp-nodedel.png index 5db345ed..dafdf2d6 100644 Binary files a/docs/src/deployment/openshift/images/ocp-nodedel.png and b/docs/src/deployment/openshift/images/ocp-nodedel.png differ diff --git a/docs/src/deployment/openshift/images/ocp-nodetab.png b/docs/src/deployment/openshift/images/ocp-nodetab.png index ecdcaf05..4b5ac03e 100644 Binary files a/docs/src/deployment/openshift/images/ocp-nodetab.png and b/docs/src/deployment/openshift/images/ocp-nodetab.png differ diff --git a/docs/src/deployment/openshift/images/ocp-opresources.png b/docs/src/deployment/openshift/images/ocp-opresources.png index be5ed853..f61f6c76 100644 Binary files a/docs/src/deployment/openshift/images/ocp-opresources.png and b/docs/src/deployment/openshift/images/ocp-opresources.png differ diff --git a/docs/src/deployment/openshift/images/ocp-uninstall2.png b/docs/src/deployment/openshift/images/ocp-uninstall2.png index c995e920..0a6685af 100644 Binary files a/docs/src/deployment/openshift/images/ocp-uninstall2.png and b/docs/src/deployment/openshift/images/ocp-uninstall2.png differ diff --git a/docs/src/resources/admission.md.tmpl b/docs/src/resources/admission.md.tmpl new file mode 100644 index 00000000..a1db227e --- /dev/null +++ b/docs/src/resources/admission.md.tmpl 
@@ -0,0 +1,188 @@ +# Falcon Admission Controller + +## About FalconAdmission Custom Resource (CR) +Falcon Operator introduces the FalconAdmission Custom Resource (CR) to the cluster. The resource is meant to install, configure, and uninstall the Falcon Admission Controller on the cluster. + +### FalconAdmission CR Configuration using CrowdStrike API Keys +To start the FalconAdmission installation using CrowdStrike API Keys to allow the operator to determine your Falcon Customer ID (CID) as well as pull down the CrowdStrike Falcon Admission Controller image, please create the following FalconAdmission resource to your cluster. + +> [!IMPORTANT] +> You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, required permissions are: +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** + +Example: + +```yaml +apiVersion: falcon.crowdstrike.com/v1alpha1 +kind: FalconAdmission +metadata: + name: falcon-admission +spec: + falcon: + tags: 'test-cluster,dev' + falcon_api: + client_id: PLEASE_FILL_IN + client_secret: PLEASE_FILL_IN + cloud_region: autodiscover + registry: + type: crowdstrike +``` + +### FalconAdmission Reference Manual + +#### Falcon API Settings +| Spec | Description | +| :------------------------- | :------------------------------------------------------------------------------------------------------- | +| falcon_api.client_id | CrowdStrike API Client ID | +| falcon_api.client_secret | CrowdStrike API Client Secret | +| falcon_api.cloud_region | CrowdStrike cloud region (allowed values: autodiscover, us-1, us-2, eu-1, us-gov-1) | +| falcon_api.cid | (optional) CrowdStrike Falcon CID API override | + +#### Admission Controller Configuration Settings +| Spec | Description | +| :---------------------------------- | 
:---------------------------------------------------------------------------------------------------------------------------------------- | +| installNamespace | (optional) Override the default namespace of falcon-kac | +| image | (optional) Leverage a Falcon Admission Controller Sensor image that is not managed by the operator; typically used with custom repositories; overrides all registry settings; might require admissionConfig.imagePullSecrets to be set | +| version | (optional) Enforce particular Falcon Admission Controller version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | +| registry.type | Registry to mirror Falcon Admission Controller (allowed values: acr, ecr, crowdstrike, gcr, openshift) | +| registry.tls.insecure_skip_verify | (optional) Skip TLS check when pushing Falcon Admission to target registry (only for demoing purposes on self-signed openshift clusters) | +| registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates | +| registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | +| registry.acr_name | (optional) Name of ACR for the Falcon Admission push. Only applicable to Azure cloud. (`registry.type="acr"`) | +| resourcequota.pods | (optional) Configure the maximum number of pods that can be created in the falcon-kac namespace | +| admissionConfig.serviceAccount.annotations| (optional) Configure annotations for the falcon-kac service account (e.g. 
for IAM role association) | +| admissionConfig.port | (optional) Configure the port the Falcon Admission Controller Service listens on | +| admissionConfig.containerPort | (optional) Configure the port the Falcon Admission Controller container listens on | +| admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller | +| admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller | +| admissionConfig.disabledNamespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore | +| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller | +| admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller | +| admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller | +| admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller | +| admissionConfig.resources | (optional) Configure the resources of the Falcon Admission Controller | +| admissionConfig.updateStrategy | (optional) Configure the deployment update strategy of the Falcon Admission Controller | + + +#### Falcon Sensor Settings +| Spec | Description | +| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | +| falcon.apd | (optional) Configure Falcon Sensor to leverage a proxy host | +| falcon.aph | (optional) Configure the host Falcon Sensor should leverage for proxying | +| falcon.app | (optional) Configure the port Falcon Sensor should leverage for proxying | +| falcon.billing | (optional) Configure Pay-as-You-Go (metered) billing rather than default billing | +| falcon.provisioning_token | (optional) Configure a 
Provisioning Token for CIDs with restricted AID provisioning enabled | +| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited | +| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) | + +All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user. + +### Auto Proxy Configuration + +{{ template "proxy.tmpl" . }} + +### Image Registry considerations + +Falcon Admission Image is distributed by CrowdStrike through CrowdStrike Falcon registry. Operator supports two modes of deployment: + +#### (Option 1) Use CrowdStrike registry directly + +Does not require any advanced setup. Users are advised to use the following except in their FalconAdmission custom resource definition. + +```yaml +registry: + type: crowdstrike +``` + +Falcon Admission product will then be installed directly from CrowdStrike registry. Any new deployment to the cluster may contact CrowdStrike registry for the image download. + +#### (Option 2) Let operator mirror Falcon Admission Controller image to your local registry + +Requires advanced setup to grant the operator push access to your local registry. The operator will then mirror the Falcon Admission image from CrowdStrike registry to your local registry of choice. +Supported registries are: acr, ecr, gcr, and openshift. Each registry type requires advanced setup enable image push. + +Consult specific deployment guides to learn about the steps needed for image mirroring. 
+ +{{- if ne .Distro "openshift" }} + + - [Deployment Guide for AKS/ACR](../../deployment/azure/README.md) + - [Deployment Guide for EKS/ECR](../../deployment/eks/README.md) + - [Deployment Guide for EKS Fargate](../../deployment/eks-fargate/README.md) + - [Deployment Guide for GKE/GCR](../../deployment/gke/README.md) + - [Deployment Guide for OpenShift](../../deployment/openshift/README.md) +{{- else if eq .Distro "openshift" }} + +- [Deployment Guide for OpenShift](../../README.md) +{{- end }} + +#### (Option 3) Use a custom Image URI + +Image must be available at the specified URI; setting the image attribute will cause registry settings to be ignored. No image mirroring will be leveraged. + +Example: +```yaml +image: myprivateregistry.internal.lan/falcon-admission/falcon-sensor:6.47.0-3003.container.x86_64.Release.US-1 +``` + +### Install Steps +To install Falcon Admission Controller, run the following command to install the FalconAdmission CR: +```sh +{{ .KubeCmd }} create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconadmission.yaml --edit=true +``` + +### Uninstall Steps +To uninstall Falcon Admission Controller simply remove the FalconAdmission resource. The operator will uninstall the Falcon Admission Controller from the cluster. + +```sh +{{ .KubeCmd }} delete falconadmission --all +``` + +### Troubleshooting + +- Falcon Operator modifies the FalconAdmission CR based on what is happening in the cluster. You can get list the CR, Operator Version, and Sensor version by running the following: + + ```sh + $ {{ .KubeCmd }} get falconadmission + NAME OPERATOR VERSION FALCON SENSOR + falcon-admission 0.8.0 6.51.0-3401.container.x86_64.Release.US-1 + ``` + + This is helpful information to use as a starting point for troubleshooting. 
+ You can get more insight by viewing the FalconAdmission CRD in full detail by running the following command: + + ```sh + {{ .KubeCmd }} get falconadmission -o yaml + ``` + +- To review the logs of Falcon Operator: + ```sh + {{ .KubeCmd }} -n falcon-operator logs -f deploy/falcon-operator-controller-manager -c manager + ``` + +- To review the logs of Falcon Admission controller service: + ```sh + {{ .KubeCmd }} logs -n falcon-kac -l "crowdstrike.com/provider=crowdstrike" + ``` + +- To review the currently deployed version of the operator: + ```sh + {{ .KubeCmd }} get falconadmission -A -o=jsonpath='{.items[].status.version}' + ``` + + +### Additional Documentation +End-to-end guide(s) to install Falcon-operator together with FalconAdmission resource. + +{{- if ne .Distro "openshift" }} + - [Deployment Guide for AKS/ACR](../../deployment/azure/README.md) + - [Deployment Guide for EKS/ECR](../../deployment/eks/README.md) + - [Deployment Guide for EKS Fargate](../../deployment/eks-fargate/README.md) + - [Deployment Guide for GKE/GCR](../../deployment/gke/README.md) + - [Deployment Guide for OpenShift](../../deployment/openshift/README.md) +{{- else if eq .Distro "openshift" }} + - [Deployment Guide for OpenShift](../../README.md) +{{- end }} + + + diff --git a/docs/src/resources/container.md.tmpl b/docs/src/resources/container.md.tmpl index 489e5f21..ab43bc93 100644 --- a/docs/src/resources/container.md.tmpl +++ b/docs/src/resources/container.md.tmpl 
@@ -1,6 +1,5 @@ # Falcon Container Sensor - ## About Falcon Container Sensor The Falcon Container sensor for Linux extends runtime security to container workloads in Kubernetes clusters that don’t allow you to deploy the kernel-based Falcon sensor for Linux. The Falcon Container sensor runs as an unprivileged container in user space with no code running in the kernel of the worker node OS. This allows it to secure Kubernetes pods in clusters where it isn’t possible to deploy the kernel-based Falcon sensor for Linux on the worker node, as with AWS Fargate where organizations don’t have access to the kernel and where privileged containers are disallowed. The Falcon Container sensor can also secure container workloads on clusters where worker node security is managed separately. @@ -20,8 +19,8 @@ Falcon Operator introduces FalconContainer Custom Resource to the cluster. The r > [!IMPORTANT] > To start the Falcon Container installation please push the following FalconContainer resource to your cluster. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, minimal required permissions are: -> * Falcon Images Download: Read -> * Sensor Download: Read +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** No other permissions shall be granted to the new API key pair. 
@@ -61,7 +60,6 @@ spec: | registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates | registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | registry.acr_name | (optional) Name of ACR for the Falcon Container push. Only applicable to Azure cloud. (`registry.type="acr"`) | -| registry.ecr_iam_role_arn | (optional) ARN of AWS IAM Role to be assigned to the Injector (only needed when injector runs on EKS Fargate) | | injector.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | injector.listenPort | (optional) Override the default Injector Listen Port of 4433 | | injector.replicas | (optional) Override the default Injector Replica count of 2 | 
@@ -91,14 +89,14 @@ spec: | conditions.["NamespaceReady"] | Displays the most recent reconciliation operation for the Namespace used by the Falcon Container Sensor (Created, Updated, Deleted) | | conditions.["ImageReady"] | Informs about readiness of Falcon Container image. Custom message refers to image URI that will be used during the deployment (Pushed, Discovered) | | conditions.["ImageStreamReady"] | Displays the most recent successful reconciliation operation for the image stream used by the falcon container in openshift environments (created, updated, deleted) | -| conditions.["ServiceAccountReady"] | Displays the most recent sucreconciliation operation for the service account used by the falcon container (created, updated, deleted) | -| conditions.["ClusterRoleReady"] | Displays the most recent sucreconciliation operation for the cluster role used by the falcon container sensor (created, updated, deleted) | -| conditions.["ClusterRoleBindingReady"] | Displays the most recent sucreconciliation operation for the cluster role binding used by the falcon container sensor (created, updated, deleted) | -| conditions.["SecretReady"] | Displays the most recent sucreconciliation operation for the secrets used by the falcon container sensor (created, updated, deleted) | -| conditions.["ConfigMapReady"] | Displays the most recent sucreconciliation operation for the config map used by the falcon container sensor (created, updated, deleted) | -| conditions.["DeploymentReady"] | Displays the most recent sucreconciliation operation for the deployment used by the falcon container sensor injector (created, updated, deleted) | -| conditions.["ServiceReady"] | Displays the most recent sucreconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) | -| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent sucreconciliation operation for the mutating webhook configuration used by the falcon container 
sensor injector (created, updated, deleted) | +| conditions.["ServiceAccountReady"] | Displays the most recent successful reconciliation operation for the service account used by the falcon container (created, updated, deleted) | +| conditions.["ClusterRoleReady"] | Displays the most recent successful reconciliation operation for the cluster role used by the falcon container sensor (created, updated, deleted) | +| conditions.["ClusterRoleBindingReady"] | Displays the most recent successful reconciliation operation for the cluster role binding used by the falcon container sensor (created, updated, deleted) | +| conditions.["SecretReady"] | Displays the most recent successful reconciliation operation for the secrets used by the falcon container sensor (created, updated, deleted) | +| conditions.["ConfigMapReady"] | Displays the most recent successful reconciliation operation for the config map used by the falcon container sensor (created, updated, deleted) | +| conditions.["DeploymentReady"] | Displays the most recent successful reconciliation operation for the deployment used by the falcon container sensor injector (created, updated, deleted) | +| conditions.["ServiceReady"] | Displays the most recent successful reconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) | +| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent successful reconciliation operation for the mutating webhook configuration used by the falcon container sensor injector (created, updated, deleted) | ### Enabling and Disabling Falcon Container injection 
@@ -184,10 +182,6 @@ To uninstall Falcon Container simply remove the FalconContainer resource. The op {{ .KubeCmd }} delete falconcontainers.falcon.crowdstrike.com --all ``` -### Sensor Upgrades - -The current version of the operator will update the Falcon Container Sensor version upon Operator Reconciliation unless `version` is set to a specific tag or update. Note that this will only impact future Sensor injections, and will not cause any changes to running pods. - ### Namespace Reference The following namespaces will be used by Falcon Operator. diff --git a/docs/src/resources/node.md.tmpl b/docs/src/resources/node.md.tmpl index e8ec5b80..e63a5d19 100644 --- a/docs/src/resources/node.md.tmpl +++ b/docs/src/resources/node.md.tmpl @@ -11,8 +11,8 @@ Falcon Operator introduces the FalconNodeSensor Custom Resource (CR) to the clus > [!IMPORTANT] > To start the FalconNodeSensor installation using CrowdStrike API Keys to allow the operator to determine your Falcon Customer ID (CID) as well as pull down the CrowdStrike Falcon Sensor container image, please create the following FalconNodeSensor resource to your cluster. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, required permissions are: -> * Falcon Images Download: Read -> * Sensor Download: Read +> * Falcon Images Download: **Read** +> * Sensor Download: **Read** Example: ```yaml 
@@ -62,7 +62,7 @@ spec: | node.image | (optional) Location of the Falcon Sensor Image. Specify only when you mirror the original image to your own image repository | | node.imagePullPolicy | (optional) Override the default Falcon Container image pull policy of Always | | node.imagePullSecrets | (optional) list of references to secrets to use for pulling image from image_override location. | -| node.terminationGracePeriod | (optional) Kills pod after a specificed amount of time (in seconds). Default is 30 seconds. | +| node.terminationGracePeriod | (optional) Kills pod after a specified amount of time (in seconds). Default is 30 seconds. | | node.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | node.backend | (optional) Configure the backend mode for Falcon Sensor (allowed values: kernel, bpf) | | node.disableCleanup | (optional) Cleans up `/opt/CrowdStrike` on the nodes by deleting the files and directory. | diff --git a/docs/src/templates/eks.tmpl b/docs/src/templates/eks.tmpl index a622f7e3..d59c62df 100644 --- a/docs/src/templates/eks.tmpl +++ b/docs/src/templates/eks.tmpl @@ -11,7 +11,7 @@ Please review [AWS documentation](https://docs.aws.amazon.com/eks/latest/usergui ```sh eksctl utils associate-iam-oidc-provider --region "$AWS_REGION" --cluster "$EKS_CLUSTER_NAME" --approve ``` -{{- else if eq .Distro "eks-fargate" -}} +{{- else if eq .Distro "eks-fargate" }} - Create an EKS Fargate profile for the operator: ```sh eksctl create fargateprofile \ diff --git a/docs/src/templates/eksiam.tmpl b/docs/src/templates/eksiam.tmpl index 5c9c4699..4f7cfd39 100644 --- a/docs/src/templates/eksiam.tmpl +++ b/docs/src/templates/eksiam.tmpl @@ -2,6 +2,11 @@ ## Configuring IAM Role to allow ECR Access on EKS Fargate +### Configure IAM Role for ECR Access for the Sidecar Injector + +
+ Click to expand + When the Falcon Container Injector is installed on EKS Fargate, the following error message may appear in the injector logs: ``` @@ -15,10 +20,13 @@ Conceptually, the following tasks need to be done in order to enable ECR pull fr - Create IAM Policy for ECR image pull - Create IAM Role for the injector -- Assign the IAM Role to the injector (and set-up a proper trust relationship on the role and OIDC indentity provider) +- Assign the IAM Role to the injector (and set-up a proper trust relationship on the role and OIDC identity provider) - Put IAM Role ARN into your Falcon Container resource for re-deployments -### Assigning AWS IAM Role to Falcon Container Injector +#### Assigning AWS IAM Role to Falcon Container Injector + +
+ Click to expand Using `aws`, `eksctl`, and `{{ .KubeCmd }}` command-line tools, perform the following steps: @@ -102,5 +110,112 @@ Using `aws`, `eksctl`, and `{{ .KubeCmd }}` command-line tools, perform the foll ```sh {{ .KubeCmd }} create -f ./my-falcon-container.yaml ``` + +
+
+ +### Configure IAM Role for ECR Access for the Admission Controller + +
+ Click to expand + +When the Falcon Admission Controller is installed on EKS Fargate, you may need to enable ECR access for the admission controller. +Conceptually, the following tasks need to be done in order to enable ECR pull from the admission controller: + +- Create IAM Policy for ECR image pull +- Create IAM Role for the admission controller +- Assign the IAM Role to the admission controller (and set-up a proper trust relationship on the role and OIDC identity provider) +- Put IAM Role ARN into your Falcon Admission resource for re-deployments + +#### Assigning AWS IAM Role to Falcon Admission Controller + +
+ Click to expand + +Using `aws`, `eksctl`, and `{{ .KubeCmd }}` command-line tools, perform the following steps: + +- Set up your shell environment variables + ```sh + export AWS_REGION="insert your region" + export EKS_CLUSTER_NAME="insert your cluster name" + + export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + iam_policy_name="FalconAdmissionEcrPull" + iam_policy_arn="arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${iam_policy_name}" + ``` + +- Create AWS IAM Policy for ECR image pulling + ```sh + cat <<__END__ > policy.json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowImagePull", + "Effect": "Allow", + "Action": [ + "ecr:BatchGetImage", + "ecr:DescribeImages", + "ecr:GetDownloadUrlForLayer", + "ecr:ListImages" + ], + "Resource": "*" + }, + { + "Sid": "AllowECRSetup", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken" + ], + "Resource": "*" + } + ] + } + __END__ + + aws iam create-policy \ + --region "$AWS_REGION" \ + --policy-name ${iam_policy_name} \ + --policy-document 'file://policy.json' \ + --description "Policy to enable Falcon Admission Controller to pull container image from ECR" + ``` + +- Assign the newly created policy to the kubernetes ServiceAccount of Falcon Admission Controller + ```sh + eksctl create iamserviceaccount \ + --name falcon-operator-admission-controller \ + --namespace falcon-kac \ + --region "$AWS_REGION" \ + --cluster "${EKS_CLUSTER_NAME}" \ + --attach-policy-arn "${iam_policy_arn}" \ + --approve \ + --override-existing-serviceaccounts + ``` + +- Verify that the IAM Role (not to be confused with IAM Policy) has been assigned to the ServiceAccount by the previous command: + ```sh + {{ .KubeCmd }} get sa -n falcon-kac falcon-operator-admission-controller -o=jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}' + ``` + +- Delete the previously deployed FalconAdmission resource: + ```sh + {{ .KubeCmd }} delete falconadmission --all + ``` + +- Add Role ARN to your 
FalconAdmission yaml file: + ```yaml + admissionConfig: + serviceAccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::12345678910:role/eksctl-demo-cluster-addon-iamservic-Role1-J78KUNY32R1 + ``` + +- Deploy the FalconAdmission resource with the IAM role changes: + ```sh + {{ .KubeCmd }} create -f ./my-falcon-admission.yaml + ``` + +
+
{{- end -}} diff --git a/docs/src/templates/gkeautopilot.tmpl b/docs/src/templates/gkeautopilot.tmpl index 1d872964..b98c3179 100644 --- a/docs/src/templates/gkeautopilot.tmpl +++ b/docs/src/templates/gkeautopilot.tmpl @@ -40,6 +40,9 @@ The sensor resource limits are only enabled when `backend: bpf`, which is a requ ### Enabling GKE Autopilot +
+ Click to expand + To enable GKE Autopilot and deploy the sensor running in user mode, configure the following settings: 1. Set the backend to run in user mode. @@ -99,4 +102,6 @@ node: value: amd64 ``` +
+ {{- end -}} diff --git a/docs/src/templates/gkenode.tmpl b/docs/src/templates/gkenode.tmpl index ad7b4a0e..6af6e919 100644 --- a/docs/src/templates/gkenode.tmpl +++ b/docs/src/templates/gkenode.tmpl @@ -13,7 +13,12 @@ For example: Because the Falcon Container sensor injector is configured to monitor all namespaces, setting the above labels will ensure that any pod related to k8 control plane and CrowdStrike Falcon are not forwarded to the injector. -## Granting GCP Workload Identity to Falcon Container Injector +## Enabling GCP Workload Identity + +### Enabling GCP Workload Identity for the Falcon Sidecar Injector + +
+ Click to expand The Falcon Container Injector may need [GCP Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to read GCR or Artifact Registry. In many cases, the GCP Workload Identity is assigned or inherited automatically. However if you @@ -30,8 +35,11 @@ Conceptually, the following tasks need to be done in order to enable GCR to pull - Allow Falcon Container to use the newly created Service Account - Put GCP Service Account handle into your Falcon Container resource for re-deployments -### Assigning GCP Workload Identity to Falcon Container Injector +#### Assigning GCP Workload Identity to Falcon Container Injector +
+ Click to expand + Using both `gcloud` and `{{ .KubeCmd }}` command-line tools, perform the following steps: - Set up your shell environment variables @@ -53,12 +61,12 @@ Using both `gcloud` and `{{ .KubeCmd }}` command-line tools, perform the followi --role roles/containerregistry.ServiceAgent ``` -- Allow Falcon Injector to use the newly created GCP Service Account +- Allow Falcon Sidecar Injector to use the newly created GCP Service Account ```sh gcloud iam service-accounts add-iam-policy-binding \ $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ - --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[falcon-system/default]" + --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[falcon-system/falcon-operator-sidecar-sensor]" ``` - Delete the previously deployed FalconContainer resource: @@ -70,7 +78,7 @@ Using both `gcloud` and `{{ .KubeCmd }}` command-line tools, perform the followi ```yaml spec: injector: - sa_annotations: + annotations: iam.gke.io/gcp-service-account: $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com ``` @@ -84,4 +92,81 @@ Using both `gcloud` and `{{ .KubeCmd }}` command-line tools, perform the followi {{ .KubeCmd }} create -f ./my-falcon-container.yaml ``` +
+
+ +### Enabling GCP Workload Identity for the Falcon Admission Controller + +
+ Click to expand + +The Falcon Admission Controller may need [GCP Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) +to read GCR or Artifact Registry. In many cases, the GCP Workload Identity is assigned or inherited automatically. +Conceptually, the following tasks need to be done in order to enable GCR to pull from the injector: + +- Create GCP Service Account +- Grant GCR permissions to the newly created Service Account +- Allow Falcon Admission Controller to use the newly created Service Account +- Put GCP Service Account handle into your Falcon Admission resource for re-deployments + +#### Assigning GCP Workload Identity to Falcon Admission Controller + +
+ Click to expand + +Using both `gcloud` and `{{ .KubeCmd }}` command-line tools, perform the following steps: + +- Set up your shell environment variables + ```sh + GCP_SERVICE_ACCOUNT=falcon-admission-controller + + GCP_PROJECT_ID=$(gcloud config get-value core/project) + ``` + +- Create new GCP Service Account + ```sh + gcloud iam service-accounts create $GCP_SERVICE_ACCOUNT + ``` + +- Grant GCR permissions to the newly created Service Account + ```sh + gcloud projects add-iam-policy-binding $PROJECT_ID \ + --member "serviceAccount:$GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com" \ + --role roles/containerregistry.ServiceAgent + ``` + +- Allow Falcon Admission Controller to use the newly created GCP Service Account + ```sh + gcloud iam service-accounts add-iam-policy-binding \ + $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[falcon-kac/falcon-operator-admission-controller]" + ``` + +- Delete the previously deployed FalconAdmission resource: + ```sh + {{ .KubeCmd }} delete falconadmission --all + ``` + +- Add the newly created Service Account to your FalconAdmission yaml file: + ```yaml + spec: + admissionConfig: + annotations: + iam.gke.io/gcp-service-account: $GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com + ``` + + Do not forget to replace the service account name template with actual name + ```sh + echo "$GCP_SERVICE_ACCOUNT@$GCP_PROJECT_ID.iam.gserviceaccount.com" + ``` + +- Deploy the FalconAdmission resource with the IAM role changes: + ```sh + {{ .KubeCmd }} create -f ./my-falcon-admission.yaml + ``` + +
+
+ {{- end -}} diff --git a/docs/src/templates/presidecar.tmpl b/docs/src/templates/presidecar.tmpl index b6a2144e..75f9998a 100644 --- a/docs/src/templates/presidecar.tmpl +++ b/docs/src/templates/presidecar.tmpl @@ -3,7 +3,7 @@ - Either create or use an existing ACR registry. Make sure to store the ACR registry name in an environment variable. ```sh - ACR_NAME=my-acr-registy-name + ACR_NAME=my-acr-registry-name ``` #### Manual installation of ACR push secret
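Review bot: the `@@ -61,7 +60,6 @@` hunk of the FalconContainer reference table deletes the `registry.ecr_iam_role_arn` row without saying what replaces it for injectors on EKS Fargate; the neighbouring `injector.serviceAccount.annotations` row is the evident successor, so either keep the row marked deprecated with a pointer to that field, or confirm the CRD no longer accepts `registry.ecr_iam_role_arn` and say so, otherwise users upgrading from manifests that set it get no migration guidance.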
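Review bot: the `@@ -184,10 +182,6 @@` hunk removes the "Sensor Upgrades" section entirely, so the page no longer states whether reconciliation still moves the Falcon Container Sensor to a newer image when `version` is not pinned to a tag. If that behaviour is unchanged, the sentence belongs elsewhere on the page (it is the one fact a change-control process needs before enabling the operator); if the behaviour was removed, it deserves a changelog entry rather than a silent deletion.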
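Review bot: in the docs/src/templates/eks.tmpl hunk, dropping the right-hand trim on `{{- else if eq .Distro "eks-fargate" }}` changes the whitespace emitted before the `- Create an EKS Fargate profile for the operator:` bullet; please confirm the rendered output still starts the list on its own line for that branch and that the other branches, which keep their trim markers, render the same way.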
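Review bot: the `@@ -15,10 +20,13 @@` hunk of eksiam.tmpl fixes "indentity" but leaves "set-up a proper trust relationship" in the same bullet; as a verb this should be "set up". The identical wording is copied into the new admission-controller task list in the `@@ -102,5 +110,112 @@` hunk, so fix both.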
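Review bot: in the `@@ -102,5 +110,112 @@` hunk of eksiam.tmpl, the FalconAdmission snippet annotates `admissionConfig.serviceAccount.annotations`, while the matching GKE snippet added to gkenode.tmpl annotates `spec.admissionConfig.annotations`; only one of these can match the CRD, so align both with the real field path (and add the `spec:` parent key here, as the other YAML snippets on the page do). Two smaller points in the same hunk: the policy grants `ecr:BatchGetImage`, `ecr:DescribeImages`, `ecr:GetDownloadUrlForLayer` and `ecr:ListImages` on `"Resource": "*"`, which is wider than a pull-only identity needs; scope those to the repository ARN that holds the admission controller image and keep `*` only for `ecr:GetAuthorizationToken`, which requires it. And the example `eks.amazonaws.com/role-arn: arn:aws:iam::12345678910:role/eksctl-demo-cluster-addon-iamservic-Role1-J78KUNY32R1` should be marked as a placeholder to be replaced with the value printed by the preceding `get sa ... -o=jsonpath` step, since a copied-in example ARN leaves the admission controller unable to assume a role and its image pull denied.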
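Review bot: in the `@@ -53,12 +61,12 @@` hunk of gkenode.tmpl, moving the `roles/iam.workloadIdentityUser` binding from `falcon-system/default` to `falcon-system/falcon-operator-sidecar-sensor` is the right least-privilege direction (the namespace default ServiceAccount no longer inherits the GCP identity), but the page should state that `falcon-operator-sidecar-sensor` is the ServiceAccount the injector Deployment actually runs as, and that the `iam.gke.io/gcp-service-account` annotation set in the later FalconContainer snippet must land on that same ServiceAccount; Workload Identity only exchanges tokens when the binding member and the annotated KSA agree.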
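Review bot: the `@@ -70,7 +78,7 @@` hunk in gkenode.tmpl renames `sa_annotations` to `annotations` directly under `spec.injector`, but the FalconContainer reference table in this same change documents the field as `injector.serviceAccount.annotations`; one of the two paths is wrong, and a user following the GKE page will either hit a validation error or have the annotation pruned as an unknown field and never applied. Align the snippet with the table (or the table with the snippet).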
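Review bot: in the `@@ -84,4 +92,81 @@` hunk of gkenode.tmpl, `gcloud projects add-iam-policy-binding $PROJECT_ID` references `$PROJECT_ID`, but the variable set two steps earlier is `GCP_PROJECT_ID`; with `$PROJECT_ID` unset the positional project argument is empty and gcloud rejects the command, so change it to `$GCP_PROJECT_ID`. Also in this hunk: the intro sentence "in order to enable GCR to pull from the injector" was carried over from the injector section and should read "from the admission controller"; and `roles/containerregistry.ServiceAgent` is broader than the read-only pull the text describes ("to read GCR or Artifact Registry"), so consider the narrower read roles instead (`roles/artifactregistry.reader` for Artifact Registry, `roles/storage.objectViewer` on the GCR storage bucket).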