CrowdStrike Series: How to Install Falcon Sensor Sidecar in Kubernetes
Overview
- The CrowdStrike Falcon Sensor is a sidecar container that is used in conjunction with the CrowdStrike Falcon platform, which is a cloud-native endpoint protection and threat intelligence platform.
- The Falcon Sensor is responsible for collecting data from the endpoint (such as system events, network activity, and memory images) and sending it to the Falcon platform for analysis and threat detection.
- The sensor sidecar runs as a daemon on the endpoint and continuously monitors the endpoint for any suspicious activity or malicious behavior. When it detects something suspicious, it sends the relevant data to the Falcon platform for further analysis.
- The platform then uses machine learning and threat intelligence to determine if the activity is malicious, and if so, takes appropriate action to protect the endpoint.
- The sensor sidecar also provides additional features such as real-time threat detection, incident response, and forensic analysis.
- The sensor can also be used to enable features such as hardware-level encryption, malware prevention, and endpoint detection and response (EDR) capabilities.
The Falcon Helm chart provides a pre-configured package of Kubernetes resources that are used to deploy the Falcon Container sensor as a sidecar in Kubernetes pods.
Kubernetes Pre-Requisites
Make sure your Kubernetes environment meets the requirements to deploy the Helm chart:
- Supported Kubernetes distributions: GKE, EKS, AKS, Rancher K3S, Red Hat OpenShift Container Platform 4.6+
- You have an x86_64 Kubernetes cluster deployed
- You have Helm 3.x or later installed
- The nodes that make up your Kubernetes cluster are running Linux distributions supported by CrowdStrike
Falcon Sensor Helm Chart Pre-Requisites
You should have the following sensor info available, which will be used when deploying the Helm chart:
Falcon Sensor Sidecar Installation
1. Set Up the Helm Client
Add the CrowdStrike Helm chart repository:
helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
helm repo update
helm repo list
2. Download Falcon Sensor Docker Images Locally
To download the Falcon sensor for Linux image, you must have a Cloud Workload Protection subscription.
2.1 Create an API Key
To download the image from the CrowdStrike repository, you must create a client ID with the required API scope.
To create an API key for Falcon Images Download in CrowdStrike, you can follow these steps:
- Log in to the CrowdStrike Falcon console.
- Click on the gear icon in the top-right corner and select “Settings.”
- In the left-hand menu, select “API Clients.”
- Click the “New API Client” button to create a new API client.
- Enter a name for the API client, find the “Falcon Images Download” API scope and select READ.
- Find the “Sensor Download API” scope and select READ.
- Click the “Save” button to create the API client.
- After the API client is created, you can see the “API Key” displayed on the screen. You should keep this key secure and use it in your application to access Falcon Images Download functionality.
- From the API client created dialog, copy the client ID <YOUR_FALCON_CLIENT_ID> and secret <YOUR_FALCON_CLIENT_SECRET> to a password management or secret management service.
Configure the API client ID and client secret as environment variables:
export FALCON_CLIENT_ID=<YOUR_FALCON_CLIENT_ID>
export FALCON_CLIENT_SECRET=<YOUR_FALCON_CLIENT_SECRET>
From the CrowdStrike sensor downloads page (https://falcon.crowdstrike.com/hosts/sensor-downloads), get your CID with checksum:
export FALCON_CID=<YOUR_CID_W_CHECKSUM>
Configure your cloud region variables:
export FALCON_CLOUD_API=<YOUR_CLOUD>
export FALCON_REGION=<YOUR_CLOUD_TAG>
export FALCON_CONTAINER_REGISTRY=<YOUR_REGISTRY>
Your API client and CID checksum are associated with a specific CrowdStrike cloud region. Use the following table to determine which variables to configure for your cloud region:
2.2 Get private CrowdStrike registry credentials from API
Get an OAuth2 token to interact with the CrowdStrike API:
export FALCON_CS_API_TOKEN=$(curl \
--data "client_id=${FALCON_CLIENT_ID}&client_secret=${FALCON_CLIENT_SECRET}" \
--request POST \
--silent \
https://${FALCON_CLOUD_API}/oauth2/token | jq -cr '.access_token | values')
Get the CrowdStrike registry username and password (the username is "fc-" followed by the lowercase CID without its checksum):
export FALCON_ART_USERNAME="fc-$(echo ${FALCON_CID} | awk '{ print tolower($0) }' | cut -d'-' -f1)"
export FALCON_ART_PASSWORD=$(curl -X GET -s -H "authorization: Bearer ${FALCON_CS_API_TOKEN}" \
https://${FALCON_CLOUD_API}/container-security/entities/image-registry-credentials/v1 | \
jq -cr '.resources[].token | values')
2.3 Get CrowdStrike Private Registry Token
Obtain a token to interact with the CrowdStrike private registry. The scope must name the repository you pull in the next steps (the falcon-container sidecar image for your region):
export REGISTRY_BEARER=$(curl -X GET -s -u "${FALCON_ART_USERNAME}:${FALCON_ART_PASSWORD}" \
"https://${FALCON_CONTAINER_REGISTRY}/v2/token?=fc-${FALCON_CID}&scope=repository:falcon-container/${FALCON_REGION}/release/falcon-sensor:pull&service=${FALCON_CONTAINER_REGISTRY}" | \
jq -r '.token')
2.4 Get the container image tag for the latest sensor image
Set the sensor type (falcon-container is the sidecar image):
# For sidecar deployment:
export SENSORTYPE=falcon-container
Set the image repository and fetch the latest tag (the repository path ends in falcon-sensor, the same path queried in tags/list):
export FALCON_SENSOR_IMAGE_REPO="${FALCON_CONTAINER_REGISTRY}/${SENSORTYPE}/${FALCON_REGION}/release/falcon-sensor"
export FALCON_SENSOR_IMAGE_TAG=$(curl -X GET -s -H "authorization: Bearer ${REGISTRY_BEARER}" \
"https://${FALCON_CONTAINER_REGISTRY}/v2/${SENSORTYPE}/${FALCON_REGION}/release/falcon-sensor/tags/list" | \
jq -r '.tags[-1]')
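The export pipelines in 2.2 to 2.4 silently produce an empty string or jq's "null" when an API call fails, and '.tags[-1]' trusts the registry's tag ordering. The following helpers, added here as an example and not part of CrowdStrike's documentation, validate the CID format, derive the registry username the same way the awk/cut pipeline does, and select the newest tag by version number; the sample tags/list response and CID are constructed, and the script assumes POSIX sh with sed, tr, grep and a sort that supports -V.

```shell
#!/bin/sh
# Added helper functions (not CrowdStrike's code) that make the token/tag steps
# above fail loudly instead of silently exporting "" or "null".
# Assumes POSIX sh, sed, tr, grep and a sort that supports -V (GNU coreutils).
set -eu

# Abort if a value the next step depends on is empty or jq's literal "null".
require_nonempty() {
    case "$2" in
        ""|null) echo "ERROR: $1 is empty; check the previous API call" >&2; return 1 ;;
    esac
}

# Validate the CID-with-checksum format (32 hex chars, '-', 2 hex chars) and
# derive the registry username the docs build with awk/cut: "fc-" + lowercase CID.
registry_username_from_cid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$' ||
        { echo "ERROR: '$1' is not a CID with checksum" >&2; return 1; }
    printf 'fc-%s\n' "$(printf '%s' "$1" | cut -d'-' -f1 | tr '[:upper:]' '[:lower:]')"
}

# Pick the newest tag from a /v2/<repo>/tags/list response. The docs use
# jq '.tags[-1]', which assumes the registry returns tags already sorted;
# this compares version numbers instead and needs no jq.
latest_sensor_tag() {
    tag=$(printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"tags"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d '" \t' | grep -v '^$' | sort -V | tail -n 1)
    require_nonempty FALCON_SENSOR_IMAGE_TAG "$tag" && printf '%s\n' "$tag"
}

# Constructed sample response shaped like the registry's tags/list output.
SAMPLE_TAGS_JSON='{"name":"falcon-container/us-1/release/falcon-sensor",
  "tags":["7.04.0-5101.container.x86_64.Release.US-1",
          "6.50.0-3304.container.x86_64.Release.US-1",
          "7.10.0-5308.container.x86_64.Release.US-1"]}'
# Constructed CID; substitute your own <YOUR_CID_W_CHECKSUM>.
SAMPLE_CID='0123456789ABCDEF0123456789ABCDEF-AB'

main() {
    FALCON_ART_USERNAME=$(registry_username_from_cid "$SAMPLE_CID")
    FALCON_SENSOR_IMAGE_TAG=$(latest_sensor_tag "$SAMPLE_TAGS_JSON")
    echo "username=$FALCON_ART_USERNAME tag=$FALCON_SENSOR_IMAGE_TAG"
}
main "$@"
```

To use it with the real registry, pipe the curl response from 2.4 into latest_sensor_tag instead of SAMPLE_TAGS_JSON; a failed call then stops the script rather than exporting a bad tag.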
2.5 Push Container Images to Private Registry
# Configure your container registry
export MY_INTERNAL_CONTAINER_REGISTRY=<YOUR_INTERNAL_REPOSITORY>
# Configure your sensor repo
export MY_INTERNAL_SENSOR_IMAGE_REPO="${MY_INTERNAL_CONTAINER_REGISTRY}/${SENSORTYPE}"
# Login to the CrowdStrike registry
echo $FALCON_ART_PASSWORD | docker login -u $FALCON_ART_USERNAME --password-stdin ${FALCON_CONTAINER_REGISTRY}
# Login to your internal registry
docker login ${MY_INTERNAL_CONTAINER_REGISTRY}
# Move images to your local registry
## Pull the latest falcon-container image for sidecar deployment
docker pull ${FALCON_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG}
## Tag the image to point to your registry
docker tag ${FALCON_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG} ${MY_INTERNAL_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG}
## Push the image to your registry
docker push ${MY_INTERNAL_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG}
3. Install Falcon Sensor Sidecar for Linux
3.1 Pre-Requisites
- You must be a cluster administrator to deploy Helm charts to the cluster.
- When deploying the Falcon Container sensor for Linux, make sure there are no firewall rules blocking communication to the Mutating Webhook. The default port for the Webhook is 4433.
Note: An error communicating with the Mutating Webhook usually surfaces as a context deadline exceeded error.
- The Falcon Container sensor for Linux should be deployed to Kubernetes-managed environments, or environments that do not allow node access or installation via a Kubernetes DaemonSet.
- This deployment requires advanced Helm chart functionality, which may not work with Continuous Delivery tools (GitOps).
Create a namespace for the CrowdStrike Falcon Sensor Injector:
kubectl create namespace falcon-system
NOTE: If your Kubernetes cluster version is 1.22 or earlier, the NamespaceDefaultLabelName feature gate is not enabled, so the namespace does not carry the kubernetes.io/metadata.name label the injector's webhook selector relies on. Label the namespace for the injector manually:
kubectl label namespace falcon-system kubernetes.io/metadata.name=falcon-system
3.2 Install Helm Chart
# Chart reference in the repository added in step 1
export REPO=crowdstrike/falcon-sensor
# To see all the parameters
helm show values ${REPO}
# Install into the namespace created above, using the CID from step 2.1 and the image pushed to your registry in step 2.5
helm install falcon-helm ${REPO} \
-n falcon-system --create-namespace \
--set node.enabled=false \
--set container.enabled=true \
--set falcon.cid="$FALCON_CID" \
--set container.image.repository="$MY_INTERNAL_SENSOR_IMAGE_REPO" \
--set container.image.tag="$FALCON_SENSOR_IMAGE_TAG"
OR
To install with memory/CPU requests and limits for the Falcon sensor sidecar:
helm install falcon-helm ${REPO} \
-n falcon-system --create-namespace \
--set node.enabled=false \
--set container.enabled=true \
--set falcon.cid="$FALCON_CID" \
--set container.image.repository="$MY_INTERNAL_SENSOR_IMAGE_REPO" \
--set container.image.tag="$FALCON_SENSOR_IMAGE_TAG" \
--set container.sensorResources.limits.memory="128Mi" \
--set container.sensorResources.limits.cpu="100m" \
--set container.sensorResources.requests.memory="20Mi" \
--set container.sensorResources.requests.cpu="10m"
4. Uninstall Falcon Sensor Sidecar Helm Release
helm uninstall falcon-helm -n falcon-system
kubectl delete ns falcon-system
We hope you found this article informative and useful. If you want to stay updated with our latest content, please subscribe to our blog.