This repository contains modules that can be used to automate the deployment of the CrowdStrike Falcon Sensor, Falcon Admission Controller (KAC), Falcon Image Analyzer (IAR) and the Kubernetes Protection Agent (KPA) on a Kubernetes cluster.
Learn more about each module:
Module | Description |
---|---|
operator | Manages Falcon Sensor, KAC and IAR deployments |
operator-openshift | Manages Falcon Sensor, KAC and IAR deployments on OpenShift |
k8s-protection-agent | Manages KPA deployment |
You will need to provide CrowdStrike API keys and the CrowdStrike cloud region for the installation. It is recommended to create new API credentials dedicated to the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys; the minimal required permissions are:
Scope Name | Permission |
---|---|
Falcon Images Download | Read |
Sensor Download | Read |
Falcon Container CLI | Write |
Falcon Container Image | Read and Write |
Kubernetes Protection Agent | Write |
Kubernetes Protection | Read and Write |
You also need a CrowdStrike Docker API Token and CID. See "How to retrieve your Falcon Docker API Token and CID" for instructions on retrieving both.
No providers.
No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
admission_controller_manifest_path | n/a | string | "default" | no |
cid | Customer ID (CID) of the Falcon platform. | string | n/a | yes if kpa = true |
cleanup | Whether to clean up resources on destroy. | bool | true | no |
client_id | Falcon API Client Id | string | n/a | yes |
client_secret | Falcon API Client Secret | string | n/a | yes |
cluster_name | Your Cluster Name | string | n/a | yes |
container_sensor_manifest_path | n/a | string | "default" | no |
docker_api_token | Falcon Docker API Token | string | n/a | yes |
environment | Environment or 'Alias' tag | string | "tf_module" | no |
falcon_admission | Whether to deploy the FalconAdmission Custom Resource (CR) to the cluster. | bool | true | no |
cloud | Falcon Cloud Region to use. | string | n/a | no |
iar | Whether to deploy the Falcon Image Analyzer Custom Resource (CR) to the cluster. | bool | true | no |
iar_manifest_path | n/a | string | "default" | no |
kpa | Whether to deploy the Falcon Kubernetes Protection Agent to the cluster. | bool | false | no |
node_manifest_path | n/a | string | "default" | no |
node_sensor_mode | Falcon Node Sensor mode: 'kernel' or 'bpf'. | string | "bpf" | no |
operator_version | Falcon Operator version to deploy. Can be a branch, tag, or commit hash of the falcon-operator repo. | string | "v0.9.1" | no |
platform | Specify whether your cluster is managed by kubernetes or openshift. | string | "kubernetes" | no |
sensor_type | Falcon sensor type: FalconNodeSensor or FalconContainer. | string | "FalconNodeSensor" | no |
No outputs.
```hcl
provider "aws" {
  region = local.region
}

# Example of using secrets stored in AWS Secrets Manager
# Assumed: an EKS cluster created by a module named "eks_blueprints" elsewhere in the configuration.
data "aws_eks_cluster_auth" "this" {
  name = module.eks_blueprints.eks_cluster_id
}

# Secret whose JSON body holds the cid, client_id, client_secret and docker_api_token keys.
# Declared here by name (an assumption); the original example referenced it without declaring it.
data "aws_secretsmanager_secret" "falcon_secrets" {
  name = var.falcon_secret_name
}

data "aws_secretsmanager_secret_version" "current" {
  secret_id     = data.aws_secretsmanager_secret.falcon_secrets.id
  version_stage = var.aws_secret_version_stage
}

variable "region" { type = string }
variable "falcon_region" { type = string }
variable "falcon_secret_name" { type = string }
variable "aws_secret_version_stage" {
  type    = string
  default = "AWSCURRENT" # the stage Secrets Manager assigns to the latest version
}

locals {
  cluster_name  = "cluster-name"
  region        = var.region
  falcon_region = var.falcon_region
  # Decoded once; the values are only passed to the module and never written to outputs.
  secrets = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)
}

module "crowdstrike_falcon" {
  source  = "CrowdStrike/falcon/kubectl"
  version = "0.6.1"

  cid              = local.secrets["cid"]
  client_id        = local.secrets["client_id"]
  client_secret    = local.secrets["client_secret"]
  # Argument name kept from the original example; the inputs table above lists this variable as cloud.
  falcon_region    = local.falcon_region
  cluster_name     = local.cluster_name
  docker_api_token = local.secrets["docker_api_token"]
}
```
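As an added pre-flight check (not part of this module or its examples), the following Python validates that a Secrets Manager secret body like the one decoded above carries the keys the module reads, treats cid as mandatory only when kpa is enabled, and rejects a malformed CID before terraform ever runs. The CID shape (32 hex characters plus an optional -XX checksum) and the sample values are assumptions.

```python
import json
import re

# Keys the module reads from the decoded secret in the usage example above.
REQUIRED_KEYS = ("client_id", "client_secret", "docker_api_token")
# Assumed CID shape: 32 hex characters, optionally followed by "-" and a 2-hex-digit checksum.
CID_RE = re.compile(r"^[0-9a-fA-F]{32}(-[0-9a-fA-F]{2})?$")

# Constructed sample secret body (placeholder values, not real credentials).
SAMPLE_SECRET = json.dumps({
    "cid": "1234567890abcdef1234567890abcdef-12",
    "client_id": "placeholder-client-id",
    "client_secret": "placeholder-client-secret",
    "docker_api_token": "placeholder-docker-token",
})


def validate_falcon_secret(secret_string: str, kpa: bool = False) -> list[str]:
    """Return the problems found in a Secrets Manager secret_string.

    An empty list means the module inputs can be populated from it. cid is
    only mandatory when kpa=True, matching the inputs table above.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret_string is not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["secret_string must decode to a JSON object"]

    problems = []
    required = REQUIRED_KEYS + (("cid",) if kpa else ())
    for key in required:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty key: {key}")
        elif value != value.strip():
            # Stray whitespace from copy/paste is a common cause of auth failures.
            problems.append(f"{key} has leading or trailing whitespace")

    cid = data.get("cid")
    if isinstance(cid, str) and cid.strip() and not CID_RE.match(cid.strip()):
        problems.append("cid is not 32 hex chars with an optional -XX checksum")
    return problems


if __name__ == "__main__":
    for issue in validate_falcon_secret(SAMPLE_SECRET, kpa=True) or ["secret looks usable"]:
        print(issue)
```

Run it against the secret_string fetched with the AWS CLI before `terraform plan`, so a bad secret fails here rather than during the operator rollout.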