From ed6169c86e81683946a84997010fa83304a57373 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Fri, 13 Oct 2023 15:19:25 -0600 Subject: [PATCH 1/3] feat: Add admission controller test suite - Fix typos in sidecar test suite --- .../falconadmission_controller_test.go | 172 ++++++++++++++++++ controllers/{ => admission}/suite_test.go | 4 +- .../falconcontainer_controller_test.go | 2 +- controllers/falcon_container/suite_test.go | 1 - test/e2e/e2e_test.go | 105 ++++++++++- 5 files changed, 276 insertions(+), 8 deletions(-) create mode 100644 controllers/admission/falconadmission_controller_test.go rename controllers/{ => admission}/suite_test.go (91%) diff --git a/controllers/admission/falconadmission_controller_test.go b/controllers/admission/falconadmission_controller_test.go new file mode 100644 index 00000000..101b766e --- /dev/null +++ b/controllers/admission/falconadmission_controller_test.go 
@@ -0,0 +1,172 @@
+package controllers
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
+ k8sutils "github.com/crowdstrike/falcon-operator/internal/controller/common"
+ "github.com/crowdstrike/falcon-operator/pkg/common"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/intstr"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+var _ = Describe("FalconAdmission controller", func() {
+ Context("FalconAdmission controller test", func() {
+
+ const AdmissionControllerName = "test-falconadmissioncontroller"
+ const AdmissionControllerNamespace = "falcon-kac"
+ admissionImage := "example.com/image:test"
+ falconCID := "1234567890ABCDEF1234567890ABCDEF-12"
+
+ ctx := context.Background()
+
+ namespace := &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: AdmissionControllerNamespace,
+ Namespace: AdmissionControllerNamespace,
+ },
+ }
+
+ typeNamespaceName := types.NamespacedName{Name: AdmissionControllerName, Namespace: AdmissionControllerNamespace}
+
+ BeforeEach(func() {
+ By("Creating the Namespace to perform the tests")
+ err := k8sClient.Create(ctx, namespace)
+ Expect(err).To(Not(HaveOccurred()))
+ })
+
+ AfterEach(func() {
+ // TODO(user): Attention if you improve this code by adding other context test you MUST
+ // be aware of the current delete namespace limitations. More info: https://book.kubebuilder.io/reference/envtest.html#testing-considerations
+ By("Deleting the Namespace to perform the tests")
+ _ = k8sClient.Delete(ctx, namespace)
+ })
+
+ It("should successfully reconcile a custom resource for FalconAdmission", func() {
+ By("Creating the custom resource for the Kind FalconAdmission")
+ falconAdmission := &falconv1alpha1.FalconAdmission{}
+ err := k8sClient.Get(ctx, typeNamespaceName, falconAdmission)
+ if err != nil && errors.IsNotFound(err) {
+ // Let's mock our custom resource at the same way that we would
+ // apply on the cluster the manifest under config/samples
+ falconAdmission := &falconv1alpha1.FalconAdmission{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: AdmissionControllerName,
+ Namespace: AdmissionControllerNamespace,
+ },
+ Spec: falconv1alpha1.FalconAdmissionSpec{
+ Falcon: falconv1alpha1.FalconSensor{
+ CID: &falconCID,
+ },
+ InstallNamespace: "falcon-kac",
+ Image: admissionImage,
+ Registry: falconv1alpha1.RegistrySpec{
+ Type: "crowdstrike",
+ },
+ AdmissionConfig: falconv1alpha1.FalconAdmissionConfigSpec{
+ DepUpdateStrategy: falconv1alpha1.FalconAdmissionUpdateStrategy{
+ RollingUpdate: appsv1.RollingUpdateDeployment{
+ MaxUnavailable: &intstr.IntOrString{IntVal: 1},
+ MaxSurge: &intstr.IntOrString{IntVal: 1},
+ },
+ },
+ },
+ },
+ }
+
+ err = k8sClient.Create(ctx, falconAdmission)
+ Expect(err).To(Not(HaveOccurred()))
+ }
+
+ By("Checking if the custom resource was successfully created")
+ Eventually(func() error {
+ found := &falconv1alpha1.FalconAdmission{}
+ return k8sClient.Get(ctx, typeNamespaceName, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Reconciling the custom resource created")
+ falconAdmissionReconciler := &FalconAdmissionReconciler{
+ Client: k8sClient,
+ Scheme: k8sClient.Scheme(),
+ }
+
+ _, err = falconAdmissionReconciler.Reconcile(ctx, reconcile.Request{
+ NamespacedName: typeNamespaceName,
+ })
+ Expect(err).To(Not(HaveOccurred()))
+
+ By("Checking if Service Account was successfully created in the reconciliation")
+ Eventually(func() error {
+ found := &corev1.ServiceAccount{}
+ return k8sClient.Get(ctx, types.NamespacedName{Name: "falcon-operator-admission-controller", Namespace: AdmissionControllerNamespace}, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking if ResourceQuota was successfully created in the reconciliation")
+ Eventually(func() error {
+ found := &corev1.ResourceQuota{}
+ return k8sClient.Get(ctx, types.NamespacedName{Name: "test-falconadmissioncontroller", Namespace: AdmissionControllerNamespace}, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking if TLS Secret was successfully created in the reconciliation")
+ Eventually(func() error {
+ found := &corev1.Secret{}
+ return k8sClient.Get(ctx, types.NamespacedName{Name: "test-falconadmissioncontroller-tls", Namespace: AdmissionControllerNamespace}, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking if ConfigMap was successfully created in the reconciliation")
+ Eventually(func() error {
+ found := &corev1.ConfigMap{}
+ return k8sClient.Get(ctx, types.NamespacedName{Name: "test-falconadmissioncontroller-config", Namespace: AdmissionControllerNamespace}, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking if Service was successfully created in the reconciliation")
+ Eventually(func() error {
+ found := &corev1.Service{}
+ return k8sClient.Get(ctx, types.NamespacedName{Name: "test-falconadmissioncontroller", Namespace: AdmissionControllerNamespace}, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking if Deployment was successfully created in the reconciliation")
+ Eventually(func() error {
+ found := &appsv1.Deployment{}
+ return k8sClient.Get(ctx, types.NamespacedName{Name: "test-falconadmissioncontroller", Namespace: AdmissionControllerNamespace}, found)
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking if pods were successfully created in the reconciliation")
+ Eventually(func() error {
+ pod, err := k8sutils.GetReadyPod(k8sClient, ctx, AdmissionControllerNamespace, map[string]string{common.FalconComponentKey: common.FalconAdmissionController})
+ if err != nil && err.Error() != "No webhook service pod found in a Ready state" {
+ return err
+ }
+ if pod.Name == "" {
+ _, err = falconAdmissionReconciler.Reconcile(ctx, reconcile.Request{
+ NamespacedName: typeNamespaceName,
+ })
+ }
+ return err
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("Checking the latest Status Condition added to the FalconAdmission instance")
+ Eventually(func() error {
+ if falconAdmission.Status.Conditions != nil && len(falconAdmission.Status.Conditions) != 0 {
+ latestStatusCondition := falconAdmission.Status.Conditions[len(falconAdmission.Status.Conditions)-1]
+ expectedLatestStatusCondition := metav1.Condition{Type: falconv1alpha1.ConditionDeploymentReady,
+ Status: metav1.ConditionTrue, Reason: falconv1alpha1.ReasonInstallSucceeded,
+ Message: "FalconAdmission installation completed"}
+ if latestStatusCondition != expectedLatestStatusCondition {
+ return fmt.Errorf("The latest status condition added to the FalconAdmission instance is not as expected")
+ }
+ }
+ return nil
+ }, time.Minute, time.Second).Should(Succeed())
+ })
+ })
+})
diff --git a/controllers/suite_test.go b/controllers/admission/suite_test.go similarity index 91% rename from controllers/suite_test.go rename to controllers/admission/suite_test.go
index 2c1d31f3..de6bf9b1 100644
--- a/controllers/suite_test.go
+++ b/controllers/admission/suite_test.go
@@ -28,7 +28,7 @@ var testEnv *envtest.Environment
 
 func TestAPIs(t *testing.T) {
 RegisterFailHandler(Fail)
- RunSpecs(t, "Controller Suite")
+ RunSpecs(t, "Admission Controller Controller Suite")
 }
 
 var _ = BeforeSuite(func() {
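Review bot: The final `Eventually` in the `It` block can never fail on a wrong status, because the `falconAdmission := &falconv1alpha1.FalconAdmission{...}` literal inside the `errors.IsNotFound` branch shadows the outer `falconAdmission`, whose value stays the empty object from the failed `Get` and is never re-fetched, so `Status.Conditions` is always nil and the closure returns nil. The closure should read the object from the API server on every attempt and return an error until a condition appears; comparing whole `metav1.Condition` values with `!=` also has to become field-wise checks, since `LastTransitionTime` is set by the reconciler and would never equal the literal once the comparison is actually reached. `err.Error() != "No webhook service pod found in a Ready state"` here and in the falconcontainer_controller_test.go hunk couples both tests to message text; a sentinel error exported by k8sutils and checked with `errors.Is` would survive message changes (this file's `errors` is the apimachinery package, so the stdlib one would need an alias). Rewritten closure:
```go
By("Checking the latest Status Condition added to the FalconAdmission instance")
Eventually(func() error {
	// Re-fetch on every attempt: the outer falconAdmission is never updated by the reconciler.
	current := &falconv1alpha1.FalconAdmission{}
	if err := k8sClient.Get(ctx, typeNamespaceName, current); err != nil {
		return err
	}
	if len(current.Status.Conditions) == 0 {
		return fmt.Errorf("no status conditions set yet on %s", typeNamespaceName)
	}
	latest := current.Status.Conditions[len(current.Status.Conditions)-1]
	// Compare only the fields the test cares about; LastTransitionTime and
	// ObservedGeneration are filled in by the reconciler.
	if latest.Type != falconv1alpha1.ConditionDeploymentReady ||
		latest.Status != metav1.ConditionTrue ||
		latest.Reason != falconv1alpha1.ReasonInstallSucceeded ||
		latest.Message != "FalconAdmission installation completed" {
		return fmt.Errorf("unexpected latest status condition on FalconAdmission: %+v", latest)
	}
	return nil
}, time.Minute, time.Second).Should(Succeed())
```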
@@ -36,7 +36,7 @@ var _ = BeforeSuite(func() {
 
 By("bootstrapping test environment")
 testEnv = &envtest.Environment{
- CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")},
+ CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")},
 ErrorIfCRDPathMissing: true,
 }
 
diff --git a/controllers/falcon_container/falconcontainer_controller_test.go b/controllers/falcon_container/falconcontainer_controller_test.go
index 3756d640..c1be0322 100644
--- a/controllers/falcon_container/falconcontainer_controller_test.go
+++ b/controllers/falcon_container/falconcontainer_controller_test.go
@@ -149,7 +149,7 @@ var _ = Describe("FalconContainer controller", func() {
 By("Checking if pods were successfully created in the reconciliation")
 Eventually(func() error {
 pod, err := k8sutils.GetReadyPod(k8sClient, ctx, SidecarSensorNamespace, map[string]string{common.FalconComponentKey: common.FalconSidecarSensor})
- if err != nil && err.Error() != "No Injector pod found in a Ready state" {
+ if err != nil && err.Error() != "No webhook service pod found in a Ready state" {
 return err
 }
 if pod.Name == "" {
diff --git a/controllers/falcon_container/suite_test.go b/controllers/falcon_container/suite_test.go
index 9cdc75b6..a2906ef5 100644
--- a/controllers/falcon_container/suite_test.go
+++ b/controllers/falcon_container/suite_test.go
@@ -41,7 +41,6 @@ var _ = BeforeSuite(func() {
 testEnv = &envtest.Environment{
 CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")},
 ErrorIfCRDPathMissing: true,
- WebhookInstallOptions: envtest.WebhookInstallOptions{},
 }
 
 var err error
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 97927f85..10d0db4b 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -28,9 +28,10 @@ var _ = Describe("falcon", Ordered, func() { BeforeAll(func() { // The namespace can be created when we run make install // However, in this test we want ensure that the solution - // can run in a ns labeled as restricted. Therefore, we are + // can run in a ns labeled as privileged. Therefore, we are // creating the namespace an lebeling it. By("creating manager namespace") + cmd := exec.Command("kubectl", "create", "ns", namespace) _, _ = utils.Run(cmd) @@ -83,8 +84,7 @@ var _ = Describe("falcon", Ordered, func() { outputMake, err := utils.Run(cmd) ExpectWithOffset(1, err).NotTo(HaveOccurred()) - fmt.Println(outputMake) - By("validating that manager Pod/container(s) are restricted") + By("validating that manager Pod/container(s) are not restricted") ExpectWithOffset(1, outputMake).NotTo(ContainSubstring("Warning: would violate PodSecurity")) By("validating that the controller-manager pod is running as expected") 
@@ -308,11 +308,108 @@ var _ = Describe("falcon", Ordered, func() {
 fmt.Println(string(status))
 ExpectWithOffset(2, err).NotTo(HaveOccurred())
 if len(status) > 0 {
- return fmt.Errorf("falcon-node-sensor pod in %s status", status)
+ return fmt.Errorf("falcon-sidecar-sensor pod in %s status", status)
 }
 return nil
 }
 EventuallyWithOffset(1, getFalconNodeSensorPodStatus, time.Minute, time.Second).Should(Succeed())
 })
 })
+
+ Context("Falcon Admission Controller", func() {
+ It("should deploy successfully", func() {
+ projectDir, _ := utils.GetProjectDir()
+
+ var falconClientID = ""
+ var falconClientSecret = ""
+ if clientID, ok := os.LookupEnv("FALCON_CLIENT_ID"); ok {
+ falconClientID = clientID
+ }
+
+ if clientSecret, ok := os.LookupEnv("FALCON_CLIENT_SECRET"); ok {
+ falconClientSecret = clientSecret
+ }
+
+ if falconClientID != "" && falconClientSecret != "" {
+ err := utils.ReplaceInFile(filepath.Join(projectDir,
+ "./config/samples/falcon_v1alpha1_falconadmission.yaml"),
+ "client_id: PLEASE_FILL_IN", fmt.Sprintf("client_id: %s", falconClientID))
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+ err = utils.ReplaceInFile(filepath.Join(projectDir,
+ "./config/samples/falcon_v1alpha1_falconadmission.yaml"),
+ "client_secret: PLEASE_FILL_IN", fmt.Sprintf("client_secret: %s", falconClientSecret))
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+ }
+
+ By("creating an instance of the FalconAdmission Operand(CR)")
+ EventuallyWithOffset(1, func() error {
+ cmd := exec.Command("kubectl", "apply", "-f", filepath.Join(projectDir,
+ "./config/samples/falcon_v1alpha1_falconadmission.yaml"), "-n", namespace)
+ _, err := utils.Run(cmd)
+ return err
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("validating that pod(s) status.phase=Running")
+ getFalconSidecarPodStatus := func() error {
+ cmd := exec.Command("kubectl", "get",
+ "pods", "-A", "-l", "crowdstrike.com/component=admission_controller",
+ "-o", "jsonpath={.items[*].status}", "-n", namespace,
+ )
+ status, err := utils.Run(cmd)
+ fmt.Println(string(status))
+ ExpectWithOffset(2, err).NotTo(HaveOccurred())
+ if !strings.Contains(string(status), "\"phase\":\"Running\"") {
+ return fmt.Errorf(" pod in %s status", status)
+ }
+ return nil
+ }
+ EventuallyWithOffset(1, getFalconSidecarPodStatus, time.Minute, time.Second).Should(Succeed())
+
+ By("validating that the status of the custom resource created is updated or not")
+ getStatus := func() error {
+ cmd := exec.Command("kubectl", "get", "falconadmission",
+ "falcon-admission", "-A", "-o", "jsonpath={.status.conditions}",
+ "-n", namespace,
+ )
+ status, err := utils.Run(cmd)
+ fmt.Println(string(status))
+ ExpectWithOffset(2, err).NotTo(HaveOccurred())
+ if !strings.Contains(string(status), "Success") {
+ return fmt.Errorf("status condition with type Success should be set")
+ }
+ return nil
+ }
+ Eventually(getStatus, time.Minute, time.Second).Should(Succeed())
+ })
+ })
+
+ Context("Falcon Admission Controller", func() {
+ It("should cleanup successfully", func() {
+ projectDir, _ := utils.GetProjectDir()
+
+ By("deleting an instance of the FalconAdmission Operand(CR)")
+ EventuallyWithOffset(1, func() error {
+ cmd := exec.Command("kubectl", "delete", "-f", filepath.Join(projectDir,
+ "./config/samples/falcon_v1alpha1_falconadmission.yaml"), "-n", namespace)
+ _, err := utils.Run(cmd)
+ return err
+ }, time.Minute, time.Second).Should(Succeed())
+
+ By("validating that pod(s) status.phase!=Running")
+ getFalconAdmissionPodStatus := func() error {
+ cmd := exec.Command("kubectl", "get",
+ "pods", "-A", "-l", "crowdstrike.com/component=admission_controller", "--field-selector=status.phase=Running",
+ "-o", "jsonpath={.items[*].status}", "-n", namespace,
+ )
+ status, err := utils.Run(cmd)
+ fmt.Println(string(status))
+ ExpectWithOffset(2, err).NotTo(HaveOccurred())
+ if len(status) > 0 {
+ return fmt.Errorf("falcon-admission pod in %s status", status)
+ }
+ return nil
+ }
+ EventuallyWithOffset(1, getFalconAdmissionPodStatus, time.Minute, time.Second).Should(Succeed())
+ })
+ })
 })
From 7e2aa96873ddcd19566886a032a1d7fe5dd35947 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Mon, 16 Oct 2023 15:43:07 -0600 Subject: [PATCH 2/3] fix: various test issues --- ...con.crowdstrike.com_falconnodesensors.yaml | 3 +-- .../admission/falconadmission_controller.go | 6 +++-- deploy/falcon-operator.yaml | 13 ++++++++--- internal/controller/assets/rbac_test.go | 22 +++++++++++++++++-- 4 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml
index 844d266a..9c011104 100644
--- a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml
+++ b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml
@@ -145,8 +145,7 @@ spec:
 type: boolean
 image:
 description: Location of the Falcon Sensor image. Use only in
- cases when you mirror the original image to your repository/name:tag,
- and CrowdStrike OAuth2 API is not used.
+ cases when you mirror the original image to your repository/name:tag
 pattern: ^.*:.*$
 type: string
 imagePullPolicy:
diff --git a/controllers/admission/falconadmission_controller.go b/controllers/admission/falconadmission_controller.go
index e3204a08..d129ea32 100644
--- a/controllers/admission/falconadmission_controller.go
+++ b/controllers/admission/falconadmission_controller.go
@@ -42,8 +42,6 @@ type FalconAdmissionReconciler struct {
 Scheme *runtime.Scheme
 }
 
-const nsTest = "falcon-kac"
-
 // SetupWithManager sets up the controller with the Manager.
 func (r *FalconAdmissionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
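Review bot: The `utils.ReplaceInFile` calls in "should deploy successfully" write the real `FALCON_CLIENT_SECRET` into the tracked sample `config/samples/falcon_v1alpha1_falconadmission.yaml` and nothing restores the placeholders afterwards, so a run against a live tenant leaves the credential on disk where a later `git add`, a CI artifact upload or a log of the working tree can pick it up; the cleanup `It` only deletes the CR. Restoring the placeholders with `DeferCleanup` right after the substitution keeps the file clean even when the apply times out, and the cleanup `kubectl delete -f` still works on the placeholder file because it only needs kind and name; if the earlier sidecar and node-sensor contexts (outside this hunk) use the same pattern, they need the same treatment. Two smaller points in the same hunk: the helper in the admission context is still named `getFalconSidecarPodStatus` and its error `" pod in %s status"` carries no component name, and both new `Context` blocks share the description "Falcon Admission Controller", which makes the ginkgo report ambiguous. Rewritten substitution block:
```go
samplePath := filepath.Join(projectDir, "./config/samples/falcon_v1alpha1_falconadmission.yaml")
if falconClientID != "" && falconClientSecret != "" {
	// Restore the placeholders whether or not the apply below succeeds, so the
	// tracked sample never keeps a real client secret on disk.
	DeferCleanup(func() {
		_ = utils.ReplaceInFile(samplePath, "client_id: "+falconClientID, "client_id: PLEASE_FILL_IN")
		_ = utils.ReplaceInFile(samplePath, "client_secret: "+falconClientSecret, "client_secret: PLEASE_FILL_IN")
	})
	err := utils.ReplaceInFile(samplePath, "client_id: PLEASE_FILL_IN", "client_id: "+falconClientID)
	ExpectWithOffset(1, err).NotTo(HaveOccurred())
	err = utils.ReplaceInFile(samplePath, "client_secret: PLEASE_FILL_IN", "client_secret: "+falconClientSecret)
	ExpectWithOffset(1, err).NotTo(HaveOccurred())
}
// … unchanged: kubectl apply of samplePath, pod and CR status checks …
```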
@@ -137,6 +135,10 @@ func (r *FalconAdmissionReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 }
 }
 
+ if err := r.reconcileNamespace(ctx, req, log, falconAdmission); err != nil {
+ return ctrl.Result{}, err
+ }
+
 // Image being set will override other image based settings
 if falconAdmission.Spec.Image != "" {
 if _, err := r.setImageTag(ctx, falconAdmission); err != nil {
diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
index e1381e02..4dd29d49 100644
--- a/deploy/falcon-operator.yaml
+++ b/deploy/falcon-operator.yaml
@@ -2702,8 +2702,7 @@ spec:
 type: boolean
 image:
 description: Location of the Falcon Sensor image. Use only in
- cases when you mirror the original image to your repository/name:tag,
- and CrowdStrike OAuth2 API is not used.
+ cases when you mirror the original image to your repository/name:tag
 pattern: ^.*:.*$
 type: string
 imagePullPolicy:
@@ -3695,7 +3694,7 @@ spec:
 - linux
 containers:
 - args:
- - --leader-elect
+ - --config=controller_manager_config.yaml
 command:
 - /manager
 env:
@@ -3731,8 +3730,16 @@ spec:
 drop:
 - ALL
 privileged: false
+ volumeMounts:
+ - mountPath: /controller_manager_config.yaml
+ name: manager-config
+ subPath: controller_manager_config.yaml
 securityContext:
 fsGroup: 65534
 runAsNonRoot: true
 serviceAccountName: falcon-operator-controller-manager
 terminationGracePeriodSeconds: 10
+ volumes:
+ - configMap:
+ name: falcon-operator-manager-config
+ name: manager-config
diff --git a/internal/controller/assets/rbac_test.go b/internal/controller/assets/rbac_test.go
index 4890ad38..4d180107 100644
--- a/internal/controller/assets/rbac_test.go
+++ b/internal/controller/assets/rbac_test.go
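Review bot: With `--leader-elect` replaced by `--config=controller_manager_config.yaml` in the `@@ -3695` hunk of deploy/falcon-operator.yaml, leader election now depends on a config file that is not part of this series, so please confirm it sets `leaderElection.leaderElect: true`; otherwise a second replica or a rolling update would run two active reconcilers against the same objects (the new `leases` rule in rbac_test.go suggests election is still intended). The `subPath` mount in the `@@ -3731` hunk also deserves a comment, because Kubernetes does not propagate ConfigMap updates into subPath mounts and a config change only takes effect after a pod restart, e.g. `# subPath mounts are not updated live; restart the manager after editing the ConfigMap`. If this file is rendered from config/ by kustomize, both points apply to the source there rather than to this output.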
@@ -86,6 +86,23 @@ func TestRole(t *testing.T) {
 Namespace: namespace,
 Labels: common.CRLabels("role", name, common.FalconAdmissionController),
 },
+ Rules: []rbacv1.PolicyRule{
+ {
+ Verbs: []string{"create", "get", "list", "watch", "update"},
+ APIGroups: []string{""},
+ Resources: []string{"configmaps"},
+ },
+ {
+ Verbs: []string{"get", "list", "watch", "update"},
+ APIGroups: []string{""},
+ Resources: []string{"pods"},
+ },
+ {
+ Verbs: []string{"get", "list", "watch", "create", "update", "delete"},
+ APIGroups: []string{"coordination.k8s.io"},
+ Resources: []string{"leases"},
+ },
+ },
 }
 got := Role(name, namespace)
 if diff := cmp.Diff(want, got); diff != "" {
@@ -107,8 +124,9 @@ func TestRoleBinding(t *testing.T) {
 Kind: "RoleBinding",
 },
 ObjectMeta: metav1.ObjectMeta{
- Name: name,
- Labels: common.CRLabels("rolebinding", name, component),
+ Name: name,
+ Labels: common.CRLabels("rolebinding", name, component),
+ Namespace: namespace,
 },
 Subjects: []rbacv1.Subject{
 {
From b898af1102ddc375b2925ec02a1a885e8c408478 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Tue, 17 Oct 2023 13:58:32 -0600 Subject: [PATCH 3/3] feat: update bundle for admission controller --- ...c.authorization.k8s.io_v1_clusterrole.yaml | 32 + ...falcon-operator.clusterserviceversion.yaml | 363 +++++++++++- ...lcon.crowdstrike.com_falconadmissions.yaml | 548 ++++++++++++++++++ ...lcon.crowdstrike.com_falconcontainers.yaml | 2 +- bundle/metadata/annotations.yaml | 4 +- ...falcon-operator.clusterserviceversion.yaml | 3 +- 6 files changed, 944 insertions(+), 8 deletions(-) create mode 100644 bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
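Review bot: The expected `Rules` pinned in `TestRole` grant `update` on pods and `create`/`update` on configmaps to the admission controller's Role, but neither the fixture nor the hunk records why those write verbs are needed, so a later widening would pass review as a routine fixture update. A one-line comment above `Rules:` such as `// Rules mirror assets.Role; keep them minimal and justify any verb beyond get/list/watch.` would let least-privilege review happen from the test alone, and the `leases` rule looks consistent with leader election but I cannot tell from this hunk whether `update` on pods is actually exercised by the webhook, so that is worth verifying against its code before merging. `TestRole` and `TestRoleBinding` both start outside the hunks shown here.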
diff --git a/bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000..00a760d7 --- /dev/null +++ b/bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + crowdstrike.com/component: rbac + crowdstrike.com/created-by: falcon-operator + crowdstrike.com/instance: admission-controller-role + crowdstrike.com/managed-by: kustomize + crowdstrike.com/name: clusterrole + crowdstrike.com/part-of: Falcon + crowdstrike.com/provider: crowdstrike + name: falcon-operator-admission-controller-role +rules: +- apiGroups: + - "" + resources: + - namespaces + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - get + - list + - watch diff --git a/bundle/manifests/falcon-operator.clusterserviceversion.yaml b/bundle/manifests/falcon-operator.clusterserviceversion.yaml index 99a0babc..7d7ed190 100644 --- a/bundle/manifests/falcon-operator.clusterserviceversion.yaml +++ b/bundle/manifests/falcon-operator.clusterserviceversion.yaml 
@@ -4,10 +4,51 @@ metadata: annotations: alm-examples: |- [ + { + "apiVersion": "falcon.crowdstrike.com/v1alpha1", + "kind": "FalconAdmission", + "metadata": { + "labels": { + "crowdstrike.com/component": "sample", + "crowdstrike.com/created-by": "falcon-operator", + "crowdstrike.com/instance": "falcon-admission", + "crowdstrike.com/managed-by": "kustomize", + "crowdstrike.com/name": "falconadmission", + "crowdstrike.com/part-of": "Falcon", + "crowdstrike.com/provider": "crowdstrike" + }, + "name": "falcon-admission" + }, + "spec": { + "falcon": { + "tags": [ + "admission_controller" + ], + "trace": "none" + }, + "falcon_api": { + "client_id": "PLEASE_FILL_IN", + "client_secret": "PLEASE_FILL_IN", + "cloud_region": "autodiscover" + }, + "registry": { + "type": "crowdstrike" + } + } + }, { "apiVersion": "falcon.crowdstrike.com/v1alpha1", "kind": "FalconContainer", "metadata": { + "labels": { + "crowdstrike.com/component": "sample", + "crowdstrike.com/created-by": "falcon-operator", + "crowdstrike.com/instance": "falcon-sidecar-sensor", + "crowdstrike.com/managed-by": "kustomize", + "crowdstrike.com/name": "falconcontainer", + "crowdstrike.com/part-of": "Falcon", + "crowdstrike.com/provider": "crowdstrike" + }, "name": "falcon-sidecar-sensor" }, "spec": { @@ -31,6 +72,15 @@ metadata: "apiVersion": "falcon.crowdstrike.com/v1alpha1", "kind": "FalconNodeSensor", "metadata": { + "labels": { + "crowdstrike.com/component": "sample", + "crowdstrike.com/created-by": "falcon-operator", + "crowdstrike.com/instance": "falcon-node-sensor", + "crowdstrike.com/managed-by": "kustomize", + "crowdstrike.com/name": "falconnodesensor", + "crowdstrike.com/part-of": "Falcon", + "crowdstrike.com/provider": "crowdstrike" + }, "name": "falcon-node-sensor" }, "spec": { 
@@ -51,11 +101,11 @@ metadata: capabilities: Basic Install categories: Security,Monitoring containerImage: quay.io/crowdstrike/falcon-operator - createdAt: "2023-06-27T14:11:17Z" + createdAt: "2023-10-17T19:56:45Z" description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster operatorframework.io/suggested-namespace: falcon-operator - operators.operatorframework.io/builder: operator-sdk-v1.30.0 - operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 + operators.operatorframework.io/builder: operator-sdk-v1.29.0 + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4-alpha repository: https://github.com/CrowdStrike/falcon-operator support: Community Only name: falcon-operator.v0.9.0 
@@ -64,6 +114,211 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: + - description: FalconAdmission is the Schema for the falconadmissions API + displayName: Falcon Admission + kind: FalconAdmission + name: falconadmissions.falcon.crowdstrike.com + specDescriptors: + - description: Configure a list of namespaces to ignore admission control. + displayName: Ignore Namespace List + path: admissionConfig.disabledNamespaces.namespaces + - description: ImagePullSecrets is an optional list of references to secrets + to use for pulling image from the image location. + displayName: Falcon Admission Controller Image Pull Secrets + path: admissionConfig.imagePullSecrets + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Secret + - description: Define annotations that will be passed down to the Service Account. + This is useful for passing along AWS IAM Role or GCP Workload Identity. + displayName: Service Account Annotations + path: admissionConfig.serviceAccount.annotations + - description: Validity of the TLS certificate in days. Default is 3650 days. + displayName: Falcon Container Injector TLS Validity Length (days) + path: admissionConfig.tls.validity + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: RollingUpdate is used to specify the strategy used to roll out + a deployment + displayName: Falcon Admisison Controller deployment update configuration + path: admissionConfig.updateStrategy.rollingUpdate + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:updateStrategy + - description: Falcon Customer ID (CID) + displayName: Falcon Customer ID (CID) + path: falcon.cid + - description: Falcon OAuth2 API Client ID + displayName: Client ID + path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password + - description: Namespace where the Falcon Admission Controller should be installed. 
+ For best security practices, this should be a dedicated namespace that is + not used for any other purpose. It also should not be the same namespace + where the Falcon Operator or the Falcon Sensor is installed. + displayName: Install Namespace + path: installNamespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: Allow pushing to docker registries over HTTPS with failed TLS + verification. Note that this does not affect other TLS connections. + displayName: Skip Registry TLS Verification + path: registry.tls.insecure_skip_verify + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Type of container registry to be used + displayName: Registry Type + path: registry.type + - description: Limits the number of admission controller pods that can be created + in the namespace. + displayName: Resource Quota Pod Limit + path: resourcequota.pods + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:podCount + - description: For OpenShift clusters, ignore openshift-specific namespaces + for admission control. + displayName: Ignore OpenShift Namespaces + path: admissionConfig.disabledNamespaces.ignoreOpenShiftNamespaces + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - displayName: Falcon Admission Controller Image Pull Policy + path: admissionConfig.imagePullPolicy + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy + - description: Installation token that prevents unauthorized hosts from being + accidentally or maliciously added to your customer ID (CID). + displayName: Provisioning Token + path: falcon.provisioning_token + - description: "FalconAPI configures connection from your local Falcon operator + to CrowdStrike Falcon platform. \n When configured, it will pull the sensor + from registry.crowdstrike.com and deploy the appropriate sensor to the cluster. 
+ \n If using the API is not desired, the sensor can be manually configured + by setting the Image and Version fields." + displayName: Falcon Platform API Configuration + path: falcon_api + - description: Falcon OAuth2 API Client Secret + displayName: Client Secret + path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password + - description: TLS configures TLS connection for push of Falcon Container image + to the registry + displayName: Registry TLS Configuration + path: registry.tls + - description: Allow for users to provide a CA Cert Bundle, as either a string + or base64 encoded string + displayName: Registry CA Certificate Bundle; optionally (double) base64 encoded + path: registry.tls.caCertificate + - description: Port on which the Falcon Admission Controller service will listen + for requests from the cluster. + displayName: Falcon Admission Controller Service Port + path: admissionConfig.servicePort + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: CrowdStrike Falcon sensor configuration + displayName: Falcon Sensor Configuration + path: falcon + - description: Disable the Falcon Sensor's use of a proxy. + displayName: Disable Falcon Proxy + path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which + the operator will connect and register. + displayName: CrowdStrike Falcon Cloud Region + path: falcon_api.cloud_region + - description: Azure Container Registry Name represents the name of the ACR + for the Falcon Container push. Only applicable to Azure cloud. 
+ displayName: Azure Container Registry Name + path: registry.acr_name + - description: Allow for users to provide a ConfigMap containing a CA Cert Bundle + under a key ending in .crt + displayName: ConfigMap containing Registry CA Certificate Bundle + path: registry.tls.caCertificateConfigMap + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap + - description: Port on which the Falcon Admission Controller container will + listen for requests. + displayName: Falcon Admission Controller Container Port + path: admissionConfig.containerPort + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: The application proxy host to use for Falcon sensor proxy configuration. + displayName: Disable Falcon Proxy Host + path: falcon.aph + - description: Falcon Customer ID (CID) Override (optional, default is derived + from the API Key pair) + displayName: Falcon Customer ID (CID) + path: falcon_api.cid + - description: ResourceQuota configures the ResourceQuota for the Falcon Admission + Controller. This is useful for limiting the number of pods that can be created + in the namespace. + displayName: Falcon Admission Controller Resource Quota + path: resourcequota + - description: Additional configuration for Falcon Admission Controller deployment. + displayName: Falcon Admission Controller Configuration + path: admissionConfig + - description: Number of replicas for the Falcon Admission Controller deployment. + displayName: Admission Controller Replica Count + path: admissionConfig.replicas + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: The application proxy port to use for Falcon sensor proxy configuration. + displayName: Falcon Proxy Port + path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: Configure the failure policy for the Falcon Admission Controller. 
+ displayName: Falcon Admission Controller Failure Policy + path: admissionConfig.failurePolicy + - description: 'Sensor grouping tags are optional, user-defined identifiers + that can used to group and filter hosts. Allowed characters: all alphanumerics, + ''/'', ''-'', and ''_''.' + displayName: Sensor Grouping Tags + path: falcon.tags + - description: Registry configures container image registry to which the Admission + Controller image will be pushed. + displayName: Falcon Admission Controller Registry Configuration + path: registry + - description: Define annotations that will be passed down to admision controller + service account. This is useful for passing along AWS IAM Role or GCP Workload + Identity. + displayName: Service Account Configuration + path: admissionConfig.serviceAccount + - description: Set sensor trace level. + displayName: Trace Level + path: falcon.trace + - description: Location of the Falcon Sensor image. Use only in cases when you + mirror the original image to your repository/name:tag, and CrowdStrike OAuth2 + API is not used. + displayName: Falcon Admission Controller Image URI + path: image + - description: Configure TLS setings for the Falcon Admission Controller + displayName: Falcon Admission Controller TLS Configuration + path: admissionConfig.tls + - description: Utilize default or Pay-As-You-Go billing. + displayName: Billing + path: falcon.billing + - description: 'Falcon Admission Controller Version. The latest version will + be selected when version specifier is missing. Example: 6.31, 6.31.0, 6.31.0-1409, + etc.' 
+ displayName: Falcon Admission Controller Version + path: version + - displayName: Falcon Admission Controller Client Resources + path: admissionConfig.resourcesClient + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - displayName: Falcon Admission Controller Resources + path: admissionConfig.resources + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - description: Type of Deployment update. Can be "RollingUpdate" or "OnDelete". + Default is RollingUpdate. + displayName: Deployment Update Strategy + path: admissionConfig.updateStrategy + - description: Ignore admission control for a specific set of namespaces. + displayName: Ignore Namespace List + path: admissionConfig.disabledNamespaces + version: v1alpha1 - description: FalconContainer is the Schema for the falconcontainers API displayName: Falcon Container kind: FalconContainer @@ -77,6 +332,8 @@ spec: - description: Falcon OAuth2 API Client ID displayName: Client ID path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: Define annotations that will be passed down to injector service account. This is useful for passing along AWS IAM Role or GCP Workload Identity. displayName: Service Account Configuration @@ -87,6 +344,11 @@ spec: verification. Note that this does not affect other TLS connections. displayName: Skip Registry TLS Verification path: registry.tls.insecure_skip_verify + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Type of container registry to be used + displayName: Registry Type + path: registry.type - description: Installation token that prevents unauthorized hosts from being accidentally or maliciously added to your customer ID (CID). displayName: Provisioning Token 
@@ -98,8 +360,14 @@ spec: - description: Falcon OAuth2 API Client Secret displayName: Client Secret path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - displayName: Falcon Container Injector Listen Port path: injector.listenPort + - description: TLS configures TLS connection for push of Falcon Container image + to the registry + displayName: Registry TLS Configuration + path: registry.tls - description: Allow for users to provide a CA Cert Bundle, as either a string or base64 encoded string displayName: Registry CA Certificate Bundle; optionally (double) base64 encoded @@ -107,6 +375,8 @@ spec: - description: Disable the Falcon Sensor's use of a proxy. displayName: Disable Falcon Proxy path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which the operator will connect and register. displayName: CrowdStrike Falcon Cloud Region @@ -117,10 +387,16 @@ spec: Container image will be pushed displayName: Falcon Container Image Registry Configuration path: registry + - description: Azure Container Registry Name represents the name of the ACR + for the Falcon Container push. Only applicable to Azure cloud. + displayName: Azure Container Registry Name + path: registry.acr_name - description: Allow for users to provide a ConfigMap containing a CA Cert Bundle under a key ending in .crt displayName: ConfigMap containing Registry CA Certificate Bundle path: registry.tls.caCertificateConfigMap + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap - description: The application proxy host to use for Falcon sensor proxy configuration. displayName: Disable Falcon Proxy Host path: falcon.aph 
@@ -137,6 +413,8 @@ spec: - description: The application proxy port to use for Falcon sensor proxy configuration. displayName: Falcon Proxy Port path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number - displayName: Falcon Container Image Pull Secret Name path: injector.imagePullSecret - description: 'Sensor grouping tags are optional, user-defined identifiers @@ -192,6 +470,8 @@ spec: - description: Falcon OAuth2 API Client ID displayName: Client ID path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location. @@ -206,6 +486,8 @@ spec: - description: Falcon OAuth2 API Client Secret displayName: Client Secret path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: Location of the Falcon Sensor image. Use only in cases when you mirror the original image to your repository/name:tag displayName: Image @@ -213,6 +495,8 @@ spec: - description: Disable the Falcon Sensor's use of a proxy. displayName: Disable Falcon Proxy path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which the operator will connect and register. displayName: CrowdStrike Falcon Cloud Region @@ -236,6 +520,8 @@ spec: - description: The application proxy port to use for Falcon sensor proxy configuration. displayName: Falcon Proxy Port path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number - description: Specifies node affinity for scheduling the DaemonSet. Defaults to allowing scheduling on all nodes. displayName: Node Affinity @@ -352,6 +638,14 @@ spec: - list - update - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch - apiGroups: - "" resources: 
@@ -361,6 +655,18 @@ spec: - deletecollection - get - list + - update + - watch + - apiGroups: + - "" + resources: + - resourcequotas + verbs: + - create + - delete + - get + - list + - update - watch - apiGroups: - "" @@ -406,6 +712,17 @@ spec: - list - update - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - apps resources: @@ -435,9 +752,11 @@ spec: - leases verbs: - create + - delete - get - list - update + - watch - apiGroups: - "" resources: @@ -450,6 +769,32 @@ spec: - patch - update - watch + - apiGroups: + - falcon.crowdstrike.com + resources: + - falconadmissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - falcon.crowdstrike.com + resources: + - falconadmissions/finalizers + verbs: + - update + - apiGroups: + - falcon.crowdstrike.com + resources: + - falconadmissions/status + verbs: + - get + - patch + - update - apiGroups: - falcon.crowdstrike.com resources: @@ -526,6 +871,18 @@ spec: - list - update - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - update + - watch - apiGroups: - security.openshift.io resourceNames: diff --git a/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml b/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml new file mode 100644 index 00000000..64540a4d --- /dev/null +++ b/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml 
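Review bot: The new `admissionregistration.k8s.io/validatingwebhookconfigurations` rule grants `get`, `update` and `delete` over every ValidatingWebhookConfiguration in the cluster, not just the one this operator manages, so a compromised operator pod could alter or remove other admission controllers' webhooks as well as its own. Kubernetes RBAC accepts `resourceNames` on `get`, `update`, `patch` and `delete` (not on `create`, `list` or `watch`), so the rule can be split: keep an unrestricted rule for `create`/`list`/`watch` and add a second rule with `resourceNames: [<webhook configuration name>]` for the mutating verbs. The name the controller uses is not visible in this diff, so it has to come from the controller code. Assuming this sits under the CSV's `clusterPermissions`, the cluster-wide scope of the rule itself is otherwise expected for a webhook operator.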
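Review bot: The `rbac.authorization.k8s.io` rule for `roles` and `rolebindings` lets the operator create and rewrite Role and RoleBinding objects in any namespace with no `resourceNames` restriction. The API server's escalation check limits what can be granted to permissions the operator already holds, but that set is large after this commit (nodes, resourcequotas, webhook configurations, leases), so whatever the controller templates into the target namespace—not visible here—is bounded only by the operator's own ClusterRole. Since `installNamespace` is user-selectable in the new CRD, cluster scope is hard to avoid, but `get`/`update`/`delete` can still be pinned with `resourceNames` to the Role/RoleBinding names the controller manages, and the FalconAdmission CR should be documented as an admin-only resource because creating one drives these RBAC writes.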
@@ -0,0 +1,548 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + creationTimestamp: null + name: falconadmissions.falcon.crowdstrike.com +spec: + group: falcon.crowdstrike.com + names: + kind: FalconAdmission + listKind: FalconAdmissionList + plural: falconadmissions + singular: falconadmission + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Version of the Operator + jsonPath: .status.version + name: Operator Version + type: string + - description: Version of the Falcon Admission Controller + jsonPath: .status.sensor + name: Falcon Sensor + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: FalconAdmission is the Schema for the falconadmissions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FalconAdmissionSpec defines the desired state of FalconAdmission + properties: + admissionConfig: + description: Additional configuration for Falcon Admission Controller + deployment. + properties: + containerPort: + default: 4443 + description: Port on which the Falcon Admission Controller container + will listen for requests. 
+ format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + disabledNamespaces: + description: Ignore admission control for a specific set of namespaces. + properties: + ignoreOpenShiftNamespaces: + description: For OpenShift clusters, ignore openshift-specific + namespaces for admission control. + type: boolean + namespaces: + description: Configure a list of namespaces to ignore admission + control. + items: + type: string + type: array + type: object + failurePolicy: + default: Ignore + description: Configure the failure policy for the Falcon Admission + Controller. + enum: + - Ignore + - Fail + type: string + imagePullPolicy: + default: Always + description: PullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - IfNotPresent + - Never + type: string + imagePullSecrets: + description: ImagePullSecrets is an optional list of references + to secrets to use for pulling image from the image location. + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + replicas: + default: 2 + description: Number of replicas for the Falcon Admission Controller + deployment. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + resources: + default: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 300m + memory: 512Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. 
+ \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + resourcesClient: + default: + limits: + cpu: 750m + memory: 256Mi + requests: + cpu: 500m + memory: 256Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. 
\n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + serviceAccount: + description: Define annotations that will be passed down to admision + controller service account. This is useful for passing along + AWS IAM Role or GCP Workload Identity. + properties: + annotations: + additionalProperties: + type: string + description: Define annotations that will be passed down to + the Service Account. This is useful for passing along AWS + IAM Role or GCP Workload Identity. 
+ type: object + type: object + servicePort: + default: 443 + description: Port on which the Falcon Admission Controller service + will listen for requests from the cluster. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + tls: + description: Configure TLS setings for the Falcon Admission Controller + properties: + validity: + description: Validity of the TLS certificate in days. Default + is 3650 days. + pattern: ^[0-9]{1-4}$ + type: integer + x-kubernetes-int-or-string: true + type: object + updateStrategy: + default: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + description: Type of Deployment update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + properties: + rollingUpdate: + description: RollingUpdate is used to specify the strategy + used to roll out a deployment + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be scheduled + above the desired number of pods. Value can be an absolute + number (ex: 5) or a percentage of desired pods (ex: + 10%). This can not be 0 if MaxUnavailable is 0. Absolute + number is calculated from percentage by rounding up. + Defaults to 25%. Example: when this is set to 30%, the + new ReplicaSet can be scaled up immediately when the + rolling update starts, such that the total number of + old and new pods do not exceed 130% of desired pods. + Once old pods have been killed, new ReplicaSet can be + scaled up further, ensuring that total number of pods + running at any time during the update is at most 130% + of desired pods.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be unavailable + during the update. Value can be an absolute number (ex: + 5) or a percentage of desired pods (ex: 10%). Absolute + number is calculated from percentage by rounding down. 
+ This can not be 0 if MaxSurge is 0. Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet + can be scaled down to 70% of desired pods immediately + when the rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that the + total number of pods available at all times during the + update is at least 70% of desired pods.' + x-kubernetes-int-or-string: true + type: object + type: object + type: object + falcon: + description: CrowdStrike Falcon sensor configuration + properties: + apd: + default: false + description: Disable the Falcon Sensor's use of a proxy. + type: boolean + aph: + description: The application proxy host to use for Falcon sensor + proxy configuration. + type: string + app: + description: The application proxy port to use for Falcon sensor + proxy configuration. + maximum: 65535 + minimum: 0 + type: integer + billing: + description: Utilize default or Pay-As-You-Go billing. + enum: + - default + - metered + type: string + cid: + description: Falcon Customer ID (CID) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + provisioning_token: + description: Installation token that prevents unauthorized hosts + from being accidentally or maliciously added to your customer + ID (CID). + pattern: ^[0-9a-fA-F]{8}$ + type: string + tags: + description: 'Sensor grouping tags are optional, user-defined + identifiers that can used to group and filter hosts. Allowed + characters: all alphanumerics, ''/'', ''-'', and ''_''.' + items: + type: string + type: array + trace: + default: none + description: Set sensor trace level. + enum: + - none + - err + - warn + - info + - debug + type: string + type: object + falcon_api: + description: "FalconAPI configures connection from your local Falcon + operator to CrowdStrike Falcon platform. 
\n When configured, it + will pull the sensor from registry.crowdstrike.com and deploy the + appropriate sensor to the cluster. \n If using the API is not desired, + the sensor can be manually configured by setting the Image and Version + fields." + properties: + cid: + description: Falcon Customer ID (CID) Override (optional, default + is derived from the API Key pair) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + client_id: + description: Falcon OAuth2 API Client ID + type: string + client_secret: + description: Falcon OAuth2 API Client Secret + type: string + cloud_region: + description: Cloud Region defines CrowdStrike Falcon Cloud Region + to which the operator will connect and register. + enum: + - autodiscover + - us-1 + - us-2 + - eu-1 + - us-gov-1 + type: string + required: + - client_id + - client_secret + - cloud_region + type: object + image: + description: Location of the Falcon Sensor image. Use only in cases + when you mirror the original image to your repository/name:tag, + and CrowdStrike OAuth2 API is not used. + pattern: ^.*:.*$ + type: string + installNamespace: + default: falcon-kac + description: Namespace where the Falcon Admission Controller should + be installed. For best security practices, this should be a dedicated + namespace that is not used for any other purpose. It also should + not be the same namespace where the Falcon Operator or the Falcon + Sensor is installed. + type: string + registry: + description: Registry configures container image registry to which + the Admission Controller image will be pushed. + properties: + acr_name: + description: Azure Container Registry Name represents the name + of the ACR for the Falcon Container push. Only applicable to + Azure cloud. 
+ type: string + tls: + description: TLS configures TLS connection for push of Falcon + Container image to the registry + properties: + caCertificate: + description: Allow for users to provide a CA Cert Bundle, + as either a string or base64 encoded string + type: string + caCertificateConfigMap: + description: Allow for users to provide a ConfigMap containing + a CA Cert Bundle under a key ending in .crt + type: string + insecure_skip_verify: + description: Allow pushing to docker registries over HTTPS + with failed TLS verification. Note that this does not affect + other TLS connections. + type: boolean + type: object + type: + description: Type of container registry to be used + enum: + - acr + - ecr + - gcr + - crowdstrike + - openshift + type: string + required: + - type + type: object + resourcequota: + description: ResourceQuota configures the ResourceQuota for the Falcon + Admission Controller. This is useful for limiting the number of + pods that can be created in the namespace. + properties: + pods: + default: "2" + description: Limits the number of admission controller pods that + can be created in the namespace. + type: string + type: object + version: + description: 'Falcon Admission Controller Version. The latest version + will be selected when version specifier is missing. Example: 6.31, + 6.31.0, 6.31.0-1409, etc.' + type: string + type: object + status: + description: FalconAdmissionStatus defines the observed state of FalconAdmission + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + sensor: + description: Version of the CrowdStrike Falcon Sensor + type: string + version: + description: Version of the CrowdStrike Falcon Operator + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml index dc366d96..557da71e 100644 --- a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml +++ b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml @@ -1899,7 +1899,7 @@ spec: type: boolean type: object type: - description: Type of the registry to be used + description: Type of container registry to be used enum: - acr - ecr diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 1b51dd9b..2896dca8 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml 
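Review bot: The `admissionConfig.tls.validity` schema never enforces the bound it intends: `^[0-9]{1-4}$` is not a valid repeat quantifier (Go's regexp treats `{1-4}` as literal characters), and a `pattern` only applies to string values anyway, so an integer validity of 0, a negative number or a multi-century value is accepted while a string such as `"365"` is rejected. Since this file is controller-gen output, fix the Go field markers rather than the YAML: drop the pattern and `XIntOrString` markers and use `+kubebuilder:validation:Minimum:=1` and `+kubebuilder:validation:Maximum:=9999`, which yields `minimum: 1` / `maximum: 9999` here. The same `type: integer` plus `x-kubernetes-int-or-string: true` pairing appears on `containerPort`, `replicas` and `servicePort`; I believe the API server rejects that combination as non-structural, so it is worth confirming the CRD actually installs on a real cluster. Separately, `failurePolicy` defaults to `Ignore`, which is fail-open (requests are admitted whenever the webhook is unreachable or slow), and the description should say so, e.g. `Failure policy for the admission webhook. Ignore (default) fails open and admits requests when the controller is unavailable; Fail rejects them.` Note also that `falcon_api.client_secret` is stored in clear text in a cluster-scoped object, so anyone with `get` on `falconadmissions` can read it; this mirrors the existing CRDs, but a Secret reference would be the safer shape for a new API.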
@@ -5,9 +5,9 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: falcon-operator operators.operatorframework.io.bundle.channels.v1: alpha - operators.operatorframework.io.metrics.builder: operator-sdk-v1.30.0 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.29.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 - operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 + operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4-alpha # Annotations for testing. operators.operatorframework.io.test.mediatype.v1: scorecard+v1 diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml index 4ec3f4cb..91557f61 100644 --- a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml @@ -392,8 +392,7 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:password - description: Location of the Falcon Sensor image. Use only in cases when you - mirror the original image to your repository/name:tag, and CrowdStrike OAuth2 - API is not used. + mirror the original image to your repository/name:tag displayName: Image path: node.image - description: Disable the Falcon Sensor's use of a proxy.