As Kubernetes becomes increasingly integral to production environments, cyber adversaries are likewise becoming more skilled in cloud-native exploitation. According to the CrowdStrike 2024 Global Threat Report, cases involving exploitation of cloud services increased by 110% in 2023, far outpacing non-cloud cases, which grew only 60% year-over-year.
CrowdStrike helps organizations stay ahead of these evolving adversaries by providing breach prevention solutions that span endpoints, Kubernetes, clouds, data and identity in the consolidated CrowdStrike Falcon® platform.
This article covers the following:
- CrowdStrike Falcon Platform architecture
- CrowdStrike Falcon Platform operator
- Installing Red Hat OpenShift Certified Falcon operator
Falcon platform architecture
The Falcon platform was designed to better protect against breaches and empower security teams. The lightweight Falcon sensor helps detect and prevent known and zero-day attacks, and the cloud-delivered Falcon platform consolidates dozens of cloud security capabilities, regularly processing trillions of telemetry events every day. This means there's very little for administrators to manage. Specifically, for Red Hat OpenShift, the Falcon platform offers better runtime protection against advanced adversaries, and helps protect both container workloads and the underlying Red Hat Enterprise Linux CoreOS operating system.
Why CrowdStrike developed an operator
Ease of deployment is a core tenet of CrowdStrike: The easier it is to deploy security software, the more likely an organization is to use it effectively. In the Kubernetes ecosystem, operators are the de facto packaging mechanism to simplify both the "Day 1" deployment and "Day 2" maintenance of software.
The CrowdStrike Falcon operator automates these tasks during initial deployment:
- Getting registry credentials from the CrowdStrike API and creating a corresponding registry Secret
- Creating a DaemonSet for the Falcon sensor to be deployed to all nodes
- Optionally, deploying Falcon Admission Controller for cluster-level security
Plus, the Falcon operator performs these lifecycle tasks:
- Redeploys the Falcon sensor when sensor configurations have changed
- Correlates your CrowdStrike Customer ID (CID) based on the provided CrowdStrike API credentials
- Redeploys the Falcon admission controller when a change has occurred
Finally, future areas of potential enhancement include:
- Verifying that the certified operator is being installed when deploying on OpenShift
- Automatically renewing certificates when cert-manager.io is deployed
The Falcon operator streamlines a number of tasks, making it easier to maintain a more consistent security posture across your Kubernetes fleet.
Installation steps
Prerequisites
- OpenShift 4.x Cluster
- CrowdStrike Falcon® Cloud Security subscription. Reach out to redhat@crowdstrike.com if you'd like to trial this. (Please use your company email address and provide background on the clusters you want to protect)
Step 1: Create a CrowdStrike API client for the Falcon operator
- Log in to the CrowdStrike website
- Navigate to the API Clients and Keys page (Support and resources > Resources and tools > API Clients and Keys)
- Click Create API client
- Enter details to define your API client:
- Client Name (required)
- Description (optional)
- API Scopes (required):
- Select Falcon Images Download with read permission
- Select Sensor Download with read permission
- Click Create to save the API client and generate the client ID and secret
Step 2: Install the CrowdStrike Falcon operator from OperatorHub
- Log in to the OpenShift cluster
- Navigate to Operators > OperatorHub
- Search for "Falcon Operator" and select the tile offered by the Marketplace. Click "Install"
- By default, the Falcon operator installs in the falcon-operator namespace. Continue with the default settings and click "Install"
- On the screen, you will see a confirmation indicating that the Falcon operator is "ready for use"
- Click on "View Operator" to proceed
Step 3: Deploy FalconNodeSensor resource
The FalconNodeSensor resource manages the installation of the Falcon sensor on the OpenShift control plane and worker nodes.
- Navigate to Installed Operators > CrowdStrike Falcon Platform - Operator
- In the Falcon Node Sensor tile, select "Create instance"
- Choose the YAML view and fill in your client_id and client_secret
- Fill in namespace: falcon-operator
- Click "Create"
- Wait until the Status updates to "Success"
- Switch to the Workloads > DaemonSets view and verify the falcon-node-sensor resource shows "X of X pods" (where X is the number of nodes in your cluster)
Step 4: Deploy the FalconAdmission resource
The FalconAdmission resource manages deployment of the Falcon Admission Controller on the cluster, which prevents noncompliant workloads from being deployed.
- Navigate to Installed Operators > CrowdStrike Falcon Platform - Operator
- In the Falcon Admission tile, select "Create instance"
- Choose the YAML view and fill in your client_id and client_secret
- Click "Create"
- By default, Falcon Admission is deployed in the falcon-kac namespace
- Select "Project: falcon-kac"
- Switch to the Workloads > Pods view and verify the two falcon-admission-* pods are running
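The manifests and rollout check behind Steps 3 and 4, as an added shell example that is not the article's or the falcon-operator project's own code. It assumes the operator's falcon.crowdstrike.com/v1alpha1 API with spec.falcon_api.{client_id, client_secret, cloud_region}, the registry.type value crowdstrike for FalconAdmission, and that the sensor DaemonSet lands in the falcon-operator namespace as the article states; confirm the field names on your cluster with oc explain falconnodesensor.spec before use.

```shell
# Render the FalconNodeSensor manifest from Step 3 (assumed CRD fields). Credentials are
# passed as arguments so nothing is hardcoded; the namespace follows the article.
render_node_sensor() {   # usage: render_node_sensor <client_id> <client_secret>
  cat <<EOF
apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconNodeSensor
metadata:
  name: falcon-node-sensor
  namespace: falcon-operator
spec:
  falcon_api:
    client_id: "$1"
    client_secret: "$2"
    cloud_region: autodiscover
  node: {}
  falcon: {}
EOF
}
# Render the FalconAdmission manifest from Step 4 (deploys into falcon-kac by default).
render_admission() {   # usage: render_admission <client_id> <client_secret>
  cat <<EOF
apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconAdmission
metadata:
  name: falcon-admission
spec:
  falcon_api:
    client_id: "$1"
    client_secret: "$2"
    cloud_region: autodiscover
  registry:
    type: crowdstrike
EOF
}
# True when a DaemonSet shows "X of X pods": every node that should run the sensor does.
ds_complete() {   # usage: ds_complete <desiredNumberScheduled> <numberReady>
  [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}
# Live flow: apply both resources, then poll the sensor DaemonSet the way Step 3 checks it.
deploy_falcon() {   # needs FALCON_CLIENT_ID and FALCON_CLIENT_SECRET in the environment
  render_node_sensor "$FALCON_CLIENT_ID" "$FALCON_CLIENT_SECRET" | oc apply -f -
  render_admission "$FALCON_CLIENT_ID" "$FALCON_CLIENT_SECRET" | oc apply -f -
  for _ in $(seq 1 30); do
    set -- $(oc get daemonset falcon-node-sensor -n falcon-operator \
      -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}')
    if ds_complete "${1:-0}" "${2:-0}"; then echo "sensor ready on $2 nodes"; return 0; fi
    sleep 10
  done
  echo "falcon-node-sensor DaemonSet did not reach X of X pods" >&2; return 1
}
```

Run deploy_falcon from a shell that is already logged in with oc and has the two credential variables exported; the render functions can also be piped to a file if you prefer to review the YAML first.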
Stop a simulated breach
To observe Falcon protection in action, install the vulnapp example vulnerable application. This application allows you to trigger malicious behavior inside a container from a web browser. You can find the source for vulnapp on GitHub.
However, because the Falcon platform learns which applications are malicious, you may need to exclude the vulnerable application from monitoring to make sure it runs.
Step 1: Exclude the vulnerable application from detections
- Log in to the CrowdStrike console
- In the Falcon console, navigate to Endpoint security > Configure > Exclusions
- Click "Create exclusion"
- Select "All hosts" or follow the instructions to create a new group for the OpenShift nodes
- Exclude from: Detections and preventions
- Exclusion pattern: /shell2http
- Click "Create exclusion"
Step 2: Install vulnerable testing application
Note that these steps expose vulnapp on a public route.
- Create a new project for the application: oc new-project vulnapp
- Deploy the application: oc apply -f https://raw.githubusercontent.com/crowdstrike/vulnapp/main/vulnerable.openshift.yaml
- Retrieve the web address by running the following command: oc get route vulnapp
- Open the application using the web address, then select "/rootkit" to trigger a detection. (This script will change the group owner of /etc/ld.so.preload to 0, indicative of a Jynx rootkit)
- In the Falcon console, navigate to Endpoint security > Monitor > Endpoint detections to view the detection
- Select the Severity box on the left-hand side of the dashboard to view the details of the detection
- In the screenshot, you can see the chgrp command from coreutils being used to change the group ownership to 0 (root group) for the /etc/ld.so.preload file
Conclusion
You have successfully installed the CrowdStrike Falcon operator on your OpenShift 4.x cluster and deployed an example application to test detections.
Visit crowdstrike.com/redhat to learn about all of the ways CrowdStrike integrates with Red Hat Enterprise Linux, Red Hat OpenShift and Red Hat Ansible Automation Platform.
About the authors
Specializing in end-to-end infrastructure to deployment of containerized applications, I am a Cloud Infrastructure Engineer with extensive experience in Kubernetes native application design and optimization.
My passion for technology drives me to continuously explore cutting-edge tools and practices, enabling me to design and implement innovative solutions that optimize performance and user experience.
With a keen eye for detail and a commitment to excellence, I thrive on turning challenging problems into seamless, efficient solutions.
Evan Stoner is a Senior Solution Architect at CrowdStrike focused on integrating its leading security platform with Red Hat’s enterprise open source solutions. Together, Red Hat and CrowdStrike provide a stable and secure foundation for the hybrid cloud: on-premises, in the cloud, or at the edge. Evan has previously held roles as a solution architect for aerospace and defense at Red Hat, platform engineering lead at a defense contractor, and cybersecurity researcher in academia. He has worked at the intersection of security and open source his entire career.
Gabriel Alford is a Staff Solutions Architect at CrowdStrike where he collaborates with Cloud Service Providers and Cloud ISVs on integrating and certifying CrowdStrike products on partner platforms as well as creating joint partner technical solutions. He has over 15 years experience in security, compliance, and IT operations.