feat(container-pull-script): add support for falcon snapshot scanner (#250)

carlosmmatos · web-flow · commit 59ce8ad5c714 · 2024-01-25T14:35:55.000-05:00
Closes #199 This PR introduces support for downloading/pushing the Falcon Snapshot scanner image.
diff --git a/bash/containers/falcon-container-sensor-pull/README.md b/bash/containers/falcon-container-sensor-pull/README.md
@@ -32,6 +32,10 @@ To check your version of cURL, run the following command: `curl --version`
   - `Sensor Download (read)`
   - `Kubernetes Protection (read)`
     - For `kpagent` only
+  - `Snapshot Scanner Image Download (read)`
+    - For `falcon-snapshot` only
+  - `Snapshot (read/write)`
+    - For `falcon-snapshot` only
 - If you are using Docker, make sure that Docker is running locally.
 
 ## Usage
@@ -49,7 +53,7 @@ Optional Flags:
     -c, --copy <REGISTRY/NAMESPACE>   registry to copy image e.g. myregistry.com/mynamespace
     -v, --version <SENSOR_VERSION>    specify sensor version to retrieve from the registry
     -p, --platform <SENSOR_PLATFORM>  specify sensor platform to retrieve e.g x86_64, aarch64
-    -t, --type <SENSOR_TYPE>          specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|kpagent]
+    -t, --type <SENSOR_TYPE>          specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|kpagent]
                                       Default is falcon-container.
 
     --runtime                         use a different container runtime [docker, podman, skopeo]. Default is docker.
@@ -75,7 +79,7 @@ Help Options:
 | `-c`, `--copy <REGISTRY/NAMESPACE>`            | `$COPY`                 | `None` (Optional)          | Registry you want to copy the sensor image to. Example: `myregistry.com/mynamespace`     |
 | `-v`, `--version <SENSOR_VERSION>`             | `$SENSOR_VERSION`       | `None` (Optional)          | Specify sensor version to retrieve from the registry                                     |
 | `-p`, `--platform <SENSOR_PLATFORM>`           | `$SENSOR_PLATFORM`      | `None` (Optional)          | Specify sensor platform to retrieve from the registry                                    |
-| `-t`, `--type <SENSOR_TYPE>`                   | `$SENSOR_TYPE`         | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `kpagent`] ([see more details below](#sensor-types)) |
+| `-t`, `--type <SENSOR_TYPE>`                   | `$SENSOR_TYPE`         | `falcon-container` (Optional) | Specify which sensor to download [`falcon-container`, `falcon-sensor`, `falcon-kac`, `falcon-snapshot`, `kpagent`] ([see more details below](#sensor-types)) |
 | `--runtime`                                    | `$CONTAINER_TOOL`       | `docker` (Optional)        | Use a different container runtime [docker, podman, skopeo]. **Default is Docker**.       |
 | `--dump-credentials`                           | `$CREDS`                | `False` (Optional)         | Print registry credentials to stdout to copy/paste into container tools                  |
 | `--get-pull-token`                             | N/A                     | `None`                     | Get the pull token of the selected SENSOR_TYPE for Kubernetes.                           |
@@ -92,6 +96,7 @@ The following sensor types are available to download:
 | `falcon-sensor` | The Falcon sensor for Linux as a DaemonSet deployment |
 | `falcon-container` **(default)** | The Falcon Container sensor for Linux |
 | `falcon-kac` | The Falcon Kubernetes Admission Controller |
+| `falcon-snapshot` | The Falcon Snapshot scanner |
 | `kpagent` | The Falcon Kubernetes Protection Agent |
 
