fix: update OpenShift manifests for falcon-watcher
gpontejos committed Oct 14, 2024
1 parent 936cf1a commit 51d917b
Showing 7 changed files with 145 additions and 16 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# To re-generate a bundle for another specific version without changing the standard setup, you can:
# - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
# - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
VERSION ?= 1.3.0
VERSION ?= 1.3.1

# CHANNELS define the bundle channels used in the bundle.
# Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
Expand Down
48 changes: 43 additions & 5 deletions bundle/manifests/falcon-operator.clusterserviceversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,7 @@ metadata:
capabilities: Seamless Upgrades
categories: Security,Monitoring
containerImage: quay.io/crowdstrike/falcon-operator
createdAt: "2024-08-23T19:08:01Z"
createdAt: "2024-10-14T21:55:08Z"
description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
Expand All @@ -142,7 +142,7 @@ metadata:
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
repository: https://github.com/CrowdStrike/falcon-operator
support: Community Only
name: falcon-operator.v1.0.0
name: falcon-operator.v1.3.1
namespace: placeholder
spec:
apiservicedefinitions: {}
Expand Down Expand Up @@ -285,7 +285,7 @@ spec:
- description: Additional configuration for Falcon Admission Controller deployment.
displayName: Falcon Admission Controller Configuration
path: admissionConfig
- description: Currently ignored and internally set to 1.
- description: Currently ignored and internally set to 1
displayName: Admission Controller Replica Count
path: admissionConfig.replicas
x-descriptors:
Expand Down Expand Up @@ -346,6 +346,10 @@ spec:
- description: Ignore admission control for a specific set of namespaces.
displayName: Ignore Namespace List
path: admissionConfig.disabledNamespaces
- description: Determines if with falcon-watcher container is included in the
Pod
displayName: Deploy Watcher Container
path: admissionConfig.deployWatcher
- displayName: Falcon Admission Controller Watcher Resources
path: admissionConfig.resourcesWatcher
x-descriptors:
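Review bot: The new `admissionConfig.deployWatcher` descriptor has a grammar slip in its description ("Determines if with falcon-watcher container is included in the Pod") and, unlike the `admissionConfig.resourcesWatcher` entry right after it, carries no `x-descriptors`. Suggest "Determines if the falcon-watcher container is included in the Pod", corrected where the text is defined so the CRD schema and both CSV copies regenerate with the fix, and consider `urn:alm:descriptor:com.tectonic.ui:booleanSwitch` so the console renders the boolean as a toggle.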
Expand All @@ -367,6 +371,10 @@ spec:
kind: FalconContainer
name: falconcontainers.falcon.crowdstrike.com
specDescriptors:
- description: UpdatePolicy is the name of a sensor update policy configured
and enabled in Falcon UI. It is ignored when Image and/or Version are set.
displayName: Falcon Sensor Update Policy
path: advanced.updatePolicy
- displayName: Falcon Sensor Configuration
path: falcon
- description: Falcon Customer ID (CID)
Expand Down Expand Up @@ -400,6 +408,13 @@ spec:
- description: Type of container registry to be used
displayName: Registry Type
path: registry.type
- description: AutoUpdate determines whether to install new versions of the
sensor as they become available. Defaults to "off" and is ignored if FalconAPI
is not set. Setting this to "force" causes the reconciler to run on every
polling cycle, even if a new sensor version is not available. Setting it
to "normal" only reconciles when a new version is detected.
displayName: Falcon Sensor Automatic Updates
path: advanced.autoUpdate
- description: Installation token that prevents unauthorized hosts from being
accidentally or maliciously added to your customer ID (CID).
displayName: Provisioning Token
Expand Down Expand Up @@ -499,6 +514,12 @@ spec:
path: injector.azureConfigPath
- displayName: Injector replica count
path: injector.replicas
- description: Advanced configures various options that go against industry
practices or are otherwise not recommended for use. Adjusting these settings
may result in incorrect or undesirable behavior. Proceed at your own risk.
For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
displayName: Falcon Container Advanced Settings
path: advanced
- description: Define annotations that will be passed down to the Service Account.
This is useful for passing along AWS IAM Role or GCP Workload Identity.
displayName: Annotations
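Review bot: The `advanced` description links to `docs/ADVANCED.md` on the `main` branch, so the warning text shipped inside the 1.3.1 bundle will point at whatever that file says in the future rather than at the documentation for this release. Since the description tells users to "Proceed at your own risk" on the strength of that document, consider linking to the release tag instead of `main`.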
Expand Down Expand Up @@ -681,6 +702,10 @@ spec:
path: installNamespace
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Namespace
- description: UpdatePolicy is the name of a sensor update policy configured
and enabled in Falcon UI. It is ignored when Image and/or Version are set.
displayName: Falcon Sensor Update Policy
path: node.advanced.updatePolicy
- description: ImagePullSecrets is an optional list of references to secrets
in the falcon-system namespace to use for pulling image from image_override
location.
Expand All @@ -697,6 +722,13 @@ spec:
path: falcon_api.client_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:password
- description: AutoUpdate determines whether to install new versions of the
sensor as they become available. Defaults to "off" and is ignored if FalconAPI
is not set. Setting this to "force" causes the reconciler to run on every
polling cycle, even if a new sensor version is not available. Setting it
to "normal" only reconciles when a new version is detected.
displayName: Falcon Sensor Automatic Updates
path: node.advanced.autoUpdate
- description: Location of the Falcon Sensor image. Use only in cases when you
mirror the original image to your repository/name:tag
displayName: Image
Expand Down Expand Up @@ -781,6 +813,12 @@ spec:
Autopilot clusters, but can be set for any cluster.
displayName: Priority Class
path: node.priorityClass
- description: Advanced configures various options that go against industry
practices or are otherwise not recommended for use. Adjusting these settings
may result in incorrect or undesirable behavior. Proceed at your own risk.
For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
displayName: DaemonSet Advanced Settings
path: node.advanced
- description: Enables the use of GKE Autopilot.
displayName: Enabled
path: node.gke.autopilot
Expand Down Expand Up @@ -1322,7 +1360,7 @@ spec:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: OPERATOR_NAME
value: falcon-operator
image: quay.io/crowdstrike/falcon-operator:1.2.0
image: quay.io/crowdstrike/falcon-operator:1.3.1
livenessProbe:
httpGet:
path: /healthz
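Review bot: The manager image is still referenced by mutable tag (`image: quay.io/crowdstrike/falcon-operator:1.3.1`), so the CSV does not pin which image actually gets pulled. For the operator of a security sensor, consider publishing the bundle with a digest reference (`quay.io/crowdstrike/falcon-operator@sha256:<digest>`, placeholder) so the CSV identifies exactly one image and a retagged or replaced `1.3.1` cannot change what the cluster runs.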
Expand Down Expand Up @@ -1417,4 +1455,4 @@ spec:
provider:
name: CrowdStrike
url: https://crowdStrike.com
version: 1.0.0
version: 1.3.1
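Review bot: Before this change the CSV declared `version: 1.0.0` and `name: falcon-operator.v1.0.0` while its deployment pulled `falcon-operator:1.2.0` and the Makefile was already at `VERSION ?= 1.3.0`, so the bundle metadata had drifted across several releases. Worth adding a CI check that fails when regenerating the bundle produces a diff or when these values disagree, and splitting the version sync out of a commit titled as a falcon-watcher manifest fix so the history shows when the bundle version actually changed.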
20 changes: 12 additions & 8 deletions bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,11 @@ spec:
minimum: 0
type: integer
x-kubernetes-int-or-string: true
deployWatcher:
default: true
description: Determines if with falcon-watcher container is included
in the Pod
type: boolean
disabledNamespaces:
description: Ignore admission control for a specific set of namespaces.
properties:
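Review bot: `deployWatcher` defaults to `true`, but the description does not say what is lost when it is set to `false`. Because the field removes a container from the admission controller Pod, the description should state the effect of disabling it, so that someone reviewing a FalconAdmission resource with `deployWatcher: false` can tell what coverage is missing.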
Expand Down Expand Up @@ -99,8 +104,7 @@ spec:
type: array
replicas:
default: 2
description: Number of replicas for the Falcon Admission Controller
deployment.
description: Currently ignored and internally set to 1
format: int32
maximum: 65535
minimum: 0
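Review bot: `replicas` now documents itself as "Currently ignored and internally set to 1", but the schema keeps `default: 2` and `maximum: 65535`, so the API still accepts and displays values that have no effect. Either set the default to 1 or extend the description to say why the value is ignored and when it will be honored, so nobody reading the resource assumes two admission controller replicas are running.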
Expand All @@ -110,10 +114,10 @@ spec:
default:
limits:
cpu: 300m
memory: 512Mi
memory: 256Mi
requests:
cpu: 300m
memory: 512Mi
memory: 256Mi
description: ResourceRequirements describes the compute resource
requirements.
properties:
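Review bot: This default drops from `memory: 512Mi` to `256Mi` for both limit and request, while the two resource blocks in the following hunks rise from `256Mi` to `384Mi`, and the commit message explains none of it. Resources created without an explicit value will pick up the lower limit; please record the reasoning (measured usage, and which container each block applies to) in the commit message or changelog, because an OOM-killed admission controller container is an availability problem for the control it provides.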
Expand Down Expand Up @@ -167,10 +171,10 @@ spec:
default:
limits:
cpu: 750m
memory: 256Mi
memory: 384Mi
requests:
cpu: 500m
memory: 256Mi
memory: 384Mi
description: ResourceRequirements describes the compute resource
requirements.
properties:
Expand Down Expand Up @@ -224,10 +228,10 @@ spec:
default:
limits:
cpu: 750m
memory: 256Mi
memory: 384Mi
requests:
cpu: 500m
memory: 256Mi
memory: 384Mi
description: ResourceRequirements describes the compute resource
requirements.
properties:
Expand Down
24 changes: 24 additions & 0 deletions bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,30 @@ spec:
spec:
description: FalconContainerSpec defines the desired state of FalconContainer
properties:
advanced:
description: Advanced configures various options that go against industry
practices or are otherwise not recommended for use. Adjusting these
settings may result in incorrect or undesirable behavior. Proceed
at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
properties:
autoUpdate:
description: AutoUpdate determines whether to install new versions
of the sensor as they become available. Defaults to "off" and
is ignored if FalconAPI is not set. Setting this to "force"
causes the reconciler to run on every polling cycle, even if
a new sensor version is not available. Setting it to "normal"
only reconciles when a new version is detected.
enum:
- "off"
- normal
- force
type: string
updatePolicy:
description: UpdatePolicy is the name of a sensor update policy
configured and enabled in Falcon UI. It is ignored when Image
and/or Version are set.
type: string
type: object
falcon:
description: CrowdStrike Falcon Sensor configuration settings.
properties:
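Review bot: The `autoUpdate` description says it defaults to "off", but the schema lists only the `enum` and has no `default:` key, so the default is not expressed in the CRD and depends on the controller. Adding `default: "off"` would make the conservative value explicit to `kubectl explain` and to anyone auditing stored objects; the description should also say how `autoUpdate` and `updatePolicy` interact, since only the Image/Version precedence is stated.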
Expand Down
25 changes: 25 additions & 0 deletions bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,31 @@ spec:
node:
description: Various configuration for DaemonSet Deployment
properties:
advanced:
description: Advanced configures various options that go against
industry practices or are otherwise not recommended for use.
Adjusting these settings may result in incorrect or undesirable
behavior. Proceed at your own risk. For more information, please
see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
properties:
autoUpdate:
description: AutoUpdate determines whether to install new
versions of the sensor as they become available. Defaults
to "off" and is ignored if FalconAPI is not set. Setting
this to "force" causes the reconciler to run on every polling
cycle, even if a new sensor version is not available. Setting
it to "normal" only reconciles when a new version is detected.
enum:
- "off"
- normal
- force
type: string
updatePolicy:
description: UpdatePolicy is the name of a sensor update policy
configured and enabled in Falcon UI. It is ignored when
Image and/or Version are set.
type: string
type: object
backend:
default: bpf
description: Sets the backend to be used by the DaemonSet Sensor.
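Review bot: For the DaemonSet, the `autoUpdate` text says "force" makes the reconciler run on every polling cycle even without a new sensor version, but not whether that restarts sensor pods on the nodes, and `updatePolicy` is an unconstrained `type: string` with no stated behavior when the named policy does not exist or is not enabled. Please document both outcomes in the descriptions, since either one can leave nodes running a different sensor version than the operator's configuration suggests.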
Expand Down
2 changes: 1 addition & 1 deletion config/manager/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ kind: Kustomization
images:
- name: controller
newName: quay.io/crowdstrike/falcon-operator
newTag: 1.0.0
newTag: 1.3.1
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ spec:
- description: Additional configuration for Falcon Admission Controller deployment.
displayName: Falcon Admission Controller Configuration
path: admissionConfig
- description: Currently ignored and internally set to 1.
- description: Currently ignored and internally set to 1
displayName: Admission Controller Replica Count
path: admissionConfig.replicas
x-descriptors:
Expand Down Expand Up @@ -225,6 +225,10 @@ spec:
- description: Ignore admission control for a specific set of namespaces.
displayName: Ignore Namespace List
path: admissionConfig.disabledNamespaces
- description: Determines if with falcon-watcher container is included in the
Pod
displayName: Deploy Watcher Container
path: admissionConfig.deployWatcher
- displayName: Falcon Admission Controller Watcher Resources
path: admissionConfig.resourcesWatcher
x-descriptors:
Expand All @@ -246,6 +250,10 @@ spec:
kind: FalconContainer
name: falconcontainers.falcon.crowdstrike.com
specDescriptors:
- description: UpdatePolicy is the name of a sensor update policy configured
and enabled in Falcon UI. It is ignored when Image and/or Version are set.
displayName: Falcon Sensor Update Policy
path: advanced.updatePolicy
- displayName: Falcon Sensor Configuration
path: falcon
- description: Falcon Customer ID (CID)
Expand Down Expand Up @@ -279,6 +287,13 @@ spec:
- description: Type of container registry to be used
displayName: Registry Type
path: registry.type
- description: AutoUpdate determines whether to install new versions of the
sensor as they become available. Defaults to "off" and is ignored if FalconAPI
is not set. Setting this to "force" causes the reconciler to run on every
polling cycle, even if a new sensor version is not available. Setting it
to "normal" only reconciles when a new version is detected.
displayName: Falcon Sensor Automatic Updates
path: advanced.autoUpdate
- description: Installation token that prevents unauthorized hosts from being
accidentally or maliciously added to your customer ID (CID).
displayName: Provisioning Token
Expand Down Expand Up @@ -378,6 +393,12 @@ spec:
path: injector.azureConfigPath
- displayName: Injector replica count
path: injector.replicas
- description: Advanced configures various options that go against industry
practices or are otherwise not recommended for use. Adjusting these settings
may result in incorrect or undesirable behavior. Proceed at your own risk.
For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
displayName: Falcon Container Advanced Settings
path: advanced
- description: Define annotations that will be passed down to the Service Account.
This is useful for passing along AWS IAM Role or GCP Workload Identity.
displayName: Annotations
Expand Down Expand Up @@ -560,6 +581,10 @@ spec:
path: installNamespace
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Namespace
- description: UpdatePolicy is the name of a sensor update policy configured
and enabled in Falcon UI. It is ignored when Image and/or Version are set.
displayName: Falcon Sensor Update Policy
path: node.advanced.updatePolicy
- description: ImagePullSecrets is an optional list of references to secrets
in the falcon-system namespace to use for pulling image from image_override
location.
Expand All @@ -576,6 +601,13 @@ spec:
path: falcon_api.client_secret
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:password
- description: AutoUpdate determines whether to install new versions of the
sensor as they become available. Defaults to "off" and is ignored if FalconAPI
is not set. Setting this to "force" causes the reconciler to run on every
polling cycle, even if a new sensor version is not available. Setting it
to "normal" only reconciles when a new version is detected.
displayName: Falcon Sensor Automatic Updates
path: node.advanced.autoUpdate
- description: Location of the Falcon Sensor image. Use only in cases when you
mirror the original image to your repository/name:tag
displayName: Image
Expand Down Expand Up @@ -660,6 +692,12 @@ spec:
Autopilot clusters, but can be set for any cluster.
displayName: Priority Class
path: node.priorityClass
- description: Advanced configures various options that go against industry
practices or are otherwise not recommended for use. Adjusting these settings
may result in incorrect or undesirable behavior. Proceed at your own risk.
For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
displayName: DaemonSet Advanced Settings
path: node.advanced
- description: Enables the use of GKE Autopilot.
displayName: Enabled
path: node.gke.autopilot
Expand Down
