Skip to content

Commit

Permalink
Merge pull request #587 from evanstoner/improve-managed-openshift-docs
Browse files Browse the repository at this point in the history
docs: improve ROSA/ARO support language
  • Loading branch information
evanstoner authored Nov 20, 2024
2 parents 38f334a + 4e99056 commit 4a35cdb
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 22 deletions.
17 changes: 6 additions & 11 deletions docs/deployment/openshift/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,20 +24,15 @@ If you want to automate the deployment of the operator, the CLI method is recomm
> - Sensor Download: **Read**
### Managed OpenShift Considerations

> [!IMPORTANT]
> Managed OpenShift services (e.g. ROSA, ARO, RHOIC, OSD) do not support running user workloads on control plane and infrastructure nodes. However, not deploying the sensor to some nodes in the cluster would create a gap in protection. For this reason, we recommend deploying the sensor to all nodes in the cluster by using the default tolerations. Please be aware that Red Hat site reliability engineering (SRE) may be unable to maintain your cluster's service level agreement (SLA) for availability, and you may have to remove the sensor from control plane and infrastructure nodes during troubleshooting. For more information, see the Red Hat support article [Running custom workloads in OSD/ROSA control plane or infra nodes](https://access.redhat.com/solutions/6972101).
> On managed OpenShift services (e.g. ROSA, ARO, RHOIC, OSD), Red Hat does not support running any workloads on control plane and infrastructure nodes (including OpenShift-certified operators like this one). For managed OpenShift services _only_, you must choose one of these deployment options:
>
> 1. **Deploy the Falcon sensor only to worker nodes.** This introduces risk by not having visibility and protection on control plane and infrastructure nodes, but maintains full support from Red Hat Site Reliability Engineering (SRE). To do so, set `spec.node.tolerations: []` on `FalconNodeSensor`.
>
> If you would prefer to maintain your SLA and SRE support by limiting your protection to worker nodes, override the tolerations in FalconNodeSensor to be an empty list:
> 2. **Deploy the Falcon sensor to all nodes.** This provides full protection for the cluster, but may prevent Red Hat SRE from maintaining your service level agreement (SLA) for availability. We recommend working with your Red Hat account team to submit a support exception in this case. This is the default behavior of the operator, so no configuration is required. For more information, see the Red Hat support article [Running custom workloads in OSD/ROSA control plane or infra nodes](https://access.redhat.com/solutions/6972101).
>
> ```yaml
> apiVersion: falcon.crowdstrike.com/v1alpha1
> kind: FalconNodeSensor
> metadata:
> spec:
> node:
> tolerations: []
> # ...
> ```
> These constraints are specific to managed OpenShift services. The Falcon sensor is always supported on all node types for self-managed OpenShift clusters.
## Installing the operator through the Web Console (GUI)

Expand Down
17 changes: 6 additions & 11 deletions docs/src/deployment/openshift/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,20 +24,15 @@ If you want to automate the deployment of the operator, the CLI method is recomm
> - Sensor Download: **Read**
### Managed OpenShift Considerations

> [!IMPORTANT]
> Managed OpenShift services (e.g. ROSA, ARO, RHOIC, OSD) do not support running user workloads on control plane and infrastructure nodes. However, not deploying the sensor to some nodes in the cluster would create a gap in protection. For this reason, we recommend deploying the sensor to all nodes in the cluster by using the default tolerations. Please be aware that Red Hat site reliability engineering (SRE) may be unable to maintain your cluster's service level agreement (SLA) for availability, and you may have to remove the sensor from control plane and infrastructure nodes during troubleshooting. For more information, see the Red Hat support article [Running custom workloads in OSD/ROSA control plane or infra nodes](https://access.redhat.com/solutions/6972101).
> On managed OpenShift services (e.g. ROSA, ARO, RHOIC, OSD), Red Hat does not support running any workloads on control plane and infrastructure nodes (including OpenShift-certified operators like this one). For managed OpenShift services _only_, you must choose one of these deployment options:
>
> 1. **Deploy the Falcon sensor only to worker nodes.** This introduces risk by not having visibility and protection on control plane and infrastructure nodes, but maintains full support from Red Hat Site Reliability Engineering (SRE). To do so, set `spec.node.tolerations: []` on `FalconNodeSensor`.
>
> If you would prefer to maintain your SLA and SRE support by limiting your protection to worker nodes, override the tolerations in FalconNodeSensor to be an empty list:
> 2. **Deploy the Falcon sensor to all nodes.** This provides full protection for the cluster, but may prevent Red Hat SRE from maintaining your service level agreement (SLA) for availability. We recommend working with your Red Hat account team to submit a support exception in this case. This is the default behavior of the operator, so no configuration is required. For more information, see the Red Hat support article [Running custom workloads in OSD/ROSA control plane or infra nodes](https://access.redhat.com/solutions/6972101).
>
> ```yaml
> apiVersion: falcon.crowdstrike.com/v1alpha1
> kind: FalconNodeSensor
> metadata:
> spec:
> node:
> tolerations: []
> # ...
> ```
> These constraints are specific to managed OpenShift services. The Falcon sensor is always supported on all node types for self-managed OpenShift clusters.
## Installing the operator through the Web Console (GUI)

Expand Down

0 comments on commit 4a35cdb

Please sign in to comment.