Skip to content

Commit

Permalink
feat: add cluster visibility to FalconAdmission
Browse files Browse the repository at this point in the history
  • Loading branch information
gpontejos committed Oct 2, 2024
1 parent a7f6ae6 commit fffc69b
Show file tree
Hide file tree
Showing 15 changed files with 1,073 additions and 368 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# To re-generate a bundle for another specific version without changing the standard setup, you can:
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
VERSION ?= 1.1.0
VERSION ?= 1.3.0

# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
Expand Down
66 changes: 63 additions & 3 deletions api/falcon/v1alpha1/falconadmission_types.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package v1alpha1

import (
"time"

arv1 "k8s.io/api/admissionregistration/v1"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -99,7 +101,29 @@ type FalconAdmissionConfigSpec struct {
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12
DisabledNamespaces FalconAdmissionNamespace `json:"disabledNamespaces,omitempty"`

// Currently ignored and internally set to 1.
// Determines if with falcon-watcher container is included in the Pod
// +kubebuilder:default:=true
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Deploy Watcher Container",order=13
DeployWatcher *bool `json:"deployWatcher,omitempty"`

// Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility.
// +kubebuilder:default:=true
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enable Resource Snapshots",order=15
SnapshotsEnabled *bool `json:"snapshotsEnabled,omitempty"`

// Time interval between two snapshots of Kubernetes resources in the cluster.
// +kubebuilder:default:="22h"
// +kubebuilder:validation:Type:=string
// +kubebuilder:validation:Format:=duration
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Time Interval Between Two Snapshots",order=16
SnapshotsInterval *metav1.Duration `json:"snapshotsInterval,omitempty"`

// Determines if Kubernetes resources are watched for cluster visibility.
// +kubebuilder:default:=true
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enable Resource Watcher",order=17
WatcherEnabled *bool `json:"watcherEnabled,omitempty"`

// Currently ignored and internally set to 1
// +kubebuilder:default:=2
// +kubebuilder:validation:XIntOrString
// +kubebuilder:validation:Minimum:=0
Expand All @@ -117,11 +141,15 @@ type FalconAdmissionConfigSpec struct {
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`

// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Client Resources",order=9,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:resourceRequirements"}
//+kubebuilder:default:={"limits":{"cpu":"750m","memory":"256Mi"},"requests":{"cpu":"500m","memory":"256Mi"}}
// +kubebuilder:default:={"limits":{"cpu":"750m","memory":"384Mi"},"requests":{"cpu":"500m","memory":"384Mi"}}
ResourcesClient *corev1.ResourceRequirements `json:"resourcesClient,omitempty"`

// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Watcher Resources",order=14,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:resourceRequirements"}
// +kubebuilder:default:={"limits":{"cpu":"750m","memory":"384Mi"},"requests":{"cpu":"500m","memory":"384Mi"}}
ResourcesWatcher *corev1.ResourceRequirements `json:"resourcesWatcher,omitempty"`

// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Resources",order=10,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:resourceRequirements"}
//+kubebuilder:default:={"limits":{"cpu":"300m","memory":"512Mi"},"requests":{"cpu":"300m","memory":"512Mi"}}
//+kubebuilder:default:={"limits":{"cpu":"300m","memory":"256Mi"},"requests":{"cpu":"300m","memory":"256Mi"}}
ResourcesAC *corev1.ResourceRequirements `json:"resources,omitempty"`

// Type of Deployment update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
Expand Down Expand Up @@ -201,3 +229,35 @@ type FalconAdmissionList struct {
func init() {
SchemeBuilder.Register(&FalconAdmission{}, &FalconAdmissionList{})
}

func (watcher FalconAdmissionConfigSpec) DeployWatcherContainer() bool {
if watcher.DeployWatcher == nil {
return false
}

return *watcher.DeployWatcher
}

func (watcher FalconAdmissionConfigSpec) GetSnapshotsEnabled() bool {
if watcher.SnapshotsEnabled == nil {
return true
}

return *watcher.SnapshotsEnabled
}

func (watcher FalconAdmissionConfigSpec) GetSnapshotsInterval() time.Duration {
if watcher.SnapshotsInterval == nil {
return time.Duration(22 * time.Hour)
}

return watcher.SnapshotsInterval.Duration
}

func (watcher FalconAdmissionConfigSpec) GetWatcherEnabled() bool {
if watcher.WatcherEnabled == nil {
return true
}

