feat: enable GKE autopilot support

- Add GKE sensor types - Set default resource and priorityclass configuration for GKE - Reconcile more objects in DS configuration change updates
CrowdStrike · Oct 25, 2023 · 8887d4e · 8887d4e
1 parent c9f180d
commit 8887d4e
Show file tree

Hide file tree

Showing 17 changed files with 934 additions and 87 deletions.
diff --git a/api/falcon/v1alpha1/falconnodesensor_types.go b/api/falcon/v1alpha1/falconnodesensor_types.go
@@ -65,16 +65,69 @@ type FalconNodeSensorConfig struct {
 	// +kubebuilder:default=false
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=8
 	NodeCleanup *bool `json:"disableCleanup,omitempty"`
+
+	// Configure resource requests and limits for the DaemonSet Sensor. Only applies when using the eBPF backend.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon eBPF Sensor Resources",order=9
+	SensorResources Resources `json:"resources,omitempty"`
+
 	// Sets the backend to be used by the DaemonSet Sensor.
 	// +kubebuilder:default=kernel
 	// +kubebuilder:validation:Enum=kernel;bpf
-	// +operator-sdk-csv:customresourcedefinitions:type=spec,order=9
+	// +operator-sdk-csv:customresourcedefinitions:type=spec,order=10
 	Backend string `json:"backend,omitempty"`
 
+	// Enables the use of GKE Autopilot.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="GKE Autopilot Settings",order=11
+	GKE AutoPilot `json:"gke,omitempty"`
+
+	// Enable priority class for the DaemonSet. This is useful for GKE Autopilot clusters, but can be set for any cluster.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Priority Class",order=12
+	PriorityClass PriorityClassConfig `json:"priorityClass,omitempty"`
+
 	// Version of the sensor to be installed. The latest version will be selected when this version specifier is missing.
 	Version *string `json:"version,omitempty"`
 }
 
+type PriorityClassConfig struct {
+	// Enables the operator to deploy a PriorityClass instead of rolling your own. Default is false.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Deploy Priority Class to cluster",order=2
+	Deploy *bool `json:"deploy,omitempty"`
+
+	// Name of the priority class to use for the DaemonSet.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Name of the Priority Class to use",order=2
+	Name string `json:"name,omitempty"`
+
+	// Value of the priority class to use for the DaemonSet. Requires the Deploy field to be set to true.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Priority Class Value",order=3
+	Value *int32 `json:"value,omitempty"`
+}
+
+type Resources struct {
+	// Sets the resource limits for the DaemonSet Sensor. Only applies when using the eBPF backend.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	Limits ResourceList `json:"limits,omitempty"`
+	// Sets the resource requests for the DaemonSet Sensor. Only applies when using the eBPF backend.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	Requests ResourceList `json:"requests,omitempty"`
+}
+
+type ResourceList struct {
+	// Minimum allowed is 250m.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Pattern="^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$"
+	CPU string `json:"cpu,omitempty"`
+	// Minimum allowed is 500Mi.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Pattern="^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$"
+	Memory string `json:"memory,omitempty"`
+}
+
+type AutoPilot struct {
+	// Enables the use of GKE Autopilot.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	Enabled *bool `json:"autopilot,omitempty"`
+}
+
 type FalconNodeUpdateStrategy struct {
 	// +kubebuilder:default=RollingUpdate
 	// +kubebuilder:validation:Enum=RollingUpdate;OnDelete

diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -216,6 +216,26 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutoPilot) DeepCopyInto(out *AutoPilot) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoPilot.
+func (in *AutoPilot) DeepCopy() *AutoPilot {
+	if in == nil {
+		return nil
+	}
+	out := new(AutoPilot)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconAPI) DeepCopyInto(out *FalconAPI) {
 	*out = *in
@@ -784,6 +804,9 @@ func (in *FalconNodeSensorConfig) DeepCopyInto(out *FalconNodeSensorConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	out.SensorResources = in.SensorResources
+	in.GKE.DeepCopyInto(&out.GKE)
+	in.PriorityClass.DeepCopyInto(&out.PriorityClass)
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(string)
@@ -955,6 +978,31 @@ func (in *FalconSensor) DeepCopy() *FalconSensor {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PriorityClassConfig) DeepCopyInto(out *PriorityClassConfig) {
+	*out = *in
+	if in.Deploy != nil {
+		in, out := &in.Deploy, &out.Deploy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(int32)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PriorityClassConfig.
+func (in *PriorityClassConfig) DeepCopy() *PriorityClassConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(PriorityClassConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegistrySpec) DeepCopyInto(out *RegistrySpec) {
 	*out = *in
@@ -990,3 +1038,35 @@ func (in *RegistryTLSSpec) DeepCopy() *RegistryTLSSpec {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceList) DeepCopyInto(out *ResourceList) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceList.
+func (in *ResourceList) DeepCopy() *ResourceList {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Resources) DeepCopyInto(out *Resources) {
+	*out = *in
+	out.Limits = in.Limits
+	out.Requests = in.Requests
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources.
+func (in *Resources) DeepCopy() *Resources {
+	if in == nil {
+		return nil
+	}
+	out := new(Resources)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/bundle/manifests/falcon-operator.clusterserviceversion.yaml b/bundle/manifests/falcon-operator.clusterserviceversion.yaml
@@ -101,7 +101,7 @@ metadata:
     capabilities: Basic Install
     categories: Security,Monitoring
     containerImage: quay.io/crowdstrike/falcon-operator
-    createdAt: "2023-10-17T19:56:45Z"
+    createdAt: "2023-10-25T21:27:38Z"
     description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
     operatorframework.io/suggested-namespace: falcon-operator
     operators.operatorframework.io/builder: operator-sdk-v1.29.0
@@ -492,6 +492,13 @@ spec:
           mirror the original image to your repository/name:tag
         displayName: Image
         path: node.image
+      - description: Enables the operator to deploy a PriorityClass instead of rolling
+          your own. Default is false.
+        displayName: Deploy Priority Class to cluster
+        path: node.priorityClass.deploy
+      - description: Name of the priority class to use for the DaemonSet.
+        displayName: Name of the Priority Class to use
+        path: node.priorityClass.name
       - description: Disable the Falcon Sensor's use of a proxy.
         displayName: Disable Falcon Proxy
         path: falcon.apd
@@ -506,6 +513,10 @@ spec:
         path: node
       - displayName: Image Pull Policy
         path: node.imagePullPolicy
+      - description: Value of the priority class to use for the DaemonSet. Requires
+          the Deploy field to be set to true.
+        displayName: Priority Class Value
+        path: node.priorityClass.value
       - description: The application proxy host to use for Falcon sensor proxy configuration.
         displayName: Disable Falcon Proxy Host
         path: falcon.aph
@@ -550,6 +561,40 @@ spec:
           as sensor downgrading.
         displayName: Node Cleanup
         path: node.disableCleanup
+      - description: Configure resource requests and limits for the DaemonSet Sensor.
+          Only applies when using the eBPF backend.
+        displayName: Falcon eBPF Sensor Resources
+        path: node.resources
+      - description: Enables the use of GKE Autopilot.
+        displayName: GKE Autopilot Settings
+        path: node.gke
+      - description: Enable priority class for the DaemonSet. This is useful for GKE
+          Autopilot clusters, but can be set for any cluster.
+        displayName: Priority Class
+        path: node.priorityClass
+      - description: Enables the use of GKE Autopilot.
+        displayName: Enabled
+        path: node.gke.autopilot
+      - description: Sets the resource limits for the DaemonSet Sensor. Only applies
+          when using the eBPF backend.
+        displayName: Limits
+        path: node.resources.limits
+      - description: Minimum allowed is 250m.
+        displayName: CPU
+        path: node.resources.limits.cpu
+      - description: Minimum allowed is 500Mi.
+        displayName: Memory
+        path: node.resources.limits.memory
+      - description: Sets the resource requests for the DaemonSet Sensor. Only applies
+          when using the eBPF backend.
+        displayName: Requests
+        path: node.resources.requests
+      - description: Minimum allowed is 250m.
+        displayName: CPU
+        path: node.resources.requests.cpu
+      - description: Minimum allowed is 500Mi.
+        displayName: Memory
+        path: node.resources.requests.memory
       - description: Add metadata to the DaemonSet Service Account for IAM roles.
         displayName: Service Account
         path: node.serviceAccount
@@ -883,6 +928,17 @@ spec:
           - list
           - update
           - watch
+        - apiGroups:
+          - scheduling.k8s.io
+          resources:
+          - priorityclasses
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - security.openshift.io
           resourceNames:

