From b10105c2148904a7d0d01257189e04e8664c01c1 Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Thu, 2 May 2024 10:29:14 -0600 Subject: [PATCH] feat: allow sidecar sensor to customize namespace - Useful for mixed EKS clusters - Prevents running a non-privileged workload next to a privileged workload --- api/falcon/v1alpha1/falconcontainer_types.go | 7 ++++++ ...lcon.crowdstrike.com_falconcontainers.yaml | 8 +++++++ deploy/falcon-operator.yaml | 8 +++++++ .../openshift/resources/container/README.md | 1 + docs/resources/container/README.md | 1 + docs/src/resources/container.md.tmpl | 1 + .../controller/falcon_container/configmap.go | 8 +++---- .../falconcontainer_controller.go | 22 +++++++++++++++-- .../controller/falcon_container/image_push.go | 2 +- .../controller/falcon_container/injector.go | 14 +++++------ internal/controller/falcon_container/ns.go | 24 +++++++------------ internal/controller/falcon_container/rbac.go | 6 ++--- .../controller/falcon_container/registry.go | 4 ++-- .../controller/falcon_container/service.go | 4 ++-- .../controller/falcon_container/webhook.go | 2 +- 15 files changed, 74 insertions(+), 38 deletions(-) diff --git a/api/falcon/v1alpha1/falconcontainer_types.go b/api/falcon/v1alpha1/falconcontainer_types.go index a8d88cc9..94133e1f 100644 --- a/api/falcon/v1alpha1/falconcontainer_types.go +++ b/api/falcon/v1alpha1/falconcontainer_types.go 
@@ -14,6 +14,13 @@ type FalconContainerSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file + // Namespace where the Falcon Sensor should be installed. + // For best security practices, this should be a dedicated namespace that is not used for any other purpose. + // It also should not be the same namespace where the Falcon Operator, or other Falcon resources are deployed. + // +kubebuilder:default:=falcon-system + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"} + InstallNamespace string `json:"installNamespace,omitempty"` + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Configuration",order=1 Falcon FalconSensor `json:"falcon,omitempty"` // FalconAPI configures connection from your local Falcon operator to CrowdStrike Falcon platform. diff --git a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml index 3f6c3f89..27b849ee 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml @@ -1877,6 +1877,14 @@ spec: x-kubernetes-int-or-string: true type: object type: object + installNamespace: + default: falcon-system + description: Namespace where the Falcon Sensor should be installed. + For best security practices, this should be a dedicated namespace + that is not used for any other purpose. It also should not be the + same namespace where the Falcon Operator, or other Falcon resources + are deployed. + type: string registry: description: Registry configures container image registry to which the Falcon Container image will be pushed diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index 2319b0bc..d9ab0e20 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml 
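Review bot: `InstallNamespace` is defaulted but neither validated nor made immutable, and the rest of this patch keys every namespaced Get/Create (ns.go, injector.go, service.go, rbac.go) off its current value, so editing it on a live CR appears to leave the previous namespace, injector Deployment, TLS Secret and ServiceAccount in place while a second copy is stood up elsewhere — nothing in the patch deletes the old set. If moving namespaces is not meant to be supported, pin the field with `// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="installNamespace is immutable"` (CEL validation needs a reasonably recent API server; confirm against the cluster versions the operator supports), otherwise the doc comment should say that the old namespace and its contents must be removed by hand. A `// +kubebuilder:validation:MinLength=1` would additionally reject an explicit empty string, which the default alone does not cover. The enclosing `FalconContainerSpec` struct begins before this hunk.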
@@ -2437,6 +2437,14 @@ spec: x-kubernetes-int-or-string: true type: object type: object + installNamespace: + default: falcon-system + description: Namespace where the Falcon Sensor should be installed. + For best security practices, this should be a dedicated namespace + that is not used for any other purpose. It also should not be the + same namespace where the Falcon Operator, or other Falcon resources + are deployed. + type: string registry: description: Registry configures container image registry to which the Falcon Container image will be pushed diff --git a/docs/deployment/openshift/resources/container/README.md b/docs/deployment/openshift/resources/container/README.md index 8f72089f..01df3be2 100644 --- a/docs/deployment/openshift/resources/container/README.md +++ b/docs/deployment/openshift/resources/container/README.md @@ -55,6 +55,7 @@ spec: #### Sidecar Injection Configuration Settings | Spec | Description | | :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| installNamespace | (optional) Override the default namespace of falcon-sidecar | | image | (optional) Leverage a Falcon Container Sensor image that is not managed by the operator; typically used with custom repositories; overrides all registry settings; might require injector.imagePullSecretName to be set | | version | (optional) Enforce particular Falcon Container version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | | registry.type | Registry to mirror Falcon Container (allowed values: acr, ecr, crowdstrike, gcr, openshift) | diff --git a/docs/resources/container/README.md b/docs/resources/container/README.md index adcea885..5de7ca2f 100644 --- a/docs/resources/container/README.md +++ b/docs/resources/container/README.md 
@@ -55,6 +55,7 @@ spec: #### Sidecar Injection Configuration Settings | Spec | Description | | :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| installNamespace | (optional) Override the default namespace of falcon-sidecar | | image | (optional) Leverage a Falcon Container Sensor image that is not managed by the operator; typically used with custom repositories; overrides all registry settings; might require injector.imagePullSecretName to be set | | version | (optional) Enforce particular Falcon Container version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | | registry.type | Registry to mirror Falcon Container (allowed values: acr, ecr, crowdstrike, gcr, openshift) | diff --git a/docs/src/resources/container.md.tmpl b/docs/src/resources/container.md.tmpl index dbf505a6..aacbadad 100644 --- a/docs/src/resources/container.md.tmpl +++ b/docs/src/resources/container.md.tmpl @@ -55,6 +55,7 @@ spec: #### Sidecar Injection Configuration Settings | Spec | Description | | :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| installNamespace | (optional) Override the default namespace of falcon-sidecar | | image | (optional) Leverage a Falcon Container Sensor image that is not managed by the operator; typically used with custom repositories; overrides all registry settings; might require injector.imagePullSecretName to be set | | version | (optional) Enforce particular Falcon Container version to be installed (example: "6.31", "6.31.0", "6.31.0-1409") | | registry.type | Registry to mirror Falcon Container (allowed values: acr, ecr, crowdstrike, gcr, openshift) | 
diff --git a/internal/controller/falcon_container/configmap.go b/internal/controller/falcon_container/configmap.go index 287816b6..a6c8cd1d 100644 --- a/internal/controller/falcon_container/configmap.go +++ b/internal/controller/falcon_container/configmap.go @@ -32,7 +32,7 @@ func (r *FalconContainerReconciler) reconcileGenericConfigMap(name string, genFu return configMap, fmt.Errorf("unable to render expected configmap: %v", err) } existingConfigMap := &corev1.ConfigMap{} - err = r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: r.Namespace()}, existingConfigMap) + err = r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: falconContainer.Spec.InstallNamespace}, existingConfigMap) if err != nil { if errors.IsNotFound(err) { if err = ctrl.SetControllerReference(falconContainer, configMap, r.Scheme); err != nil { @@ -55,14 +55,14 @@ func (r *FalconContainerReconciler) newCABundleConfigMap(ctx context.Context, lo if falconContainer.Spec.Registry.TLS.CACertificate != "" { data["tls.crt"] = string(common.DecodeBase64Interface(falconContainer.Spec.Registry.TLS.CACertificate)) - return assets.SensorConfigMap(registryCABundleConfigMapName, r.Namespace(), common.FalconSidecarSensor, data), nil + return assets.SensorConfigMap(registryCABundleConfigMapName, falconContainer.Spec.InstallNamespace, common.FalconSidecarSensor, data), nil } return &corev1.ConfigMap{}, fmt.Errorf("unable to determine contents of Registry TLS CACertificate attribute") } func (r *FalconContainerReconciler) newConfigMap(ctx context.Context, log logr.Logger, falconContainer *falconv1alpha1.FalconContainer) (*corev1.ConfigMap, error) { data := common.MakeSensorEnvMap(falconContainer.Spec.Falcon) - data["CP_NAMESPACE"] = r.Namespace() + data["CP_NAMESPACE"] = falconContainer.Spec.InstallNamespace data["FALCON_INJECTOR_LISTEN_PORT"] = strconv.Itoa(int(*falconContainer.Spec.Injector.ListenPort)) imageUri, err := r.imageUri(ctx, falconContainer) 
@@ -117,5 +117,5 @@ func (r *FalconContainerReconciler) newConfigMap(ctx context.Context, log logr.L } } - return assets.SensorConfigMap(injectorConfigMapName, r.Namespace(), common.FalconSidecarSensor, data), nil + return assets.SensorConfigMap(injectorConfigMapName, falconContainer.Spec.InstallNamespace, common.FalconSidecarSensor, data), nil } diff --git a/internal/controller/falcon_container/falconcontainer_controller.go b/internal/controller/falcon_container/falconcontainer_controller.go index 28d32662..197e337c 100644 --- a/internal/controller/falcon_container/falconcontainer_controller.go +++ b/internal/controller/falcon_container/falconcontainer_controller.go @@ -96,6 +96,24 @@ func (r *FalconContainerReconciler) Reconcile(ctx context.Context, req ctrl.Requ } } + validate, err := k8sutils.CheckRunningPodLabels(r.Client, ctx, falconContainer.Spec.InstallNamespace, common.CRLabels("deployment", injectorName, common.FalconSidecarSensor)) + if err != nil { + return ctrl.Result{}, err + } + if !validate { + err = r.StatusUpdate(ctx, req, log, falconContainer, + falconv1alpha1.ConditionFailed, + metav1.ConditionFalse, + falconv1alpha1.ReasonReqNotMet, + "FalconContainer must not be installed in a namespace with other workloads running. Please change the namespace in the CR configuration.", + ) + if err != nil { + return ctrl.Result{}, err + } + log.Error(nil, "FalconContainer is attempting to install in a namespace with existing pods. Please update the CR configuration to a namespace that does not have workoads already running.", "namespace", falconContainer.Spec.InstallNamespace, "labels", common.CRLabels("deployment", falconContainer.Name, common.FalconSidecarSensor)) + return ctrl.Result{}, nil + } + if falconContainer.Status.Version != version.Get() { falconContainer.Status.Version = version.Get() err := retry.RetryOnConflict(retry.DefaultRetry, func() error { 
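Review bot: The labels logged on the `log.Error` line are not the ones that were checked: `CheckRunningPodLabels` is called with `common.CRLabels("deployment", injectorName, common.FalconSidecarSensor)` while the log reports `common.CRLabels("deployment", falconContainer.Name, common.FalconSidecarSensor)`, which will mislead whoever debugs a rejected install; use `injectorName` in both places, and fix `workoads` in the same message. The block also trusts `falconContainer.Spec.InstallNamespace` to be non-empty, which only holds when the CRD default was applied — a CR admitted under an older CRD, or a client that sends the field as an empty string, reaches every namespaced Get/Create in this patch with an empty namespace; a guard before the check, e.g. `if falconContainer.Spec.InstallNamespace == "" { return ctrl.Result{}, fmt.Errorf("spec.installNamespace must be set") }` (or a status condition like the one below it), would fail fast with a clear message. Whether the check tolerates the injector's own pods once they are running depends on `CheckRunningPodLabels`, which is outside this hunk; a one-line comment on the call stating that intent would help the next reader. `Reconcile` continues outside the hunk.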
@@ -250,7 +268,7 @@ func (r *FalconContainerReconciler) Reconcile(ctx context.Context, req ctrl.Requ return ctrl.Result{}, fmt.Errorf("failed to reconcile injector Service: %v", err) } - pod, err := k8sutils.GetReadyPod(r.Client, ctx, r.Namespace(), map[string]string{common.FalconComponentKey: common.FalconSidecarSensor}) + pod, err := k8sutils.GetReadyPod(r.Client, ctx, falconContainer.Spec.InstallNamespace, map[string]string{common.FalconComponentKey: common.FalconSidecarSensor}) if err != nil && err.Error() != "No webhook service pod found in a Ready state" { err = r.StatusUpdate(ctx, req, log, falconContainer, falconv1alpha1.ConditionFailed, metav1.ConditionFalse, "Reconciling", fmt.Sprintf("failed to find Ready injector pod: %v", err)) if err != nil { @@ -259,7 +277,7 @@ func (r *FalconContainerReconciler) Reconcile(ctx context.Context, req ctrl.Requ return ctrl.Result{}, fmt.Errorf("failed to find Ready injector pod: %v", err) } if pod.Name == "" { - log.Info("Looking for a Ready injector pod", "namespace", r.Namespace()) + log.Info("Looking for a Ready injector pod", "namespace", falconContainer.Spec.InstallNamespace) return ctrl.Result{RequeueAfter: 5 * time.Second}, nil } diff --git a/internal/controller/falcon_container/image_push.go b/internal/controller/falcon_container/image_push.go index ae2c21c0..6fa32722 100644 --- a/internal/controller/falcon_container/image_push.go +++ b/internal/controller/falcon_container/image_push.go @@ -228,7 +228,7 @@ func (r *FalconContainerReconciler) imageNamespace(falconContainer *falconv1alph // is shared and images pushed there can be referenced by deployments in other namespaces return "openshift" } - return r.Namespace() + return falconContainer.Spec.InstallNamespace } func (r *FalconContainerReconciler) falconApiConfig(ctx context.Context, falconContainer *falconv1alpha1.FalconContainer) *falcon.ApiConfig { 
diff --git a/internal/controller/falcon_container/injector.go b/internal/controller/falcon_container/injector.go index ee8680b3..07aba60c 100644 --- a/internal/controller/falcon_container/injector.go +++ b/internal/controller/falcon_container/injector.go @@ -29,7 +29,7 @@ const ( func (r *FalconContainerReconciler) reconcileInjectorTLSSecret(ctx context.Context, log logr.Logger, falconContainer *falconv1alpha1.FalconContainer) (*corev1.Secret, error) { existingInjectorTLSSecret := &corev1.Secret{} - err := r.Client.Get(ctx, types.NamespacedName{Name: injectorTLSSecretName, Namespace: r.Namespace()}, existingInjectorTLSSecret) + err := r.Client.Get(ctx, types.NamespacedName{Name: injectorTLSSecretName, Namespace: falconContainer.Spec.InstallNamespace}, existingInjectorTLSSecret) if err != nil { if errors.IsNotFound(err) { validity := 3650 @@ -38,11 +38,11 @@ func (r *FalconContainerReconciler) reconcileInjectorTLSSecret(ctx context.Conte } certInfo := tls.CertInfo{ - CommonName: fmt.Sprintf("%s.%s.svc", injectorName, r.Namespace()), - DNSNames: []string{fmt.Sprintf("%s.%s.svc", injectorName, r.Namespace()), fmt.Sprintf("%s.%s.svc.cluster.local", injectorName, r.Namespace())}, + CommonName: fmt.Sprintf("%s.%s.svc", injectorName, falconContainer.Spec.InstallNamespace), + DNSNames: []string{fmt.Sprintf("%s.%s.svc", injectorName, falconContainer.Spec.InstallNamespace), fmt.Sprintf("%s.%s.svc.cluster.local", injectorName, falconContainer.Spec.InstallNamespace)}, } - c, k, b, err := tls.CertSetup(r.Namespace(), validity, certInfo) + c, k, b, err := tls.CertSetup(falconContainer.Spec.InstallNamespace, validity, certInfo) if err != nil { return &corev1.Secret{}, fmt.Errorf("failed to generate Falcon Container PKI: %v", err) } 
@@ -51,7 +51,7 @@ func (r *FalconContainerReconciler) reconcileInjectorTLSSecret(ctx context.Conte "tls.key": k, "ca.crt": b, } - injectorTLSSecret := assets.Secret(injectorTLSSecretName, r.Namespace(), common.FalconSidecarSensor, secretData, corev1.SecretTypeTLS) + injectorTLSSecret := assets.Secret(injectorTLSSecretName, falconContainer.Spec.InstallNamespace, common.FalconSidecarSensor, secretData, corev1.SecretTypeTLS) if err = ctrl.SetControllerReference(falconContainer, injectorTLSSecret, r.Scheme); err != nil { return &corev1.Secret{}, fmt.Errorf("unable to set controller reference on injector TLS Secret%s: %v", injectorTLSSecret.ObjectMeta.Name, err) } @@ -71,7 +71,7 @@ func (r *FalconContainerReconciler) reconcileDeployment(ctx context.Context, log return &appsv1.Deployment{}, fmt.Errorf("unable to determine falcon container image URI: %v", err) } - deployment := assets.SideCarDeployment(injectorName, r.Namespace(), common.FalconSidecarSensor, imageUri, falconContainer) + deployment := assets.SideCarDeployment(injectorName, falconContainer.Spec.InstallNamespace, common.FalconSidecarSensor, imageUri, falconContainer) existingDeployment := &appsv1.Deployment{} if len(proxy.ReadProxyVarsFromEnv()) > 0 { @@ -80,7 +80,7 @@ func (r *FalconContainerReconciler) reconcileDeployment(ctx context.Context, log } } - err = r.Client.Get(ctx, types.NamespacedName{Name: injectorName, Namespace: r.Namespace()}, existingDeployment) + err = r.Client.Get(ctx, types.NamespacedName{Name: injectorName, Namespace: falconContainer.Spec.InstallNamespace}, existingDeployment) if err != nil { if errors.IsNotFound(err) { if err = ctrl.SetControllerReference(falconContainer, deployment, r.Scheme); err != nil { diff --git a/internal/controller/falcon_container/ns.go b/internal/controller/falcon_container/ns.go index c1a95211..fb215685 100644 --- a/internal/controller/falcon_container/ns.go +++ b/internal/controller/falcon_container/ns.go 
@@ -14,10 +14,6 @@ import ( ctrl "sigs.k8s.io/controller-runtime" ) -const ( - injectorNamespace = "falcon-system" -) - var ( namespaceLabels = map[string]string{ common.FalconContainerInjection: "disabled", @@ -25,12 +21,8 @@ var ( } ) -func (r *FalconContainerReconciler) Namespace() string { - return injectorNamespace -} - -func (r *FalconContainerReconciler) NamespaceLabels() map[string]string { - nsLabels := common.CRLabels("namespace", r.Namespace(), common.FalconSidecarSensor) +func (r *FalconContainerReconciler) NamespaceLabels(falconContainer *falconv1alpha1.FalconContainer) map[string]string { + nsLabels := common.CRLabels("namespace", falconContainer.Spec.InstallNamespace, common.FalconSidecarSensor) for k, v := range namespaceLabels { nsLabels[k] = v } @@ -38,9 +30,9 @@ func (r *FalconContainerReconciler) NamespaceLabels() map[string]string { } func (r *FalconContainerReconciler) reconcileNamespace(ctx context.Context, log logr.Logger, falconContainer *falconv1alpha1.FalconContainer) (*corev1.Namespace, error) { - namespace := r.newNamespace() + namespace := r.newNamespace(falconContainer) existingNamespace := &corev1.Namespace{} - err := r.Client.Get(ctx, types.NamespacedName{Name: r.Namespace()}, existingNamespace) + err := r.Client.Get(ctx, types.NamespacedName{Name: falconContainer.Spec.InstallNamespace}, existingNamespace) if err != nil { if errors.IsNotFound(err) { if err = ctrl.SetControllerReference(falconContainer, namespace, r.Scheme); err != nil { 
@@ -48,21 +40,21 @@ func (r *FalconContainerReconciler) reconcileNamespace(ctx context.Context, log } return namespace, r.Create(ctx, log, falconContainer, namespace) } - return &corev1.Namespace{}, fmt.Errorf("unable to query existing namespace %s: %v", r.Namespace(), err) + return &corev1.Namespace{}, fmt.Errorf("unable to query existing namespace %s: %v", falconContainer.Spec.InstallNamespace, err) } return existingNamespace, nil } -func (r *FalconContainerReconciler) newNamespace() *corev1.Namespace { +func (r *FalconContainerReconciler) newNamespace(falconContainer *falconv1alpha1.FalconContainer) *corev1.Namespace { return &corev1.Namespace{ TypeMeta: metav1.TypeMeta{ APIVersion: corev1.SchemeGroupVersion.String(), Kind: "Namespace", }, ObjectMeta: metav1.ObjectMeta{ - Name: r.Namespace(), - Labels: r.NamespaceLabels(), + Name: falconContainer.Spec.InstallNamespace, + Labels: r.NamespaceLabels(falconContainer), }, } } diff --git a/internal/controller/falcon_container/rbac.go b/internal/controller/falcon_container/rbac.go index 2219f383..6f1283fe 100644 --- a/internal/controller/falcon_container/rbac.go +++ b/internal/controller/falcon_container/rbac.go @@ -25,7 +25,7 @@ func (r *FalconContainerReconciler) reconcileServiceAccount(ctx context.Context, update := false serviceAccount := r.newServiceAccount(falconContainer) existingServiceAccount := &corev1.ServiceAccount{} - err := r.Client.Get(ctx, types.NamespacedName{Name: common.SidecarServiceAccountName, Namespace: r.Namespace()}, existingServiceAccount) + err := r.Client.Get(ctx, types.NamespacedName{Name: common.SidecarServiceAccountName, Namespace: falconContainer.Spec.InstallNamespace}, existingServiceAccount) if err != nil { if errors.IsNotFound(err) { if err = ctrl.SetControllerReference(falconContainer, serviceAccount, r.Scheme); err != nil { 
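Review bot: On the found path (`return existingNamespace, nil`) a namespace the user already owns is returned untouched, so it never receives the `namespaceLabels` — including `common.FalconContainerInjection: "disabled"` — that `newNamespace` puts on a freshly created one; with the namespace now user-selectable that case becomes much more likely, and it presumably means the injector's own namespace is not excluded from injection and lacks the CR labels. Reconcile the labels when the namespace already exists and issue a `client.Update` only when one is missing, as sketched below; the pre-existing namespace is deliberately not given an owner reference, so deleting the CR still leaves a user-managed namespace alone. `reconcileNamespace` begins before this hunk.

```go
	// … unchanged: Get / IsNotFound / Create path …
	// A pre-existing namespace still needs the sidecar labels (notably the
	// injection-disabled label) that newNamespace puts on a fresh one.
	wanted := r.NamespaceLabels(falconContainer)
	needsUpdate := false
	for k, v := range wanted {
		if existingNamespace.Labels[k] != v { // reading a nil map is safe
			needsUpdate = true
			break
		}
	}
	if needsUpdate {
		if existingNamespace.Labels == nil {
			existingNamespace.Labels = make(map[string]string, len(wanted))
		}
		for k, v := range wanted {
			existingNamespace.Labels[k] = v
		}
		if err := r.Client.Update(ctx, existingNamespace); err != nil {
			return &corev1.Namespace{}, fmt.Errorf("unable to update labels on existing namespace %s: %v", falconContainer.Spec.InstallNamespace, err)
		}
	}
	return existingNamespace, nil
```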
@@ -94,7 +94,7 @@ func (r *FalconContainerReconciler) newServiceAccount(falconContainer *falconv1a
 },
 ObjectMeta: metav1.ObjectMeta{
 Name: common.SidecarServiceAccountName,
- Namespace: r.Namespace(),
+ Namespace: falconContainer.Spec.InstallNamespace,
 Labels: common.CRLabels("serviceaccount", common.SidecarServiceAccountName, common.FalconSidecarSensor),
 Annotations: falconContainer.Spec.Injector.ServiceAccount.Annotations,
 },
@@ -115,7 +115,7 @@ func (r *FalconContainerReconciler) newClusterRoleBinding(falconContainer *falco
 Subjects: []rbacv1.Subject{{
 Kind: "ServiceAccount",
 Name: common.SidecarServiceAccountName,
- Namespace: r.Namespace(),
+ Namespace: falconContainer.Spec.InstallNamespace,
 }},
 RoleRef: rbacv1.RoleRef{
 APIGroup: "rbac.authorization.k8s.io",
diff --git a/internal/controller/falcon_container/registry.go b/internal/controller/falcon_container/registry.go
index 113ce910..e475dd63 100644
--- a/internal/controller/falcon_container/registry.go
+++ b/internal/controller/falcon_container/registry.go
@@ -43,12 +43,12 @@ func (r *FalconContainerReconciler) reconcileRegistrySecrets(ctx context.Context
 if disableDefaultNSInjection {
 // if default namespace injection is disabled, require that the injection label be set to enabled
 // in both cases below, ensure that we're not blocking pull secret creation within the injector namespace
- if (ns.Labels == nil || ns.Labels[common.FalconContainerInjection] != injectionEnabledValue) && ns.Name != r.Namespace() {
+ if (ns.Labels == nil || ns.Labels[common.FalconContainerInjection] != injectionEnabledValue) && ns.Name != falconContainer.Spec.InstallNamespace {
 continue
 }
 } else {
 // otherwise, just ensure the injection label is not set to disabled
- if ns.Labels != nil && ns.Labels[common.FalconContainerInjection] == injectionDisabledValue && ns.Name != r.Namespace() {
+ if ns.Labels != nil && ns.Labels[common.FalconContainerInjection] == injectionDisabledValue && ns.Name != falconContainer.Spec.InstallNamespace {
 continue
 }
 }
diff --git a/internal/controller/falcon_container/service.go b/internal/controller/falcon_container/service.go
index 2286f0bd..4ecbc93b 100644
--- a/internal/controller/falcon_container/service.go
+++ b/internal/controller/falcon_container/service.go
@@ -17,11 +17,11 @@ import ( func (r *FalconContainerReconciler) reconcileService(ctx context.Context, log logr.Logger, falconContainer *falconv1alpha1.FalconContainer) (*corev1.Service, error) { selector := map[string]string{common.FalconComponentKey: common.FalconSidecarSensor} - service := assets.Service(injectorName, r.Namespace(), common.FalconSidecarSensor, selector, common.FalconServiceHTTPSName, *falconContainer.Spec.Injector.ListenPort) + service := assets.Service(injectorName, falconContainer.Spec.InstallNamespace, common.FalconSidecarSensor, selector, common.FalconServiceHTTPSName, *falconContainer.Spec.Injector.ListenPort) updated := false existingService := &corev1.Service{} - err := r.Client.Get(ctx, types.NamespacedName{Name: injectorName, Namespace: r.Namespace()}, existingService) + err := r.Client.Get(ctx, types.NamespacedName{Name: injectorName, Namespace: falconContainer.Spec.InstallNamespace}, existingService) if err != nil { if errors.IsNotFound(err) { if err = ctrl.SetControllerReference(falconContainer, service, r.Scheme); err != nil { diff --git a/internal/controller/falcon_container/webhook.go b/internal/controller/falcon_container/webhook.go index c8c041cf..7ef60132 100644 --- a/internal/controller/falcon_container/webhook.go +++ b/internal/controller/falcon_container/webhook.go @@ -25,7 +25,7 @@ func (r *FalconContainerReconciler) reconcileWebhook(ctx context.Context, log lo disableDefaultNSInjection = falconContainer.Spec.Injector.DisableDefaultNSInjection } - webhook := assets.MutatingWebhook(injectorName, r.Namespace(), webhookName, caBundle, disableDefaultNSInjection, falconContainer) + webhook := assets.MutatingWebhook(injectorName, falconContainer.Spec.InstallNamespace, webhookName, caBundle, disableDefaultNSInjection, falconContainer) existingWebhook := &arv1.MutatingWebhookConfiguration{} err := r.Client.Get(ctx, types.NamespacedName{Name: webhookName}, existingWebhook)