From 18f1eb979cc3f86b70107a8889e7b4d9601b9be6 Mon Sep 17 00:00:00 2001
From: Milo Hyson
Date: Fri, 14 Jun 2024 10:08:45 -0700
Subject: [PATCH 1/3] fix: force the use of a single replica in FalconAdmission

---
 api/falcon/v1alpha1/falconadmission_types.go | 8 --------
 api/falcon/v1alpha1/zz_generated.deepcopy.go | 5 -----
 .../bases/falcon.crowdstrike.com_falconadmissions.yaml | 9 ---------
 deploy/falcon-operator.yaml | 9 ---------
 internal/controller/assets/deployment.go | 4 +++-
 internal/controller/assets/deployment_test.go | 3 +--
 6 files changed, 4 insertions(+), 34 deletions(-)

diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go
index 96a30e00..a019e2a6 100644
--- a/api/falcon/v1alpha1/falconadmission_types.go
+++ b/api/falcon/v1alpha1/falconadmission_types.go
@@ -99,14 +99,6 @@ type FalconAdmissionConfigSpec struct {
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12
 DisabledNamespaces FalconAdmissionNamespace `json:"disabledNamespaces,omitempty"`
 
- // Number of replicas for the Falcon Admission Controller deployment.
- // +kubebuilder:default:=2
- // +kubebuilder:validation:XIntOrString
- // +kubebuilder:validation:Minimum:=0
- // +kubebuilder:validation:Maximum:=65535
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Admission Controller Replica Count",order=5,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:number"}
- Replicas *int32 `json:"replicas,omitempty"`
-
 // +kubebuilder:default:=Always
 // +kubebuilder:validation:Enum=Always;IfNotPresent;Never
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Image Pull Policy",order=2,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:imagePullPolicy"}
diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
index 8375a772..2a9c22df 100644
--- a/api/falcon/v1alpha1/zz_generated.deepcopy.go
+++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go @@ -323,11 +323,6 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec } in.TLS.DeepCopyInto(&out.TLS) in.DisabledNamespaces.DeepCopyInto(&out.DisabledNamespaces) - if in.Replicas != nil { - in, out := &in.Replicas, &out.Replicas - *out = new(int32) - **out = **in - } if in.ImagePullSecrets != nil { in, out := &in.ImagePullSecrets, &out.ImagePullSecrets *out = make([]corev1.LocalObjectReference, len(*in)) diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml index d7e6b338..b65cbbe7 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml @@ -97,15 +97,6 @@ spec: type: object x-kubernetes-map-type: atomic type: array - replicas: - default: 2 - description: Number of replicas for the Falcon Admission Controller - deployment. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - x-kubernetes-int-or-string: true resources: default: limits: diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index 8e9d8247..b3d9cca2 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml @@ -111,15 +111,6 @@ spec: type: object x-kubernetes-map-type: atomic type: array - replicas: - default: 2 - description: Number of replicas for the Falcon Admission Controller - deployment. - format: int32 - maximum: 65535 - minimum: 0 - type: integer - x-kubernetes-int-or-string: true resources: default: limits: diff --git a/internal/controller/assets/deployment.go b/internal/controller/assets/deployment.go index ba190c24..4d5d21b2 100644 --- a/internal/controller/assets/deployment.go +++ b/internal/controller/assets/deployment.go 
@@ -10,6 +10,8 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 )
 
+var enforcedSingleReplica = int32(1)
+
 // SideCarDeployment returns a Deployment object for the CrowdStrike Falcon sidecar
 func SideCarDeployment(name string, namespace string, component string, imageUri string, falconContainer *falconv1alpha1.FalconContainer) *appsv1.Deployment {
 initContainerName := "crowdstrike-falcon-init-container"
@@ -475,7 +477,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 Labels: labels,
 },
 Spec: appsv1.DeploymentSpec{
- Replicas: falconAdmission.Spec.AdmissionConfig.Replicas,
+ Replicas: &enforcedSingleReplica,
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },
diff --git a/internal/controller/assets/deployment_test.go b/internal/controller/assets/deployment_test.go
index 7d6cdd0d..fee7d003 100644
--- a/internal/controller/assets/deployment_test.go
+++ b/internal/controller/assets/deployment_test.go
@@ -38,7 +38,6 @@ func TestAdmissionDeployment(t *testing.T) {
 falconAdmission.Spec.AdmissionConfig.ResourcesAC = &corev1.ResourceRequirements{}
 port := int32(123)
 falconAdmission.Spec.AdmissionConfig.Port = &port
- falconAdmission.Spec.AdmissionConfig.Replicas = &port
 falconAdmission.Spec.AdmissionConfig.ContainerPort = &port
 
 want := testAdmissionDeployment("test", "test", "test", "test", falconAdmission)
@@ -346,7 +345,7 @@ func testAdmissionDeployment(name string, namespace string, component string, im
 Labels: labels,
 },
 Spec: appsv1.DeploymentSpec{
- Replicas: falconAdmission.Spec.AdmissionConfig.Replicas,
+ Replicas: &enforcedSingleReplica,
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },

From 1d45b2af6700df144515aea3ef371f55aa70a013 Mon Sep 17 00:00:00 2001
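Review bot: `var enforcedSingleReplica = int32(1)` is a mutable package-level variable whose address becomes `Spec.Replicas` of every Deployment that AdmissionDeployment returns, so any caller that writes through that pointer (an update path that adjusts the Deployment in place, for instance) would silently change the replica count for every later reconcile. Declaring it inside the function keeps the pointer private to each returned object: `replicas := int32(1)` near the top of AdmissionDeployment and `Replicas: &replicas,` in the DeploymentSpec. If it stays package-level it needs a doc comment saying why only one replica is supported; the commit message states that it is forced but not the reason, so the comment should give it or point to the tracking issue.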
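Review bot: The expected Deployment built by testAdmissionDeployment now uses `Replicas: &enforcedSingleReplica`, the very variable the implementation reads, so the assertion on the replica count can never fail; changing the value to 5 would still pass. Pin the contract with an independent literal in the helper: `one := int32(1)` and `Replicas: &one,`. The testAdmissionDeployment helper starts and ends outside the hunk.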
From: Milo Hyson
Date: Tue, 9 Jul 2024 14:45:07 -0700
Subject: [PATCH 2/3] fix: ignore the KAC replica setting but say so in the logs

---
 api/falcon/v1alpha1/falconadmission_types.go | 8 ++++++++
 api/falcon/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 .../bases/falcon.crowdstrike.com_falconadmissions.yaml | 8 ++++++++
 deploy/falcon-operator.yaml | 8 ++++++++
 docs/resources/admission/README.md | 2 +-
 .../controller/admission/falconadmission_controller.go | 2 +-
 internal/controller/assets/deployment.go | 7 ++++++-
 internal/controller/assets/deployment_test.go | 10 +++++++---
 8 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go
index a019e2a6..cfa3ac3c 100644
--- a/api/falcon/v1alpha1/falconadmission_types.go
+++ b/api/falcon/v1alpha1/falconadmission_types.go
@@ -99,6 +99,14 @@ type FalconAdmissionConfigSpec struct {
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12
 DisabledNamespaces FalconAdmissionNamespace `json:"disabledNamespaces,omitempty"`
 
+ // Currently ignored and internally set to 1.
+ // +kubebuilder:default:=2
+ // +kubebuilder:validation:XIntOrString
+ // +kubebuilder:validation:Minimum:=0
+ // +kubebuilder:validation:Maximum:=65535
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Admission Controller Replica Count",order=5,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:number"}
+ Replicas *int32 `json:"replicas,omitempty"`
+
 // +kubebuilder:default:=Always
 // +kubebuilder:validation:Enum=Always;IfNotPresent;Never
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Image Pull Policy",order=2,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:imagePullPolicy"}
diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
index 2a9c22df..8375a772 100644
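Review bot: The re-added field keeps `// +kubebuilder:default:=2` while its description says the value is ignored and set to 1, so a FalconAdmission that leaves replicas unset is defaulted to 2 by the API server and then, given the `!= 1` check this series adds in deployment.go, logged on every reconcile as a setting the user never made. While the field is ignored, `// +kubebuilder:default:=1` (or no default) keeps the CRD consistent with the behaviour. The doc comment is also the place to record the availability consequence of a single webhook pod: during a restart or rollout there is no backend, and whether the API server blocks or admits pods in that window appears to depend on `admissionConfig.failurePolicy`. Something like `// Currently ignored and internally set to 1. A single replica means the webhook is unavailable while its pod restarts; admissionConfig.failurePolicy decides whether admission is then blocked or bypassed.` would warn operators about the fail-open case.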
--- a/api/falcon/v1alpha1/zz_generated.deepcopy.go +++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go @@ -323,6 +323,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec } in.TLS.DeepCopyInto(&out.TLS) in.DisabledNamespaces.DeepCopyInto(&out.DisabledNamespaces) + if in.Replicas != nil { + in, out := &in.Replicas, &out.Replicas + *out = new(int32) + **out = **in + } if in.ImagePullSecrets != nil { in, out := &in.ImagePullSecrets, &out.ImagePullSecrets *out = make([]corev1.LocalObjectReference, len(*in)) diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml index b65cbbe7..89161a80 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml @@ -97,6 +97,14 @@ spec: type: object x-kubernetes-map-type: atomic type: array + replicas: + default: 2 + description: Currently ignored and internally set to 1. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true resources: default: limits: diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index b3d9cca2..21a86f02 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml @@ -111,6 +111,14 @@ spec: type: object x-kubernetes-map-type: atomic type: array + replicas: + default: 2 + description: Currently ignored and internally set to 1. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true resources: default: limits: diff --git a/docs/resources/admission/README.md b/docs/resources/admission/README.md index 28f25fea..dcbd2580 100644 --- a/docs/resources/admission/README.md +++ b/docs/resources/admission/README.md 
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller |
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |
diff --git a/internal/controller/admission/falconadmission_controller.go b/internal/controller/admission/falconadmission_controller.go
index 1cd3a1dd..c1cd55a8 100644
--- a/internal/controller/admission/falconadmission_controller.go
+++ b/internal/controller/admission/falconadmission_controller.go
@@ -482,7 +482,7 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionDeployment(ctx context.Con
 }
 existingDeployment := &appsv1.Deployment{}
- dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission)
+ dep := assets.AdmissionDeployment(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, imageUri, falconAdmission, log)
 updated := false
 if len(proxy.ReadProxyVarsFromEnv()) > 0 {
diff --git a/internal/controller/assets/deployment.go b/internal/controller/assets/deployment.go
index 4d5d21b2..11c3dbd0 100644
--- a/internal/controller/assets/deployment.go
+++ b/internal/controller/assets/deployment.go
@@ -3,6 +3,7 @@ package assets
 import (
 falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 "github.com/crowdstrike/falcon-operator/pkg/common"
+ "github.com/go-logr/logr"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
@@ -397,7 +398,7 @@ func ImageAnalyzerDeployment(name string, namespace string, component string, im
 }
 
 // AdmissionDeployment returns a Deployment object for the CrowdStrike Falcon Admission Controller
-func AdmissionDeployment(name string, namespace string, component string, imageUri string, falconAdmission *falconv1alpha1.FalconAdmission) *appsv1.Deployment {
+func AdmissionDeployment(name string, namespace string, component string, imageUri string, falconAdmission *falconv1alpha1.FalconAdmission, log logr.Logger) *appsv1.Deployment {
 runNonRoot := true
 readOnlyRootFilesystem := true
 allowPrivilegeEscalation := false
@@ -466,6 +467,10 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 })
 }
 
+ if falconAdmission.Spec.AdmissionConfig.Replicas == nil || *falconAdmission.Spec.AdmissionConfig.Replicas != 1 {
+ log.Info("ignoring Replicas setting as only one is currently supported")
+ }
+
 return &appsv1.Deployment{
 TypeMeta: metav1.TypeMeta{
 APIVersion: appsv1.SchemeGroupVersion.String(),
diff --git a/internal/controller/assets/deployment_test.go b/internal/controller/assets/deployment_test.go
index fee7d003..062c114e 100644
--- a/internal/controller/assets/deployment_test.go
+++ b/internal/controller/assets/deployment_test.go
@@ -1,6 +1,7 @@
 package assets
 
 import (
+ "context"
 "testing"
 
 falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
@@ -11,6 +12,7 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // TestDeployment tests the Deployment function
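Review bot: The new condition logs "ignoring Replicas setting" when Replicas is nil, i.e. when nothing was set, and because AdmissionDeployment is called from reconcileAdmissionDeployment it repeats on every reconcile, so the message is both misleading and noisy. Restrict it to an explicit value other than 1 and include that value so the operator can see what was dropped: `if r := falconAdmission.Spec.AdmissionConfig.Replicas; r != nil && *r != 1 { log.Info("ignoring Replicas setting as only one is currently supported", "requested", *r) }`. A user who raised replicas for webhook availability is unlikely to read operator logs, so consider also surfacing this as a condition on the FalconAdmission status or a Kubernetes Event. AdmissionDeployment begins before this hunk and the log parameter it reads is only visible in the signature hunk above.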
@@ -36,12 +38,14 @@ func TestAdmissionDeployment(t *testing.T) {
 falconAdmission := &falconv1alpha1.FalconAdmission{}
 falconAdmission.Spec.AdmissionConfig.ResourcesClient = &corev1.ResourceRequirements{}
 falconAdmission.Spec.AdmissionConfig.ResourcesAC = &corev1.ResourceRequirements{}
- port := int32(123)
+ port := int32(1)
 falconAdmission.Spec.AdmissionConfig.Port = &port
+ falconAdmission.Spec.AdmissionConfig.Replicas = &port
 falconAdmission.Spec.AdmissionConfig.ContainerPort = &port
 
 want := testAdmissionDeployment("test", "test", "test", "test", falconAdmission)
- got := AdmissionDeployment("test", "test", "test", "test", falconAdmission)
+ logger := log.FromContext(context.Background())
+ got := AdmissionDeployment("test", "test", "test", "test", falconAdmission, logger)
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("Deployment() mismatch (-want +got): %s", diff)
 }
@@ -345,7 +349,7 @@ func testAdmissionDeployment(name string, namespace string, component string, im
 Labels: labels,
 },
 Spec: appsv1.DeploymentSpec{
- Replicas: &enforcedSingleReplica,
+ Replicas: falconAdmission.Spec.AdmissionConfig.Replicas,
 Selector: &metav1.LabelSelector{
 MatchLabels: labels,
 },

From 71cc60bdc8f3c610420037075b85746ef1268078 Mon Sep 17 00:00:00 2001
From: Milo Hyson
Date: Wed, 10 Jul 2024 11:42:05 -0700
Subject: [PATCH 3/3] fix: correct documentation template

---
 docs/deployment/openshift/resources/admission/README.md | 2 +-
 docs/resources/admission/README.md | 2 +-
 docs/src/resources/admission.md.tmpl | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/deployment/openshift/resources/admission/README.md b/docs/deployment/openshift/resources/admission/README.md
index aa4a5ae6..50562da0 100644
--- a/docs/deployment/openshift/resources/admission/README.md
+++ b/docs/deployment/openshift/resources/admission/README.md
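Review bot: Setting `falconAdmission.Spec.AdmissionConfig.Replicas = &port` with `port := int32(1)` feeds the implementation exactly the value it enforces, and the expected Deployment in the second hunk now reads that same spec pointer back, so the test no longer proves that another replica count is ignored; reverting the implementation to honour the spec would still pass. Use a distinct value and an independent expectation: `replicas := int32(3)` assigned to Replicas, with the helper building `Replicas: &one,` from `one := int32(1)`. Lowering the shared `port` from 123 to 1 in the process also weakens the Port and ContainerPort assertions for no reason. Since deployment.go already imports go-logr, `logr.Discard()` is a lighter test logger than `log.FromContext(context.Background())` and avoids the two new imports.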
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller |
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |
diff --git a/docs/resources/admission/README.md b/docs/resources/admission/README.md
index dcbd2580..4c9b113e 100644
--- a/docs/resources/admission/README.md
+++ b/docs/resources/admission/README.md
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Currently ignored and internally set to 1
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |
diff --git a/docs/src/resources/admission.md.tmpl b/docs/src/resources/admission.md.tmpl
index f533d677..0b692a9d 100644
--- a/docs/src/resources/admission.md.tmpl
+++ b/docs/src/resources/admission.md.tmpl
@@ -59,7 +59,7 @@ spec:
 | admissionConfig.tls.validity | (optional) Configure the validity of the TLS certificate used by the Falcon Admission Controller |
 | admissionConfig.failurePolicy | (optional) Configure the failure policy of the Falcon Admission Controller |
 | admissionConfig.disabledNamespaces.namespaces | (optional) Configure the list of namespaces the Falcon Admission Controller validating webhook should ignore |
-| admissionConfig.replicas | (optional) Configure the number of replicas of the Falcon Admission Controller |
+| admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.imagePullPolicy | (optional) Configure the image pull policy of the Falcon Admission Controller |
 | admissionConfig.imagePullSecrets | (optional) Configure the image pull secrets of the Falcon Admission Controller |
 | admissionConfig.resourcesClient | (optional) Configure the resources client of the Falcon Admission Controller |