return *watcher.WatcherEnabled
}
25 changes: 25 additions & 0 deletions api/falcon/v1alpha1/zz_generated.deepcopy.go
Original file line number Diff line number Diff line change
Expand Up @@ -323,6 +323,26 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
}
in.TLS.DeepCopyInto(&out.TLS)
in.DisabledNamespaces.DeepCopyInto(&out.DisabledNamespaces)
if in.DeployWatcher != nil {
in, out := &in.DeployWatcher, &out.DeployWatcher
*out = new(bool)
**out = **in
}
if in.SnapshotsEnabled != nil {
in, out := &in.SnapshotsEnabled, &out.SnapshotsEnabled
*out = new(bool)
**out = **in
}
if in.SnapshotsInterval != nil {
in, out := &in.SnapshotsInterval, &out.SnapshotsInterval
*out = new(v1.Duration)
**out = **in
}
if in.WatcherEnabled != nil {
in, out := &in.WatcherEnabled, &out.WatcherEnabled
*out = new(bool)
**out = **in
}
if in.Replicas != nil {
in, out := &in.Replicas, &out.Replicas
*out = new(int32)
Expand All @@ -338,6 +358,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
*out = new(corev1.ResourceRequirements)
(*in).DeepCopyInto(*out)
}
if in.ResourcesWatcher != nil {
in, out := &in.ResourcesWatcher, &out.ResourcesWatcher
*out = new(corev1.ResourceRequirements)
(*in).DeepCopyInto(*out)
}
if in.ResourcesAC != nil {
in, out := &in.ResourcesAC, &out.ResourcesAC
*out = new(corev1.ResourceRequirements)
Expand Down
21 changes: 18 additions & 3 deletions bundle/manifests/falcon-operator.clusterserviceversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ metadata:
capabilities: Seamless Upgrades
categories: Security,Monitoring
containerImage: quay.io/crowdstrike/falcon-operator
createdAt: "2024-06-03T19:42:25Z"
createdAt: "2024-08-23T19:08:01Z"
description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
Expand Down Expand Up @@ -285,7 +285,7 @@ spec:
- description: Additional configuration for Falcon Admission Controller deployment.
displayName: Falcon Admission Controller Configuration
path: admissionConfig
- description: Number of replicas for the Falcon Admission Controller deployment.
- description: Currently ignored and internally set to 1.
displayName: Admission Controller Replica Count
path: admissionConfig.replicas
x-descriptors:
Expand Down Expand Up @@ -346,6 +346,21 @@ spec:
- description: Ignore admission control for a specific set of namespaces.
displayName: Ignore Namespace List
path: admissionConfig.disabledNamespaces
- displayName: Falcon Admission Controller Watcher Resources
path: admissionConfig.resourcesWatcher
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:resourceRequirements
- description: Determines if snapshots of Kubernetes resources are periodically
taken for cluster visibility.
displayName: Enable Resource Snapshots
path: admissionConfig.snapshotsEnabled
- description: Time interval between two snapshots of Kubernetes resources in
the cluster.
displayName: Time Interval Between Two Snapshots
path: admissionConfig.snapshotsInterval
- description: Determines if Kubernetes resources are watched for cluster visibility.
displayName: Enable Resource Watcher
path: admissionConfig.watcherEnabled
version: v1alpha1
- description: FalconContainer is the Schema for the falconcontainers API
displayName: Falcon Container
Expand Down Expand Up @@ -1307,7 +1322,7 @@ spec:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: OPERATOR_NAME
value: falcon-operator
image: quay.io/crowdstrike/falcon-operator:1.0.0
image: quay.io/crowdstrike/falcon-operator:1.2.0
livenessProbe:
httpGet:
path: /healthz
Expand Down
73 changes: 73 additions & 0 deletions bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,63 @@ spec:
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
resourcesWatcher:
default:
limits:
cpu: 750m
memory: 256Mi
requests:
cpu: 500m
memory: 256Mi
description: ResourceRequirements describes the compute resource
requirements.
properties:
claims:
description: "Claims lists the names of resources, defined
in spec.resourceClaims, that are used by this container.
\n This is an alpha field and requires enabling the DynamicResourceAllocation
feature gate. \n This field is immutable. It can only be
set for containers."
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: Name must match the name of one entry in
pod.spec.resourceClaims of the Pod where this field
is used. It makes that resource available inside a
container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Limits describes the maximum amount of compute
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: 'Requests describes the minimum amount of compute
resources required. If Requests is omitted for a container,
it defaults to Limits if that is explicitly specified, otherwise
to an implementation-defined value. Requests cannot exceed
Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
type: object
type: object
serviceAccount:
description: Define annotations that will be passed down to admision
controller service account. This is useful for passing along
Expand All @@ -242,6 +299,17 @@ spec:
minimum: 0
type: integer
x-kubernetes-int-or-string: true
snapshotsEnabled:
default: true
description: Determines if snapshots of Kubernetes resources are
periodically taken for cluster visibility.
type: boolean
snapshotsInterval:
default: 22h
description: Time interval between two snapshots of Kubernetes
resources in the cluster.
format: duration
type: string
tls:
description: Configure TLS setings for the Falcon Admission Controller
properties:
Expand Down Expand Up @@ -301,6 +369,11 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
watcherEnabled:
default: true
description: Determines if Kubernetes resources are watched for
cluster visibility.
type: boolean
type: object
falcon:
description: CrowdStrike Falcon sensor configuration
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ spec:
description: Various configuration for DaemonSet Deployment
properties:
backend:
default: kernel
default: bpf
description: Sets the backend to be used by the DaemonSet Sensor.
enum:
- kernel
Expand Down
Loading

0 comments on commit fffc69b

Please sign in to comment.