Bash script to deploy latest Node Sensor or Sidecar Injector as DaemonSet and Kubernetes Protection agent pulling all images from the CrowdStrike Registry.

To facilitate quick deployment of recommended CWP resources for testing.

For other deployment methods including hosting sensor in private registry, Terraform, etc., see CrowdStrike documentation and CrowdStrike GitHub.

• Script requires the following commands to be installed:
  • curl
  • jq
  • helm
  • docker, podman, or skopeo
• CrowdStrike API Client created with Falcon Images Download (read), Sensor Download (read), Kubernetes Protection Agent (write), and Kubernetes Protection (read/write) scope assigned.
• Crowdstrike CID (Customer ID) with two-digit checksum
• Cluster name (For KPA deployment)
• If you are using docker, make sure that docker is running locally.

usage: ./falcon-k8s-cluster-deploy.sh

Required Flags:
    -u, --client-id <FALCON_CLIENT_ID>             Falcon API OAUTH Client ID
    -s, --client-secret <FALCON_CLIENT_SECRET>     Falcon API OAUTH Client Secret
    -f, --cid <FALCON_CID_LONG>                    Falcon Customer ID inlcuding 2 digit checksum
    -c, --cluster <K8S_CLUSTER_NAME>               Customer cluster name
Optional Flags:
    -r, --region <FALCON_REGION>     Falcon Cloud
    -v, --version <SENSOR_VERSION>   Specify sensor version to deploy. Default is latest.
    --ebpf                           Deploy Falcon sensor in User - ebpf mode. Default is kernel.
    --sidecar                        Download sidecar-container sensor instead of container sensor
    --skip-kpa                       Skip deployment of KPA 
    --skip-sensor                    Skip deployment of Falcon sensor   
    --runtime                        Use a different container runtime [docker, podman, skopeo]. Default is docker.

Help Options:
    -h, --help display this help message"

Execute the script with the required and relevant input arguments. Script will deploy resources into the current kubeconfig context and will create namespaces falcon-system and falcon-kubernetes-protection.

The node sensor will deploy as a daemonset and automatically protect the host and all containers on the host.

The sidecar sensor will deploy an injector as daemonset. The injector will deploy the sidecar sensor into all newly started pods. Pre-existing workloads must be redeployed to be protected. The pull secret will be deployed into all namespaces at the time of helm chart deployment.

The Kubernetes Protection Agent will be deployed as one pod per cluster.

./falcon-k8s-cluster-deploy.sh \
--client-id <ABCDEFG123456> \
--client-secret <ABCDEFG123456> \
--cid <ABCDEFG123456-78> \
--cluster <myclustername>

./falcon-k8s-cluster-deploy.sh \
--client-id <ABCDEFG123456> \
--client-secret <ABCDEFG123456> \
--cid <ABCDEFG123456-78> \
--cluster <myclustername> \
--sidecar

Settings can be passed to the script through CLI Flags or environment variables:

To uninstall, run the following commands:

helm uninstall falcon-helm -n falcon-system
helm uninstall kpagent -n falcon-kubernetes-protection
kubectl delete ns falcon-system
kubectl delete ns falcon-kubernetes-protection