This repository contains modules that can be used to automate the deployment of the CrowdStrike Falcon Sensor, Falcon Admission Controller (KAC) and the Kubernetes Protection Agent (KPA) on a Kubernetes cluster.
Learn more about each module:
Module | Description |
---|---|
operator | Manages Falcon Sensor and KAC deployments |
operator-openshift | Manages Falcon Sensor and KAC deployments on OpenShift |
k8s-protection-agent | Manages KPA deployment |
You will need to provide CrowdStrike API keys and the CrowdStrike cloud region for the installation. It is recommended to create new API credentials dedicated to this installation at https://falcon.crowdstrike.com/support/api-clients-and-keys; the minimum required scopes are:
Scope Name | Permission |
---|---|
Falcon Images Download | Read |
Sensor Download | Read |
Kubernetes Protection Agent | Write |
Kubernetes Protection | Read and Write |
You also need a CrowdStrike Docker API token and CID. See "How to retrieve your Falcon Docker API Token and CID" for instructions on obtaining both.
No providers.
No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
cid | Customer ID (CID) of the Falcon platform. | string | n/a | yes |
client_id | Falcon API Client Id | string | n/a | yes |
client_secret | Falcon API Client Secret | string | n/a | yes |
cloud | Falcon Cloud Region to use. | string | n/a | yes |
cluster_name | Your Cluster Name | string | n/a | yes |
docker_api_token | Falcon Docker API Token | string | n/a | yes |
environment | Environment or 'Alias' tag | string | "tf_module" | no |
operator_version | Falcon Operator version to deploy. Can be a branch, tag, or commit hash of the falcon-operator repo. | string | "v0.9.1" | no |
sensor_type | Falcon sensor type: FalconNodeSensor or FalconContainer. Requires platform = kubernetes | string | "FalconNodeSensor" | no |
node_sensor_mode | Falcon Node Sensor mode: 'kernel' or 'bpf'. | string | "bpf" | no |
falcon_admission | Whether to deploy the FalconAdmission Custom Resource (CR) to the cluster. | bool | 'true' | no |
platform | Whether to deploy on kubernetes or OpenShift. | string | 'kubernetes' | no |
cleanup | Whether to cleanup resources on destroy. | bool | 'true' | no |
No outputs.
```hcl
provider "aws" {
  region = local.region
}

# Example of using secrets stored in AWS Secrets Manager

data "aws_eks_cluster_auth" "this" {
  # EKS cluster created elsewhere in the root module (module "eks_blueprints")
  name = module.eks_blueprints.eks_cluster_id
}

# The secret lookup was referenced but not declared in the original snippet
data "aws_secretsmanager_secret" "falcon_secrets" {
  name = "falcon-secrets" # placeholder: replace with the name of your secret
}

data "aws_secretsmanager_secret_version" "current" {
  secret_id     = data.aws_secretsmanager_secret.falcon_secrets.id
  version_stage = var.aws_secret_version_stage
}

# var.region, var.aws_secret_version_stage and var.cloud are input variables of the root module
locals {
  cluster_name = "cluster-name"
  region       = var.region
  # The secret string is a JSON object with the keys cid, client_id, client_secret and docker_api_token
  secrets = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)
}

module "crowdstrike_falcon" {
  source  = "CrowdStrike/falcon/kubectl"
  version = "0.4.0"

  cid              = local.secrets["cid"]
  client_id        = local.secrets["client_id"]
  client_secret    = local.secrets["client_secret"]
  cloud            = var.cloud
  cluster_name     = local.cluster_name
  docker_api_token = local.secrets["docker_api_token"]
  platform         = "kubernetes"
}
```
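As an added example (not part of the module's own code), a `variables.tf` for the root module that calls the module above: it declares the input variables the usage example references and, for a caller that also wants to expose the optional sensor inputs, uses Terraform `validation` blocks so that a value outside the set listed in the inputs table fails at plan time rather than at deployment. The variable names and the `AWSCURRENT` default are assumptions.

```hcl
# variables.tf for the root module calling CrowdStrike/falcon/kubectl (added example).

variable "region" {
  description = "AWS region of the EKS cluster and of the Secrets Manager secret"
  type        = string
}

variable "aws_secret_version_stage" {
  description = "Secrets Manager version stage to read"
  type        = string
  default     = "AWSCURRENT" # assumed default; the stage that holds the current secret value
}

variable "cloud" {
  description = "Falcon cloud region to use"
  type        = string
}

variable "sensor_type" {
  description = "FalconNodeSensor or FalconContainer; only applies when platform = kubernetes"
  type        = string
  default     = "FalconNodeSensor"

  # Reject anything other than the two sensor types documented in the inputs table
  validation {
    condition     = contains(["FalconNodeSensor", "FalconContainer"], var.sensor_type)
    error_message = "sensor_type must be FalconNodeSensor or FalconContainer."
  }
}

variable "node_sensor_mode" {
  description = "Falcon node sensor mode: kernel or bpf"
  type        = string
  default     = "bpf"

  # Reject anything other than the two documented modes
  validation {
    condition     = contains(["kernel", "bpf"], var.node_sensor_mode)
    error_message = "node_sensor_mode must be kernel or bpf."
  }
}
```

Pass `var.sensor_type` and `var.node_sensor_mode` to the module block alongside the existing inputs; `terraform validate` reports the error_message for an invalid value before any resource is touched.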