diff --git a/helm-charts/falcon-sensor/Chart.yaml b/helm-charts/falcon-sensor/Chart.yaml
index 1c744671..08117dc2 100644
--- a/helm-charts/falcon-sensor/Chart.yaml
+++ b/helm-charts/falcon-sensor/Chart.yaml
@@ -15,12 +15,12 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.34.1
+version: 1.35.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 1.34.1
+appVersion: 1.35.0
keywords:
- CrowdStrike
diff --git a/helm-charts/falcon-sensor/README.md b/helm-charts/falcon-sensor/README.md
index acfe595e..b59065e0 100644
--- a/helm-charts/falcon-sensor/README.md
+++ b/helm-charts/falcon-sensor/README.md
@@ -126,13 +126,70 @@ The following tables lists the more common configurable parameters of the chart
| `node.image.registryConfigJSON` | base64 encoded docker config json for the pull secret | None (Conflicts with node.image.pullSecrets) |
| `node.daemonset.resources` | Configure Node sensor resource requests and limits (eBPF mode only)
:warning: **Warning**:
If you configure resources, you must configure the CPU and Memory Resource requests and limits correctly for your node instances for the node sensor to run properly!
| None (Minimum setting of 250m CPU and 500Mi memory allowed). Default for GKE Autopilot is 750m CPU and 1.5Gi memory. |
| `node.cleanupOnly` | Run the cleanup Daemonset only. | `false` Requires `node.hooks.postDelete.enabled: true` |
+| `node.extraVolumes` | Additional volumes appended to the node daemonset pod spec (e.g., CSI SecretProviderClass, projected secrets). | `[]` |
+| `node.extraVolumeMounts` | Additional volume mounts for the node sensor container; names must match `node.extraVolumes`. | `[]` |
+| `node.extraInitVolumeMounts` | Additional volume mounts for the init container. | `[]` |
| `falcon.cid` | CrowdStrike Customer ID (CID) | None (Required if falconSecret.enabled is false) |
| `falcon.cloud` | CrowdStrike cloud region (`us-1`, `us-2`, `eu-1`, `us-gov-1`, `us-gov-2`)
**NOTE:** This option is supported by Falcon sensor version 7.28 and above | None |
| `falconSecret.enabled` | Enable k8s secrets to inject sensitive Falcon values | false (Must be true if falcon.cid is not set) |
| `falconSecret.secretName` | Existing k8s secret name to inject sensitive Falcon values.
The secret must be under the same namespace as the sensor deployment. | None (Existing secret must include `FALCONCTL_OPT_CID`) |
+| `extraObjects` | List of additional manifests to render with the release (e.g., SecretProviderClass, ExternalSecret). | `[]` |
`falcon.cid` and `node.image.repository` are required values.
+#### Using external secret providers
+When you do not want to place `falcon.cid` (or other Falcon API values) directly in `values.yaml`, enable `falconSecret` and supply the secret name that will contain `FALCONCTL_OPT_CID` (and any other keys). You can render operator CRDs such as a Secrets Store CSI `SecretProviderClass` with `extraObjects` and mount it with the new volume hooks:
+
+```
+falconSecret:
+ enabled: true
+ secretName: falcon-credentials
+
+extraObjects:
+ - apiVersion: secrets-store.csi.x-k8s.io/v1
+ kind: SecretProviderClass
+ metadata:
+ name: falcon-credentials
+ spec:
+ provider: aws
+ parameters:
+ objects: |
+ - objectName: "falcon/credentials"
+ objectType: secretsmanager
+ jmesPath:
+ - path: "FALCONCTL_OPT_CID"
+ objectAlias: "FALCONCTL_OPT_CID"
+ - path: "FALCON_CLIENT_ID"
+ objectAlias: "FALCON_CLIENT_ID"
+ - path: "FALCON_CLIENT_SECRET"
+ objectAlias: "FALCON_CLIENT_SECRET"
+ secretObjects:
+ - secretName: falcon-credentials
+ type: Opaque
+ data:
+ - key: FALCONCTL_OPT_CID
+ objectName: FALCONCTL_OPT_CID
+ - key: FALCON_CLIENT_ID
+ objectName: FALCON_CLIENT_ID
+ - key: FALCON_CLIENT_SECRET
+ objectName: FALCON_CLIENT_SECRET
+
+node:
+ extraVolumes:
+ - name: falcon-credentials
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: falcon-credentials
+ extraVolumeMounts:
+ - name: falcon-credentials
+ mountPath: /var/run/secrets/falcon
+ readOnly: true
+```
+
+The SecretProviderClass above syncs a Kubernetes Secret named `falcon-credentials` so the daemonset can read `FALCONCTL_OPT_*` keys via `falconSecret`; the CSI volume mount triggers the sync and optionally exposes materialized files if you need them.
+
For a complete listing of configurable parameters, run the following command:
```
diff --git a/helm-charts/falcon-sensor/templates/daemonset.yaml b/helm-charts/falcon-sensor/templates/daemonset.yaml
index c8b1a60e..677405b7 100644
--- a/helm-charts/falcon-sensor/templates/daemonset.yaml
+++ b/helm-charts/falcon-sensor/templates/daemonset.yaml
@@ -137,6 +137,12 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
+ {{- if .Values.node.extraInitVolumeMounts }}
+ volumeMounts:
+ {{- with .Values.node.extraInitVolumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
containers:
- name: falcon-node-sensor
image: "{{ include "falcon-sensor.image" . }}"
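Review bot: The `{{- if .Values.node.extraInitVolumeMounts }}` guard around the `with` block is redundant, since `with` already skips an empty or nil list; the block collapses to `{{- with .Values.node.extraInitVolumeMounts }}` / `volumeMounts:` / `{{- toYaml . | nindent 10 }}` / `{{- end }}`. The container spec this sits in starts outside the hunk; if it already declares a `volumeMounts:` key above the env entries, this emits a duplicate key that most YAML loaders resolve last-wins, silently dropping one of the two lists. A one-line template comment such as `{{- /* user-supplied mounts for the init container; names must exist in node.extraVolumes */}}` would also make the target container explicit, since the values key name is currently the only hint.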
@@ -189,10 +195,16 @@ spec:
volumeMounts:
- name: falconstore
mountPath: /opt/CrowdStrike/falconstore
+ {{- with .Values.node.extraVolumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
volumes:
- name: falconstore
hostPath:
path: /opt/CrowdStrike/falconstore
+ {{- with .Values.node.extraVolumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
serviceAccountName: {{ .Values.serviceAccount.name }}
terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriod }}
{{- if or .Values.node.daemonset.priorityClassName .Values.node.gke.autopilot }}
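Review bot: Nothing checks that each name in `node.extraVolumeMounts` (and `node.extraInitVolumeMounts`, in the previous hunk) refers to an entry in `node.extraVolumes` or to a volume this template already declares; `helm install` succeeds and the mismatch only surfaces as a DaemonSet whose pods are rejected at admission. A render-time check near the top of this template turns that into an immediate `helm template` / `helm lint` failure that names the offending mount, and keeps the template in agreement with the naming contract the README states. Only `falconstore` is visible as a built-in volume in this hunk; seed the map with every volume the template declares. Sketch of the check, placed before the DaemonSet manifest (outside this hunk):
```yaml
{{- /* Fail at render time if a mount references a volume the pod spec will not declare. */}}
{{- $declared := dict "falconstore" true }}
{{- range (.Values.node.extraVolumes | default list) }}{{- $_ := set $declared .name true }}{{- end }}
{{- range (concat (.Values.node.extraVolumeMounts | default list) (.Values.node.extraInitVolumeMounts | default list)) }}
{{- if not (hasKey $declared .name) }}
{{- fail (printf "node.extraVolumeMounts/extraInitVolumeMounts: volume %q is not declared in node.extraVolumes" .name) }}
{{- end }}
{{- end }}
{{- /* … unchanged: DaemonSet manifest … */}}
```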
diff --git a/helm-charts/falcon-sensor/templates/extra-objects.yaml b/helm-charts/falcon-sensor/templates/extra-objects.yaml
new file mode 100644
index 00000000..0f348205
--- /dev/null
+++ b/helm-charts/falcon-sensor/templates/extra-objects.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.extraObjects }}
+{{- range $index, $object := .Values.extraObjects }}
+---
+{{- tpl (toYaml $object) $ }}
+{{- end }}
+{{- end }}
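Review bot: The left-trim on `{{- tpl (toYaml $object) $ }}` swallows the newline that follows `---`, so each object is emitted as `---apiVersion: ...` on a single line and the document separator is lost; dropping the dash, `{{ tpl (toYaml $object) $ }}`, keeps `---` on its own line. `$index` is never used, so `{{- range $object := .Values.extraObjects }}` reads cleaner, and the outer `if` is redundant because `range` over an empty list emits nothing. Because every entry is passed through `tpl`, template actions embedded in a value are evaluated with the full release context; a header comment such as `{{- /* Each entry in .Values.extraObjects is rendered through tpl, so template actions inside it can read .Values and .Release. */}}` would make that visible to whoever populates the list.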
diff --git a/helm-charts/falcon-sensor/values.schema.json b/helm-charts/falcon-sensor/values.schema.json
index a6ec9af6..a84a7167 100644
--- a/helm-charts/falcon-sensor/values.schema.json
+++ b/helm-charts/falcon-sensor/values.schema.json
@@ -273,6 +273,15 @@
"default": "60",
"pattern": "^[0-9]+$"
},
+ "extraVolumes": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraInitVolumeMounts": {
+ "type": "array"
+ },
"hooks": {
"type": "object",
"properties": {
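Review bot: `extraVolumes`, `extraVolumeMounts` and `extraInitVolumeMounts` are typed only as `array`, so a list of strings or a mount without `name`/`mountPath` passes `helm lint` and fails later at the API server; the same applies to `extraObjects` in the next hunk. An `items` schema requiring the keys every entry must carry gives the same early feedback this file already provides for other values, and pairs with the name-matching contract the README documents. For `extraObjects`, each item can at least be required to be an object with `apiVersion`, `kind` and `metadata`.
```json
"extraVolumes": {
  "type": "array",
  "items": {
    "type": "object",
    "required": ["name"],
    "properties": { "name": { "type": "string" } }
  }
},
"extraVolumeMounts": {
  "type": "array",
  "items": {
    "type": "object",
    "required": ["name", "mountPath"]
  }
},
"extraInitVolumeMounts": {
  "type": "array",
  "items": {
    "type": "object",
    "required": ["name", "mountPath"]
  }
},
```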
@@ -482,6 +491,9 @@
}
}
},
+ "extraObjects": {
+ "type": "array"
+ },
"serviceAccount": {
"type": "object",
"properties": {
diff --git a/helm-charts/falcon-sensor/values.yaml b/helm-charts/falcon-sensor/values.yaml
index 6b15d418..e55085b1 100644
--- a/helm-charts/falcon-sensor/values.yaml
+++ b/helm-charts/falcon-sensor/values.yaml
@@ -103,6 +103,11 @@ node:
# How long to wait for Falcon pods to stop gracefully
terminationGracePeriod: 60
+ # Extra volumes and mounts for the daemonset (e.g., CSI SecretProviderClass mounts)
+ extraVolumes: []
+ extraVolumeMounts: []
+ extraInitVolumeMounts: []
+
hooks:
# Settings for the node post-delete helm hook
postDelete:
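Review bot: The comment `# Extra volumes and mounts for the daemonset (e.g., CSI SecretProviderClass mounts)` does not say which container each list targets or that mount names must resolve to a declared volume, and nothing in the chart checks the latter before the pod reaches the API server. Suggested replacement: `# Extra volumes appended to the daemonset pod spec, plus the mounts that reference them.` / `# extraVolumeMounts go on the falcon-node-sensor container, extraInitVolumeMounts on the init container;` / `# every mount name must match an entry in extraVolumes (only validated by Kubernetes at pod admission).` The init-container target is inferred from the key name and the daemonset template in this commit; confirm against the rendered manifest.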
@@ -260,6 +265,9 @@ container:
cpu: 10m
memory: 20Mi
+# Render arbitrary Kubernetes manifests (e.g., SecretProviderClass, ExternalSecret)
+extraObjects: []
+
serviceAccount:
name: crowdstrike-falcon-sa
annotations: {}
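Review bot: The comment `# Render arbitrary Kubernetes manifests (e.g., SecretProviderClass, ExternalSecret)` omits that each entry is passed through `tpl` (see templates/extra-objects.yaml in this commit), so `{{ }}` actions inside an object are evaluated against the chart's values and release context rather than copied verbatim. Suggested wording: `# Additional Kubernetes manifests rendered and installed with this release (e.g., SecretProviderClass, ExternalSecret).` / `# Each entry is passed through tpl, so template actions inside it are evaluated against .Values and .Release.`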