Skip to content

Latest commit

 

History

History
114 lines (86 loc) · 4.33 KB

README.md

File metadata and controls

114 lines (86 loc) · 4.33 KB

CrowdStrike FalconPy

Twitter URL

CrowdStrike Kubernetes Protection Agent

Introduction

The Kubernetes Protection Agent provides visibility into the cluster by collecting event information from the Kubernetes layer. These events are correlated to sensor events and cloud events to provide complete cluster visibility.

Prerequisites

  1. You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, minimal required permissions are:

    Scope Name Permission
    Kubernetes Protection Agent Write
    Kubernetes Protection Read and Write

  2. You need a CrowdStrike Docker API Token and CID. See How to retrieve your Falcon Docker API Token and CID for instructions on how to retrieve your Docker API Token and CID.

How to retrieve your Falcon Docker API Token and CID

Using the console
  1. Log in to Falcon Console
  2. Navigate to https://falcon.crowdstrike.com/cloud-security/registration?return_to=eks
  3. Click Register New Kubernetes Cluster
  4. Click Self-Managed Kubernetes Service
  5. Type any value for Cluster Name and click Generate
  6. The generated config will contain both your Docker API Token and CID
Using the helper script

  1. Add the following environment variables with your values.

    export FALCON_CLOUD=api.us-2.crowdstrike.com
export FALCON_CLIENT_ID=123123123
export FALCON_CLIENT_SECRET=12312313

    Note: The scopes mentioned above are required for this script to work.

  2. Run the script.

    curl -L https://raw.githubusercontent.com/crowdStrike/terraform-kubectl-falcon/main/modules/k8s-protection-agent/examples/generate_prerequisites.sh | bash

    Example output

    Docker Access Token: AKSADKLDK
Falcon CCID: AKFJKLAJFLK-0F

Providers

Name Version
helm >= 2.8.0

Inputs

Name Description Type Default Required
cid Customer ID (CID) of the Falcon platform. string n/a yes
client_id Falcon API Client Id string n/a yes
client_secret Falcon API Client Secret string n/a yes
cloud Falcon Cloud Region to use. string n/a yes
cluster_name Your Cluster Name string n/a yes
docker_api_token Falcon Docker API Token string n/a yes

Outputs

No outputs.

Usage

provider "aws" {
  region = local.region
}

# Example of using secrets stored in AWS Secrets Manager
data "aws_eks_cluster_auth" "this" {
  name = module.eks_blueprints.eks_cluster_id
}

data "aws_secretsmanager_secret_version" "current" {
  secret_id     = data.aws_secretsmanager_secret.falcon_secrets.id
  version_stage = var.aws_secret_version_stage
}

locals {
  cluster_name = "cluster-name"
  region       = var.region

  secrets = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)
}

module "crowdstrike_kpa" {
  source = "github.com/CrowdStrike/terraform-kubectl-falcon//modules/k8s-protection-agent?ref=v0.1.0"

  cid              = local.secrets["cid"]
  client_id        = local.secrets["client_id"]
  client_secret    = local.secrets["client_secret"]
  cloud            = var.cloud
  cluster_name     = local.cluster_name
  docker_api_token = local.secrets["docker_api_token"]
}