From c5a9e9df6d5a81259a9befb37f281bcfb7ced70d Mon Sep 17 00:00:00 2001
From: Adrian Wyssmann
Date: Fri, 24 Jan 2025 12:41:34 +0100
Subject: [PATCH 1/2] feat: Make securityContext configurable

Also extend with seccompProfile and capabilities as defaults
---
 .../templates/_helpers.tpl | 4 +-
 .../templates/executor-deployment.yaml | 27 ++++----
 .../templates/job-controller-deployment.yaml | 26 ++++----
 .../values.yaml | 64 +++++++++++++++++++
 4 files changed, 97 insertions(+), 24 deletions(-)

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl b/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl
index 4139c6e8..49ae2dc7 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl
+++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl
@@ -13,11 +13,11 @@ If release name contains chart name it will be used as a full name.
 {{- define "ra-self-hosted.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 40 | trimSuffix "-" }}
-{{- else }}
+{{- else -}}
 {{- $name := default "shra" .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 40 | trimSuffix "-" }}
-{{- else }}
+{{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
index 418b6712..062cb118 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
@@ -23,7 +23,11 @@ spec:
 spec:
 serviceAccountName: {{ include "ra-self-hosted-executor.fullname" . }}
 securityContext:
- fsGroup: 2001
+{{ if .Values.executor.podSecurityContext -}}
+{{ .Values.executor.podSecurityContext | toYaml | indent 8 }}
+{{- else -}}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{- end }}
 {{- if or (.Values.executor.image.pullSecret) (.Values.executor.image.registryConfigJSON) }}
 imagePullSecrets:
 {{ if .Values.executor.image.registryConfigJSON }}
@@ -48,6 +52,7 @@ spec:
 value: {{ .Values.crowdstrikeConfig.clientID }}
 - name: "CLIENT_SECRET"
 value: {{ .Values.crowdstrikeConfig.clientSecret }}
+ {{- end }}
 - name: "STORAGE_ENGINE"
 value: "sqlite"
 - name: "AGENT_RUN_MODE"
@@ -85,11 +90,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
 {{- end }}
 securityContext:
- runAsUser: 1001
- runAsGroup: 2001
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
 containers:
 - name: executor
 image: {{ include "ra-self-hosted-executor.image" . }}
@@ -144,11 +149,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
 {{- end }}
 securityContext:
- runAsUser: 1001
- runAsGroup: 2001
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 19 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
 {{- if .Values.executor.nodeSelector }}
 nodeSelector:
 {{- .Values.executor.nodeSelector | toYaml | nindent 8 }}
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml
index 7bd55458..65309724 100644
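Review bot: The `{{- end }}` added after the `CLIENT_SECRET` env entry in `@@ -48,6 +52,7 @@` appears to have no matching `{{ if }}` anywhere in this commit; the opening `{{ if not .Values.crowdstrikeConfig.clientSecretRef }}` only arrives in PATCH 2/2, so at this commit executor-deployment.yaml has an unbalanced `end` and the chart should fail to render, which breaks bisecting and any intermediate tag. Either drop the line here and add both halves together in the follow-up, or move the whole clientSecretRef change into this commit. The env list this sits in begins and ends outside the hunk.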
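Review bot: `{{ .Values.executor.securityContext | toYaml | indent 19 }}` in `@@ -144,11 +149,11 @@` uses an indent of 19 where its own `else` branch and the three sibling hunks (the executor's first container block and both job-controller blocks) use 12; this looks like a typo. A deeper but consistent indent should still parse as the same nested mapping, so an executor override would render, but as a manifest whose indentation differs from every other securityContext in the chart and is hard to diff; change it to `{{ .Values.executor.securityContext | toYaml | indent 12 }}`. Separately, the container-level `{{ if .Values.executor.securityContext }}` (and its job-controller counterparts) omits the trailing `-}}` that the pod-level branch uses, leaving a blank line between `securityContext:` and its keys in the rendered output; `{{ if .Values.executor.securityContext -}}` would match the pod-level style.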
--- a/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml
@@ -19,7 +19,11 @@ spec:
 checksum/config: {{ include (print $.Template.BasePath "/job-controller-configmap.yaml") . | sha256sum }}
 spec:
 securityContext:
- fsGroup: 2001
+{{ if .Values.jobController.podSecurityContext -}}
+{{ .Values.jobController.podSecurityContext | toYaml | indent 8 }}
+{{- else -}}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{- end }}
 {{- if or (.Values.jobController.image.pullSecret) (.Values.jobController.image.registryConfigJSON) }}
 imagePullSecrets:
 {{ if .Values.jobController.image.registryConfigJSON }}
@@ -73,11 +77,11 @@ spec:
 name: tls
 {{- end }}
 securityContext:
- runAsUser: 1001
- runAsGroup: 2001
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
 containers:
 - name: job-controller
 image: {{ include "ra-self-hosted-job-controller.image" . }}
@@ -131,11 +135,11 @@ spec:
 name: tls
 {{- end }}
 securityContext:
- runAsUser: 1001
- runAsGroup: 2001
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{- else -}}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{- end }}
 {{- if .Values.jobController.nodeSelector }}
 nodeSelector:
 {{- .Values.jobController.nodeSelector | toYaml | nindent 8 }}
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
index 5d201309..680ce278 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
@@ -4,6 +4,26 @@ nameOverride: ""
 fullnameOverride: ""

+podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 2001
+ fsGroup: 2001
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ runAsUser: 1001
+ runAsGroup: 2001
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+
 executor:
 replicaCount: 1
 image:
@@ -47,6 +67,28 @@ executor:
 accessModes:
 - ReadWriteOnce
+ # Use to override the global podSecurityContext
+ # podSecurityContext:
+ # runAsUser: 1001
+ # runAsGroup: 2001
+ # fsGroup: 2001
+ # runAsNonRoot: true
+ # seccompProfile:
+ # type: RuntimeDefault
+
+ # Use to override the global securityContext
+ # securityContext:
+ # runAsUser: 1001
+ # runAsGroup: 2001
+ # runAsNonRoot: true
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ # seccompProfile:
+ # type: RuntimeDefault
+ # capabilities:
+ # drop:
+ # - ALL
+
 logLevel: 3 # log level to be set for the service (1:error, 2:warning, 3:info, 4:debug)
 catalogPerPageRate: 100 # page size per catalog request
@@ -169,6 +211,28 @@ jobController:
 additionalSecretEnvFrom: []

+ # Use to override the global podSecurityContext
+ # podSecurityContext:
+ # runAsUser: 1001
+ # runAsGroup: 2001
+ # fsGroup: 2001
+ # runAsNonRoot: true
+ # seccompProfile:
+ # type: RuntimeDefault
+
+ # Use to override the global securityContext
+ # securityContext:
+ # runAsUser: 1001
+ # runAsGroup: 2001
+ # runAsNonRoot: true
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ # seccompProfile:
+ # type: RuntimeDefault
+ # capabilities:
+ # drop:
+ # - ALL
+
 crowdstrikeConfig:
 region: "autodiscovery" # autodiscovery, us-1, us-2, eu-1, gov1, or gov2
 clientID: ""
From 89f9f2b38c83b0a0256e9215c00c5ed9c06de3b2 Mon Sep 17 00:00:00 2001
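Review bot: The comment `# Use to override the global podSecurityContext` in `@@ -47,6 +67,28 @@` understates what an override does: the templates in this commit pick the per-component map with `if`/`else`, so any value set under `executor.securityContext` replaces the global map wholesale rather than merging into it, and a user who sets only `runAsUser` there silently loses `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `seccompProfile` and the `capabilities.drop: [ALL]` defaults. Say so in the comment, e.g. `# Set to replace (not merge with) the global podSecurityContext for this component; copy every key you still want`, and likewise above the `securityContext` example. The jobController block in `@@ -169,6 +211,28 @@` carries the same two comments and needs the same wording.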
From: Adrian Wyssmann
Date: Mon, 27 Jan 2025 13:37:53 +0100
Subject: [PATCH 2/2] feat: Allow define crowdstrike credentials via secret

---
 .../README.md | 84 +++++++++++++------
 .../templates/executor-deployment.yaml | 21 ++++-
 .../values.yaml | 1 +
 3 files changed, 78 insertions(+), 28 deletions(-)

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/README.md b/helm-charts/falcon-self-hosted-registry-assessment/README.md
index 764223d4..1c825b03 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/README.md
+++ b/helm-charts/falcon-self-hosted-registry-assessment/README.md
@@ -12,30 +12,65 @@ These costs may or may not be offset by the savings for data egress costs incurr

 ## Table of Contents

-- [Supported registries](#supported-registries)
-- [How it works](#how-it-works)
-- [Kubernetes cluster compatibility](#kubernetes-cluster-compatibility)
-- [Requirements](#requirements)
-- [Create a basic config file](#create-a-basic-config-file)
-- [Customize your deployment](#customize-your-deployment)
- - [Create the SHRA namespace](#create-the-shra-namespace)
- - [Configure your CrowdStrike credentials](#configure-your-crowdstrike-credentials)
- - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry)
- - [Configure which registries to scan](#configure-which-registries-to-scan)
- - [Configure your scanning schedules](#configure-your-scanning-schedules)
- - [Optional. Configure which repositories to scan](#optional-configure-which-repositories-to-scan)
- - [Configure persistent data storage](#configure-persistent-data-storage)
- - [Configure temporary storage](#configure-temporary-storage)
- - [Configure SHRA scaling](#configure-shra-scaling-to-meet-your-scanning-needs)
- - [Allow traffic to CrowdStrike servers](#allow-traffic-to-crowdstrike-servers)
- - [Optional. Configure CrowdStrike allow list](#optional-configure-crowdstrike-allow-list)
- - [Optional. Configure gRPC over TLS](#optional-configure-grpc-over-tls)
- - [Optional. Configure HTPP Proxy](#optional-configure-http-proxy)
-- [Forward SHRA Container Logs to Logscale](#forward-shra-container-logs-to-logscale)
-- [Install the SHRA Helm Chart](#install-the-shra-helm-chart)
-- [Update SHRA](#update-shra)
-- [Uninstall SHRA](#uninstall-shra)
-- [Falcon Chart configuration options](#falcon-chart-configuration-options)
+- [CrowdStrike Self-hosted Registry Assessment (SHRA) Helm Chart](#crowdstrike-self-hosted-registry-assessment-shra-helm-chart)
+ - [Table of Contents](#table-of-contents)
+ - [Supported registries](#supported-registries)
+ - [How it works](#how-it-works)
+ - [How SHRA determines if an image is new](#how-shra-determines-if-an-image-is-new)
+ - [Kubernetes cluster compatibility](#kubernetes-cluster-compatibility)
+ - [Requirements](#requirements)
+ - [Create a basic config file](#create-a-basic-config-file)
+ - [Customize your deployment](#customize-your-deployment)
+ - [Create the SHRA namespace](#create-the-shra-namespace)
+ - [Configure your CrowdStrike credentials](#configure-your-crowdstrike-credentials)
+ - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry)
+ - [Download the Falcon sensor pull script](#download-the-falcon-sensor-pull-script)
+ - [List available images](#list-available-images)
+ - [Copy the SHRA images to your registry](#copy-the-shra-images-to-your-registry-1)
+ - [Prepare credentials for your registry](#prepare-credentials-for-your-registry)
+ - [Add registry and image details to the configuration](#add-registry-and-image-details-to-the-configuration)
+ - [Configure which registries to scan](#configure-which-registries-to-scan)
+ - [Amazon Elastic Container Registry (AWS ECR)](#amazon-elastic-container-registry-aws-ecr)
+ - [Azure Container Registry](#azure-container-registry)
+ - [Docker Hub](#docker-hub)
+ - [Docker Registry V2](#docker-registry-v2)
+ - [GitHub](#github)
+ - [GitLab](#gitlab)
+ - [Google Artifact Registry (GAR)](#google-artifact-registry-gar)
+ - [Google Container Registry (GCR)](#google-container-registry-gcr)
+ - [Harbor](#harbor)
+ - [IBM Cloud Registry](#ibm-cloud-registry)
+ - [Jfrog Artifactory](#jfrog-artifactory)
+ - [Mirantis Secure Registry (MCR)](#mirantis-secure-registry-mcr)
+ - [Oracle Container Registry](#oracle-container-registry)
+ - [Red Hat OpenShift](#red-hat-openshift)
+ - [Red Hat Quay.io](#red-hat-quayio)
+ - [Sonatype Nexus](#sonatype-nexus)
+ - [Validate the credentials locally](#validate-the-credentials-locally)
+ - [Apply your changes to the configuration file](#apply-your-changes-to-the-configuration-file)
+ - [Configure your scanning schedules](#configure-your-scanning-schedules)
+ - [Optional. Configure which repositories to scan](#optional-configure-which-repositories-to-scan)
+ - [Configure persistent data storage](#configure-persistent-data-storage)
+ - [Change persistent storage retention](#change-persistent-storage-retention)
+ - [Configure temporary storage](#configure-temporary-storage)
+ - [Configure SHRA scaling to meet your scanning needs](#configure-shra-scaling-to-meet-your-scanning-needs)
+ - [Allow traffic to CrowdStrike servers](#allow-traffic-to-crowdstrike-servers)
+ - [Optional. Configure CrowdStrike allow list](#optional-configure-crowdstrike-allow-list)
+ - [Optional. Configure gRPC over TLS](#optional-configure-grpc-over-tls)
+ - [Option 1. Enable gRPC TLS with Cert Manager](#option-1-enable-grpc-tls-with-cert-manager)
+ - [Option 2. Enable gRPC TLS with custom secret](#option-2-enable-grpc-tls-with-custom-secret)
+ - [Option 3. Enable gRPC TLS with custom certificate files](#option-3-enable-grpc-tls-with-custom-certificate-files)
+ - [Optional. Configure HTTP Proxy](#optional-configure-http-proxy)
+ - [Forward SHRA Container Logs to LogScale](#forward-shra-container-logs-to-logscale)
+ - [Configure SHRA log levels](#configure-shra-log-levels)
+ - [Create the HEC Ingest Connector](#create-the-hec-ingest-connector)
+ - [Start the Kubernetes LogScale Collector in your SHRA namespace](#start-the-kubernetes-logscale-collector-in-your-shra-namespace)
+ - [Review logs in the UI](#review-logs-in-the-ui)
+ - [Configure saved searches to monitor SHRA](#configure-saved-searches-to-monitor-shra)
+ - [Install the SHRA Helm Chart](#install-the-shra-helm-chart)
+ - [Update SHRA](#update-shra)
+ - [Uninstall SHRA](#uninstall-shra)
+ - [Falcon Chart configuration options](#falcon-chart-configuration-options)

 ## Supported registries

@@ -243,6 +278,7 @@ crowdstrikeConfig:
 |:------------------------------------|-----------|:------------------------------------------------------------------------------------------------------|:----------|
 | `crowdstrikeConfig.clientID` | required | The client id used to authenticate the self-hosted registry assessment service with CrowdStrike. | "" |
 | `crowdstrikeConfig.clientSecret` | required | The client secret used to authenticate the self-hosted registry assessment service with CrowdStrike. | "" |
+| `crowdstrikeConfig.clientSecretRef` | optional | Refernce to a secret which contains `clientID` (`CLIENT_ID`) and `clientSecret` (`CLIENT_SECRET`). | ""

 ### Copy the SHRA images to your registry

diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
index 062cb118..045e8c4c 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml
@@ -48,6 +48,7 @@ spec:
 value: "/db"
 - name: "REGION"
 value: {{ .Values.crowdstrikeConfig.region }}
+ {{ if not .Values.crowdstrikeConfig.clientSecretRef }}
 - name: "CLIENT_ID"
 value: {{ .Values.crowdstrikeConfig.clientID }}
 - name: "CLIENT_SECRET"
@@ -65,15 +66,20 @@ spec:
 value: {{ .value }}
 {{- end }}
 {{- end }}
- {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}}
+ {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}}
 envFrom:
 {{- if .Values.registryConfigs }}
 - configMapRef:
 name: {{ include "ra-self-hosted-executor.fullname" . }}
 {{- end }}
- {{- range .Values.executor.additionalSecretEnvFrom }}
+ {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
 - secretRef:
+ {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+ {{- end }}
+ {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+ name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+ {{- end }}
 {{- end }}
 {{- range .Values.executor.additionalCMEnvFrom }}
 - configMapRef:
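Review bot: `{{ if not .Values.crowdstrikeConfig.clientSecretRef }}` in `@@ -48,6 +48,7 @@` lacks the trailing `-}}` that the identical guard in the second container block (`@@ -110,25 +116,32 @@`) has, so the two env lists render differently, with a whitespace-only line left behind here; use `{{ if not .Values.crowdstrikeConfig.clientSecretRef -}}` in both places. The env list this guards continues outside the hunk.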
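Review bot: The envFrom rewrite in `@@ -65,15 +66,20 @@` leaves the executor without credentials in the one configuration the feature is for: the outer guard `{{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}}` was not extended with `.Values.crowdstrikeConfig.clientSecretRef`, so with only `clientSecretRef` set (no registryConfigs, no additional*EnvFrom) `envFrom:` is never emitted while the `CLIENT_ID`/`CLIENT_SECRET` env entries are suppressed. The restructuring is also wrong on its own terms: the old code emitted one `- secretRef:` per `additionalSecretEnvFrom` entry, whereas the new code emits a single `- secretRef:` and renders every entry plus the `name: {{ .Values.crowdstrikeConfig.clientSecretRef }}` line under it, so two entries, or one entry plus `clientSecretRef`, yield repeated `name` keys in one item and Kubernetes will see only one of them. Add `clientSecretRef` to the outer `or`, restore the per-entry range, and emit the secret as its own list item; the second container block in `@@ -110,25 +116,32 @@` has the same two problems and needs the same change. The containers' env blocks extend beyond both hunks.
```yaml
      {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
          envFrom:
          {{/* … unchanged: chart configMapRef for registryConfigs … */}}
          {{- range .Values.executor.additionalSecretEnvFrom }}
          - secretRef:
{{ . | toYaml | indent 16 }}
          {{- end }}
          {{- if .Values.crowdstrikeConfig.clientSecretRef }}
          - secretRef:
              name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
          {{- end }}
          {{/* … unchanged: additionalCMEnvFrom range … */}}
```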
@@ -110,25 +116,32 @@ spec:
 value: "/db"
 - name: "REGION"
 value: {{ .Values.crowdstrikeConfig.region }}
+ {{ if not .Values.crowdstrikeConfig.clientSecretRef -}}
 - name: "CLIENT_ID"
 value: {{ .Values.crowdstrikeConfig.clientID }}
 - name: "CLIENT_SECRET"
 value: {{ .Values.crowdstrikeConfig.clientSecret }}
+ {{- end }}
 - name: "STORAGE_ENGINE"
 value: "sqlite"
 - name: "LOG_LEVEL"
 value: {{ .Values.executor.logLevel | quote }}
 - name: "CATALOG_PER_PAGE_RATE"
 value: {{ .Values.executor.catalogPerPageRate | quote }}
- {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}}
+ {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom ) -}}
 envFrom:
 {{- if .Values.registryConfigs }}
 - configMapRef:
 name: {{ include "ra-self-hosted-executor.fullname" . }}
 {{- end }}
- {{- range .Values.executor.additionalSecretEnvFrom }}
+ {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}}
 - secretRef:
+ {{- range .Values.executor.additionalSecretEnvFrom }}
 {{ . | toYaml | indent 16 }}
+ {{- end }}
+ {{- if .Values.crowdstrikeConfig.clientSecretRef }}
+ name: {{ .Values.crowdstrikeConfig.clientSecretRef }}
+ {{- end }}
 {{- end }}
 {{- range .Values.executor.additionalCMEnvFrom }}
 - configMapRef:
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
index 680ce278..3a375c6f 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
@@ -235,6 +235,7 @@ jobController:

 crowdstrikeConfig:
 region: "autodiscovery" # autodiscovery, us-1, us-2, eu-1, gov1, or gov2
+ # clientSecretRef: "" # use that instead `clientID` and `clientSecret`
 clientID: ""
 clientSecret: ""