Hello
- Cluster: AWS EKS 1.33 - 1.35
- Managed by: ArgoCD and GitOps (based on AWS GitOps Bridge https://github.com/gitops-bridge-dev/gitops-bridge)
- Nodes: Amazon Linux 2023 and BottleRocket (amd64)
- Umbrella Helm chart to facilitate the external secret generation for oid
- values file included at the end of post
- Image pulled via `falcon-container-sensor-pull.sh -r eu-1 -t falcon-sensor -c <redacted>.dkr.ecr.eu-west-2.amazonaws.com/crowdstrike` from https://github.com/CrowdStrike/falcon-scripts/blob/main/bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh
I am setting up falcon-sensor on our AWS EKS based clusters using the daemonset.
The daemonset seems to deploy, but there are hundreds of lines in the logs indicating an issue with the /opt/CrowdStrike volume/folder.
If I describe the running pod or daemonset, the init-falconstore container only shows a mount for the service account, but https://kubernetes.io/docs/concepts/workloads/pods/init-containers/#differences-from-regular-containers indicates that they share volumes.
If I inspect other pods that use init containers, they seem to indicate a volume mount on both the init and normal container.
I have noted other issues here where the container image was used instead of the sensor one, but I double checked the above flag for falcon-sensor.
Any advice would be appreciated.
init-falconstore

```
Running /opt/CrowdStrike/falcon-daemonset-init -i
Setting up CrowdStrike directory
Created directory /opt/CrowdStrike
Created /opt/CrowdStrike/falconstore
Running /opt/CrowdStrike/configure-cluster-id
Found Service Host
Found node name
Found Certificate
Found Access token
Connected to Api Server
Acquired Response Data
Connected to Api Server
Acquired Response Data
Found Cluster ID <redacted> and node UID: <redacted>
Successfully configured Cluster ID: <redacted> and Node UID: <redacted>
stream closed: EOF for falcon-sensor/falcon-sensor-j9j7s (init-falconstore)
```
From falcon-node-sensor (notable logs at the start; there are 10k logs so didn't include all yet)

```
| | 2026-02-04 08:58:56.716 | Wed Feb 4 08:58:56 2026 Could not resolve path /opt/CrowdStrike/CsPython/: ERRNO=2 () (1933570) [0] |
| | 2026-02-04 08:58:56.716 | Wed Feb 4 08:58:56 2026 Could not resolve path /opt/CrowdStrike/Packages/: ERRNO=2 () (1933570) [0] |
| | 2026-02-04 08:58:56.716 | Wed Feb 4 08:58:56 2026 GetRealPathAnsi failed for '/opt/CrowdStrike/Packages/': STATUS=0xC0000034 (1933570) [0] |
| | 2026-02-04 08:58:56.716 | Wed Feb 4 08:58:56 2026 Could not open Packages directory: STATUS=0xC0000034 (1933570) [0] |
| | 2026-02-04 08:58:56.717 | Wed Feb 4 08:58:56 2026 Interface 0xa028 is not supported. (1933570) [0] |
| | 2026-02-04 08:58:56.717 | Wed Feb 4 08:58:56 2026 Interface 0x3f3 is not supported. (1933570) [0] |
| | 2026-02-04 08:58:56.717 | Wed Feb 4 08:58:56 2026 Interface 0x3f7 is not supported. (1933570) [0] |
| | 2026-02-04 08:58:56.725 | Wed Feb 4 08:58:56 2026 No counters available (1933570) [0] |
| | 2026-02-04 08:58:56.725 | Wed Feb 4 08:58:56 2026 No counters available (1933570) [0] |
| | 2026-02-04 08:58:56.725 | Wed Feb 4 08:58:56 2026 No counters available (1933570) [0] |
| | 2026-02-04 08:58:56.725 | Wed Feb 4 08:58:56 2026 No counters available (1933570) [0]
```
```
bash-5.1# ls -al /opt/CrowdStrike/
total 177444
drwxr-x---. 1 root root 40 Feb 4 08:58 .
drwxr-xr-x. 1 root root 25 Nov 15 2024 ..
lrwxrwxrwx. 1 root root 24 Jan 9 18:24 KernelModuleArchive -> KernelModuleArchive18606
-rw-r-----. 1 root root 70265032 Jan 9 18:24 KernelModuleArchive18606
-rw-r-----. 1 root root 1058 Jan 9 18:24 README
lrwxrwxrwx. 1 root root 25 Jan 9 18:25 configure-cluster-id -> configure-cluster-id18606
-rwxr-x---. 1 root root 5531800 Jan 9 18:25 configure-cluster-id18606
lrwxrwxrwx. 1 root root 26 Jan 9 18:25 falcon-daemonset-init -> falcon-daemonset-init18606
-rwxr-x---. 1 root root 244536 Jan 9 18:25 falcon-daemonset-init18606
lrwxrwxrwx. 1 root root 16 Jan 9 18:25 falcon-flow -> falcon-flow18606
-rwxr-xr-x. 1 root root 69360968 Jan 9 18:25 falcon-flow18606
lrwxrwxrwx. 1 root root 21 Jan 9 18:24 falcon-fx -> falcon-fxpredict18606
lrwxrwxrwx. 1 root root 21 Jan 9 18:24 falcon-fxpredict -> falcon-fxpredict18606
-rwxr-x---. 1 root root 130336 Jan 9 18:24 falcon-fxpredict18606
lrwxrwxrwx. 1 root root 24 Jan 9 18:24 falcon-kernel-check -> falcon-kernel-check18606
-rwxr-x---. 1 root root 392655 Jan 9 18:24 falcon-kernel-check18606
lrwxrwxrwx. 1 root root 21 Jan 9 18:24 falcon-predict -> falcon-fxpredict18606
lrwxrwxrwx. 1 root root 18 Jan 9 18:24 falcon-sensor -> falcon-sensor18606
lrwxrwxrwx. 1 root root 22 Jan 9 18:24 falcon-sensor-bpf -> falcon-sensor-bpf18606
-rwxr-x---. 1 root root 11468840 Jan 9 18:25 falcon-sensor-bpf18606
-rwxr-x---. 1 root root 7011288 Jan 9 18:25 falcon-sensor18606
lrwxrwxrwx. 1 root root 23 Jan 9 18:24 falcon-zip-inspect -> falcon-zip-inspect18606
-rwxr-x---. 1 root root 2275864 Jan 9 18:24 falcon-zip-inspect18606
lrwxrwxrwx. 1 root root 14 Jan 9 18:24 falconctl -> falconctl18606
-rwxr-x---. 1 root root 314448 Jan 9 18:24 falconctl18606
lrwxrwxrwx. 1 root root 12 Jan 9 18:24 falcond -> falcond18606
-rwxr-x---. 1 root root 240408 Jan 9 18:24 falcond18606
-rw-r-----. 1 root root 8192 Feb 4 09:01 falconstore
lrwxrwxrwx. 1 root root 28 Jan 9 18:24 libelf-sourceware.so.1 -> libelf-sourceware.so.1-18606
-rwxr-x---. 1 root root 109144 Jan 9 18:24 libelf-sourceware.so.1-18606
lrwxrwxrwx. 1 root root 23 Jan 9 18:24 libfalconfxp.so.3 -> libfalconfxp.so.3-18606
-rwxr-x---. 1 root root 14324672 Jan 9 18:24 libfalconfxp.so.3-18606
drwx------. 2 root root 6 Feb 4 08:58 sandbox
```
Umbrella chart effective values

```yaml
ExternalSecret:
  refreshInterval: "1h0m0s"
  secretStoreRef:
    name: "aws-secrets-manager"
    kind: "ClusterSecretStore"
  remoteRef:
    key: "eks/crowdstrike"
falcon-sensor:
  falconSecret:
    enabled: true
    secretName: "falcon-sensor-oid"
  falcon:
    trace: "err"
  node:
    image:
      repository: <redacted>.dkr.ecr.eu-west-2.amazonaws.com/crowdstrike/falcon-sensor
      tag: 7.33.0-18606-1
```
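
Added example, not part of the original post or of the falcon-sensor project: Kubernetes declares volumes once per pod, and each container sees only those it lists under `volumeMounts`, so the init and main containers' view of `/opt/CrowdStrike` can be compared from the pod JSON. The pod spec below is constructed; the container names come from the logs above, while the volume names and the hostPath are assumptions.

```python
import json

# Constructed sample in the shape of `kubectl get pod <pod> -o json`, trimmed.
# Container names are the ones in the logs above; volume names and the
# hostPath are hypothetical, not copied from the falcon-sensor chart.
SAMPLE_POD = json.loads("""
{"spec": {
  "volumes": [
    {"name": "example-store", "hostPath": {"path": "/opt/CrowdStrike/falconstore"}},
    {"name": "kube-api-access-example", "projected": {"sources": []}}],
  "initContainers": [
    {"name": "init-falconstore", "volumeMounts": [
      {"name": "kube-api-access-example",
       "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}],
  "containers": [
    {"name": "falcon-node-sensor", "volumeMounts": [
      {"name": "example-store", "mountPath": "/opt/CrowdStrike/falconstore"},
      {"name": "kube-api-access-example",
       "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}]}}
""")


def describe(volume):
    """Name the volume source, with the host path when it is a hostPath."""
    for source, cfg in volume.items():
        if source == "hostPath":
            return "hostPath:" + cfg["path"]
        if source != "name":
            return source
    return "undefined"  # mount refers to a volume missing from spec.volumes


def mounts_by_container(pod):
    """Map container name -> {mountPath: backing volume source}."""
    spec = pod["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    out = {}
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            out[c["name"]] = {m["mountPath"]: describe(volumes.get(m["name"], {}))
                              for m in c.get("volumeMounts", [])}
    return out


def containers_covering(pod, path):
    """Containers with a mount at `path`, above it, or below it."""
    path = path.rstrip("/")
    def related(mp):
        mp = mp.rstrip("/")
        return mp == path or mp.startswith(path + "/") or path.startswith(mp + "/")
    return [name for name, mounts in mounts_by_container(pod).items()
            if any(related(mp) for mp in mounts)]
```

To run it against a live pod, replace `SAMPLE_POD` with the parsed output of `kubectl get pod <pod> -n falcon-sensor -o json`.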