This guide offers two methods to deploy the Falcon Integration Gateway (FIG) into an existing EKS cluster: you can deploy the FIG container either with a Helm chart or as a standard Kubernetes pod spec file.
- Falcon API Credentials
- Your cluster has an OpenID Connect (OIDC) issuer URL associated with it. This is necessary to properly create the IAM role for the service account used by the FIG. For more information, view the AWS documentation on this.
- Use the CloudFormation template to create your service account IAM role. The screenshot below is an example. Note that `OIDCIssuerURLWithoutProtocol` does not include a protocol (http|s://). The `FIGPolicyArn` is from the CloudTrail Lake Integration Getting Started guide.
- Once the CloudFormation stack is complete, make note of the `FalconFigAccessRoleArn` value in the Outputs tab. This value will be used as an input when deploying the FIG application on EKS.
For Dependency requirements, installation instructions, as well as the full list of available configuration options, go to the Helm Chart - Falcon Integration Gateway repository.
- Set the environment variables used by the chart:

```shell
export FALCON_CLIENT_ID=<your api falcon client id>
export FALCON_CLIENT_SECRET=<your api falcon client secret>
export FALCON_CLOUD_REGION=<your api falcon client region>
export CLOUDTRAIL_LAKE_CHANNEL_ARN=<your cloudtrail lake channel arn>
export CLOUDTRAIL_LAKE_REGION=<your aws region aligning with channel>
export FALCON_APPLICATION_ID=<your unique application stream identifier>
export IAM_ROLE_ARN=<value from FalconFigAccessRoleArn stack output>
```

- Add the CrowdStrike Falcon Helm repository:

```shell
helm repo add crowdstrike https://crowdstrike.github.io/falcon-helm
```

- Update the local Helm repository cache:

```shell
helm repo update
```

- Install the FIG with AWS CloudTrail Lake enabled:

```shell
helm install falcon-fig crowdstrike/falcon-integration-gateway -n falcon-integration-gateway --create-namespace \
  --set falcon.client_id=$FALCON_CLIENT_ID \
  --set falcon.client_secret=$FALCON_CLIENT_SECRET \
  --set falcon.cloud_region=$FALCON_CLOUD_REGION \
  --set falcon.integration_gateway.application_id=$FALCON_APPLICATION_ID \
  --set push.cloudtrail_lake.enabled=true \
  --set push.cloudtrail_lake.channel_arn=$CLOUDTRAIL_LAKE_CHANNEL_ARN \
  --set push.cloudtrail_lake.region=$CLOUDTRAIL_LAKE_REGION \
  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=$IAM_ROLE_ARN
```
To uninstall, run the following command:

```shell
helm uninstall falcon-fig -n falcon-integration-gateway
```

You may need or want to delete the `falcon-integration-gateway` namespace as well, since Helm will not do it for you:

```shell
kubectl delete ns falcon-integration-gateway
```
Download the pod specification file and edit it as described below:

```shell
wget https://raw.githubusercontent.com/crowdstrike/falcon-integration-gateway/main/docs/cloudtrail-lake/eks/falcon-integration-gateway.yaml
```
Replace the credentials in the pod spec with the actual Falcon API credentials. Kubernetes Secret values must be base64-encoded; the following commands illustrate how to encode the credentials (`-n` avoids encoding a trailing newline into the value):

```shell
echo -n "$FALCON_CLIENT_ID" | base64
echo -n "$FALCON_CLIENT_SECRET" | base64
```
Replace the `<IAM_ROLE_ARN>` variable with the `FalconFigAccessRoleArn` output value from the CloudFormation service account IAM role stack:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: falcon-integration-gateway
  namespace: falcon-integration-gateway
  annotations:
    eks.amazonaws.com/role-arn: <IAM_ROLE_ARN>
```
Uncomment the following variables in the `config.ini` ConfigMap (for more information about configuration options, refer to the FIG `config.ini`):

- `channel_arn =` should be set to your CloudTrail Lake channel ARN
- `region =` should be set to the AWS region where you set up the CloudTrail Lake channel
- `application_id =` should be set to something unique

❗ Running multiple FIG instances with the same `application_id` can cause issues.
See the example of config changes below:

Example `config.ini`:

```ini
# Falcon Integration Gateway
[main]
# Cloud backends that are enabled. The gateway will push events to the cloud providers specified below
backends=CLOUDTRAIL_LAKE
# Uncomment to configure number of threads that process Falcon Events
#worker_threads = 4

[events]
# Uncomment to filter out events based on number of days past the event (default 21)
older_than_days_threshold = 14

[logging]
# Uncomment to request logging level (ERROR, WARN, INFO, DEBUG)
#level = DEBUG

[falcon]
# Uncomment to provide Falcon Cloud. Alternatively, use FALCON_CLOUD_REGION env variable.
cloud_region = us-2
# Uncomment to provide application id. Needs to be different per each fig instance.
# Alternatively, use FALCON_APPLICATION_ID env variable.
application_id = fig-int-1

[cloudtrail_lake]
# AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
# Uncomment to provide the Channel ARN. Alternatively, use CLOUDTRAIL_LAKE_CHANNEL_ARN env variable.
channel_arn = arn:aws:cloudtrail:us-east-1:EXAMPLE:channel/EXAMPLE-9f94-471c-96ba-EXAMPLE
# Uncomment to provide the AWS region. Should match the same region as the Channel.
# Alternatively, use CLOUDTRAIL_LAKE_REGION env variable.
region = us-east-1
```
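The config requirements above (CLOUDTRAIL_LAKE backend enabled, a channel ARN whose region matches `region`, a unique `application_id`) and the `<IAM_ROLE_ARN>` placeholder in the ServiceAccount annotation are the settings most often left wrong in a hand-edited pod spec. The pre-flight checker below is an added example written for this guide; it is not part of the FIG project and does not reflect how FIG itself validates its configuration. It uses the `config.ini` shown above as constructed sample input, plus a second constructed config with a deliberate region mismatch and missing `application_id`; the ARN shapes it checks are assumptions based on the standard AWS ARN layout.

```python
"""Pre-flight checks for a FIG CloudTrail Lake deployment (added example, not FIG project code).

Assumptions (not from the original guide): the checks below are our own; FIG does not
ship this validator. ARN shapes follow the standard AWS layout
arn:<partition>:<service>:<region>:<account>:<resource>.
"""
from __future__ import annotations

import configparser
import re

# CloudTrail Lake channel ARN; the account field is left loose so redacted examples still parse.
CHANNEL_ARN_RE = re.compile(r"^arn:[^:]+:cloudtrail:(?P<region>[a-z0-9-]+):[^:]*:channel/[^/]+$")
# IAM role ARN as used in the eks.amazonaws.com/role-arn ServiceAccount annotation.
ROLE_ARN_RE = re.compile(r"^arn:[^:]+:iam::\d{12}:role/.+$")


def check_config(ini_text: str) -> list[str]:
    """Return a list of problems found in a FIG config.ini for the CLOUDTRAIL_LAKE backend."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    problems: list[str] = []

    backends = [b.strip() for b in cfg.get("main", "backends", fallback="").split(",") if b.strip()]
    if "CLOUDTRAIL_LAKE" not in backends:
        problems.append("[main] backends does not include CLOUDTRAIL_LAKE")

    if not cfg.get("falcon", "application_id", fallback="").strip():
        problems.append("[falcon] application_id is not set (must be unique per FIG instance)")

    channel_arn = cfg.get("cloudtrail_lake", "channel_arn", fallback="").strip()
    region = cfg.get("cloudtrail_lake", "region", fallback="").strip()
    match = CHANNEL_ARN_RE.match(channel_arn)
    if not match:
        problems.append("[cloudtrail_lake] channel_arn is missing or is not a CloudTrail channel ARN")
    if not region:
        problems.append("[cloudtrail_lake] region is not set")
    elif match and region != match.group("region"):
        problems.append(
            f"[cloudtrail_lake] region '{region}' does not match channel ARN region '{match.group('region')}'"
        )
    return problems


def duplicate_application_ids(configs: dict[str, str]) -> list[str]:
    """Given {instance_name: ini_text} for several FIG instances, return application_ids shared by more than one."""
    seen: dict[str, list[str]] = {}
    for name, text in configs.items():
        cfg = configparser.ConfigParser()
        cfg.read_string(text)
        app_id = cfg.get("falcon", "application_id", fallback="").strip()
        seen.setdefault(app_id, []).append(name)
    return sorted(app_id for app_id, names in seen.items() if app_id and len(names) > 1)


def check_role_annotation(value: str) -> list[str]:
    """Check the value placed in the eks.amazonaws.com/role-arn ServiceAccount annotation."""
    value = value.strip()
    if value == "<IAM_ROLE_ARN>":
        return ["eks.amazonaws.com/role-arn still contains the <IAM_ROLE_ARN> placeholder"]
    if not ROLE_ARN_RE.match(value):
        return ["eks.amazonaws.com/role-arn is not an IAM role ARN"]
    return []


# Constructed sample: the config.ini from the guide above (kept at column 0; indented lines
# would be read by configparser as value continuations).
GOOD_CONFIG = """
[main]
backends=CLOUDTRAIL_LAKE
[falcon]
cloud_region = us-2
application_id = fig-int-1
[cloudtrail_lake]
channel_arn = arn:aws:cloudtrail:us-east-1:EXAMPLE:channel/EXAMPLE-9f94-471c-96ba-EXAMPLE
region = us-east-1
"""

# Constructed sample with two defects: region does not match the channel ARN, application_id missing.
BAD_CONFIG = """
[main]
backends=CLOUDTRAIL_LAKE
[falcon]
cloud_region = us-2
[cloudtrail_lake]
channel_arn = arn:aws:cloudtrail:us-east-1:EXAMPLE:channel/EXAMPLE-9f94-471c-96ba-EXAMPLE
region = us-west-2
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(text) or "OK")
    print("shared application_ids:", duplicate_application_ids({"fig-a": GOOD_CONFIG, "fig-b": GOOD_CONFIG}))
    print("role annotation:", check_role_annotation("<IAM_ROLE_ARN>") or "OK")
```

Run it against the `config.ini` you are about to put in the ConfigMap before `kubectl apply`; the region check in particular catches the common case where the channel was created in one region and the FIG configured for another, which the pod will only reveal later in its logs.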
Ensure your `kubectl` command is configured to use your EKS environment:

```shell
kubectl cluster-info
```

Deploy the pod:

```shell
kubectl apply -f falcon-integration-gateway.yaml
```

A successful run should display:

```
namespace/falcon-integration-gateway created
secret/falcon-integration-gateway-creds created
configmap/falcon-integration-gateway-config created
serviceaccount/falcon-integration-gateway created
deployment.apps/falcon-integration-gateway created
```
To uninstall, run the following command:

```shell
kubectl delete -f falcon-integration-gateway.yaml
```

Run the following commands to verify that the deployment was successful.

To verify pod health and get the pod name:

```shell
kubectl get pods -n falcon-integration-gateway
```

View the pod logs:

```shell
kubectl logs -n falcon-integration-gateway <pod name>
```

A successful deployment should have logs that start with:

```
2022-09-15 19:52:35 fig MainThread INFO AWS CloudTrail Lake Backend is enabled.
2022-09-15 19:52:36 fig cs_stream INFO Opening Streaming Connection
...
...
```