CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

falcon-container-sensor-pull.sh: image pulled for kpagent isn't latest #226

Closed davidronk closed 8 months ago

davidronk commented 8 months ago

When pulling the latest kpagent via falcon-container-sensor-pull.sh it is sorting alphabetically instead of numerically to determine "latest".

> ./falcon-container-sensor-pull.sh --client-id $FALCON_CLIENT_ID --client-secret $FALCON_CLIENT_SECRET --cid $FALCON_CID --region us-gov-1 --type kpagent --list-tags
{
  "name" : "kpagent",
  "tags" : [ "0.1473.0",
"0.248.0",
"0.43.24",
"0.43.8",
"0.447.0",
"0.457.0",
"0.585.0",
"0.69.1",
"0.69.2",
"0.69.3" ]
}

The script is pulling 0.69.3 but it needs to pull 0.1473.0.

The latest version per https://github.com/CrowdStrike/falcon-helm/blob/main/helm-charts/cs-k8s-protection-agent/Chart.yaml > appVersion is "0.1474.0" (although the latest available via helm is 0.1473.0):

> helm search repo kpagent-helm -l
NAME                                    CHART VERSION   APP VERSION DESCRIPTION
kpagent-helm/cs-k8s-protection-agent    0.1473.0        0.1473.0    A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.585.0         0.585.0     A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.457.0         0.457.0     A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.447.0         0.447.0     A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.248.0         0.248.0     A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.69.3          0.69.3      A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.69.2          0.69.2      A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.69.1          0.69.1      A Helm chart for Crowdstrike Kubernetes Protect...
kpagent-helm/cs-k8s-protection-agent    0.43.8          0.43.8      A Helm chart for Crowdstrike Kubernetes Protect...

This is the full command I'm using:

> falcon-container-sensor-pull.sh \
      --client-id $FALCON_CLIENT_ID \
      --client-secret $FALCON_CLIENT_SECRET \
      --cid $FALCON_CID \
      --region us-gov-1 \
      --type kpagent \
      --runtime skopeo \
      --copy <my_registry>

carlosmmatos commented 8 months ago

@davidronk - thanks for opening up the issue. I'm working on a fix right now.

davidronk commented 8 months ago

@carlosmmatos - Verified this works for docker runtime but using --runtime skopeo still results in 0.69.3 being copied for kpagent. It looks like it does its own thing for listing tags? I'm running this in a CI environment and using docker isn't viable.
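
The ordering problem reported in this thread, reproduced as an added example (not part of any comment above and not code from falcon-container-sensor-pull.sh or PR #236). The function names are hypothetical; the tag list is the `--list-tags` output quoted in the report. The last function is a guard a CI job could run before copying an image, whatever runtime selected the tag.

```bash
#!/bin/sh
# Added example: NOT code from falcon-container-sensor-pull.sh.
# Function names are hypothetical. TAGS_JSON is the --list-tags output
# quoted in the issue report.

TAGS_JSON='{
  "name" : "kpagent",
  "tags" : [ "0.1473.0",
"0.248.0",
"0.43.24",
"0.43.8",
"0.447.0",
"0.457.0",
"0.585.0",
"0.69.1",
"0.69.2",
"0.69.3" ]
}'

# Print every MAJOR.MINOR.PATCH tag found in the JSON, one per line.
extract_tags() {
  printf '%s\n' "$1" | grep -oE '"[0-9]+\.[0-9]+\.[0-9]+"' | tr -d '"'
}

# The reported behaviour: a plain string sort ranks "0.69.3" above "0.1473.0"
# because '6' sorts after '1' character by character.
latest_lexical() {
  extract_tags "$1" | LC_ALL=C sort | tail -n 1
}

# Compare each dot-separated field as an integer (POSIX sort keys).
latest_numeric() {
  extract_tags "$1" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# CI guard: succeed only if the tag about to be copied is the numeric maximum.
is_latest_tag() {
  want=$(latest_numeric "$2")
  [ -n "$want" ] && [ "$1" = "$want" ]
}

echo "lexical sort picks: $(latest_lexical "$TAGS_JSON")"
echo "numeric sort picks: $(latest_numeric "$TAGS_JSON")"
is_latest_tag "0.69.3" "$TAGS_JSON" || echo "0.69.3 is not the newest tag" >&2
```
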

carlosmmatos commented 8 months ago

I actually brought this up today. For now list tags seems to only support docker. I'm going to look into podman and skopeo tomorrow.

carlosmmatos commented 8 months ago

@davidronk - PR #236 should allow this to work now for all runtimes. Just waiting for a review.

davidronk commented 8 months ago

Thank you for these fixes! Works great now!

carlosmmatos commented 8 months ago

Thanks - glad it's working for you!