This document will guide you through the installation of the Falcon Operator and deployment of the following custom resources provided by the Falcon Operator:
- FalconAdmission with the Falcon Admission Controller image being mirrored from the CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to the ECR registry.
- FalconContainer with the Falcon Container image being mirrored from the CrowdStrike container registry to ECR (Elastic Container Registry). A new AWS IAM Policy will be created to allow the operator to push to the ECR registry.
- FalconImageAnalyzer with the Falcon Image Analyzer image being pulled from the CrowdStrike container registry.
- FalconNodeSensor custom resource deployed to the cluster.
Important
- The correct CrowdStrike Cloud (not Endpoint) subscription
- CrowdStrike API Key Pair (if installing the CrowdStrike Sensor via the CrowdStrike API)
If you need help creating a new API key pair, review our docs: CrowdStrike Falcon.
Make sure to assign the following permissions to the key pair:
- Falcon Images Download: Read
- Sensor Download: Read
- Set up a new Kubernetes cluster or use an existing one. The EKS cluster that runs Falcon Operator needs to have the IAM OIDC provider installed. The IAM OIDC provider associates AWS IAM roles with EKS workloads. Please review AWS documentation to understand how the IAM OIDC provider works before proceeding.
- Provide the following AWS settings as environment variables:
export AWS_REGION=<my_aws_region>
export EKS_CLUSTER_NAME=<my_cluster_name>
- Install IAM OIDC on the cluster if it is not already installed:
eksctl utils associate-iam-oidc-provider --region "$AWS_REGION" --cluster "$EKS_CLUSTER_NAME" --approve
- Install the Falcon Operator by running the following command:
kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml
After the Falcon Operator has deployed, you can now deploy the Falcon Node Sensor:
- Deploy FalconNodeSensor through the CLI using the kubectl command:
kubectl create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconnodesensor.yaml --edit=true
- Create a new FalconContainer resource
kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/falconcontainer.yaml --edit=true
- Open AWS Cloud Shell: https://console.aws.amazon.com/cloudshell/home
- Install the operator & deploy Falcon Container Sensor
bash -c 'source <(curl -s https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/run)'
Note
This script should be run directly in the Cloud Shell session, as some command line tools may be installed in the process.
- Create a new FalconAdmission resource
kubectl create -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/docs/deployment/eks/falconadmission.yaml --edit=true
After the Falcon Operator has deployed, you can now deploy the Image Analyzer:
- Deploy FalconImageAnalyzer through the CLI using the kubectl command:
kubectl create -n falcon-operator -f https://raw.githubusercontent.com/crowdstrike/falcon-operator/main/config/samples/falcon_v1alpha1_falconimageanalyzer.yaml --edit=true
To upgrade, run the following command:
kubectl apply -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml
If you want to upgrade to a specific version, replace latest with the desired version number in the URL:
VERSION=1.2.3
kubectl apply -f https://github.com/CrowdStrike/falcon-operator/releases/download/${VERSION}/falcon-operator.yaml
Warning
It is essential to uninstall ALL of the deployed custom resources before uninstalling the Falcon Operator to ensure proper cleanup.
Remove the FalconNodeSensor resource by running:
kubectl delete falconnodesensor -A --all
Remove the FalconContainer resource. The operator will then uninstall the Falcon Container Sidecar Sensor from the cluster:
kubectl delete falconcontainers --all
Remove the FalconAdmission resource. The operator will then uninstall the Falcon Admission Controller from the cluster:
kubectl delete falconadmission --all
Remove the FalconImageAnalyzer resource. The operator will then uninstall the Falcon Image Analyzer from the cluster:
kubectl delete falconimageanalyzer --all
Delete the Falcon Operator deployment by running:
kubectl delete -f https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml
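The ordering required by the warning above can be enforced with a small guard, shown here as an added example that is not part of the Falcon Operator project. It refuses to delete the operator while any of the four custom resources named in this guide remain, and also refuses when the cluster cannot be queried. The function names and the KUBECTL override variable are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the Falcon Operator project).
# KUBECTL is an assumed override hook so the guard can be exercised without a cluster.
KUBECTL="${KUBECTL:-kubectl}"

# Resource names exactly as used by the delete commands in this guide.
FALCON_RESOURCES="falconnodesensor falconcontainers falconadmission falconimageanalyzer"
OPERATOR_MANIFEST="https://github.com/crowdstrike/falcon-operator/releases/latest/download/falcon-operator.yaml"

# Print every Falcon custom resource still present, one per line.
# Returns 2 when a query fails, so an unreachable cluster or expired
# credentials are never mistaken for "nothing left to clean up".
remaining_falcon_crs() {
    for _kind in $FALCON_RESOURCES; do
        _out="$("$KUBECTL" get "$_kind" -A -o name 2>/dev/null)" || return 2
        if [ -n "$_out" ]; then
            printf '%s\n' "$_out"
        fi
    done
    return 0
}

# Delete the operator only when no custom resources remain.
# Returns 0 after the delete, 1 if resources remain, 2 if the check itself failed.
safe_uninstall_operator() {
    _left="$(remaining_falcon_crs)" || {
        echo "could not query the cluster; operator left in place" >&2
        return 2
    }
    if [ -n "$_left" ]; then
        echo "custom resources still present; delete these first:" >&2
        printf '%s\n' "$_left" >&2
        return 1
    fi
    "$KUBECTL" delete -f "$OPERATOR_MANIFEST"
}

# Run the guard only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    safe_uninstall_operator
fi
```

Saved as a script and run with `--run`, a non-zero exit status means the operator was left installed.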