helm-charts's Issues

Use Helm on Kubernetes => failing to pull image

Hello,

We started trying to use SentinelOne on Kubernetes. The chart is installed and the resources are deployed, but they run into an error.

Failed to load logs: container "agent" in pod "sentinelone-agent-2g4cz" is waiting to start: trying and failing to pull image
Reason: BadRequest (400)

We use Terraform to deploy:

resource "helm_release" "sentinelone" {
  name             = "sentinelone"
  repository       = "https://sentinel-one.github.io/helm-charts"
  chart            = "s1-agent"
  namespace        = kubernetes_namespace.sentinelone.metadata.0.name
  version          = "23.2.1"
  create_namespace = true

  values = [yamlencode({
    configuration = {
      cluster = {
        name = "<clustername>"
      }
    }
    secrets = {
      # imagePullSecret = "s1-secret" # not used
      site_key = {
        value = "<secret>"
      }
    }
    nodeSelector = {
      "key" = "systemservices"
    }
  })]
}

Can you please help solve this?

BR

K8S Security Configuration Issues

InfoSec scanned the helm charts associated with this project and determined that there are several security findings, some urgent, some less so.

Please see the attached.

couldn't parse image reference "<s1-helper-image>:<s1-helper-tag>": invalid reference format

This happens for both the helper and the agent pod. My Helm definition (in this case a HelmRelease using FluxCD) has the following value definition. If I configure a pod YAML with the same :, it works fine.

values:
  configuration:
    cluster:
      name: "dev-001"
    repositories:
      agent: "dev001.azurecr.io/cwpp_agent/s1agent"
      helper: "dev001.azurecr.io/cwpp_agent/s1helper"
    tag:
      agent: "ga-22.1.2"
      helper: "ga-22.1.2"

Typo in the S1_HEAP_TRIMMING_INTERVAL environment variable

The chart defines an S1_HEAP_TRIMMING_INTERVAL env variable, but the /opt/deployment.sh script in the cwpp_agent/s1agent image consumes S1_HEAP_TRIMMIG_INTERVAL (notice the missing 'N').

/opt/deployment.sh

if [[ "${S1_HEAP_TRIMMING_ENABLE}" == "true" ]]; then
    sudo /opt/sentinelone/bin/sentinelctl heap_trimming state set on
    sudo /opt/sentinelone/bin/sentinelctl heap_trimming interval set "${S1_HEAP_TRIMMIG_INTERVAL}"
fi

Resulting in this error at startup when setting S1_HEAP_TRIMMING_ENABLE to true:

/opt/sentinelone/bin/sentinelctl heap_trimming interval set ""
value: Invalid type, expected number

- name: S1_HEAP_TRIMMING_INTERVAL

Tested with 22.3.1, 22.3.3 and 22.4.1.
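A pre-deploy check covering the two failure modes in the previous two issues: an unresolved `<image>:<tag>` placeholder in a rendered manifest, and an env var name that the container's entrypoint script reads but the chart never defines. This is an added example, not code from the helm-charts project; the manifest fragment is constructed, and the image-reference grammar is a simplified approximation of the OCI reference format.

```python
"""Lint a rendered s1-agent manifest for unresolved image placeholders and for
env names that drift between the chart and the image's entrypoint script.
Added example; the manifest below is constructed, not real chart output."""
import re

# Loose OCI reference grammar: [registry[:port]/]path[:tag][@sha256:digest].
_IMAGE_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?(?::[0-9]+)?/)?"  # optional registry
    r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"                   # first path component
    r"(?:/[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*)*"             # more path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?"                 # optional tag
    r"(?:@sha256:[a-f0-9]{64})?$"                               # optional digest
)
_IMAGE_LINE = re.compile(r"^\s*image:\s*[\"']?([^\"'\n]+?)[\"']?\s*$", re.M)
_ENV_DEF = re.compile(r"^\s*-\s*name:\s*([A-Z][A-Z0-9_]*)\s*$", re.M)  # '- name: S1_...'
_ENV_USE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")                    # '${S1_...}' / '$S1_...'

def lint_images(manifest_yaml: str) -> list[str]:
    """One problem string per 'image:' value that is not a well-formed reference."""
    return [f"invalid image reference {ref!r}"
            for ref in _IMAGE_LINE.findall(manifest_yaml) if not _IMAGE_RE.match(ref)]

def env_drift(manifest_yaml: str, entrypoint_sh: str) -> tuple[set[str], set[str]]:
    """Compare env names the manifest defines with names the script expands.
    Returns (defined_but_never_read, read_but_never_defined)."""
    defined = set(_ENV_DEF.findall(manifest_yaml))  # UPPER_CASE only, so container
    used = set(_ENV_USE.findall(entrypoint_sh))     # names like 'agent' never match
    return defined - used, used - defined

# Constructed manifest fragment modelled on the reports above (not the chart's output).
SAMPLE_MANIFEST = """\
      containers:
        - name: agent
          image: "dev001.azurecr.io/cwpp_agent/s1agent:ga-22.1.2"
          env:
            - name: S1_HEAP_TRIMMING_ENABLE
            - name: S1_HEAP_TRIMMING_INTERVAL
        - name: helper
          image: "<s1-helper-image>:<s1-helper-tag>"
"""
# The /opt/deployment.sh excerpt quoted in the issue; misspelling kept on purpose.
SAMPLE_SCRIPT = """\
if [[ "${S1_HEAP_TRIMMING_ENABLE}" == "true" ]]; then
    sudo /opt/sentinelone/bin/sentinelctl heap_trimming interval set "${S1_HEAP_TRIMMIG_INTERVAL}"
fi
"""

if __name__ == "__main__":
    print(lint_images(SAMPLE_MANIFEST), env_drift(SAMPLE_MANIFEST, SAMPLE_SCRIPT))
```

Run it against `helm template` output and the image's entrypoint script (for example extracted with `docker cp`) to catch both classes of problem before the DaemonSet is rolled out.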

Docker Images for 21.10.3 are missing

The newly updated chart v21.10.3 uses images ga-21.10.3, but they are not available.

Steps to reproduce:

$ docker pull docker.pkg.github.com/s1-agents/cwpp_agent/s1agent:ga-21.10.3
Error response from daemon: manifest unknown

SentinelAgent_k8s_v23_4_2_14 has a memory leak and is triggering an OOM

SentinelAgent_k8s_v23_4_2_14 routinely allocates as much as 2.1-3.5Gi of memory, most likely due to a memory leak. This causes Kubernetes to OOM-kill the container.

Log:
"Memory cgroup out of memory: Killed process 3523925 (s1-agent) total-vm:3122100kB, anon-rss:1113928kB, file-rss:154000kB, shmem-rss:0kB, UID:0 pgtables:3752kB oom_score_adj:966"

Helm lint failing

I am trying to perform helm lint but get the error below.
==> Linting charts/sentinelone
[INFO] Chart.yaml: icon is recommended
[ERROR] templates/: template: s1-agent/templates/common/secrets.yaml:12:3: executing "s1-agent/templates/common/secrets.yaml" at <fail "The site_key.value does not look like a valid site/group token. You must use a site token/group token exported from your console (under the desired site/group scope => Site Info/Group Info. Make sure to copy the full string and not omit any trailing '=' characters.">: error calling fail: The site_key.value does not look like a valid site/group token. You must use a site token/group token exported from your console (under the desired site/group scope => Site Info/Group Info. Make sure to copy the full string and not omit any trailing '=' characters.

Using Helm via terraform

Below is the Terraform code attempting to use this Helm chart. I'm able to install it successfully, but when performing a delete I get a timeout issue.

# ----------------------------------------------------------------------------------------------------------
# SETUP SENTINEL ONE AGENT
# The following sets up the SentinelOne agent for the cluster
# ----------------------------------------------------------------------------------------------------------

resource "kubernetes_namespace" "sentinelone_namespace" {
  metadata {
    name = "sentinelone"
  }
}

resource "kubernetes_secret" "docker_registry_secret" {
  metadata {
    name      = "nexus-imagepull-secret"
    namespace = kubernetes_namespace.sentinelone_namespace.metadata[0].name
  }

  type = "kubernetes.io/dockerconfigjson"

  data = {
    ".dockerconfigjson" = jsonencode({
      auths = {
        "${var.nexus_registry_base}" = {
          "username" = var.nexus_username,
          "password" = var.nexus_password,
          "email"    = var.email,
          "auth"     = local.encoded_nexus_credentials
        }
      }
    })
  }
}

resource "helm_release" "sentinelone_agent" {

  depends_on = [module.eks_core_nodes, module.eks_control_plane]

  name       = "s1"
  namespace  = kubernetes_namespace.sentinelone_namespace.metadata[0].name
  repository = "https://charts.sentinelone.com"
  chart      = "s1-agent"
  version    = var.s1_agent_tag

  set {
    name  = "secrets.imagePullSecret"
    value = kubernetes_secret.docker_registry_secret.metadata[0].name
  }

  set {
    name  = "secrets.site_key.value"
    value = var.s1_site_key
  }

  set {
    name  = "configuration.repositories.agent"
    value = "${var.nexus_registry_base}/xxx-sentinelone/s1agent"
  }

  set {
    name  = "configuration.tag.agent"
    value = var.s1_agent_tag
  }

  set {
    name  = "configuration.repositories.helper"
    value = "${var.nexus_registry_base}/xxx-sentinelone/s1helper"
  }

  set {
    name  = "configuration.tag.helper"
    value = var.s1_agent_tag
  }

  set {
    name  = "configuration.cluster.name"
    value = module.eks_control_plane.eks_cluster_name
  }

  # The dot inside the label key must be escaped for the helm provider's set name
  # (a bare "\." is not a valid HCL escape sequence).
  set {
    name  = "helper.nodeSelector.kubernetes\\.io/os"
    value = "linux"
  }

  set {
    name  = "agent.nodeSelector.kubernetes\\.io/os"
    value = "linux"
  }

  set {
    name  = "agent.resources.limits.memory"
    value = "1945Mi"
  }

  set {
    name  = "agent.resources.limits.cpu"
    value = "900m"
  }

  set {
    name  = "agent.resources.requests.memory"
    value = "800Mi"
  }

  set {
    name  = "agent.resources.requests.cpu"
    value = "500m"
  }

  set {
    name  = "helper.resources.limits.memory"
    value = "1945Mi"
  }

  set {
    name  = "helper.resources.limits.cpu"
    value = "900m"
  }

  set {
    name  = "helper.resources.requests.memory"
    value = "100Mi"
  }

  set {
    name  = "helper.resources.requests.cpu"
    value = "100m"
  }

  set {
    name  = "configuration.env.agent.heap_trimming_enable"
    value = "true"
  }

  set {
    name  = "configuration.env.agent.log_level"
    value = "debug"
  }

  set {
    name  = "agent.tolerations[0].key"
    value = "dedicated"
  }

  set {
    name  = "agent.tolerations[0].operator"
    value = "Equal"
  }

  set {
    name  = "agent.tolerations[0].value"
    value = "core"
  }

  set {
    name  = "agent.tolerations[0].effect"
    value = "NoSchedule"
  }

  set {
    name  = "helper.tolerations[0].key"
    value = "dedicated"
  }

  set {
    name  = "helper.tolerations[0].operator"
    value = "Equal"
  }

  set {
    name  = "helper.tolerations[0].value"
    value = "core"
  }

  set {
    name  = "helper.tolerations[0].effect"
    value = "NoSchedule"
  }
}

I then check the pods and come to know that an additional uninstall-agent

admin@desktop infra % kubectl get pods -n sentinelone -o wide

Do we have to add taint for s1-uninstall-agent as well?

Helm chart should allow setting PriorityClass

When a Kubernetes cluster does not have sufficient resources, the s1agent DaemonSet and Helper may not run, because they run with default priority 0.

To ensure correct operation, the Helm chart should allow setting a PriorityClass for both Agent and Helper, so an admin can choose to run these with system- or cluster-critical priority.
