From 25241c5aea6275f9c8f7d5e6dac8869020bddfbd Mon Sep 17 00:00:00 2001 From: Greg Pontejos Date: Mon, 16 Dec 2024 15:10:49 -0600 Subject: [PATCH] Update KAC reconcile to accommodate default values --- api/falcon/v1alpha1/falconadmission_types.go | 167 ++++++++++++++++-- api/falcon/v1alpha1/zz_generated.deepcopy.go | 29 ++- ...lcon.crowdstrike.com_falconadmissions.yaml | 2 +- deploy/falcon-operator.yaml | 5 +- internal/controller/admission/configmap.go | 6 +- .../admission/falconadmission_controller.go | 66 +++---- .../falconadmission_controller_test.go | 5 +- internal/controller/admission/image_push.go | 2 +- internal/controller/admission/rbac.go | 14 +- internal/controller/assets/deployment.go | 63 +++---- internal/controller/assets/deployment_test.go | 67 ++++--- 11 files changed, 290 insertions(+), 136 deletions(-) diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go index a0614637..10efeaeb 100644 --- a/api/falcon/v1alpha1/falconadmission_types.go +++ b/api/falcon/v1alpha1/falconadmission_types.go @@ -6,14 +6,39 @@ import ( arv1 "k8s.io/api/admissionregistration/v1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" ) -const ( - DeployWatcherDefault = true - SnapshotsEnabledDefault = true - SnapshotsIntervalDefault = 22 - WatcherEnabledDefault = true +var ( + DeployWatcherDefault bool = true + SnapshotsEnabledDefault bool = true + SnapshotsIntervalDefault time.Duration = 22 * time.Hour + WatcherEnabledDefault bool = true + APDDefault bool = false + APDDefaultTrace string = "none" + KACNamespaceDefault string = "falcon-kac" + KACResQuotaPodLimitDefault string = "2" + KACPortDefault int32 = 443 + KACContainerPortDefault int32 = 4443 + KACFailurePolicyDefault arv1.FailurePolicyType = "Ignore" + KACReplicasDefault int32 = 1 + KACImagePullPolicyDefault corev1.PullPolicy = "Always" + KACResourcesClientLimitCpuDefault string = "750m" + KACResourcesClientLimitMemDefault string = "384Mi" + KACResourcesClientReqCpuDefault string = "500m" + KACResourcesClientReqMemDefault string = "384Mi" + KACResourcesAcLimitCpuDefault string = "750m" + KACResourcesAcLimitMemDefault string = "384Mi" + KACResourcesAcReqCpuDefault string = "500m" + KACResourcesAcReqMemDefault string = "384Mi" + KACResourcesWatcherLimitCpuDefault string = "300m" + KACResourcesWatcherLimitMemDefault string = "256Mi" + KACResourcesWatcherReqCpuDefault string = "300m" + KACResourcesWatcherReqMemDefault string = "256Mi" + KACDepUpdateStrategyMaxUnavailable int32 = 0 + KACDepUpdateStrategyMaxSurge int32 = 1 ) // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! @@ -29,7 +54,7 @@ type FalconAdmissionSpec struct { // It also should not be the same namespace where the Falcon Operator or the Falcon Sensor is installed. // +kubebuilder:default:=falcon-kac // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"} - InstallNamespace string `json:"installNamespace,omitempty"` + InstallNamespace *string `json:"installNamespace,omitempty"` // CrowdStrike Falcon sensor configuration // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Configuration",order=3 @@ -70,7 +95,7 @@ type FalconAdmissionRQSpec struct { // +kubebuilder:default:="2" // +kubebuilder:validation:String // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resource Quota Pod Limit",order=1,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:podCount"} - PodLimit string `json:"pods,omitempty"` + PodLimit *string `json:"pods,omitempty"` } type FalconAdmissionConfigSpec struct { @@ -102,7 +127,7 @@ type FalconAdmissionConfigSpec struct { // +kubebuilder:default:=Ignore // +kubebuilder:validation:Enum=Ignore;Fail // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Failure Policy",order=6 - FailurePolicy arv1.FailurePolicyType `json:"failurePolicy,omitempty"` + FailurePolicy *arv1.FailurePolicyType `json:"failurePolicy,omitempty"` // Ignore admission control for a specific set of namespaces. // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12 @@ -131,7 +156,7 @@ type FalconAdmissionConfigSpec struct { WatcherEnabled *bool `json:"watcherEnabled,omitempty"` // Currently ignored and internally set to 1 - // +kubebuilder:default:=2 + // +kubebuilder:default:=1 // +kubebuilder:validation:XIntOrString // +kubebuilder:validation:Minimum:=0 // +kubebuilder:validation:Maximum:=65535 @@ -141,7 +166,7 @@ type FalconAdmissionConfigSpec struct { // +kubebuilder:default:=Always // +kubebuilder:validation:Enum=Always;IfNotPresent;Never // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Image Pull Policy",order=2,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:imagePullPolicy"} - ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"` + ImagePullPolicy *corev1.PullPolicy `json:"imagePullPolicy,omitempty"` // ImagePullSecrets is an optional list of references to secrets to use for pulling image from the image location. // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Falcon Admission Controller Image Pull Secrets",xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"} @@ -162,7 +187,7 @@ type FalconAdmissionConfigSpec struct { // Type of Deployment update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. // +kubebuilder:default:={"rollingUpdate":{"maxUnavailable":0,"maxSurge":1}} // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Deployment Update Strategy",order=11 - DepUpdateStrategy FalconAdmissionUpdateStrategy `json:"updateStrategy,omitempty"` + DepUpdateStrategy *FalconAdmissionUpdateStrategy `json:"updateStrategy,omitempty"` } type FalconAdmissionServiceAccount struct { @@ -255,7 +280,7 @@ func (watcher FalconAdmissionConfigSpec) GetSnapshotsEnabled() bool { func (watcher FalconAdmissionConfigSpec) GetSnapshotsInterval() time.Duration { if watcher.SnapshotsInterval == nil { - return SnapshotsIntervalDefault * time.Hour + return time.Duration(SnapshotsIntervalDefault) } return watcher.SnapshotsInterval.Duration @@ -268,3 +293,121 @@ func (watcher FalconAdmissionConfigSpec) GetWatcherEnabled() bool { return *watcher.WatcherEnabled } + +func (admission FalconAdmission) GetResourcesClient() *corev1.ResourceRequirements { + if admission.Spec.AdmissionConfig.ResourcesClient == nil { + return &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse(KACResourcesClientLimitCpuDefault), + "memory": resource.MustParse(KACResourcesClientLimitMemDefault), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse(KACResourcesClientReqCpuDefault), + "memory": resource.MustParse(KACResourcesClientLimitMemDefault), + }, + } + } + + return admission.Spec.AdmissionConfig.ResourcesClient +} + +func (admission FalconAdmission) GetResourcesWatcher() *corev1.ResourceRequirements { + if admission.Spec.AdmissionConfig.ResourcesWatcher == nil { + return &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse(KACResourcesWatcherLimitCpuDefault), + "memory": resource.MustParse(KACResourcesWatcherLimitMemDefault), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse(KACResourcesWatcherReqCpuDefault), + "memory": resource.MustParse(KACResourcesWatcherReqMemDefault), + }, + } + } + + return admission.Spec.AdmissionConfig.ResourcesWatcher +} + +func (admission FalconAdmission) GetResourcesAC() *corev1.ResourceRequirements { + if admission.Spec.AdmissionConfig.ResourcesAC == nil { + return &corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse(KACResourcesAcLimitCpuDefault), + "memory": resource.MustParse(KACResourcesAcLimitMemDefault), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse(KACResourcesAcReqCpuDefault), + "memory": resource.MustParse(KACResourcesAcReqMemDefault), + }, + } + } + + return admission.Spec.AdmissionConfig.ResourcesAC +} + +func (admission FalconAdmission) GetDepUpdateStrategy() *FalconAdmissionUpdateStrategy { + if admission.Spec.AdmissionConfig.DepUpdateStrategy == nil { + return &FalconAdmissionUpdateStrategy{ + RollingUpdate: appsv1.RollingUpdateDeployment{ + MaxUnavailable: &intstr.IntOrString{IntVal: KACDepUpdateStrategyMaxUnavailable}, + MaxSurge: &intstr.IntOrString{IntVal: KACDepUpdateStrategyMaxSurge}, + }, + } + } + + return admission.Spec.AdmissionConfig.DepUpdateStrategy +} + +func (admission FalconAdmission) GetImagePullPolicy() *corev1.PullPolicy { + if admission.Spec.AdmissionConfig.ImagePullPolicy == nil { + return &KACImagePullPolicyDefault + } + return admission.Spec.AdmissionConfig.ImagePullPolicy +} + +func (admission FalconAdmission) GetRegistryCAConfigMapName(name string) string { + registryCAConfigMapName := "" + registryCABundleConfigMapName := name + "-registry-certs" + + if admission.Spec.Registry.TLS.CACertificateConfigMap != "" { + registryCAConfigMapName = admission.Spec.Registry.TLS.CACertificateConfigMap + } + + if admission.Spec.Registry.TLS.CACertificate != "" { + registryCAConfigMapName = registryCABundleConfigMapName + } + + return registryCAConfigMapName +} + +func (admission FalconAdmission) GetKACPort() *int32 { + if admission.Spec.AdmissionConfig.Port == nil { + return &KACPortDefault + } + + return admission.Spec.AdmissionConfig.Port +} + +func (admission FalconAdmission) GetFailurePolicy() *arv1.FailurePolicyType { + if admission.Spec.AdmissionConfig.FailurePolicy == nil { + return &KACFailurePolicyDefault + } + + return admission.Spec.AdmissionConfig.FailurePolicy +} + +func (admission FalconAdmission) GetContainerPort() *int32 { + if admission.Spec.AdmissionConfig.ContainerPort == nil { + return &KACContainerPortDefault + } + + return admission.Spec.AdmissionConfig.ContainerPort +} + +func (admission FalconAdmission) GetResQuotaPodLimit() *string { + if admission.Spec.ResQuota.PodLimit == nil { + return &KACResQuotaPodLimitDefault + } + + return admission.Spec.ResQuota.PodLimit +} diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go index 89f39d3a..393daa80 100644 --- a/api/falcon/v1alpha1/zz_generated.deepcopy.go +++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go @@ -210,6 +210,7 @@ package v1alpha1 import ( + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -322,6 +323,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec **out = **in } in.TLS.DeepCopyInto(&out.TLS) + if in.FailurePolicy != nil { + in, out := &in.FailurePolicy, &out.FailurePolicy + *out = new(admissionregistrationv1.FailurePolicyType) + **out = **in + } in.DisabledNamespaces.DeepCopyInto(&out.DisabledNamespaces) if in.DeployWatcher != nil { in, out := &in.DeployWatcher, &out.DeployWatcher @@ -348,6 +354,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec *out = new(int32) **out = **in } + if in.ImagePullPolicy != nil { + in, out := &in.ImagePullPolicy, &out.ImagePullPolicy + *out = new(corev1.PullPolicy) + **out = **in + } if in.ImagePullSecrets != nil { in, out := &in.ImagePullSecrets, &out.ImagePullSecrets *out = make([]corev1.LocalObjectReference, len(*in)) @@ -368,7 +379,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } - in.DepUpdateStrategy.DeepCopyInto(&out.DepUpdateStrategy) + if in.DepUpdateStrategy != nil { + in, out := &in.DepUpdateStrategy, &out.DepUpdateStrategy + *out = new(FalconAdmissionUpdateStrategy) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionConfigSpec. @@ -436,6 +451,11 @@ func (in *FalconAdmissionNamespace) DeepCopy() *FalconAdmissionNamespace { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FalconAdmissionRQSpec) DeepCopyInto(out *FalconAdmissionRQSpec) { *out = *in + if in.PodLimit != nil { + in, out := &in.PodLimit, &out.PodLimit + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionRQSpec. @@ -473,13 +493,18 @@ func (in *FalconAdmissionServiceAccount) DeepCopy() *FalconAdmissionServiceAccou // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FalconAdmissionSpec) DeepCopyInto(out *FalconAdmissionSpec) { *out = *in + if in.InstallNamespace != nil { + in, out := &in.InstallNamespace, &out.InstallNamespace + *out = new(string) + **out = **in + } in.Falcon.DeepCopyInto(&out.Falcon) if in.FalconAPI != nil { in, out := &in.FalconAPI, &out.FalconAPI *out = new(FalconAPI) (*in).DeepCopyInto(*out) } - out.ResQuota = in.ResQuota + in.ResQuota.DeepCopyInto(&out.ResQuota) in.Registry.DeepCopyInto(&out.Registry) in.AdmissionConfig.DeepCopyInto(&out.AdmissionConfig) if in.Version != nil { diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml index f54da098..39a075cc 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml @@ -103,7 +103,7 @@ spec: x-kubernetes-map-type: atomic type: array replicas: - default: 2 + default: 1 description: Currently ignored and internally set to 1 format: int32 maximum: 65535 diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index da6b3a14..e146ea13 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml @@ -117,7 +117,7 @@ spec: x-kubernetes-map-type: atomic type: array replicas: - default: 2 + default: 1 description: Currently ignored and internally set to 1 format: int32 maximum: 65535 @@ -4426,7 +4426,8 @@ spec: - name: WATCH_NAMESPACE - name: OPERATOR_NAME value: falcon-operator - image: quay.io/crowdstrike/falcon-operator:1.0.0 + imagePullPolicy: Never + image: controller:latest livenessProbe: httpGet: path: /healthz diff --git a/internal/controller/admission/configmap.go b/internal/controller/admission/configmap.go index 94a4c99c..9d0ac7a5 100644 --- a/internal/controller/admission/configmap.go +++ b/internal/controller/admission/configmap.go @@ -32,7 +32,7 @@ func (r *FalconAdmissionReconciler) reconcileGenericConfigMap(name string, genFu } existingCM := &corev1.ConfigMap{} - err = r.Get(ctx, types.NamespacedName{Name: name, Namespace: falconAdmission.Spec.InstallNamespace}, existingCM) + err = r.Get(ctx, types.NamespacedName{Name: name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingCM) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, cm) if err != nil { @@ -62,7 +62,7 @@ func (r *FalconAdmissionReconciler) newCABundleConfigMap(ctx context.Context, na if falconAdmission.Spec.Registry.TLS.CACertificate != "" { data["tls.crt"] = string(common.DecodeBase64Interface(falconAdmission.Spec.Registry.TLS.CACertificate)) - return assets.SensorConfigMap(name, falconAdmission.Spec.InstallNamespace, common.FalconSidecarSensor, data), nil + return assets.SensorConfigMap(name, *falconAdmission.Spec.InstallNamespace, common.FalconSidecarSensor, data), nil } return &corev1.ConfigMap{}, fmt.Errorf("unable to determine contents of Registry TLS CACertificate attribute") } @@ -84,5 +84,5 @@ func (r *FalconAdmissionReconciler) newConfigMap(ctx context.Context, name strin } data["FALCONCTL_OPT_CID"] = cid - return assets.SensorConfigMap(name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, data), nil + return assets.SensorConfigMap(name, *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, data), nil } diff --git a/internal/controller/admission/falconadmission_controller.go b/internal/controller/admission/falconadmission_controller.go index 397ca437..8c5b0413 100644 --- a/internal/controller/admission/falconadmission_controller.go +++ b/internal/controller/admission/falconadmission_controller.go @@ -106,7 +106,9 @@ func (r *FalconAdmissionReconciler) Reconcile(ctx context.Context, req ctrl.Requ return ctrl.Result{}, err } - validate, err := k8sutils.CheckRunningPodLabels(r.Client, ctx, falconAdmission.Spec.InstallNamespace, common.CRLabels("deployment", falconAdmission.Name, common.FalconAdmissionController)) + log.Info("Reconcile admission Spec", "existingFalconAdmission.Spec", falconAdmission.Spec) + + validate, err := k8sutils.CheckRunningPodLabels(r.Client, ctx, *falconAdmission.Spec.InstallNamespace, common.CRLabels("deployment", falconAdmission.Name, common.FalconAdmissionController)) if err != nil { return ctrl.Result{}, err } @@ -254,13 +256,14 @@ func (r *FalconAdmissionReconciler) Reconcile(ctx context.Context, req ctrl.Requ return ctrl.Result{}, err } - pod, err := k8sutils.GetReadyPod(r.Client, ctx, falconAdmission.Spec.InstallNamespace, map[string]string{common.FalconComponentKey: common.FalconAdmissionController}) + pod, err := k8sutils.GetReadyPod(r.Client, ctx, *falconAdmission.Spec.InstallNamespace, map[string]string{common.FalconComponentKey: