diff --git a/helm-charts/falcon-self-hosted-registry-assessment/Chart.yaml b/helm-charts/falcon-self-hosted-registry-assessment/Chart.yaml
index b4aa6923..6c32aabd 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/Chart.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.0
+version: 1.2.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.1.0"
+appVersion: "1.2.0"
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/README.md b/helm-charts/falcon-self-hosted-registry-assessment/README.md
index 823324de..764223d4 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/README.md
+++ b/helm-charts/falcon-self-hosted-registry-assessment/README.md
@@ -470,8 +470,10 @@ Be sure to specify the correct `type` field for your registry so SHRA knows how
 Copy this registry configuration to your `values_override.yaml` file and provide the required information.
 Notes:
-* To access ECR, the host needs to have direct access to the ECR registry.
-* Leave the default empty strings for `credentials.aws_iam_role` and `credentials.aws_external_id`. These are placeholders for possible future support of role assumption.
+* To access ECR, the host needs either direct access or the ability to assume an IAM role with appropriate permissions for the ECR registry.
+* If role assumption is needed to retrieve ECR tokens, supply both `credentials.aws_iam_role` and `credentials.aws_external_id`. Ensure the roles have a trust-relationship configured to allow the service account access to the resources in the SHRA namespace (the default namespace used in these setup instructions is `falcon-self-hosted-registry-assessment`). For additional information on IAM Roles, refer to the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html).
 ```yaml
 - type: ecr
@@ -1092,7 +1094,6 @@ To increase or decrease the number of Executor Pods, edit the `executor.replicaC
 |:-----------------------------|------------:|:----------------------------------------------------------------------------------------------------------------------------|:------------|
 | `executor.replicaCount` | | The number of Executor Pods. This value can be increased for greater concurrency if CPU is the bottleneck. | 1 |
-
 ### Allow traffic to CrowdStrike servers
@@ -1321,7 +1322,6 @@ Now that your SHRA logs are ingested by LogScale, you can configure scheduled se
 1. Follow our NG-SEIM instuctions to [Schedule your search](https://falcon.crowdstrike.com/documentation/page/a4275adf/scheduled-searches-for-edr). You'll be notified when any issues arise that you need to correct regarding registry connections.
-
 ## Install the SHRA Helm Chart
 Before you install, follow the configuration steps above to prepare your accounts and create a `values_override.yaml` file with your customizations.
@@ -1459,7 +1459,9 @@ The Chart's `values.yaml` file includes more comments and descriptions in-line f
 | `registryConfigs.*.credentials.username` | required without `kubernetesSecretName` | The username used to authenticate to the registry. | "" |
 | `registryConfigs.*.credentials.password` | required without `kubernetesSecretName` | The password used to authenticate to the registry. | "" |
 | `registryConfigs.*.credentials.kubernetesSecretName` | required with `kubernetesSecretNamespace` | The Kubernetes secret name that contains registry credentials. [secret type](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) must be a [kubernetes.io/dockercfg](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_docker-registry/) or a kubernetes.io/dockerconfigjson type secret. | "" |
-| `registryConfigs.*.credentials.kubernetesSecretNamespace` | required with `kubernetesSecretName` | The namespace containing the Kubernetes secret with credentials. | "" |
+| `registryConfigs.*.credentials.kubernetesSecretNamespace` | required with `kubernetesSecretName` | The namespace containing the Kubernetes secret with credentials. | "" |
+| `registryConfigs.[*].credentials.aws_iam_role` | | Specify the assumed role, if any, when connectin to ECR. | |
+| `registryConfigs.[*].credentials.aws_external_id` | | Specify the External ID for the connecting to the assumed role specified in `registryConfigs.[*].credentials.aws_iam_role` for the associated registry config. | |
 | `registryConfigs.*.port` | | The port for connecting to the registry. Unless you specify a value here, SHRA uses port 80 for http and 443 for https. | "" |
 | `registryConfigs.*.allowedRepositories` | | A comma separated list of repositories to assess. No regex or wildcard support. If this value is not set, all repositories within the registry are assessed. | "" |
 | `registryConfigs.*.host` | | The host for connecting to the registry. | "" |
diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
index 485c5265..5d201309 100644
--- a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
+++ b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml
@@ -12,7 +12,7 @@ executor:
 # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`).
 # This variable is provided for those who have yet to move off of using tags. The sha256 digest
 # should be used in place of tags for increased security and image immutability.
- tag: "0.9.0"
+ tag: "1.2.0"
 # Setting a digest will override any tag and should be used instead of tags.
 #
 # Example digest variable configuration:
@@ -100,7 +100,7 @@ jobController:
 repository: "jobcontroller"
 # Overrides the image tag. In general, tags should not be used (including semver tags or `latest`). This variable is provided for those
 # who have yet to move off of using tags. The sha256 digest should be used in place of tags for increased security and image immutability.
- tag: "0.17.0"
+ tag: "1.2.0"
 # Setting a digest will override any tag and should be used instead of tags.
 #
 # Example digest variable configuration: