From 10035b8d2c4552b9330079017fb99a10eeee1ee3 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Fri, 21 Apr 2023 17:39:26 -0600 Subject: [PATCH] docs: resource docs updates - make resource link better - minor formatting fixes - add missing settings --- README.md | 8 +-- docs/deployment/azure/README.md | 4 +- docs/deployment/eks-fargate/README.md | 4 +- docs/deployment/eks/README.md | 4 +- docs/deployment/gke/README.md | 4 +- docs/deployment/openshift/README.md | 4 +- docs/install_guide.md | 2 +- .../container/README.md | 52 +++++++++++-------- .../node/README.md | 8 ++- 9 files changed, 52 insertions(+), 38 deletions(-) rename docs/{cluster_resources => resources}/container/README.md (89%) rename docs/{cluster_resources => resources}/node/README.md (86%) diff --git a/README.md b/README.md index 4d1e1175..2196d28f 100644 --- a/README.md +++ b/README.md @@ -19,10 +19,10 @@ The CrowdStrike Falcon Operator deploys CrowdStrike Falcon Workload Protection t ## About Custom Resources -| Custom Resource | Description | -| :-------- | :------------ | -| [FalconContainer](docs/cluster_resources/container/README.md) | Manages installation of Falcon Container Sensor on the cluster | -| [FalconNodeSensor](docs/cluster_resources/node/README.md) | Manages installation of Falcon Linux Sensor on the cluster nodes | +| Custom Resource | Description | +| :-------- | :------------ | +| [FalconContainer](docs/resources/container/README.md) | Manages installation of Falcon Container Sensor on the cluster | +| [FalconNodeSensor](docs/resources/node/README.md) | Manages installation of Falcon Linux Sensor on the cluster nodes | ## Installation and Deployment diff --git a/docs/deployment/azure/README.md b/docs/deployment/azure/README.md index 7d277623..2d34079b 100644 --- a/docs/deployment/azure/README.md +++ b/docs/deployment/azure/README.md 
@@ -1,7 +1,7 @@ # Deployment Guide for Azure and AKS This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](../../cluster_resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ACR (Azure Container Registry). -- [FalconNodeSensor](../../cluster_resources/node/README.md) custom resource to the cluster. +- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ACR (Azure Container Registry). +- [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites diff --git a/docs/deployment/eks-fargate/README.md b/docs/deployment/eks-fargate/README.md index 3d9226a1..5932814f 100644 --- a/docs/deployment/eks-fargate/README.md +++ b/docs/deployment/eks-fargate/README.md @@ -1,6 +1,6 @@ # Deployment Guide for EKS Fargate and ECR This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](../../cluster_resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry. +- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry. ## Prerequisites @@ -171,4 +171,4 @@ Using `aws`, `eksctl`, and `kubectl` command-line tools, perform the following s - Deploy the FalconContainer resource with the IAM role changes: ``` kubectl create -f ./my-falcon-container.yaml - ``` \ No newline at end of file + ``` 
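Review bot: the rewritten FalconContainer bullet in docs/deployment/eks-fargate/README.md keeps the typo "opeator" ("A new AWS IAM Policy will be created to allow the opeator to push to ECR registry"); since the line is already being touched to fix the link path, change it to "operator" here, and the identical sentence in docs/deployment/eks/README.md is touched by this patch too and should get the same fix. The second hunk only adds the missing trailing newline after the closing fence, which is fine.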
diff --git a/docs/deployment/eks/README.md b/docs/deployment/eks/README.md index 6fab44bf..97338b21 100644 --- a/docs/deployment/eks/README.md +++ b/docs/deployment/eks/README.md @@ -1,7 +1,7 @@ # Deployment Guide for EKS and ECR This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](../../cluster_resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry. -- [FalconNodeSensor](../../cluster_resources/node/README.md) custom resource to the cluster. +- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the opeator to push to ECR registry. +- [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites diff --git a/docs/deployment/gke/README.md b/docs/deployment/gke/README.md index a6c9c118..454e7870 100644 --- a/docs/deployment/gke/README.md +++ b/docs/deployment/gke/README.md 
@@ -1,7 +1,7 @@ # Deployment Guide for GKE This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](../../cluster_resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created. -- [FalconNodeSensor](../../cluster_resources/node/README.md) custom resource to the cluster. +- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to GCR (Google Container Registry). A new GCP service account for pushing to GCR registry will be created. +- [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. ## Prerequisites diff --git a/docs/deployment/openshift/README.md b/docs/deployment/openshift/README.md index d6e8dbfd..13d4c62f 100644 --- a/docs/deployment/openshift/README.md +++ b/docs/deployment/openshift/README.md 
@@ -1,7 +1,7 @@ # Deployment Guide for OpenShift This document will guide you through the installation of falcon-operator and deployment of either the: -- [FalconContainer](../../cluster_resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). -- [FalconNodeSensor](../../cluster_resources/node/README.md) custom resource to the cluster. +- [FalconContainer](../../resources/container/README.md) custom resource to the cluster with Falcon Container image being mirrored from CrowdStrike container registry to OpenShift ImageStreams (on cluster registry). +- [FalconNodeSensor](../../resources/node/README.md) custom resource to the cluster. You can choose to install the operator and custom resources through the [web console (GUI)](#installing-the-operator-through-the-web-console-gui) or through the [CLI](#installing-the-operator-through-the-cli). If you want to automate the deployment of the operator, the CLI method is recommended. diff --git a/docs/install_guide.md b/docs/install_guide.md index c93dc805..dd2ac5e9 100644 --- a/docs/install_guide.md +++ b/docs/install_guide.md @@ -38,7 +38,7 @@ Installation steps differ based on the Operator Life-cycle Manager (OLM) availab operator-sdk run bundle quay.io/crowdstrike/falcon-operator-bundle:latest --namespace $OPERATOR_NAMESPACE ``` -After the installation concludes, please proceed with deploying either the [Falcon Container Sensor](./cluster_resources/container/README.md) or [Falcon Node Sensor](./cluster_resources/node/README.md) Custom Resource. +After the installation concludes, please proceed with deploying either the [Falcon Container Sensor](./resources/container/README.md) or [Falcon Node Sensor](./resources/node/README.md) Custom Resource. #### Uninstall Steps 
diff --git a/docs/cluster_resources/container/README.md b/docs/resources/container/README.md similarity index 89% rename from docs/cluster_resources/container/README.md rename to docs/resources/container/README.md index d33d1730..f9d14fe6 100644 --- a/docs/cluster_resources/container/README.md +++ b/docs/resources/container/README.md @@ -28,7 +28,7 @@ No other permissions shall be granted to the new API key pair. apiVersion: falcon.crowdstrike.com/v1alpha1 kind: FalconContainer metadata: - name: default + name: falcon-sidecar-sensor spec: falcon: Tags: 'test-cluster,dev' 
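Review bot: renaming the example resource from `name: default` to `name: falcon-sidecar-sensor` is a content change that the commit message ("make resource link better", "minor formatting fixes", "add missing settings") does not mention; add it to the message, and check that the deployment guides, which create the resource from `./my-falcon-container.yaml` and later delete it, use the same name so a reader following both documents does not end up with mismatched names.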
@@ -42,31 +42,28 @@ spec: ### FalconContainer Reference Manual +#### Falcon API Settings +| Spec | Description | +| :------------------------- | :------------------------------------------------------------------------------------------------------- | +| falcon_api.client_id | CrowdStrike API Client ID | +| falcon_api.client_secret | CrowdStrike API Client Secret | +| falcon_api.cloud_region | CrowdStrike cloud region (allowed values: autodiscover, us-1, us-2, eu-1, us-gov-1) | +| falcon_api.cid | (optional) CrowdStrike Falcon CID API override | + +#### Sidecar Injection Configuration Settings | Spec | Description | -| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | -| falcon_api.client_id | CrowdStrike API Client ID | -| falcon_api.client_secret | CrowdStrike API Client Secret | -| falcon_api.cloud_region | CrowdStrike cloud region (allowed values: autodiscover, us-1, us-2, eu-1, us-gov-1) | -| falcon.apd | (optional) Configure Falcon Sensor to leverage a proxy host | -| falcon.aph | (optional) Configure the host Falcon Sensor should leverage for proxying | -| falcon.app | (optional) Configure the port Falcon Sensor should leverage for proxying | -| falcon.billing | (optional) Configure Pay-as-You-Go (metered) billing rather than default billing | -| falcon.provisioning_token | (optional) Configure a Provisioning Token for CIDs with restricted AID provisioning enabled | -| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited | -| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) | +| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | image | (optional) Leverage a Falcon Container Sensor image that is not managed by the operator; 
typically used with custom repositories; overrides all registry settings; might require injector.imagePullSecretName to be set | | version | (optional) Enforce particular Falcon Container version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | -| versionLocking | (optional) Enable/Disable version locking; if disabled, new image versions (matching any specified version string) will be leveraged for future pod injections upon controller reconciliation (default: true) -| registry.type | Registry to mirror Falcon Container (allowed values: acr, ecr, crowdstrike, gcr, openshift) | -| registry.tls.insecure_skip_verify | (optional) Skip TLS check when pushing Falcon Container to target registry (only for demoing purposes on self-signed openshift clusters) | -| registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates -| registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) +| registry.type | Registry to mirror Falcon Container (allowed values: acr, ecr, crowdstrike, gcr, openshift) | +| registry.tls.insecure_skip_verify | (optional) Skip TLS check when pushing Falcon Container to target registry (only for demoing purposes on self-signed openshift clusters) | +| registry.tls.caCertificate | (optional) A string containing an optionally base64-encoded Certificate Authority Chain for self-signed TLS Registry Certificates +| registry.tls.caCertificateConfigMap | (optional) The name of a ConfigMap containing CA Certificate Authority Chains under keys ending in ".tls" for self-signed TLS Registry Certificates (ignored when registry.tls.caCertificate is set) | registry.acr_name | (optional) Name of ACR for the Falcon Container push. Only applicable to Azure cloud. 
(`registry.type="acr"`) | | registry.ecr_iam_role_arn | (optional) ARN of AWS IAM Role to be assigned to the Injector (only needed when injector runs on EKS Fargate) | -| injector.serviceAccount.name | (optional) Name of Service Account to create in falcon-system namespace | | injector.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | | injector.listenPort | (optional) Override the default Injector Listen Port of 4433 | -| injector.replicas | (optional) Override the default Injector Replica count of 2 | +| injector.replicas | (optional) Override the default Injector Replica count of 2 | | injector.tls.validity | (optional) Override the default Injector CA validity of 3650 days | | injector.imagePullPolicy | (optional) Override the default Falcon Container image pull policy of Always | | injector.imagePullSecretName | (optional) Provide a secret containing an alternative pull token for the Falcon Container image | 
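Review bot: this hunk drops the `versionLocking` and `injector.serviceAccount.name` rows from the reference while the commit message only claims to "add missing settings"; if those fields were removed from the CRD, say so in the message, and if they still exist they should stay documented. Two smaller points on lines the hunk already rewrites: the `registry.tls.caCertificate` and `registry.tls.caCertificateConfigMap` rows are re-emitted without the closing `|` that every other row has, and the new `falcon_api.cid` description "CrowdStrike Falcon CID API override" does not say what is being overridden; something like "(optional) CID to use instead of the one looked up via the Falcon API" would make it usable. Since the `falcon_api.client_secret` row is being moved into its own "Falcon API Settings" table, that table is also the natural place to repeat the least-privilege note from the context above ("No other permissions shall be granted to the new API key pair").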
@@ -77,6 +74,17 @@ spec: | injector.disableDefaultNamespaceInjection | (optional) If set to true, disables default Falcon Container injection at the namespace scope; namespaces requiring injection will need to be labeled as specified below | | injector.disableDefaultPodInjection | (optional) If set to true, disables default Falcon Container injection at the pod scope; pods requiring injection will need to be annotated as specified below | +#### Falcon Sensor Settings +| Spec | Description | +| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | +| falcon.apd | (optional) Configure Falcon Sensor to leverage a proxy host | +| falcon.aph | (optional) Configure the host Falcon Sensor should leverage for proxying | +| falcon.app | (optional) Configure the port Falcon Sensor should leverage for proxying | +| falcon.billing | (optional) Configure Pay-as-You-Go (metered) billing rather than default billing | +| falcon.provisioning_token | (optional) Configure a Provisioning Token for CIDs with restricted AID provisioning enabled | +| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited | +| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) | + | Status | Description | | :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | | phase | Current phase of the deployment; either RECONCILING, ERROR, or DONE 
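Review bot: the three proxy rows re-added under "Falcon Sensor Settings" overlap as written: `falcon.apd` "Configure Falcon Sensor to leverage a proxy host" and `falcon.aph` "Configure the host Falcon Sensor should leverage for proxying" both read as the hostname setting. State what `falcon.apd` actually takes (an enable/disable flag versus a host string) so that `apd`, `aph` and `app` are distinguishable, and consider giving `falcon.billing` its allowed values the way `falcon.trace` does.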
@@ -143,7 +151,7 @@ Consult specific deployment guides to learn about the steps needed for image mir #### (Option 3) Use a custom Image URI -Image must be available at the specified URI; setting the image attribute will cause registry settings to be ignored. No image mirroring will be leveraged, and version locking is implied. +Image must be available at the specified URI; setting the image attribute will cause registry settings to be ignored. No image mirroring will be leveraged. Example: ``` @@ -165,11 +173,11 @@ kubectl delete falconcontainers.falcon.crowdstrike.com --all ### Sensor Upgrades -The current version of the operator will update the Falcon Container Sensor version upon Operator Reconciliation, if Version Locking is disabled. Note that this will only impact future Sensor injections, and will not cause any changes to running pods. Version Locking is enabled by default. +The current version of the operator will update the Falcon Container Sensor version upon Operator Reconciliation, if Version Locking is disabled. Note that this will only impact future Sensor injections, and will not cause any changes to running pods. ### Operator Upgrades -The current version of the operator does not support in place upgrades. Users are advised to remove any FalconContainer or FalconNodeSensor Custom Resources, allow the operator to clean up previously deployed resources, uninstall the operator and install the target version, before updating their Custom Resource(s) to reflect any changes introduced ([see Release Notes](../../RELEASE.md)). +The current version of the operator does not support in place upgrades. Users are advised to remove any FalconContainer or FalconNodeSensor Custom Resources, allow the operator to clean up previously deployed resources, uninstall the operator and install the target version, before updating their Custom Resource(s). ### Namespace Reference 
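Review bot: the Sensor Upgrades hunk removes "Version Locking is enabled by default." but keeps "will update the Falcon Container Sensor version upon Operator Reconciliation, if Version Locking is disabled", while the reference table in this same patch no longer lists a `versionLocking` setting; either leave the row and the default statement in place, or rewrite this paragraph so it does not refer to a setting the document no longer shows how to change. In the Operator Upgrades hunk, dropping "([see Release Notes](../../RELEASE.md))" leaves readers with no pointer to what changed between versions; if RELEASE.md was removed or moved, note that in the commit message, otherwise keep the link.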
diff --git a/docs/cluster_resources/node/README.md b/docs/resources/node/README.md similarity index 86% rename from docs/cluster_resources/node/README.md rename to docs/resources/node/README.md index 9c60712e..dbf89a06 100644 --- a/docs/cluster_resources/node/README.md +++ b/docs/resources/node/README.md 
@@ -55,8 +55,14 @@ spec: #### Node Configuration Settings | Spec | Description | | :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | +| node.tolerations | (optional) See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for examples on configuring tolerations | +| node.nodeAffinity | (optional) See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ for examples on configuring nodeAffinity | | node.image | (optional) Location of the Falcon Sensor Image. Specify only when you mirror the original image to your own image repository | -| node.imagePullSecrets | (optional) list of references to secrets in the falcon-system namespace to use for pulling image from image_override location. | +| node.imagePullPolicy | (optional) Override the default Falcon Container image pull policy of Always | +| node.imagePullSecrets | (optional) list of references to secrets to use for pulling image from image_override location. | +| node.terminationGracePeriod | (optional) Kills pod after a specificed amount of time (in seconds). Default is 30 seconds. | +| node.serviceAccount.annotations | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association) | +| node.backend | (optional) Configure the backend mode for Falcon Sensor (allowed values: kernel, bpf) | | node.disableCleanup | (optional) Cleans up `/opt/CrowdStrike` on the nodes by deleting the files and directory. | | node.version | (optional) Enforce particular Falcon Sensor version to be installed (example: "6.35", "6.35.0-13207") |
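Review bot: several new rows in the node reference need wording fixes. `node.imagePullPolicy` says "Override the default Falcon Container image pull policy of Always", copied from the container doc; this resource deploys the Falcon Sensor image (see the `node.image` row), so say "Falcon Sensor image". `node.imagePullSecrets` refers to an "image_override location", but no such field exists in the table; point it at `node.image`. `node.terminationGracePeriod` has the typo "specificed" and "Kills pod after a specificed amount of time" misstates what a termination grace period is; "Seconds the sensor pod is given to shut down on deletion before it is forcibly killed (default: 30)" is accurate. The unchanged `node.disableCleanup` row describes the cleanup action rather than the effect of disabling it; since this hunk is already adding rows around it, flip it to say that setting it to true leaves `/opt/CrowdStrike` on the nodes. The `node.tolerations` row could also note that tolerations are what allow the sensor DaemonSet onto tainted nodes such as control-plane nodes, which is the usual reason to set it.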