CrowdStrike Series: How to Install Falcon Sensor Sidecar in Kubernetes

Manish Sharma
5 min read · Jan 24, 2023

Overview

  • The CrowdStrike Falcon Sensor is a sidecar container that is used in conjunction with the CrowdStrike Falcon platform, which is a cloud-native endpoint protection and threat intelligence platform.
  • The Falcon Sensor is responsible for collecting data from the endpoint (such as system events, network activity, and memory images) and sending it to the Falcon platform for analysis and threat detection.
  • The sensor sidecar runs as a daemon on the endpoint and continuously monitors the endpoint for any suspicious activity or malicious behavior. When it detects something suspicious, it sends the relevant data to the Falcon platform for further analysis.
  • The platform then uses machine learning and threat intelligence to determine if the activity is malicious, and if so, takes appropriate action to protect the endpoint.
  • The sensor sidecar also provides additional features such as real-time threat detection, incident response, and forensic analysis.
  • The sensor can also be used to enable features such as hardware-level encryption, malware prevention, and endpoint detection and response (EDR) capabilities.

The Falcon Helm chart provides a pre-configured package of Kubernetes resources that are used to deploy the Falcon Container sensor as a sidecar in Kubernetes pods.

Fig: Falcon Sensor Sidecar Container Deployment

Kubernetes Pre-Requisites

Make sure your Kubernetes environment meets the requirements to deploy the Helm chart:

  • Supported Kubernetes distributions: GKE, EKS, AKS, Rancher K3S, Red Hat OpenShift Container Platform 4.6+
  • You have an x86_64 Kubernetes cluster deployed
  • You have Helm 3.x or later installed
  • The nodes that make up your Kubernetes cluster are running Linux distributions supported by CrowdStrike

Falcon Sensor Helm Chart Pre-Requisites

You should have the following sensor info available, which will be used when deploying the Helm chart:

Falcon Sensor Sidecar Installation

1. Setup Helm Client

Add the CrowdStrike Helm Chart repository

helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
helm repo update
helm repo list

2. Download Falcon Sensor Docker Images Locally

To download the Falcon sensor for Linux image, you must have a Cloud Workload Protection subscription.

2.1 Create an API Key

To download the image from the CrowdStrike repository, you must create a client ID with the required API scope.

To create an API key for Falcon Images Download in CrowdStrike, you can follow these steps:

  1. Log in to the CrowdStrike Falcon console.
  2. Click on the gear icon in the top-right corner and select “Settings.”
  3. In the left-hand menu, select “API Clients.”
  4. Click the “New API Client” button to create a new API client.
  5. Enter a name for the API client, find the “Falcon Images Download” API scope and select READ.
  6. Find the “Sensor Download API” scope and select READ.
  7. Click the “Save” button to create the API client.
  8. After the API client is created, you can see the “API Key” displayed on the screen. You should keep this key secure and use it in your application to access Falcon Images Download functionality.
  9. From the API client created dialog, copy the client ID <YOUR_FALCON_CLIENT_ID> and secret <YOUR_FALCON_CLIENT_SECRET> to a password management or secret management service.

Configure the API client ID and client secret as command line variables:

export FALCON_CLIENT_ID=<YOUR_FALCON_CLIENT_ID>
export FALCON_CLIENT_SECRET=<YOUR_FALCON_CLIENT_SECRET>

Get the CID, including its checksum suffix, from the Sensor Downloads page of the CrowdStrike console (https://falcon.crowdstrike.com/hosts/sensor-downloads):

export FALCON_CID=<YOUR_CID_W_CHECKSUM>

Configure your cloud region variables:

export FALCON_CLOUD_API=<YOUR_CLOUD>
export FALCON_REGION=<YOUR_CLOUD_TAG>
export FALCON_CONTAINER_REGISTRY=<YOUR_REGISTRY>

Your API client and CID checksum are associated with a specific CrowdStrike cloud region. Use the following table to determine which variables to configure for your cloud region:
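Before going further it is worth validating the variables exported above, because a CID without its checksum or a region tag that does not match the API host will only fail later, at the registry token step, with an unhelpful 401. The script below is an added example and not CrowdStrike's or the article author's code. It assumes the CID format (32 hex characters, a dash, a 2-character hex checksum), reuses the guide's own derivation of the registry user name, and carries a region-to-API-host mapping as I know it from the CrowdStrike documentation; confirm that mapping against your own console.

```shell
#!/bin/sh
# Pre-flight checks for the environment variables exported in this guide.
# Added example; the region-to-API-host table is an assumption to confirm for your tenant.

# A CID "with checksum" is 32 hex characters, a dash, and a 2-hex-character checksum.
valid_cid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Same derivation the guide uses for FALCON_ART_USERNAME:
# "fc-" followed by the lowercase CID without the checksum suffix.
registry_username() {
    cid_lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'fc-%s\n' "${cid_lower%%-*}"
}

# Region tag -> API host (assumed mapping). Prints nothing and returns 1 for an unknown tag.
api_host_for_region() {
    case "$1" in
        us-1)     printf 'api.crowdstrike.com\n' ;;
        us-2)     printf 'api.us-2.crowdstrike.com\n' ;;
        eu-1)     printf 'api.eu-1.crowdstrike.com\n' ;;
        us-gov-1) printf 'api.laggar.gcw.crowdstrike.com\n' ;;
        *)        return 1 ;;
    esac
}

# Check FALCON_CID, FALCON_REGION and FALCON_CLOUD_API, print one line per
# problem, and return non-zero if anything failed.
preflight() {
    rc=0
    if ! valid_cid "${FALCON_CID:-}"; then
        echo "FALCON_CID must be the CID *with* checksum (32 hex chars, '-', 2 hex chars)"
        rc=1
    fi
    expected_api=$(api_host_for_region "${FALCON_REGION:-}") || {
        echo "FALCON_REGION '${FALCON_REGION:-}' is not a known region tag"
        rc=1
    }
    if [ -n "$expected_api" ] && [ "${FALCON_CLOUD_API:-}" != "$expected_api" ]; then
        echo "FALCON_CLOUD_API is '${FALCON_CLOUD_API:-}', expected '$expected_api' for region ${FALCON_REGION}"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "preflight OK: registry user will be $(registry_username "$FALCON_CID")"
    fi
    return "$rc"
}

# Run the checks only when invoked as "sh preflight.sh run", so that sourcing
# the file merely defines the functions.
if [ "${1:-}" = run ]; then
    preflight
fi
```

Source the file to reuse `registry_username` in your own scripts, or run it with `run` after the `export` lines above; a non-zero exit means at least one variable needs attention.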

2.2 Get private CrowdStrike registry credentials from API

Get OAuth2 token to interact with the CrowdStrike API:

export FALCON_CS_API_TOKEN=$(curl \
  --data "client_id=${FALCON_CLIENT_ID}&client_secret=${FALCON_CLIENT_SECRET}" \
  --request POST \
  --silent \
  https://${FALCON_CLOUD_API}/oauth2/token | jq -cr '.access_token | values')

Get CrowdStrike registry username and password:

export FALCON_ART_USERNAME="fc-$(echo ${FALCON_CID} | awk '{ print tolower($0) }' | cut -d'-' -f1)"
export FALCON_ART_PASSWORD=$(curl -X GET -s -H "authorization: Bearer ${FALCON_CS_API_TOKEN}" \
  https://${FALCON_CLOUD_API}/container-security/entities/image-registry-credentials/v1 | \
  jq -cr '.resources[].token | values')

2.3 Get CrowdStrike Private Registry Token

Obtain a token to interact with the CrowdStrike private registry:

# The scope must name the sidecar image repository (falcon-container/<region>/release/falcon-sensor);
# a token scoped to the node sensor repository (falcon-sensor/...) cannot list or pull the sidecar image.
export REGISTRY_BEARER=$(curl -X GET -s -u "${FALCON_ART_USERNAME}:${FALCON_ART_PASSWORD}" \
  "https://${FALCON_CONTAINER_REGISTRY}/v2/token?=${FALCON_ART_USERNAME}&scope=repository:falcon-container/${FALCON_REGION}/release/falcon-sensor:pull&service=${FALCON_CONTAINER_REGISTRY}" | \
  jq -r '.token')

2.4 Get container image tags for latest sensor images

Set the sensor type (the sidecar image lives in the falcon-container repository):

# For sidecar deployment:
export SENSORTYPE=falcon-container

Fetch the latest tag:

# Image repository; the path must match the tags/list path used below
export FALCON_SENSOR_IMAGE_REPO="${FALCON_CONTAINER_REGISTRY}/${SENSORTYPE}/${FALCON_REGION}/release/falcon-sensor"

# .tags[-1] takes the last tag the registry returns; check it is the release you intend to roll out
export FALCON_SENSOR_IMAGE_TAG=$(curl -X GET -s -H "authorization: Bearer ${REGISTRY_BEARER}" \
  "https://${FALCON_CONTAINER_REGISTRY}/v2/${SENSORTYPE}/${FALCON_REGION}/release/falcon-sensor/tags/list" | \
  jq -r '.tags[-1]')

2.5 Push Container Images to Private Registry

# Configure your container registry
export MY_INTERNAL_CONTAINER_REGISTRY=<YOUR_INTERNAL_REPOSITORY>

# Configure your sensor repo
export MY_INTERNAL_SENSOR_IMAGE_REPO="${MY_INTERNAL_CONTAINER_REGISTRY}/${SENSORTYPE}"

# Login to the CrowdStrike registry (password passed on stdin so it does not land in shell history)
echo "${FALCON_ART_PASSWORD}" | docker login -u "${FALCON_ART_USERNAME}" --password-stdin ${FALCON_CONTAINER_REGISTRY}

# Login to your internal registry
docker login ${MY_INTERNAL_CONTAINER_REGISTRY}

# Move images to your local registry

## Pull the latest falcon-container sensor image for sidecar deployment
docker pull ${FALCON_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG}

## Tag the image to point to your registry
docker tag ${FALCON_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG} ${MY_INTERNAL_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG}

## Push the image to your registry
docker push ${MY_INTERNAL_SENSOR_IMAGE_REPO}:${FALCON_SENSOR_IMAGE_TAG}

3. Install Falcon Sensor Sidecar for Linux

3.1 Pre-Requisites

  • You must be a cluster administrator to deploy Helm charts to the cluster.
  • When deploying the Falcon Container sensor for Linux, make sure there are no firewall rules blocking communication to the Mutating Webhook. The default port for the Webhook is 4433.
    Note: An error communicating with the Mutating Webhook usually throws a context deadline exceeded error.
  • The Falcon Container sensor for Linux should be deployed to Kubernetes-managed environments, or environments that do not allow node access or installation via a Kubernetes DaemonSet.
  • This deployment requires advanced Helm chart functionality, which may not work with Continuous Delivery tools (GitOps).

Create a namespace for the CrowdStrike Falcon Sensor Injector:

kubectl create namespace falcon-system

NOTE: If your Kubernetes cluster version is 1.22 or earlier, the NamespaceDefaultLabelName feature gate is not enabled, so the namespace does not get its name label automatically. Label it yourself so the injector can match it:

kubectl label namespace falcon-system kubernetes.io/metadata.name=falcon-system

3.2 Install Helm Chart

# Chart reference in the repository added in step 1
export REPO=crowdstrike/falcon-sensor

# To see all the parameters
helm show values ${REPO}

# Install into a customized namespace by running the following command
# (the CID, repository and tag variables were exported in step 2)
helm install falcon-helm ${REPO} \
  -n falcon-system --create-namespace \
  --set node.enabled=false \
  --set container.enabled=true \
  --set falcon.cid="${FALCON_CID}" \
  --set container.image.repository="${MY_INTERNAL_SENSOR_IMAGE_REPO}" \
  --set container.image.tag="${FALCON_SENSOR_IMAGE_TAG}"

OR

To install with memory/CPU requests and limits for the Falcon sensor sidecar:

helm install falcon-helm ${REPO} \
  -n falcon-system --create-namespace \
  --set node.enabled=false \
  --set container.enabled=true \
  --set falcon.cid="${FALCON_CID}" \
  --set container.image.repository="${MY_INTERNAL_SENSOR_IMAGE_REPO}" \
  --set container.image.tag="${FALCON_SENSOR_IMAGE_TAG}" \
  --set container.sensorResources.limits.memory="128Mi" \
  --set container.sensorResources.limits.cpu="100m" \
  --set container.sensorResources.requests.memory="20Mi" \
  --set container.sensorResources.requests.cpu="10m"
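Two things are easy to get wrong at this point: the namespace label rule from section 3.1 depends on the server version, and a successful `helm install` does not by itself prove that the mutating webhook is injecting the sidecar into workload pods. The script below is an added example, not CrowdStrike's or the article author's code. It assumes the injector runs in the falcon-system namespace as in this guide, that the injected sidecar container is called `falcon-container` (an assumption, overridable through FALCON_SIDECAR_NAME; check the spec of one patched pod for the real name), and that the throw-away test pod lands in a namespace the injector watches (your current kubectl context namespace).

```shell
#!/bin/sh
# Post-install checks for the Falcon sidecar injector. Added example; see assumptions above.

# Namespace labelling is only needed on clusters at or below the version the guide names (1.22,
# the NamespaceDefaultLabelName feature gate). Accepts "v1.22.3", "1.24.10-eks-abc",
# "v1.21.14-gke.1" and "v1.22+" style strings.
needs_ns_label() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}   # drop suffixes such as "+" reported by some distributions
    [ "$major" -eq 1 ] && [ "$minor" -le 22 ]
}

# Given the container names of a pod (as printed by
#   kubectl get pod NAME -o jsonpath='{.spec.containers[*].name}'),
# report whether the Falcon sidecar is among them.
sidecar_injected() {
    for name in $1; do
        if [ "$name" = "${FALCON_SIDECAR_NAME:-falcon-container}" ]; then
            return 0
        fi
    done
    return 1
}

# Live checks: need kubectl and cluster access, so they are only run on request.
verify_install() {
    ns=${1:-falcon-system}
    echo "== injector pods in $ns"
    kubectl get pods -n "$ns"
    echo "== mutating webhook configurations"
    kubectl get mutatingwebhookconfigurations

    # serverVersion.gitVersion is the last gitVersion field in the JSON output.
    server=$(kubectl version -o json | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | tail -n 1)
    if needs_ns_label "$server"; then
        echo "server $server: make sure $ns carries kubernetes.io/metadata.name=$ns"
    fi

    # Create a throw-away pod, wait for it, and look at the containers the webhook left in its spec.
    kubectl run falcon-inject-test --image=busybox:1.36 --restart=Never -- sleep 300
    kubectl wait --for=condition=Ready pod/falcon-inject-test --timeout=120s
    containers=$(kubectl get pod falcon-inject-test -o jsonpath='{.spec.containers[*].name}')
    if sidecar_injected "$containers"; then
        echo "sidecar injected: $containers"
    else
        echo "NO sidecar injected (check webhook reachability on port 4433 and namespace labels): $containers"
    fi
    kubectl delete pod falcon-inject-test --wait=false
}

if [ "${1:-}" = run ]; then
    verify_install "${2:-falcon-system}"
fi
```

Run it as `sh verify-falcon.sh run` after the Helm release is up; if the test pod comes back without the sidecar, the "context deadline exceeded" hint from section 3.1 (webhook port blocked) is the first thing to rule out.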

4. Uninstall Falcon Sensor Sidecar Helm Release

helm uninstall falcon-helm -n falcon-system

kubectl delete ns falcon-system

We hope you found this article informative and useful. If you want to stay updated with our latest content, please subscribe to our blog.


Manish Sharma

I am a technology geek & keep pushing myself to learn new skills. I am AWS Solution Architect — Associate, Professional & Terraform Associate Developer certified.