
feat: Add crowdstrike-falcon addon #1350

Merged: 5 commits, Mar 16, 2023

Conversation

@ffalor (Contributor) commented Jan 22, 2023:

What does this PR do?

Add the crowdstrike-falcon partner documentation.

Motivation

Make it easy to bootstrap Falcon in AWS EKS.

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • [n/a] Yes, I have added a new example under examples to support my PR
  • [n/a] Yes, I have created another PR for add-ons under add-ons repo (if applicable)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Below is the result of running the crowdstrike-falcon example:
[screenshot: completed_run]

kubectl output of the operator and KPA:
[screenshot: kubectl]

@ffalor ffalor requested a review from a team as a code owner January 22, 2023 11:56
@ffalor ffalor changed the title feat: add crowdstrike-falcon addon Feat: add crowdstrike-falcon addon Jan 22, 2023
@ffalor ffalor changed the title Feat: add crowdstrike-falcon addon feat: add crowdstrike-falcon addon Jan 22, 2023
@ffalor ffalor changed the title feat: add crowdstrike-falcon addon feat: Add crowdstrike-falcon addon Jan 22, 2023
@shapirov103 left a comment:

@ffalor Thank you for your contribution.

I would like to let you know that with the significant growth of the Terraform EKS Blueprints project, the governing contributors of the repository are freezing activities to onboard new partner add-ons because of the maintenance overhead and limited ability to provide proper quality assurance for the external add-ons.

We are reviewing alternate approaches for the extensibility, that will decouple such add-ons from this repository (with the only potential exception for documentation).

We are considering the AWS Marketplace route for future partner add-on onboarding as well.

Once the new approach becomes available, we will update this PR and documentation with the proper instructions. You can reach out to me directly if you have any questions. My apologies for any inconveniences.

@github-actions (bot, Contributor) commented:

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days.

@github-actions github-actions bot added the stale label Feb 25, 2023
@ffalor (Contributor, Author) commented Feb 28, 2023:

I'll be updating this PR soon to realign with the goals we came up with in our call.

@github-actions github-actions bot removed the stale label Mar 1, 2023
@ffalor ffalor marked this pull request as draft March 7, 2023 18:36
@ffalor ffalor closed this Mar 7, 2023
@ffalor ffalor reopened this Mar 7, 2023
@ffalor (Contributor, Author) commented Mar 7, 2023:

@shapirov103 I believe I updated this PR to include the changes we talked about in our call. This adds a readme that shows how to use the falcon terraform module.

@ffalor ffalor marked this pull request as ready for review March 7, 2023 20:11
@shapirov103 left a comment:

@ffalor looks great and indeed, seems to align with what we discussed. Generally, we run a validation of add-ons to make sure that the customer experience is smooth.

Do you have an example that I can try to make sure it works?

Inline review thread on the README excerpt under review:

You will call the `falcon` module similar to how you would call any other terraform module. The [module documentation](https://github.com/CrowdStrike/terraform-kubectl-falcon) provides a list of all the inputs and outputs.

```hcl
#---------------------------------------------------------------
```

@shapirov103:

@ffalor have you tested this example to make sure it is compatible in that mode?

@ffalor (Contributor, Author):

let me modify the example from my previous PR and I'll add it to my module repo as a full E2E example of how to use this with blueprints. I'll comment back once I have and you can use the same example on your end.

@ffalor (Contributor, Author), Mar 7, 2023:

I've never used the EKS blueprints repo so lmk if I missed something, but my example is based on another example in this repo.

@shapirov103, Mar 15, 2023:

@ffalor your example states "Click Self-Managed Kubernetes Service". However, I also see AWS EKS in the list, which seems to be a more natural choice. Will that path work for the customers?

Also, when doing it at scale, is there a way to reuse a secret across a fleet of clusters (e.g. all production clusters in the account across all regions)? One of the goals of the blueprint is to eliminate any per-cluster configuration and make it fully automatic.

@bryantbiggs (Contributor):

The example provided here is not valid - let's just remove it and use the linked example on line 24 (tl;dr - line 26+ can be deleted).

@ffalor (Contributor, Author), Mar 16, 2023:

@shapirov103 the only reason the instructions on generating a "Self-Managed Kubernetes Services" exist is to get access to the DockerAPIToken that is used to pull the container images required by the helm chart that is deployed. If you follow the instructions for registering AWS EKS clusters that you saw, it would generate scripts that deploy a CFT template that creates a role in each AWS account. This role would be used to discover the clusters, but the KPA agent is still required to be installed via the helm chart. The terraform module is handling the installation of the KPA agent onto the cluster.

The same DockerAPIToken can be used for any number of clusters. It is just a token that is used to pull the container images from our internal registry.

Let me know if I need to clarify anything.

Edit:
You brought up a good point; maybe KPA isn't required for AWS deployments. Let me look into this, because it looks like in order to get KPA working in AWS the only requirement is for a role to exist within an account that CrowdStrike can use to gather information from the cluster, removing the need for KPA to be running on the cluster. This may or may not change how we want to handle KPA on AWS; let me consult my team.

Edit 2:
The KPA agent would still be required on the cluster, so nothing changes. Updated my comment above to reflect this.

@ffalor (Contributor, Author):

@bryantbiggs the example on line 26+ is the exact same example that is linked, just without the required/optional parameters. The goal was to show how you would call our module just like calling the EKS blueprint modules. I was told it would be best not to include anything that could change.

If we are okay with including input variables, I'd be happy to update the example to include only the required input variables that I know will be unlikely to ever change; or, if we just think it's redundant and we should just link to the full example only, that works for me.

Reviewer:

@ffalor understood about the DockerAPIToken. What about cid? Is it something that can be generated from the blueprint?
Use case: need to provision 20 clusters in prod across multiple regions. How do I feed cids? Will it mean accessing your dashboard 20 times and generating a unique cid?

@ffalor (Contributor, Author), Mar 16, 2023:

Good question. A customer will only have a single CID. Some customers may have a multi-CID setup, but even then they would probably still be using a single one. That setup is extremely rare too. CIDs do not change either.

@shapirov103 commented Mar 7, 2023:

@bryantbiggs please take a quick look when you get a chance (can't add you to the reviewers unfortunately). Wanted to make sure that nothing is missed and the add-on will show up in the nav section of the docs.

@bryantbiggs bryantbiggs temporarily deployed to EKS Blueprints Test March 16, 2023 20:45 (GitHub Actions)
@bryantbiggs (Contributor) left a comment:

thank you!

@bryantbiggs bryantbiggs merged commit e7040b6 into aws-ia:main Mar 16, 2023
gminiba pushed a commit to gminiba/terraform-aws-eks-blueprints that referenced this pull request Apr 3, 2023