 ### Examples
@@ -120,6 +125,18 @@ The following example will download the latest version of the Falcon DaemonSet s
 --copy myregistry.com/mynamespace
 ```
 
+#### Example generating a pull token for K8s
+
+The following example will generate a pull token for the Falcon Container sensor for use in Kubernetes.
+
+```shell
+./falcon-container-sensor-pull.sh \
+--client-id <FALCON_CLIENT_ID> \
+--client-secret <FALCON_CLIENT_SECRET> \
+--type falcon-container \
+--get-pull-token
+```
+
 #### Example dumping credentials
 
 The following example will dump the credentials to stdout to copy/paste into container tools.
diff --git a/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh b/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh
@@ -19,7 +19,7 @@ Optional Flags:
     -c, --copy <REGISTRY/NAMESPACE>   registry to copy image e.g. myregistry.com/mynamespace
     -v, --version <SENSOR_VERSION>    specify sensor version to retrieve from the registry
     -p, --platform <SENSOR_PLATFORM>  specify sensor platform to retrieve e.g x86_64, aarch64
-    -t, --type <SENSOR_TYPE>          specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|kpagent]
+    -t, --type <SENSOR_TYPE>          specify which sensor to download [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|kpagent]
                                       Default is falcon-container.
 
     --runtime                         use a different container runtime [docker, podman, skopeo]. Default is docker.
@@ -222,7 +222,7 @@ format_tags_to_json() {
     )
     # The output should mimic the same format as the Docker (curl) output
     echo "{
-  \"name\": \"${SENSOR_TYPE}\",
+  \"name\": \"${IMAGE_NAME}\",
   ${tags_json}
 }"
 }
@@ -256,7 +256,7 @@ format_tags() {
     # Formats tags and handles sorting for KPA
     local all_tags=$1
 
-    if [ "${SENSOR_TYPE}" = "kpagent" ]; then
+    if [ "${SENSOR_TYPE}" = "kpagent" ] || [ "${SENSOR_TYPE}" = "falcon-snapshot" ]; then
         echo "$all_tags" |
             sed -n 's/.*"tags" : \[\(.*\)\].*/\1/p' |
             tr -d '"' | tr ',' '\n' |
@@ -274,7 +274,7 @@ print_formatted_tags() {
     local formatted_tags=$1
 
     # Print a JSON object with tags properly formatted
-    printf "{\n  \"name\": \"%s\",\n  \"tags\": [\n" "${SENSOR_TYPE}"
+    printf "{\n  \"name\": \"%s\",\n  \"tags\": [\n" "${IMAGE_NAME}"
     first=true
     echo "$formatted_tags" | while IFS= read -r tag; do
         if [ "$first" = true ]; then
@@ -291,7 +291,7 @@ list_tags() {
     all_tags=$(fetch_tags "${CONTAINER_TOOL}")
     formatted_tags=$(format_tags "$all_tags")
 
-    print_formatted_tags "$formatted_tags" "${SENSOR_TYPE}"
+    print_formatted_tags "$formatted_tags"
 }
 
 # shellcheck disable=SC2086
@@ -329,10 +329,10 @@ fi
 
 # Check if SENSOR_TYPE is set to a valid value
 case "${SENSOR_TYPE}" in
-    falcon-container | falcon-sensor | falcon-kac | kpagent) ;;
+    falcon-container | falcon-sensor | falcon-kac | falcon-snapshot | kpagent) ;;
     *) die """
     Unrecognized sensor type: ${SENSOR_TYPE}
-    Valid values are [falcon-container|falcon-sensor|falcon-kac|kpagent]""" ;;
+    Valid values are [falcon-container|falcon-sensor|falcon-kac|falcon-snapshot|kpagent]""" ;;
 esac
 
 #Check all mandatory variables set
@@ -410,27 +410,35 @@ if [ ! "$LISTTAGS" ] && [ ! "$PULLTOKEN" ]; then
 fi
 
 ART_USERNAME="fc-$cs_falcon_cid"
-sensor_name="falcon-sensor"
+IMAGE_NAME="falcon-sensor"
 repository_name="release/falcon-sensor"
+registry_type="container-security"
 
 if [ "${SENSOR_TYPE}" = "falcon-kac" ]; then
     # overrides for KAC
-    sensor_name="falcon-kac"
+    IMAGE_NAME="falcon-kac"
     repository_name="release/falcon-kac"
+elif [ "${SENSOR_TYPE}" = "falcon-snapshot" ]; then
+    # overrides for Snapshot
+    ART_USERNAME="fs-$cs_falcon_cid"
+    IMAGE_NAME="cs-snapshotscanner"
+    repository_name="release/cs-snapshotscanner"
+    registry_type="snapshots"
 elif [ "${SENSOR_TYPE}" = "kpagent" ]; then
     # overrides for KPA
     ART_USERNAME="kp-$cs_falcon_cid"
-    sensor_name="kpagent"
+    IMAGE_NAME="kpagent"
     repository_name="kpagent"
+    registry_type="kubernetes-protection"
     registry_opts="kubernetes_protection"
 fi
 
 #Set Docker token using the BEARER token captured earlier
 if [ "${SENSOR_TYPE}" = "kpagent" ]; then
-    raw_docker_api_token=$(curl_command "$cs_falcon_oauth_token" "https://$(cs_cloud)/kubernetes-protection/entities/integration/agent/v1?cluster_name=clustername&is_self_managed_cluster=true")
+    raw_docker_api_token=$(curl_command "$cs_falcon_oauth_token" "https://$(cs_cloud)/$registry_type/entities/integration/agent/v1?cluster_name=clustername&is_self_managed_cluster=true")
     docker_api_token=$(echo "$raw_docker_api_token" | awk '/dockerAPIToken:/ {print $2}')
 else
-    raw_docker_api_token=$(curl_command "$cs_falcon_oauth_token" "https://$(cs_cloud)/container-security/entities/image-registry-credentials/v1")
+    raw_docker_api_token=$(curl_command "$cs_falcon_oauth_token" "https://$(cs_cloud)/$registry_type/entities/image-registry-credentials/v1")
     docker_api_token=$(echo "$raw_docker_api_token" | json_value "token")
 fi
 ART_PASSWORD=$(echo "$docker_api_token" | sed 's/ *$//g' | sed 's/^ *//g')
@@ -456,7 +464,7 @@ $raw_docker_api_token
 
 Ensure the following:
   - Credentials are valid.
-  - Correct API Scopes are assigned (Falcon Images Download [read], Sensor Download [read], Kubernetes Protection [read])
+  - Correct API Scopes are assigned (Falcon Images Download [read], Sensor Download [read], Snapshot Scanner Image Download [read], Snapshot [read/write], Kubernetes Protection [read])
   - Cloud Security is enabled in your tenant."
 fi
 
@@ -497,7 +505,7 @@ else
 
     # For those that don't want to use skopeo to copy
     if [ -n "$COPY" ]; then
-        "$CONTAINER_TOOL" tag "$FULLIMAGEPATH" "$COPY/$sensor_name:$LATESTSENSOR"
-        "$CONTAINER_TOOL" push "$COPY/$sensor_name:$LATESTSENSOR"
+        "$CONTAINER_TOOL" tag "$FULLIMAGEPATH" "$COPY/$IMAGE_NAME:$LATESTSENSOR"
+        "$CONTAINER_TOOL" push "$COPY/$IMAGE_NAME:$LATESTSENSOR"
     fi
 fi
