diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go
index 96a30e00..cfa3ac3c 100644
--- a/api/falcon/v1alpha1/falconadmission_types.go
+++ b/api/falcon/v1alpha1/falconadmission_types.go
@@ -99,7 +99,7 @@ type FalconAdmissionConfigSpec struct {
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12
 DisabledNamespaces FalconAdmissionNamespace `json:"disabledNamespaces,omitempty"`
 
- // Number of replicas for the Falcon Admission Controller deployment.
+ // Currently ignored and internally set to 1.
 // +kubebuilder:default:=2
 // +kubebuilder:validation:XIntOrString
 // +kubebuilder:validation:Minimum:=0
diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
index d7e6b338..89161a80 100644
--- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
+++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
@@ -99,8 +99,7 @@ spec:
 type: array
 replicas:
 default: 2
- description: Number of replicas for the Falcon Admission Controller
- deployment.
+ description: Currently ignored and internally set to 1.
 format: int32
 maximum: 65535
 minimum: 0
diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
index 26081a39..94635ba1 100644
--- a/deploy/falcon-operator.yaml
+++ b/deploy/falcon-operator.yaml
@@ -113,8 +113,7 @@ spec:
 type: array
 replicas:
 default: 2
- description: Number of replicas for the Falcon Admission Controller
- deployment.
+ description: Currently ignored and internally set to 1.
 format: int32
 maximum: 65535
 minimum: 0
diff --git a/docs/deployment/openshift/resources/admission/README.md b/docs/deployment/openshift/resources/admission/README.md
index aa4a5ae6..50562da0 100644
--- a/docs/deployment/openshift/resources/admission/README.md
+++ b/docs/deployment/openshift/resources/admission/README.md
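Review bot: The new comment says the field is ignored, but `// +kubebuilder:default:=2` two lines below is left in place, so the API server keeps defaulting `replicas` to 2 and the generated CRD and bundle YAML in this same commit still advertise `default: 2` for a value the operator never applies. Either change the marker to `// +kubebuilder:default:=1` so the stored object matches what is actually deployed, or say so in the comment, e.g. `// Currently ignored and internally set to 1; the declared default of 2 is not applied.` The comment is also the right place to record the operational consequence: a single-replica validating webhook has no redundancy, so while its pod is restarting or evicted, a failurePolicy of Fail can block admission in every namespace not listed in disabledNamespaces. The FalconAdmissionConfigSpec struct continues outside the hunk.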
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller |
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |
diff --git a/docs/resources/admission/README.md b/docs/resources/admission/README.md
index 28f25fea..4c9b113e 100644
--- a/docs/resources/admission/README.md
+++ b/docs/resources/admission/README.md
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller |
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |
diff --git a/docs/src/resources/admission.md.tmpl b/docs/src/resources/admission.md.tmpl
index f533d677..0b692a9d 100644
--- a/docs/src/resources/admission.md.tmpl
+++ b/docs/src/resources/admission.md.tmpl
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller |
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |
diff --git a/internal/controller/admission/falconadmission_controller.go b/internal/controller/admission/falconadmission_controller.go
index 1cd3a1dd..c1cd55a8 100644
--- a/internal/controller/admission/falconadmission_controller.go
+++ b/internal/controller/admission/falconadmission_controller.go
@@ -482,7 +482,7 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionDeployment(ctx context.Con
 }
 
 existingDeployment := &appsv1.Deployment{}
- dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission)
+ dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission, log)
 updated := false
 
 if len(proxy.ReadProxyVarsFromEnv()) > 0 {
diff --git a/internal/controller/assets/deployment.go b/internal/controller/assets/deployment.go
index ba190c24..11c3dbd0 100644
--- a/internal/controller/assets/deployment.go
+++ b/internal/controller/assets/deployment.go
@@ -3,6 +3,7 @@ package assets
 import (
 falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 "github.com/crowdstrike/falcon-operator/pkg/common"
+ "github.com/go-logr/logr"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
@@ -10,6 +11,8 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 )
 
+var enforcedSingleReplica = int32(1)
+
 // SideCarDeployment returns a Deployment object for the CrowdStrike Falcon sidecar
 func SideCarDeployment(name string, namespace string, component string, imageUri string, falconContainer *falconv1alpha1.FalconContainer) *appsv1.Deployment {
 initContainerName := "crowdstrike-falcon-init-container"
@@ -395,7 +398,7 @@ func ImageAnalyzerDeployment(name string, namespace string, component string, im
 }
 
 // AdmissionDeployment returns a Deployment object for the CrowdStrike Falcon Admission Controller
-func AdmissionDeployment(name string, namespace string, component string, imageUri string, falconAdmission *falconv1alpha1.FalconAdmission) *appsv1.Deployment {
+func AdmissionDeployment(name string, namespace string, component string, imageUri string, falconAdmission *falconv1alpha1.FalconAdmission, log logr.Logger) *appsv1.Deployment {
 runNonRoot := true
 readOnlyRootFilesystem := true
 allowPrivilegeEscalation := false
@@ -464,6 +467,10 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 })
 }
 
+ if falconAdmission.Spec.AdmissionConfig.Replicas == nil || *falconAdmission.Spec.AdmissionConfig.Replicas != 1 {
+ log.Info("ignoring Replicas setting as only one is currently supported")
+ }
+
 return &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 APIVersion: appsv1.SchemeGroupVersion.String(),
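Review bot: The added condition `falconAdmission.Spec.AdmissionConfig.Replicas == nil || *falconAdmission.Spec.AdmissionConfig.Replicas != 1` logs "ignoring Replicas setting" when the field is nil, i.e. when nothing was requested, so a spec that never mentioned replicas is reported as if the user had asked for something that was dropped. Log only an explicit non-1 request and include the requested value so the person reading the controller log can tell what was overridden: `if want := falconAdmission.Spec.AdmissionConfig.Replicas; want != nil && *want != 1 {` followed by `log.Info("ignoring Replicas setting as only one is currently supported", "requested", *want)`. AdmissionDeployment starts in the previous hunk and continues past this one.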
@@ -475,7 +482,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 Labels: labels,
 },
 Spec: appsv1.DeploymentSpec{
- Replicas: falconAdmission.Spec.AdmissionConfig.Replicas,
+ Replicas: &enforcedSingleReplica,
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },
diff --git a/internal/controller/assets/deployment_test.go b/internal/controller/assets/deployment_test.go
index 7d6cdd0d..062c114e 100644
--- a/internal/controller/assets/deployment_test.go
+++ b/internal/controller/assets/deployment_test.go
@@ -1,6 +1,7 @@
 package assets
 
 import (
+ "context"
 "testing"
 
 falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
@@ -11,6 +12,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // TestDeployment tests the Deployment function
@@ -36,13 +38,14 @@ func TestAdmissionDeployment(t *testing.T) {
 falconAdmission := &falconv1alpha1.FalconAdmission{}
 falconAdmission.Spec.AdmissionConfig.ResourcesClient = &corev1.ResourceRequirements{}
 falconAdmission.Spec.AdmissionConfig.ResourcesAC = &corev1.ResourceRequirements{}
- port := int32(123)
+ port := int32(1)
 falconAdmission.Spec.AdmissionConfig.Port = &port
 falconAdmission.Spec.AdmissionConfig.Replicas = &port
 falconAdmission.Spec.AdmissionConfig.ContainerPort = &port
 
 want := testAdmissionDeployment("test", "test", "test", "test", falconAdmission)
- got := AdmissionDeployment("test", "test", "test", "test", falconAdmission)
+ logger := log.FromContext(context.Background())
+ got := AdmissionDeployment("test", "test", "test", "test", falconAdmission, logger)
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("Deployment() mismatch (-want +got): %s", diff)
 }
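Review bot: `Replicas: &enforcedSingleReplica` gives every Deployment this function returns a pointer to the same package-level variable declared in the `@@ -10` hunk of this file, so any write through `dep.Spec.Replicas` downstream (a reconcile comparison or patch helper that adjusts the object in place, for instance) would silently change the replica count for all later calls, and the package now carries mutable global state that nothing needs. A function-local value is safer and no longer: `replicas := int32(1)` just before the `return &appsv1.Deployment{` and `Replicas: &replicas,` here, after which the package-level `var` can be dropped. AdmissionDeployment begins and ends outside this hunk.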
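Review bot: Changing `port` from 123 to 1 makes `falconAdmission.Spec.AdmissionConfig.Replicas = &port` equal the enforced value by coincidence, so the test passes without ever showing that a requested count other than 1 is overridden, which is the behaviour this commit introduces. Keep `port := int32(123)`, give Replicas its own variable such as `replicas := int32(3)` (any value other than 1 will do), have testAdmissionDeployment expect 1, and assert the override directly with `if got.Spec.Replicas == nil || *got.Spec.Replicas != 1 { t.Errorf("replicas = %v, want 1", got.Spec.Replicas) }`. `log.FromContext(context.Background())` with no logger attached presumably falls back to the package default logger; `logr.Discard()` would keep the test self-contained and silent. testAdmissionDeployment is outside the hunk, so the matching change to its expected Deployment cannot be checked here.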