CrowdStrike / falcon-helm

Helm Charts for running CrowdStrike Falcon with Kubernetes
https://artifacthub.io/packages/helm/falcon-helm/falcon-sensor
Apache License 2.0
76 stars, 72 forks

Autopilot doesn't support some fields in daemonset #310

Closed luigi-bitonti closed 2 months ago

luigi-bitonti commented 2 months ago

I tried to install Falcon Sensor on GKE Autopilot and this is the output:

Violations details: {"[denied by autogke-default-linux-capabilities]":["linux capability 'SYS_ADMIN,DAC_READ_SEARCH,BPF,PERFMON,SYS_RESOURCE,NET_ADMIN' on container 'falcon-node-sensor' not allowed; Autopilot only allows the capabilities: 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT,SYS_PTRACE'.","linux capability 'SYS_ADMIN,DAC_READ_SEARCH' on container 'init-falconstore' not allowed; Autopilot only allows the capabilities: 'AUDIT_WRITE,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,MKNOD,NET_BIND_SERVICE,NET_RAW,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT,SYS_PTRACE'."],"[denied by autogke-disallow-hostnamespaces]":["enabling hostPID is not allowed in Autopilot.","enabling hostIPC is not allowed in Autopilot.","enabling hostNetwork is not allowed in Autopilot."],"[denied by autogke-disallow-privilege]":["container falcon-node-sensor is privileged; not allowed in Autopilot","container init-falconstore is privileged; not allowed in Autopilot"],"[denied by autogke-no-write-mode-hostpath]":["hostPath volume falconstore in container falcon-node-sensor is accessed in write mode; disallowed in Autopilot."]}

The values are hard-coded in the daemonset template.
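An added pre-flight check, not part of the falcon-helm chart, that reports the same classes of violation as the Autopilot admission error above for a rendered pod spec given as a dict; the allowed-capability list is copied from that error message, and the sample spec and its paths are constructed placeholders.

```python
# Added pre-flight check (not part of the falcon-helm chart): flags the fields that
# the GKE Autopilot admission error rejected. Allowed caps copied from that message.
AUTOPILOT_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT", "SYS_PTRACE",
}

def autopilot_violations(pod_spec):
    """Return findings for a pod spec dict (e.g. the rendered DaemonSet's
    spec.template.spec). An empty list means nothing Autopilot would deny."""
    findings = []
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if pod_spec.get(ns):
            findings.append(f"enabling {ns} is not allowed in Autopilot")
    # Names of volumes backed by hostPath, so writable mounts can be attributed.
    host_paths = {v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        extra = sorted(set(sc.get("capabilities", {}).get("add", [])) - AUTOPILOT_ALLOWED_CAPS)
        if extra:
            findings.append(f"container {c['name']} adds disallowed capabilities: {','.join(extra)}")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths and not m.get("readOnly", False):
                findings.append(f"hostPath volume {m['name']} in container {c['name']} is writable")
    return findings

# Constructed sample spec shaped like the denied DaemonSet (paths are placeholders).
SAMPLE_POD_SPEC = {
    "hostPID": True, "hostIPC": True, "hostNetwork": True,
    "volumes": [{"name": "falconstore", "hostPath": {"path": "/placeholder/falconstore"}}],
    "initContainers": [{
        "name": "init-falconstore",
        "securityContext": {"privileged": True,
                            "capabilities": {"add": ["SYS_ADMIN", "DAC_READ_SEARCH"]}},
    }],
    "containers": [{
        "name": "falcon-node-sensor",
        "securityContext": {"privileged": True, "capabilities": {"add": [
            "SYS_ADMIN", "DAC_READ_SEARCH", "BPF", "PERFMON", "SYS_RESOURCE", "NET_ADMIN"]}},
        "volumeMounts": [{"name": "falconstore", "mountPath": "/placeholder/falconstore"}],
    }],
}

if __name__ == "__main__":
    for finding in autopilot_violations(SAMPLE_POD_SPEC):
        print(finding)
```

Run it against `helm template` output converted to a dict to see what Autopilot will deny before applying the chart.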

redhatrises commented 2 months ago

Hello,

  1. Did you set node.gke.autopilot to true and is your backend set to bpf?
  2. Are you using the latest daemonset sensor image?
  3. Are you using a custom registry? If you are using a custom registry, you will need to work with Google to allow this custom registry to work. Otherwise, it will fail with the above message.

luigi-bitonti commented 2 months ago

Hi,

  1. Yes
  2. Yes
  3. I'm using a custom registry, but I'm using the image that I've pulled from your registry with a key

redhatrises commented 2 months ago

Because you are using a custom registry URL, you need to work with Google to allowlist the use of this registry URL. Until they allowlist the custom registry URL in your account, you will be prevented from deploying and will keep getting the error message stating such.

luigi-bitonti commented 2 months ago

I have already worked with Google to make GKE able to retrieve the Docker image from our private registry. So much so that the same image is correctly downloaded by GKE Standard. The problem is not the download of the image by the Kubernetes cluster (this step happens correctly both in GKE Standard and in GKE Autopilot), but it seems to be related to permissions that are set in the deployment and that are not supported in GKE Autopilot.

redhatrises commented 2 months ago

The permissions that you see in the daemonset have already been allowlisted by Google for GKE Autopilot as part of the partner workload program. See https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-partners

  1. What is the tag of the sensor image that you are deploying? What registry uri did you pull from?
  2. The ability to download the image separately into a GKE autopilot cluster from a custom registry does not mean that the registry has been allowlisted by Google. By default, the CrowdStrike registries are the only allowed configuration for GKE Autopilot by the Google security team. Changing the image field to a custom registry means that the daemonset yaml no longer matches what is allowed. The Google security team needs to then create/update a regex specifically to your account to allow the image field to change to your custom registry. If you can test by using CrowdStrike's registry and not your own custom registry, we can confirm if that is the case.

Also, providing an example values yaml file without CID and Secrets would be helpful.

luigi-bitonti commented 2 months ago

Hi, thanks for the clarification! I opened a case with Google Support to whitelist my repo.