Merge pull request #560 from CrowdStrike/two-kac-bug

fix: force the use of a single replica in FalconAdmission

api/falcon/v1alpha1/falconadmission_types.go

@@ -99,7 +99,7 @@ type FalconAdmissionConfigSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12
 	DisabledNamespaces FalconAdmissionNamespace `json:"disabledNamespaces,omitempty"`
 
-	// Number of replicas for the Falcon Admission Controller deployment.
+	// Currently ignored and internally set to 1.
 	// +kubebuilder:default:=2
 	// +kubebuilder:validation:XIntOrString
 	// +kubebuilder:validation:Minimum:=0

config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml

@@ -99,8 +99,7 @@ spec:
                     type: array
                   replicas:
                     default: 2
-                    description: Number of replicas for the Falcon Admission Controller
-                      deployment.
+                    description: Currently ignored and internally set to 1.
                     format: int32
                     maximum: 65535
                     minimum: 0

deploy/falcon-operator.yaml

@@ -113,8 +113,7 @@ spec:
                     type: array
                   replicas:
                     default: 2
-                    description: Number of replicas for the Falcon Admission Controller
-                      deployment.
+                    description: Currently ignored and internally set to 1.
                     format: int32
                     maximum: 65535
                     minimum: 0

docs/deployment/openshift/resources/admission/README.md

@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity              | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller                                                                                                                         |
 | admissionConfig.failurePolicy             | (optional) Configure the failure policy of the Falcon Admission Controller                                                                                                                                             |
 | admissionConfig.disabledNamespaces.namespaces                | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore                                                                                         |
-| admissionConfig.replicas                  | (optional) Configure the number of replicas of the Falcon Admission Controller                                                                                                                                          |
+| admissionConfig.replicas                  | (optional) Currently ignored and internally set to 1                                                                                                                                                                    |
 | admissionConfig.imagePullPolicy           | (optional) Configure the image pull policy of the Falcon Admission Controller                                                                                                                                           |
 | admissionConfig.imagePullSecrets          | (optional) Configure the image pull secrets of the Falcon Admission Controller                                                                                                                                          |
 | admissionConfig.resourcesClient           | (optional) Configure the resources client of the Falcon Admission Controller                                                                                                                                            |

docs/resources/admission/README.md

@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity              | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller                                                                                                                         |
 | admissionConfig.failurePolicy             | (optional) Configure the failure policy of the Falcon Admission Controller                                                                                                                                             |
 | admissionConfig.disabledNamespaces.namespaces                | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore                                                                                         |
-| admissionConfig.replicas                  | (optional) Configure the number of replicas of the Falcon Admission Controller                                                                                                                                          |
+| admissionConfig.replicas                  | (optional) Currently ignored and internally set to 1                                                                                                                                                                    |
 | admissionConfig.imagePullPolicy           | (optional) Configure the image pull policy of the Falcon Admission Controller                                                                                                                                           |
 | admissionConfig.imagePullSecrets          | (optional) Configure the image pull secrets of the Falcon Admission Controller                                                                                                                                          |
 | admissionConfig.resourcesClient           | (optional) Configure the resources client of the Falcon Admission Controller                                                                                                                                            |

docs/src/resources/admission.md.tmpl

@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity              | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller                                                                                                                         |
 | admissionConfig.failurePolicy             | (optional) Configure the failure policy of the Falcon Admission Controller                                                                                                                                             |
 | admissionConfig.disabledNamespaces.namespaces                | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore                                                                                         |
-| admissionConfig.replicas                  | (optional) Configure the number of replicas of the Falcon Admission Controller                                                                                                                                          |
+| admissionConfig.replicas                  | (optional) Currently ignored and internally set to 1                                                                                                                                                                    |
 | admissionConfig.imagePullPolicy           | (optional) Configure the image pull policy of the Falcon Admission Controller                                                                                                                                           |
 | admissionConfig.imagePullSecrets          | (optional) Configure the image pull secrets of the Falcon Admission Controller                                                                                                                                          |
 | admissionConfig.resourcesClient           | (optional) Configure the resources client of the Falcon Admission Controller                                                                                                                                            |

internal/controller/admission/falconadmission_controller.go

@@ -482,7 +482,7 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionDeployment(ctx context.Con
 	}
 
 	existingDeployment := &appsv1.Deployment{}
-	dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission)
+	dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission, log)
 	updated := false
 
 	if len(proxy.ReadProxyVarsFromEnv()) > 0 {

internal/controller/assets/deployment.go

@@ -3,13 +3,16 @@ package assets
 import (
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 	"github.com/crowdstrike/falcon-operator/pkg/common"
+	"github.com/go-logr/logr"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
+var enforcedSingleReplica = int32(1)
+
 // SideCarDeployment returns a Deployment object for the CrowdStrike Falcon sidecar
 func SideCarDeployment(name string, namespace string, component string, imageUri string, falconContainer *falconv1alpha1.FalconContainer) *appsv1.Deployment {
 	initContainerName := "crowdstrike-falcon-init-container"
@@ -395,7 +398,7 @@ func ImageAnalyzerDeployment(name string, namespace string, component string, im
 }
 
 // AdmissionDeployment returns a Deployment object for the CrowdStrike Falcon Admission Controller
-func AdmissionDeployment(name string, namespace string, component string, imageUri string, falconAdmission *falconv1alpha1.FalconAdmission) *appsv1.Deployment {
+func AdmissionDeployment(name string, namespace string, component string, imageUri string, falconAdmission *falconv1alpha1.FalconAdmission, log logr.Logger) *appsv1.Deployment {
 	runNonRoot := true
 	readOnlyRootFilesystem := true
 	allowPrivilegeEscalation := false
@@ -464,6 +467,10 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 		})
 	}
 
+	if falconAdmission.Spec.AdmissionConfig.Replicas == nil || *falconAdmission.Spec.AdmissionConfig.Replicas != 1 {
+		log.Info("ignoring Replicas setting as only one is currently supported")
+	}
+
 	return &appsv1.Deployment{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: appsv1.SchemeGroupVersion.String(),
@@ -475,7 +482,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 			Labels:    labels,
 		},
 		Spec: appsv1.DeploymentSpec{
-			Replicas: falconAdmission.Spec.AdmissionConfig.Replicas,
+			Replicas: &enforcedSingleReplica,
 			Selector: &metav1.LabelSelector{
 				MatchLabels: labels,
 			},

internal/controller/assets/deployment_test.go

@@ -1,6 +1,7 @@
 package assets
 
 import (
+	"context"
 	"testing"
 
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
@@ -11,6 +12,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // TestDeployment tests the Deployment function
@@ -36,13 +38,14 @@ func TestAdmissionDeployment(t *testing.T) {
 	falconAdmission := &falconv1alpha1.FalconAdmission{}
 	falconAdmission.Spec.AdmissionConfig.ResourcesClient = &corev1.ResourceRequirements{}
 	falconAdmission.Spec.AdmissionConfig.ResourcesAC = &corev1.ResourceRequirements{}
-	port := int32(123)
+	port := int32(1)
 	falconAdmission.Spec.AdmissionConfig.Port = &port
 	falconAdmission.Spec.AdmissionConfig.Replicas = &port
 	falconAdmission.Spec.AdmissionConfig.ContainerPort = &port
 	want := testAdmissionDeployment("test", "test", "test", "test", falconAdmission)
 
-	got := AdmissionDeployment("test", "test", "test", "test", falconAdmission)
+	logger := log.FromContext(context.Background())
+	got := AdmissionDeployment("test", "test", "test", "test", falconAdmission, logger)
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("Deployment() mismatch (-want +got): %s", diff)
 	}