common.FalconAdmissionController}) if err != nil && err != k8sutils.ErrNoWebhookServicePodReady { log.Error(err, "Failed to find Ready admission controller pod") return ctrl.Result{}, err } + if pod.Name == "" { - log.Info("Looking for a Ready admission controller pod", "namespace", falconAdmission.Spec.InstallNamespace) + log.Info("Looking for a Ready admission controller pod", "namespace", *falconAdmission.Spec.InstallNamespace) return ctrl.Result{RequeueAfter: 5 * time.Second}, nil } @@ -288,15 +291,11 @@ func (r *FalconAdmissionReconciler) Reconcile(ctx context.Context, req ctrl.Requ func (r *FalconAdmissionReconciler) reconcileResourceQuota(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) error { existingRQ := &corev1.ResourceQuota{} - defaultPodLimit := "5" - - if falconAdmission.Spec.ResQuota.PodLimit != "" { - defaultPodLimit = falconAdmission.Spec.ResQuota.PodLimit - } + podLimit := *falconAdmission.GetResQuotaPodLimit() - rq := assets.ResourceQuota(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, defaultPodLimit) + rq := assets.ResourceQuota(falconAdmission.Name, *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, podLimit) - err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: falconAdmission.Spec.InstallNamespace}, existingRQ) + err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingRQ) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, rq) if err != nil { @@ -309,8 +308,7 @@ func (r *FalconAdmissionReconciler) reconcileResourceQuota(ctx context.Context, return err } - podLimit := resource.MustParse(defaultPodLimit) - if existingRQ.Spec.Hard["pods"] != podLimit { + if existingRQ.Spec.Hard["pods"] != resource.MustParse(podLimit) { err = k8sutils.Update(r.Client, ctx, req, log, falconAdmission, &falconAdmission.Status, rq) if err != nil { return err @@ -324,7 +322,7 @@ func (r *FalconAdmissionReconciler) reconcileTLSSecret(ctx context.Context, req existingTLSSecret := &corev1.Secret{} name := falconAdmission.Name + "-tls" - err := r.Get(ctx, types.NamespacedName{Name: name, Namespace: falconAdmission.Spec.InstallNamespace}, existingTLSSecret) + err := r.Get(ctx, types.NamespacedName{Name: name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingTLSSecret) if err != nil && apierrors.IsNotFound(err) { validity := 3650 if falconAdmission.Spec.AdmissionConfig.TLS.Validity != nil { @@ -332,12 +330,12 @@ func (r *FalconAdmissionReconciler) reconcileTLSSecret(ctx context.Context, req } certInfo := tls.CertInfo{ - CommonName: fmt.Sprintf("%s.%s.svc", falconAdmission.Name, falconAdmission.Spec.InstallNamespace), - DNSNames: []string{fmt.Sprintf("%s.%s.svc", falconAdmission.Name, falconAdmission.Spec.InstallNamespace), fmt.Sprintf("%s.%s.svc.cluster.local", falconAdmission.Name, falconAdmission.Spec.InstallNamespace), - fmt.Sprintf("%s.%s", falconAdmission.Name, falconAdmission.Spec.InstallNamespace), falconAdmission.Name}, + CommonName: fmt.Sprintf("%s.%s.svc", falconAdmission.Name, *falconAdmission.Spec.InstallNamespace), + DNSNames: []string{fmt.Sprintf("%s.%s.svc", falconAdmission.Name, *falconAdmission.Spec.InstallNamespace), fmt.Sprintf("%s.%s.svc.cluster.local", falconAdmission.Name, *falconAdmission.Spec.InstallNamespace), + fmt.Sprintf("%s.%s", falconAdmission.Name, *falconAdmission.Spec.InstallNamespace), falconAdmission.Name}, } - c, k, b, err := tls.CertSetup(falconAdmission.Spec.InstallNamespace, validity, certInfo) + c, k, b, err := tls.CertSetup(*falconAdmission.Spec.InstallNamespace, validity, certInfo) if err != nil { log.Error(err, "Failed to generate FalconAdmission PKI") return &corev1.Secret{}, err @@ -349,7 +347,7 @@ func (r *FalconAdmissionReconciler) reconcileTLSSecret(ctx context.Context, req "ca.crt": b, } - admissionTLSSecret := assets.Secret(name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, secretData, corev1.SecretTypeTLS) + admissionTLSSecret := assets.Secret(name, *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, secretData, corev1.SecretTypeTLS) err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, admissionTLSSecret) if err != nil { return &corev1.Secret{}, err @@ -372,9 +370,9 @@ func (r *FalconAdmissionReconciler) reconcileService(ctx context.Context, req ct port = *falconAdmission.Spec.AdmissionConfig.Port } - service := assets.Service(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, selector, common.FalconAdmissionServiceHTTPSName, port) + service := assets.Service(falconAdmission.Name, *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, selector, common.FalconAdmissionServiceHTTPSName, port) - err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: falconAdmission.Spec.InstallNamespace}, existingService) + err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingService) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, service) if err != nil { @@ -404,7 +402,8 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionValidatingWebHook(ctx cont disabledNamespaces := append(common.DefaultDisabledNamespaces, falconAdmission.Spec.AdmissionConfig.DisabledNamespaces.Namespaces...) const webhookName = "validating.admission.falcon.crowdstrike.com" failPolicy := arv1.Ignore - port := int32(443) + port := *falconAdmission.GetKACPort() + failPolicy = *falconAdmission.GetFailurePolicy() if r.OpenShift { ocpNS, err := k8sutils.GetOpenShiftNamespaceNamesSort(ctx, r.Client) @@ -420,16 +419,7 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionValidatingWebHook(ctx cont } disabledNamespaces = append(disabledNamespaces, falconNS...) - - if falconAdmission.Spec.AdmissionConfig.FailurePolicy != "" { - failPolicy = falconAdmission.Spec.AdmissionConfig.FailurePolicy - } - - if falconAdmission.Spec.AdmissionConfig.Port != nil { - port = *falconAdmission.Spec.AdmissionConfig.Port - } - - webhook := assets.ValidatingWebhook(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, webhookName, cabundle, port, failPolicy, disabledNamespaces) + webhook := assets.ValidatingWebhook(falconAdmission.Name, *falconAdmission.Spec.InstallNamespace, webhookName, cabundle, port, failPolicy, disabledNamespaces) updated := false err = r.Get(ctx, types.NamespacedName{Name: webhookName}, existingWebhook) @@ -481,7 +471,7 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionDeployment(ctx context.Con } existingDeployment := &appsv1.Deployment{} - dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission, log) + dep := assets.AdmissionDeployment(falconAdmission.Name, *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission, log) updated := false if len(proxy.ReadProxyVarsFromEnv()) > 0 { @@ -490,7 +480,7 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionDeployment(ctx context.Con } } - err = r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: falconAdmission.Spec.InstallNamespace}, existingDeployment) + err = r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingDeployment) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, dep) if err != nil { @@ -598,10 +588,10 @@ func (r *FalconAdmissionReconciler) reconcileRegistrySecret(ctx context.Context, } secretData := map[string][]byte{corev1.DockerConfigJsonKey: common.CleanDecodedBase64(pulltoken)} - secret := assets.Secret(common.FalconPullSecretName, falconAdmission.Spec.InstallNamespace, "falcon-operator", secretData, corev1.SecretTypeDockerConfigJson) + secret := assets.Secret(common.FalconPullSecretName, *falconAdmission.Spec.InstallNamespace, "falcon-operator", secretData, corev1.SecretTypeDockerConfigJson) existingSecret := &corev1.Secret{} - err = r.Get(ctx, types.NamespacedName{Name: common.FalconPullSecretName, Namespace: falconAdmission.Spec.InstallNamespace}, existingSecret) + err = r.Get(ctx, types.NamespacedName{Name: common.FalconPullSecretName, Namespace: *falconAdmission.Spec.InstallNamespace}, existingSecret) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, secret) if err != nil { @@ -655,10 +645,10 @@ func (r *FalconAdmissionReconciler) reconcileImageStream(ctx context.Context, re } func (r *FalconAdmissionReconciler) reconcileNamespace(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) error { - namespace := assets.Namespace(falconAdmission.Spec.InstallNamespace) + namespace := assets.Namespace(*falconAdmission.Spec.InstallNamespace) existingNamespace := &corev1.Namespace{} - err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Spec.InstallNamespace}, existingNamespace) + err := r.Get(ctx, types.NamespacedName{Name: *falconAdmission.Spec.InstallNamespace}, existingNamespace) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, namespace) if err != nil { @@ -677,7 +667,7 @@ func (r *FalconAdmissionReconciler) reconcileNamespace(ctx context.Context, req func (r *FalconAdmissionReconciler) admissionDeploymentUpdate(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) error { existingDeployment := &appsv1.Deployment{} configVersion := "falcon.config.version" - err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: falconAdmission.Spec.InstallNamespace}, existingDeployment) + err := r.Get(ctx, types.NamespacedName{Name: falconAdmission.Name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingDeployment) if err != nil && apierrors.IsNotFound(err) { return err } else if err != nil { diff --git a/internal/controller/admission/falconadmission_controller_test.go b/internal/controller/admission/falconadmission_controller_test.go index 636fe796..e14f35a1 100644 --- a/internal/controller/admission/falconadmission_controller_test.go +++ b/internal/controller/admission/falconadmission_controller_test.go @@ -26,6 +26,7 @@ var _ = Describe("FalconAdmission controller", func() { const AdmissionControllerNamespace = "falcon-kac" admissionImage := "example.com/image:test" falconCID := "1234567890ABCDEF1234567890ABCDEF-12" + installNamespace := "falcon-kac" ctx := context.Background() @@ -67,13 +68,13 @@ var _ = Describe("FalconAdmission controller", func() { Falcon: falconv1alpha1.FalconSensor{ CID: &falconCID, }, - InstallNamespace: "falcon-kac", + InstallNamespace: &installNamespace, Image: admissionImage, Registry: falconv1alpha1.RegistrySpec{ Type: "crowdstrike", }, AdmissionConfig: falconv1alpha1.FalconAdmissionConfigSpec{ - DepUpdateStrategy: falconv1alpha1.FalconAdmissionUpdateStrategy{ + DepUpdateStrategy: &falconv1alpha1.FalconAdmissionUpdateStrategy{ RollingUpdate: appsv1.RollingUpdateDeployment{ MaxUnavailable: &intstr.IntOrString{IntVal: 1}, MaxSurge: &intstr.IntOrString{IntVal: 1}, diff --git a/internal/controller/admission/image_push.go b/internal/controller/admission/image_push.go index 8d2dbd3c..eaeb9c23 100644 --- a/internal/controller/admission/image_push.go +++ b/internal/controller/admission/image_push.go @@ -219,7 +219,7 @@ func (r *FalconAdmissionReconciler) imageNamespace(falconAdmission *falconv1alph // is shared and images pushed there can be referenced by deployments in other namespaces return "openshift" } - return falconAdmission.Spec.InstallNamespace + return *falconAdmission.Spec.InstallNamespace } func (r *FalconAdmissionReconciler) falconApiConfig(ctx context.Context, falconAdmission *falconv1alpha1.FalconAdmission) *falcon.ApiConfig { diff --git a/internal/controller/admission/rbac.go b/internal/controller/admission/rbac.go index b48a62de..5ce91dc3 100644 --- a/internal/controller/admission/rbac.go +++ b/internal/controller/admission/rbac.go @@ -33,12 +33,12 @@ func (r *FalconAdmissionReconciler) reconcileServiceAccount(ctx context.Context, } serviceAccount := assets.ServiceAccount(common.AdmissionServiceAccountName, - falconAdmission.Spec.InstallNamespace, + *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, falconAdmission.Spec.AdmissionConfig.ServiceAccount.Annotations, imagePullSecrets) - err := r.Get(ctx, types.NamespacedName{Name: common.AdmissionServiceAccountName, Namespace: falconAdmission.Spec.InstallNamespace}, existingServiceAccount) + err := r.Get(ctx, types.NamespacedName{Name: common.AdmissionServiceAccountName, Namespace: *falconAdmission.Spec.InstallNamespace}, existingServiceAccount) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, serviceAccount) if err != nil { @@ -73,7 +73,7 @@ func (r *FalconAdmissionReconciler) reconcileServiceAccount(ctx context.Context, func (r *FalconAdmissionReconciler) reconcileClusterRoleBinding(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) error { clusterRoleBinding := assets.ClusterRoleBinding(admissionClusterRoleBindingName, - falconAdmission.Spec.InstallNamespace, + *falconAdmission.Spec.InstallNamespace, admissionClusterRoleName, common.AdmissionServiceAccountName, common.FalconAdmissionController, @@ -116,10 +116,10 @@ func (r *FalconAdmissionReconciler) reconcileClusterRoleBinding(ctx context.Cont } func (r *FalconAdmissionReconciler) reconcileRole(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) error { - role := assets.Role("falcon-admission-controller-role", falconAdmission.Spec.InstallNamespace) + role := assets.Role("falcon-admission-controller-role", *falconAdmission.Spec.InstallNamespace) existingRole := &rbacv1.Role{} - err := r.Get(ctx, types.NamespacedName{Name: "falcon-admission-controller-role", Namespace: falconAdmission.Spec.InstallNamespace}, existingRole) + err := r.Get(ctx, types.NamespacedName{Name: "falcon-admission-controller-role", Namespace: *falconAdmission.Spec.InstallNamespace}, existingRole) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, role) if err != nil { @@ -145,12 +145,12 @@ func (r *FalconAdmissionReconciler) reconcileRole(ctx context.Context, req ctrl. func (r *FalconAdmissionReconciler) reconcileRoleBinding(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) error { roleBinding := assets.RoleBinding("falcon-admission-controller-role-binding", - falconAdmission.Spec.InstallNamespace, + *falconAdmission.Spec.InstallNamespace, "falcon-admission-controller-role", common.AdmissionServiceAccountName) existingRoleBinding := &rbacv1.RoleBinding{} - err := r.Get(ctx, types.NamespacedName{Name: "falcon-admission-controller-role-binding", Namespace: falconAdmission.Spec.InstallNamespace}, existingRoleBinding) + err := r.Get(ctx, types.NamespacedName{Name: "falcon-admission-controller-role-binding", Namespace: *falconAdmission.Spec.InstallNamespace}, existingRoleBinding) if err != nil && apierrors.IsNotFound(err) { err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, roleBinding) if err != nil { diff --git a/internal/controller/assets/deployment.go b/internal/controller/assets/deployment.go index 37e1902a..cceb3f5c 100644 --- a/internal/controller/assets/deployment.go +++ b/internal/controller/assets/deployment.go @@ -1,6 +1,7 @@ package assets import ( + "reflect" "strconv" falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1" @@ -22,8 +23,6 @@ const ( FalconWatcher ) -var enforcedSingleReplica = int32(1) - // SideCarDeployment returns a Deployment object for the CrowdStrike Falcon sidecar func SideCarDeployment(name string, namespace string, component string, imageUri string, falconContainer *falconv1alpha1.FalconContainer) *appsv1.Deployment { initContainerName := "crowdstrike-falcon-init-container" @@ -414,29 +413,14 @@ func AdmissionDeployment(name string, namespace string, component string, imageU readOnlyRootFilesystem := true allowPrivilegeEscalation := false shareProcessNamespace := true - resourcesClient := &corev1.ResourceRequirements{} - resourcesWatcher := &corev1.ResourceRequirements{} - resourcesAC := &corev1.ResourceRequirements{} sizeLimitTmp := resource.MustParse("256Mi") sizeLimitPrivate := resource.MustParse("4Ki") sizeLimitWatcher := resource.MustParse("64Mi") labels := common.CRLabels("deployment", name, component) - registryCAConfigMapName := "" - registryCABundleConfigMapName := name + "-registry-certs" + registryCAConfigMapName := falconAdmission.GetRegistryCAConfigMapName(name) + containerPort := *falconAdmission.GetContainerPort() portWatcherHealthCheck := int32(4080) - if falconAdmission.Spec.AdmissionConfig.ResourcesClient != nil { - resourcesClient = falconAdmission.Spec.AdmissionConfig.ResourcesClient - } - - if falconAdmission.Spec.AdmissionConfig.ResourcesWatcher != nil { - resourcesWatcher = falconAdmission.Spec.AdmissionConfig.ResourcesWatcher - } - - if falconAdmission.Spec.AdmissionConfig.ResourcesAC != nil { - resourcesAC = falconAdmission.Spec.AdmissionConfig.ResourcesAC - } - volumes := []corev1.Volume{ { Name: name + "-tls-certs", @@ -472,14 +456,6 @@ func AdmissionDeployment(name string, namespace string, component string, imageU }, } - if falconAdmission.Spec.Registry.TLS.CACertificateConfigMap != "" { - registryCAConfigMapName = falconAdmission.Spec.Registry.TLS.CACertificateConfigMap - } - - if falconAdmission.Spec.Registry.TLS.CACertificate != "" { - registryCAConfigMapName = registryCABundleConfigMapName - } - if registryCAConfigMapName != "" { volumes = append(volumes, corev1.Volume{ Name: registryCAConfigMapName, @@ -501,7 +477,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU { Name: "falcon-client", Image: imageUri, - ImagePullPolicy: falconAdmission.Spec.AdmissionConfig.ImagePullPolicy, + ImagePullPolicy: *falconAdmission.GetImagePullPolicy(), Args: []string{"client"}, SecurityContext: &corev1.SecurityContext{ ReadOnlyRootFilesystem: &readOnlyRootFilesystem, @@ -553,7 +529,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU }, Ports: []corev1.ContainerPort{ { - ContainerPort: *falconAdmission.Spec.AdmissionConfig.ContainerPort, + ContainerPort: containerPort, Name: common.FalconServiceHTTPSName, Protocol: corev1.ProtocolTCP, }, @@ -563,7 +539,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: common.FalconAdmissionClientStartupProbePath, - Port: intstr.IntOrString{IntVal: *falconAdmission.Spec.AdmissionConfig.ContainerPort}, + Port: intstr.IntOrString{IntVal: containerPort}, Scheme: corev1.URISchemeHTTPS, }, }, @@ -577,7 +553,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: common.FalconAdmissionClientLivenessProbePath, - Port: intstr.IntOrString{IntVal: *falconAdmission.Spec.AdmissionConfig.ContainerPort}, + Port: intstr.IntOrString{IntVal: containerPort}, Scheme: corev1.URISchemeHTTPS, }, }, @@ -587,12 +563,12 @@ func AdmissionDeployment(name string, namespace string, component string, imageU SuccessThreshold: 1, FailureThreshold: 3, }, - Resources: *resourcesClient, + Resources: *falconAdmission.GetResourcesClient(), }, { Name: "falcon-kac", Image: imageUri, - ImagePullPolicy: falconAdmission.Spec.AdmissionConfig.ImagePullPolicy, + ImagePullPolicy: *falconAdmission.GetImagePullPolicy(), SecurityContext: &corev1.SecurityContext{ ReadOnlyRootFilesystem: &readOnlyRootFilesystem, @@ -618,7 +594,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: common.FalconAdmissionStartupProbePath, - Port: intstr.IntOrString{IntVal: *falconAdmission.Spec.AdmissionConfig.ContainerPort}, + Port: intstr.IntOrString{IntVal: containerPort}, Scheme: corev1.URISchemeHTTPS, }, }, @@ -632,7 +608,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ Path: common.FalconAdmissionLivenessProbePath, - Port: intstr.IntOrString{IntVal: *falconAdmission.Spec.AdmissionConfig.ContainerPort}, + Port: intstr.IntOrString{IntVal: containerPort}, Scheme: corev1.URISchemeHTTPS, }, }, @@ -642,7 +618,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU SuccessThreshold: 1, FailureThreshold: 3, }, - Resources: *resourcesAC, + Resources: *falconAdmission.GetResourcesAC(), }, } @@ -650,7 +626,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU *kacContainers = append(*kacContainers, corev1.Container{ Name: "falcon-watcher", Image: imageUri, - ImagePullPolicy: falconAdmission.Spec.AdmissionConfig.ImagePullPolicy, + ImagePullPolicy: *falconAdmission.GetImagePullPolicy(), Args: []string{ "client", "-app=watcher", @@ -717,7 +693,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU SuccessThreshold: 1, FailureThreshold: 3, }, - Resources: *resourcesWatcher, + Resources: *falconAdmission.GetResourcesWatcher(), }) } @@ -732,7 +708,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU Labels: labels, }, Spec: appsv1.DeploymentSpec{ - Replicas: &enforcedSingleReplica, + Replicas: &falconv1alpha1.KACReplicasDefault, Selector: &metav1.LabelSelector{ MatchLabels: labels, }, @@ -837,13 +813,14 @@ func admissionDepVolumeMounts(name string, registryCAConfigMapName string, conta func admissionDepUpdateStrategy(admission *falconv1alpha1.FalconAdmission) appsv1.DeploymentStrategy { rollingUpdateSettings := appsv1.RollingUpdateDeployment{} + newUpdateStrategy := admission.GetDepUpdateStrategy() - if admission.Spec.AdmissionConfig.DepUpdateStrategy.RollingUpdate.MaxSurge != nil { - rollingUpdateSettings.MaxSurge = admission.Spec.AdmissionConfig.DepUpdateStrategy.RollingUpdate.MaxSurge + if !reflect.DeepEqual(rollingUpdateSettings.MaxSurge, newUpdateStrategy.RollingUpdate.MaxSurge) { + rollingUpdateSettings.MaxSurge = newUpdateStrategy.RollingUpdate.MaxSurge } - if admission.Spec.AdmissionConfig.DepUpdateStrategy.RollingUpdate.MaxUnavailable != nil { - rollingUpdateSettings.MaxUnavailable = admission.Spec.AdmissionConfig.DepUpdateStrategy.RollingUpdate.MaxUnavailable + if !reflect.DeepEqual(rollingUpdateSettings.MaxUnavailable, newUpdateStrategy.RollingUpdate.MaxUnavailable) { + rollingUpdateSettings.MaxUnavailable = newUpdateStrategy.RollingUpdate.MaxUnavailable } return appsv1.DeploymentStrategy{ diff --git a/internal/controller/assets/deployment_test.go b/internal/controller/assets/deployment_test.go index 0c657626..34057fcd 100644 --- a/internal/controller/assets/deployment_test.go +++ b/internal/controller/assets/deployment_test.go @@ -36,8 +36,6 @@ func TestSideCarDeployment(t *testing.T) { // TestAdmissionDeployment tests the Admission Controller Deployment function func TestAdmissionDeployment(t *testing.T) { falconAdmission := &falconv1alpha1.FalconAdmission{} - falconAdmission.Spec.AdmissionConfig.ResourcesClient = &corev1.ResourceRequirements{} - falconAdmission.Spec.AdmissionConfig.ResourcesAC = &corev1.ResourceRequirements{} port := int32(1) falconAdmission.Spec.AdmissionConfig.Port = &port @@ -84,8 +82,12 @@ func TestAdmissionDepUpdateStrategy(t *testing.T) { }, } - falconAdmission.Spec.AdmissionConfig.DepUpdateStrategy.RollingUpdate.MaxUnavailable = &intstr.IntOrString{Type: intstr.Int, IntVal: 1} - falconAdmission.Spec.AdmissionConfig.DepUpdateStrategy.RollingUpdate.MaxSurge = &intstr.IntOrString{Type: intstr.Int, IntVal: 1} + falconAdmission.Spec.AdmissionConfig.DepUpdateStrategy = &falconv1alpha1.FalconAdmissionUpdateStrategy{ + RollingUpdate: appsv1.RollingUpdateDeployment{ + MaxUnavailable: &intstr.IntOrString{IntVal: 1}, + MaxSurge: &intstr.IntOrString{IntVal: 1}, + }, + } got := admissionDepUpdateStrategy(&falconAdmission) if diff := cmp.Diff(want, got); diff != "" { @@ -338,32 +340,47 @@ func testAdmissionDeployment(name string, namespace string, component string, im readOnlyRootFilesystem := true allowPrivilegeEscalation := false shareProcessNamespace := true - resourcesClient := &corev1.ResourceRequirements{} - resourcesWatcher := &corev1.ResourceRequirements{} - resourcesAC := &corev1.ResourceRequirements{} + resourcesClient := corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse(falconv1alpha1.KACResourcesClientLimitCpuDefault), + "memory": resource.MustParse(falconv1alpha1.KACResourcesClientLimitMemDefault), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse(falconv1alpha1.KACResourcesClientReqCpuDefault), + "memory": resource.MustParse(falconv1alpha1.KACResourcesClientLimitMemDefault), + }, + } + resourcesWatcher := corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse(falconv1alpha1.KACResourcesWatcherLimitCpuDefault), + "memory": resource.MustParse(falconv1alpha1.KACResourcesWatcherLimitMemDefault), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse(falconv1alpha1.KACResourcesWatcherReqCpuDefault), + "memory": resource.MustParse(falconv1alpha1.KACResourcesWatcherReqMemDefault), + }, + } + resourcesAC := corev1.ResourceRequirements{ + Limits: corev1.ResourceList{ + "cpu": resource.MustParse(falconv1alpha1.KACResourcesAcLimitCpuDefault), + "memory": resource.MustParse(falconv1alpha1.KACResourcesAcLimitMemDefault), + }, + Requests: corev1.ResourceList{ + "cpu": resource.MustParse(falconv1alpha1.KACResourcesAcReqCpuDefault), + "memory": resource.MustParse(falconv1alpha1.KACResourcesAcReqMemDefault), + }, + } sizeLimitTmp := resource.MustParse("256Mi") sizeLimitPrivate := resource.MustParse("4Ki") sizeLimitWatcher := resource.MustParse("64Mi") portWatcherHealthCheck := int32(4080) labels := common.CRLabels("deployment", name, component) - if falconAdmission.Spec.AdmissionConfig.ResourcesClient != nil { - resourcesClient = falconAdmission.Spec.AdmissionConfig.ResourcesClient - } - - if falconAdmission.Spec.AdmissionConfig.ResourcesWatcher != nil { - resourcesWatcher = falconAdmission.Spec.AdmissionConfig.ResourcesWatcher - } - - if falconAdmission.Spec.AdmissionConfig.ResourcesAC != nil { - resourcesAC = falconAdmission.Spec.AdmissionConfig.ResourcesAC - } - kacContainers := &[]corev1.Container{ { Name: "falcon-client", Image: imageUri, - ImagePullPolicy: falconAdmission.Spec.AdmissionConfig.ImagePullPolicy, + ImagePullPolicy: falconv1alpha1.KACImagePullPolicyDefault, Args: []string{"client"}, SecurityContext: &corev1.SecurityContext{ ReadOnlyRootFilesystem: &readOnlyRootFilesystem, @@ -463,12 +480,12 @@ func testAdmissionDeployment(name string, namespace string, component string, im SuccessThreshold: 1, FailureThreshold: 3, }, - Resources: *resourcesClient, + Resources: resourcesClient, }, { Name: "falcon-kac", Image: imageUri, - ImagePullPolicy: falconAdmission.Spec.AdmissionConfig.ImagePullPolicy, + ImagePullPolicy: falconv1alpha1.KACImagePullPolicyDefault, SecurityContext: &corev1.SecurityContext{ ReadOnlyRootFilesystem: &readOnlyRootFilesystem, @@ -531,7 +548,7 @@ func testAdmissionDeployment(name string, namespace string, component string, im SuccessThreshold: 1, FailureThreshold: 3, }, - Resources: *resourcesAC, + Resources: resourcesAC, }, } @@ -539,7 +556,7 @@ func testAdmissionDeployment(name string, namespace string, component string, im *kacContainers = append(*kacContainers, corev1.Container{ Name: "falcon-watcher", Image: imageUri, - ImagePullPolicy: falconAdmission.Spec.AdmissionConfig.ImagePullPolicy, + ImagePullPolicy: falconv1alpha1.KACImagePullPolicyDefault, Args: []string{ "client", "-app=watcher", @@ -659,7 +676,7 @@ func testAdmissionDeployment(name string, namespace string, component string, im SuccessThreshold: 1, FailureThreshold: 3, }, - Resources: *resourcesWatcher, + Resources: resourcesWatcher, }) }