From 51d917b1f72c923a334f522422c904358f331e60 Mon Sep 17 00:00:00 2001
From: Greg Pontejos
Date: Mon, 14 Oct 2024 16:57:33 -0500
Subject: [PATCH] fix: update OpenShift manifests for falcon-watcher
---
 Makefile | 2 +-
 ...falcon-operator.clusterserviceversion.yaml | 48 +++++++++++++++++--
 ...lcon.crowdstrike.com_falconadmissions.yaml | 20 ++++----
 ...lcon.crowdstrike.com_falconcontainers.yaml | 24 ++++++++++
 ...con.crowdstrike.com_falconnodesensors.yaml | 25 ++++++++++
 config/manager/kustomization.yaml | 2 +-
 ...falcon-operator.clusterserviceversion.yaml | 40 +++++++++++++++-
 7 files changed, 145 insertions(+), 16 deletions(-)
diff --git a/Makefile b/Makefile
index 6fa313f5..7d772010 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.3.0
+VERSION ?= 1.3.1
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
diff --git a/bundle/manifests/falcon-operator.clusterserviceversion.yaml b/bundle/manifests/falcon-operator.clusterserviceversion.yaml
index 2e49cc27..1b153984 100644
--- a/bundle/manifests/falcon-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/falcon-operator.clusterserviceversion.yaml
@@ -125,7 +125,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: Security,Monitoring
 containerImage: quay.io/crowdstrike/falcon-operator
- createdAt: "2024-08-23T19:08:01Z"
+ createdAt: "2024-10-14T21:55:08Z"
 description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "false"
@@ -142,7 +142,7 @@ metadata:
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
 repository: https://github.com/CrowdStrike/falcon-operator
 support: Community Only
- name: falcon-operator.v1.0.0
+ name: falcon-operator.v1.3.1
 namespace: placeholder
 spec:
 apiservicedefinitions: {}
@@ -285,7 +285,7 @@ spec:
 - description: Additional configuration for Falcon Admission Controller deployment.
 displayName: Falcon Admission Controller Configuration
 path: admissionConfig
- - description: Currently ignored and internally set to 1.
+ - description: Currently ignored and internally set to 1
 displayName: Admission Controller Replica Count
 path: admissionConfig.replicas
 x-descriptors:
@@ -346,6 +346,10 @@ spec:
 - description: Ignore admission control for a specific set of namespaces.
 displayName: Ignore Namespace List
 path: admissionConfig.disabledNamespaces
+ - description: Determines if with falcon-watcher container is included in the
+ Pod
+ displayName: Deploy Watcher Container
+ path: admissionConfig.deployWatcher
 - displayName: Falcon Admission Controller Watcher Resources
 path: admissionConfig.resourcesWatcher
 x-descriptors:
@@ -367,6 +371,10 @@ spec:
 kind: FalconContainer
 name: falconcontainers.falcon.crowdstrike.com
 specDescriptors:
+ - description: UpdatePolicy is the name of a sensor update policy configured
+ and enabled in Falcon UI. It is ignored when Image and/or Version are set.
+ displayName: Falcon Sensor Update Policy
+ path: advanced.updatePolicy
 - displayName: Falcon Sensor Configuration
 path: falcon
 - description: Falcon Customer ID (CID)
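Review bot: The `deployWatcher` description added in hunk `@@ -346,6 +346,10 @@` reads `Determines if with falcon-watcher container is included in the Pod`, which is ungrammatical and does not say what an operator loses by setting it to `false`; the same text recurs in the CRD hunk `@@ -56,6 +56,11 @@` of bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml and in the base CSV hunk `@@ -225,6 +225,10 @@`. Because the bundle is generated, the wording belongs in the Go type's doc comment with the manifests regenerated, not patched here. A suggested reading, taking the default from the CRD hunk, is `Determines whether the falcon-watcher container is included in the admission controller Pod. Defaults to true; set to false to omit the watcher, in which case admissionConfig.resourcesWatcher has no effect.` The clause about resourcesWatcher is inferred from the neighbouring descriptor and should be confirmed against the controller before it is written down.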
@@ -400,6 +408,13 @@ spec:
 - description: Type of container registry to be used
 displayName: Registry Type
 path: registry.type
+ - description: AutoUpdate determines whether to install new versions of the
+ sensor as they become available. Defaults to "off" and is ignored if FalconAPI
+ is not set. Setting this to "force" causes the reconciler to run on every
+ polling cycle, even if a new sensor version is not available. Setting it
+ to "normal" only reconciles when a new version is detected.
+ displayName: Falcon Sensor Automatic Updates
+ path: advanced.autoUpdate
 - description: Installation token that prevents unauthorized hosts from being accidentally or maliciously added to your customer ID (CID).
 displayName: Provisioning Token
@@ -499,6 +514,12 @@ spec:
 path: injector.azureConfigPath
 - displayName: Injector replica count
 path: injector.replicas
+ - description: Advanced configures various options that go against industry
+ practices or are otherwise not recommended for use. Adjusting these settings
+ may result in incorrect or undesirable behavior. Proceed at your own risk.
+ For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+ displayName: Falcon Container Advanced Settings
+ path: advanced
 - description: Define annotations that will be passed down to the Service Account. This is useful for passing along AWS IAM Role or GCP Workload Identity.
 displayName: Annotations
@@ -681,6 +702,10 @@ spec:
 path: installNamespace
 x-descriptors:
 - urn:alm:descriptor:io.kubernetes:Namespace
+ - description: UpdatePolicy is the name of a sensor update policy configured
+ and enabled in Falcon UI. It is ignored when Image and/or Version are set.
+ displayName: Falcon Sensor Update Policy
+ path: node.advanced.updatePolicy
 - description: ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location.
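Review bot: The `advanced.autoUpdate` description added in hunk `@@ -400,6 +408,13 @@` states that the setting is ignored when FalconAPI is not set, but is silent on whether it is honoured when `image` or `version` are set, whereas the sibling `updatePolicy` descriptor explicitly says it is ignored in that case; an operator who pins the sensor image for supply-chain control cannot tell from this text whether `normal` or `force` can move the deployment off that pin. The same description is added for `node.advanced.autoUpdate` in hunk `@@ -697,6 +722,13 @@`, in the CRD hunks of falcon.crowdstrike.com_falconcontainers.yaml and falcon.crowdstrike.com_falconnodesensors.yaml, and in the base CSV hunks `@@ -279,6 +287,13 @@` and `@@ -576,6 +601,13 @@`; all come from one Go doc comment, so fix it there and regenerate. If the precedence matches updatePolicy, append `It is ignored when Image and/or Version are set.`; if not, state the actual rule, since that is the sentence a reviewer of a pinned deployment will look for. The descriptor also carries no `x-descriptors`, so the OLM form renders a free-text field even though the CRD restricts the value to `off`, `normal` or `force`; OLM's `urn:alm:descriptor:com.tectonic.ui:select:` descriptors, one per allowed value, would surface the enum in the UI if that is wanted.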
@@ -697,6 +722,13 @@ spec:
 path: falcon_api.client_secret
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:password
+ - description: AutoUpdate determines whether to install new versions of the
+ sensor as they become available. Defaults to "off" and is ignored if FalconAPI
+ is not set. Setting this to "force" causes the reconciler to run on every
+ polling cycle, even if a new sensor version is not available. Setting it
+ to "normal" only reconciles when a new version is detected.
+ displayName: Falcon Sensor Automatic Updates
+ path: node.advanced.autoUpdate
 - description: Location of the Falcon Sensor image. Use only in cases when you mirror the original image to your repository/name:tag
 displayName: Image
@@ -781,6 +813,12 @@ spec:
 Autopilot clusters, but can be set for any cluster.
 displayName: Priority Class
 path: node.priorityClass
+ - description: Advanced configures various options that go against industry
+ practices or are otherwise not recommended for use. Adjusting these settings
+ may result in incorrect or undesirable behavior. Proceed at your own risk.
+ For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+ displayName: DaemonSet Advanced Settings
+ path: node.advanced
 - description: Enables the use of GKE Autopilot.
 displayName: Enabled
 path: node.gke.autopilot
@@ -1322,7 +1360,7 @@ spec:
 fieldPath: metadata.annotations['olm.targetNamespaces']
 - name: OPERATOR_NAME
 value: falcon-operator
- image: quay.io/crowdstrike/falcon-operator:1.2.0
+ image: quay.io/crowdstrike/falcon-operator:1.3.1
 livenessProbe:
 httpGet:
 path: /healthz
@@ -1417,4 +1455,4 @@ spec:
 provider:
 name: CrowdStrike
 url: https://crowdStrike.com
- version: 1.0.0
+ version: 1.3.1
diff --git a/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml b/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
index eef89a09..abb9962d 100644
--- a/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
+++ b/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
@@ -56,6 +56,11 @@ spec:
 minimum: 0
 type: integer
 x-kubernetes-int-or-string: true
+ deployWatcher:
+ default: true
+ description: Determines if with falcon-watcher container is included
+ in the Pod
+ type: boolean
 disabledNamespaces:
 description: Ignore admission control for a specific set of namespaces.
 properties:
@@ -99,8 +104,7 @@ spec:
 type: array
 replicas:
 default: 2
- description: Number of replicas for the Falcon Admission Controller
- deployment.
+ description: Currently ignored and internally set to 1
 format: int32
 maximum: 65535
 minimum: 0
@@ -110,10 +114,10 @@ spec:
 default:
 limits:
 cpu: 300m
- memory: 512Mi
+ memory: 256Mi
 requests:
 cpu: 300m
- memory: 512Mi
+ memory: 256Mi
 description: ResourceRequirements describes the compute resource requirements.
 properties:
@@ -167,10 +171,10 @@ spec:
 default:
 limits:
 cpu: 750m
- memory: 256Mi
+ memory: 384Mi
 requests:
 cpu: 500m
- memory: 256Mi
+ memory: 384Mi
 description: ResourceRequirements describes the compute resource requirements.
 properties:
@@ -224,10 +228,10 @@ spec:
 default:
 limits:
 cpu: 750m
- memory: 256Mi
+ memory: 384Mi
 requests:
 cpu: 500m
- memory: 256Mi
+ memory: 384Mi
 description: ResourceRequirements describes the compute resource requirements.
 properties:
diff --git a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml
index 9cd3ebc5..5d408952 100644
--- a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml
+++ b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml
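Review bot: The replaced `replicas` description in hunk `@@ -99,8 +104,7 @@` now says the field is `Currently ignored and internally set to 1`, yet the schema around it still advertises `default: 2` and `maximum: 65535`, so the OLM form and `kubectl explain` present a default the controller does not honour. A generated CRD cannot be corrected here; the Go field's default marker should be brought in line with the text, or the field marked deprecated, so that schema and description agree after the next regeneration. Pinning an admission webhook to a single replica is also an availability decision with a security consequence: depending on the webhook configuration's failurePolicy, which is not visible in this diff, an unavailable pod either blocks all admissions or lets them through unchecked, and the description should say which, e.g. `Currently ignored and internally set to 1; while that single replica is unavailable the webhook failurePolicy decides whether admissions are rejected or bypassed.`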
@@ -43,6 +43,30 @@ spec:
 spec:
 description: FalconContainerSpec defines the desired state of FalconContainer
 properties:
+ advanced:
+ description: Advanced configures various options that go against industry
+ practices or are otherwise not recommended for use. Adjusting these
+ settings may result in incorrect or undesirable behavior. Proceed
+ at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+ properties:
+ autoUpdate:
+ description: AutoUpdate determines whether to install new versions
+ of the sensor as they become available. Defaults to "off" and
+ is ignored if FalconAPI is not set. Setting this to "force"
+ causes the reconciler to run on every polling cycle, even if
+ a new sensor version is not available. Setting it to "normal"
+ only reconciles when a new version is detected.
+ enum:
+ - "off"
+ - normal
+ - force
+ type: string
+ updatePolicy:
+ description: UpdatePolicy is the name of a sensor update policy
+ configured and enabled in Falcon UI. It is ignored when Image
+ and/or Version are set.
+ type: string
+ type: object
 falcon:
 description: CrowdStrike Falcon Sensor configuration settings.
 properties:
diff --git a/bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml b/bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml
index 83a1b29a..ccb53ce2 100644
--- a/bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml
+++ b/bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml
@@ -138,6 +138,31 @@ spec:
 node:
 description: Various configuration for DaemonSet Deployment
 properties:
+ advanced:
+ description: Advanced configures various options that go against
+ industry practices or are otherwise not recommended for use.
+ Adjusting these settings may result in incorrect or undesirable
+ behavior. Proceed at your own risk. For more information, please
+ see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+ properties:
+ autoUpdate:
+ description: AutoUpdate determines whether to install new
+ versions of the sensor as they become available. Defaults
+ to "off" and is ignored if FalconAPI is not set. Setting
+ this to "force" causes the reconciler to run on every polling
+ cycle, even if a new sensor version is not available. Setting
+ it to "normal" only reconciles when a new version is detected.
+ enum:
+ - "off"
+ - normal
+ - force
+ type: string
+ updatePolicy:
+ description: UpdatePolicy is the name of a sensor update policy
+ configured and enabled in Falcon UI. It is ignored when
+ Image and/or Version are set.
+ type: string
+ type: object
 backend:
 default: bpf
 description: Sets the backend to be used by the DaemonSet Sensor.
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 66ed1272..4b9005bc 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -9,4 +9,4 @@ kind: Kustomization
 images:
 - name: controller
 newName: quay.io/crowdstrike/falcon-operator
- newTag: 1.0.0
+ newTag: 1.3.1
diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml
index 5fa8f882..ddfa7266 100644
--- a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml
@@ -164,7 +164,7 @@ spec:
 - description: Additional configuration for Falcon Admission Controller deployment.
 displayName: Falcon Admission Controller Configuration
 path: admissionConfig
- - description: Currently ignored and internally set to 1.
+ - description: Currently ignored and internally set to 1
 displayName: Admission Controller Replica Count
 path: admissionConfig.replicas
 x-descriptors:
@@ -225,6 +225,10 @@ spec:
 - description: Ignore admission control for a specific set of namespaces.
 displayName: Ignore Namespace List
 path: admissionConfig.disabledNamespaces
+ - description: Determines if with falcon-watcher container is included in the
+ Pod
+ displayName: Deploy Watcher Container
+ path: admissionConfig.deployWatcher
 - displayName: Falcon Admission Controller Watcher Resources
 path: admissionConfig.resourcesWatcher
 x-descriptors:
@@ -246,6 +250,10 @@ spec:
 kind: FalconContainer
 name: falconcontainers.falcon.crowdstrike.com
 specDescriptors:
+ - description: UpdatePolicy is the name of a sensor update policy configured
+ and enabled in Falcon UI. It is ignored when Image and/or Version are set.
+ displayName: Falcon Sensor Update Policy
+ path: advanced.updatePolicy
 - displayName: Falcon Sensor Configuration
 path: falcon
 - description: Falcon Customer ID (CID)
@@ -279,6 +287,13 @@ spec:
 - description: Type of container registry to be used
 displayName: Registry Type
 path: registry.type
+ - description: AutoUpdate determines whether to install new versions of the
+ sensor as they become available. Defaults to "off" and is ignored if FalconAPI
+ is not set. Setting this to "force" causes the reconciler to run on every
+ polling cycle, even if a new sensor version is not available. Setting it
+ to "normal" only reconciles when a new version is detected.
+ displayName: Falcon Sensor Automatic Updates
+ path: advanced.autoUpdate
 - description: Installation token that prevents unauthorized hosts from being accidentally or maliciously added to your customer ID (CID).
 displayName: Provisioning Token
@@ -378,6 +393,12 @@ spec:
 path: injector.azureConfigPath
 - displayName: Injector replica count
 path: injector.replicas
+ - description: Advanced configures various options that go against industry
+ practices or are otherwise not recommended for use. Adjusting these settings
+ may result in incorrect or undesirable behavior. Proceed at your own risk.
+ For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+ displayName: Falcon Container Advanced Settings
+ path: advanced
 - description: Define annotations that will be passed down to the Service Account. This is useful for passing along AWS IAM Role or GCP Workload Identity.
 displayName: Annotations
@@ -560,6 +581,10 @@ spec:
 path: installNamespace
 x-descriptors:
 - urn:alm:descriptor:io.kubernetes:Namespace
+ - description: UpdatePolicy is the name of a sensor update policy configured
+ and enabled in Falcon UI. It is ignored when Image and/or Version are set.
+ displayName: Falcon Sensor Update Policy
+ path: node.advanced.updatePolicy
 - description: ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location.
@@ -576,6 +601,13 @@ spec:
 path: falcon_api.client_secret
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:password
+ - description: AutoUpdate determines whether to install new versions of the
+ sensor as they become available. Defaults to "off" and is ignored if FalconAPI
+ is not set. Setting this to "force" causes the reconciler to run on every
+ polling cycle, even if a new sensor version is not available. Setting it
+ to "normal" only reconciles when a new version is detected.
+ displayName: Falcon Sensor Automatic Updates
+ path: node.advanced.autoUpdate
 - description: Location of the Falcon Sensor image. Use only in cases when you mirror the original image to your repository/name:tag
 displayName: Image
@@ -660,6 +692,12 @@ spec:
 Autopilot clusters, but can be set for any cluster.
 displayName: Priority Class
 path: node.priorityClass
+ - description: Advanced configures various options that go against industry
+ practices or are otherwise not recommended for use. Adjusting these settings
+ may result in incorrect or undesirable behavior. Proceed at your own risk.
+ For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+ displayName: DaemonSet Advanced Settings
+ path: node.advanced
 - description: Enables the use of GKE Autopilot.
 displayName: Enabled
 path: node.gke.autopilot