diff --git a/bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml b/bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml
@@ -143,6 +143,13 @@ spec:
                       on the nodes. Disabling might have unintended consequences for
                       certain operations such as sensor downgrading.
                     type: boolean
+                  gke:
+                    description: Enables the use of GKE Autopilot.
+                    properties:
+                      autopilot:
+                        description: Enables the use of GKE Autopilot.
+                        type: boolean
+                    type: object
                   image:
                     description: Location of the Falcon Sensor image. Use only in
                       cases when you mirror the original image to your repository/name:tag
@@ -379,6 +386,54 @@ spec:
                         type: object
                         x-kubernetes-map-type: atomic
                     type: object
+                  priorityClass:
+                    description: Enable priority class for the DaemonSet. This is
+                      useful for GKE Autopilot clusters, but can be set for any cluster.
+                    properties:
+                      deploy:
+                        description: Enables the operator to deploy a PriorityClass
+                          instead of rolling your own. Default is false.
+                        type: boolean
+                      name:
+                        description: Name of the priority class to use for the DaemonSet.
+                        type: string
+                      value:
+                        description: Value of the priority class to use for the DaemonSet.
+                          Requires the Deploy field to be set to true.
+                        format: int32
+                        type: integer
+                    type: object
+                  resources:
+                    description: Configure resource requests and limits for the DaemonSet
+                      Sensor. Only applies when using the eBPF backend.
+                    properties:
+                      limits:
+                        description: Sets the resource limits for the DaemonSet Sensor.
+                          Only applies when using the eBPF backend.
+                        properties:
+                          cpu:
+                            description: Minimum allowed is 250m.
+                            pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
+                            type: string
+                          memory:
+                            description: Minimum allowed is 500Mi.
+                            pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$
+                            type: string
+                        type: object
+                      requests:
+                        description: Sets the resource requests for the DaemonSet
+                          Sensor. Only applies when using the eBPF backend.
+                        properties:
+                          cpu:
+                            description: Minimum allowed is 250m.
+                            pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
+                            type: string
+                          memory:
+                            description: Minimum allowed is 500Mi.
+                            pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$
+                            type: string
+                        type: object
+                    type: object
                   serviceAccount:
                     description: Add metadata to the DaemonSet Service Account for
                       IAM roles.

diff --git a/cmd/main.go b/cmd/main.go
@@ -33,6 +33,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	schedulingv1 "k8s.io/api/scheduling/v1"
 
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 	admissioncontroller "github.com/crowdstrike/falcon-operator/controllers/admission"
@@ -133,6 +134,9 @@ func main() {
 				&corev1.Secret{}:                   {},
 				&rbacv1.ClusterRoleBinding{}:       {},
 				&corev1.ServiceAccount{}:           {},
+				&schedulingv1.PriorityClass{}: {
+					Label: labels.SelectorFromSet(labels.Set{common.FalconComponentKey: common.FalconKernelSensor}),
+				},
 				&imagev1.ImageStream{}: {
 					Label: labels.SelectorFromSet(labels.Set{common.FalconProviderKey: common.FalconProviderValue}),
 				},