CrowdStrike Extends Powerful Falcon Platform Capabilities into Red Hat OpenShift

CrowdStrike collaborated with Red Hat to develop the CrowdStrike Falcon plug-in, an extension to the Red Hat OpenShift web console that delivers key data to developers and platform engineers.

Kubernetes has become the cornerstone of modern DevOps, empowering teams to quickly deploy, manage, and scale containerized applications. However, many struggle to navigate Kubernetes' complexity while operating across hybrid and multi-cloud environments. 

Red Hat OpenShift builds on Kubernetes by providing a consistent, enterprise-grade platform that abstracts the intricacies of the underlying infrastructure. It’s trusted by customers across industries and around the globe. 

The speed at which engineers can move using Red Hat OpenShift leaves little room for siloed security practices. With tight deadlines and constant pressure to deliver, security is often viewed as a separate concern — addressed only after primary development tasks are complete. However, because security is fundamental to the performance, reliability, and stability of applications in production, security best practices should be viewed as a key development task, just like coding and testing. 

To extend the powerful capabilities of the CrowdStrike Falcon® cybersecurity platform into Red Hat OpenShift, CrowdStrike collaborated with Red Hat to develop the CrowdStrike Falcon plug-in: an extension to the Red Hat OpenShift web console that delivers security detections, identifies risky misconfigurations, and surfaces vulnerabilities directly to the developers and platform engineers managing virtual machines and containers. 

CrowdStrike leverages Red Hat OpenShift's extensible platform to provide additional insights and increased visibility for DevOps engineers who use Red Hat OpenShift to manage security.

Delivering CrowdStrike Data within Red Hat OpenShift

Consistent Security Insights across Containerized and Virtualized Workloads

Red Hat OpenShift offers powerful capabilities for teams to manage both containers and virtual machines in a unified environment with Red Hat OpenShift Virtualization, a feature of Red Hat OpenShift. With this, teams can standardize infrastructure deployment and maintain workloads using a common set of established enterprise tools, bringing alignment across DevOps and ITOps teams and consistency across hybrid cloud environments. 

However, when it comes to security, organizations often deal with too many disparate security tools across their containerized and non-containerized workloads. This fragmented approach doesn’t always provide a cohesive view into overall risk posture, making it difficult to pinpoint which security issues to focus on first. Here, CrowdStrike can help.

The Falcon platform delivers real-time visibility into attack surfaces and active threats across endpoints, cloud workloads, identities, and data — all through a single, lightweight agent. This agent leverages detection logic powered by CrowdStrike Falcon® Adversary OverWatch™, which provides 24/7 proactive threat hunting powered by AI, human expertise, and CrowdStrike’s industry-leading adversary intelligence, protecting against the most novel and evasive threats. 

With comprehensive coverage and adversary-driven insights, teams can access a single, prioritized set of security issues to fix across their containers and virtual machines.

DevOps Engineers Gain Visibility into Relevant Security Insights 

This plug-in serves as a vehicle for the Falcon platform to bridge the communication gap that can exist between DevOps and security teams, surfacing the right security information directly to the teams that maintain critical production workloads. With this, engineers and security analysts spend less time answering tickets and chat messages and more time collaborating on enterprise security.

Figure 1. The extension to the VirtualMachine page provides an immediate overview of recent security findings, helping ITOps teams understand their system’s security posture and coordinate with security analysts. Remediations for fixable vulnerabilities, prioritized by severity score, are also shown but not included in this screenshot.

Figure 2. The extension to the Pod details page outlines recent runtime detections that occurred inside the pod’s containers, as well as image misconfiguration details to guide DevOps teams toward a fix. Image vulnerabilities, their severities, and exploitability status are also shown but not included in this screenshot.

This access to CrowdStrike security data lets cloud teams view and act on security risk insights within their familiar workflows, and it builds alignment with security teams on what to fix first and when.

Automated Prioritization to Facilitate Speed 

CrowdStrike enables teams to understand their highest-priority security risks with our proprietary ExPRT.AI rating system, which is a predictive AI-powered rating model that automates prioritization of vulnerabilities based on their risk of exploitation and business impact. 

By delivering a clear, actionable view of the highest-priority risks, the Falcon platform enables DevOps teams to focus on the issues that truly matter — justifying security fixes as essential tasks that align with sprint goals. This intelligent automation empowers teams to make informed, efficient decisions, allowing them to maintain security without compromising on pace of innovation.

Figure 3. Vulnerability data includes CrowdStrike’s ExPRT.AI rating system, which scores vulnerabilities based on exploitability and other factors, to help ITOps teams effectively prioritize patching.

Get Started

To use the console plug-in, first deploy the Red Hat OpenShift certified Falcon operator and its FalconNodeSensor and FalconImageAnalyzer components at a minimum. If you are using OpenShift Virtualization, also deploy the Falcon sensor to the virtual machines using your preferred deployment practice. (CrowdStrike provides a certified Ansible collection that works with Windows, macOS, and Linux.)

The console plug-in is installed using a Helm chart and configured with a secret. Follow this step-by-step guide:

  1. In the Falcon console, create a CrowdStrike API client with the following permissions:

    1. Alerts: Read (required to list runtime detections)

    2. Hosts: Read (required to identify if a virtual machine has the Falcon sensor installed)

    3. Vulnerabilities: Read (required to list vulnerabilities)

    4. Falcon Container Image: Read (required to list container misconfigurations)

  2. Choose the OpenShift namespace where you’d like to see CrowdStrike security data for pods or virtual machines. You can choose multiple namespaces, but each will require the same one-time setup detailed below.

  3. Create a secret in the desired namespace named crowdstrike-api with the following fields (NOTE: Any user with the ability to read secrets in this namespace will have access to the API client details):

    1. cloud (e.g., us-1)

    2. client_id

    3. client_secret

  4. Download the plug-in’s source code (you may use Git, or just download a zip file): https://github.com/CrowdStrike/falcon-openshift-console-plugin

  5. Deploy the plug-in’s Helm chart:

       helm upgrade -i falcon-openshift-console-plugin charts/openshift-console-plugin -n falcon-openshift-console-plugin --create-namespace --set plugin.image=quay.io/crowdstrike/falcon-openshift-console-plugin:latest

  6. When prompted, refresh the OpenShift console.

  7. Navigate to any pod or virtual machine to see the new CrowdStrike tab!
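The note in step 3 means the set of subjects who can read secrets in the chosen namespace is also the set who can obtain the API client credentials. The following is an added example, not code from CrowdStrike or the plug-in repository: it resolves RBAC roles and bindings to the subjects who can read the crowdstrike-api secret. It assumes the objects are shaped like the `items` of `oc get roles,rolebindings,clusterroles,clusterrolebindings -o json`; the namespaces, role names and subjects are constructed sample data.

```python
# Added example: who can read the crowdstrike-api secret in a namespace?
# All RBAC objects here are constructed sample data, not real cluster output.
SECRET = "crowdstrike-api"
READ_VERBS = {"get", "list", "watch", "*"}  # any of these exposes secret data

def rule_exposes_secret(rule, secret=SECRET):
    """True if a single RBAC rule allows reading the named secret."""
    names = rule.get("resourceNames") or []
    return (bool({"", "*"} & set(rule.get("apiGroups", [])))
            and bool({"secrets", "*"} & set(rule.get("resources", [])))
            and bool(READ_VERBS & set(rule.get("verbs", [])))
            and (not names or secret in names))

def secret_readers(namespace, roles, bindings, secret=SECRET):
    """Return sorted 'Kind/name' subjects whose bindings expose the secret."""
    exposing = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"])
                for r in roles
                if any(rule_exposes_secret(x, secret) for x in r.get("rules") or [])}
    readers = set()
    for b in bindings:
        if b["kind"] == "RoleBinding" and b["metadata"].get("namespace") != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        ref = b["roleRef"]
        role_ns = namespace if ref["kind"] == "Role" else None  # ClusterRoles have none
        if (ref["kind"], role_ns, ref["name"]) in exposing:
            readers.update(f'{s["kind"]}/{s["name"]}' for s in b.get("subjects") or [])
    return sorted(readers)

def _role(kind, name, ns, verbs, resources, names=None):  # sample-data helper
    rule = {"apiGroups": [""], "resources": resources, "verbs": verbs,
            **({"resourceNames": names} if names else {})}
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, "rules": [rule]}

def _bind(kind, ns, ref_kind, ref_name, subj_kind, subj_name):  # sample-data helper
    return {"kind": kind, "metadata": {"name": f"{ref_name}-binding", "namespace": ns},
            "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": subj_kind, "name": subj_name}]}

ROLES = [  # constructed
    _role("Role", "app-admin", "payments", ["get", "list"], ["secrets"]),
    _role("Role", "db-reader", "payments", ["get"], ["secrets"], ["db-password"]),
    _role("ClusterRole", "view-all", None, ["get", "list", "watch"], ["*"]),
]
BINDINGS = [  # constructed
    _bind("RoleBinding", "payments", "Role", "app-admin", "User", "alice"),
    _bind("RoleBinding", "payments", "Role", "db-reader", "ServiceAccount", "db-job"),
    _bind("ClusterRoleBinding", None, "ClusterRole", "view-all", "Group", "auditors"),
    _bind("RoleBinding", "other", "ClusterRole", "view-all", "User", "bob"),
]
READERS = secret_readers("payments", ROLES, BINDINGS)  # subjects to review
```

The cluster's own answer is available from `oc adm policy who-can get secrets -n <namespace>`. Neither check covers indirect paths, such as subjects who can create pods that mount the secret.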

For more information, refer to the plug-in’s README on GitHub. We need your feedback on this plug-in — what should we add or change? You can file an issue on GitHub, or contact the team directly at redhat@crowdstrike.com.
