Merge pull request #454 from redhatrises/node_lock
feat: update docs and add node version locking
redhatrises authored Nov 1, 2023
2 parents cb3ab58 + bc7aec1 commit a94484b
Showing 11 changed files with 130 additions and 19 deletions.
15 changes: 13 additions & 2 deletions docs/deployment/openshift/resources/admission/README.md
Expand Up @@ -76,7 +76,8 @@ spec:
| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited |
| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) |

All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.
> [!IMPORTANT]
> All arguments are optional, but successful deployment requires either **client_id and client_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

### Auto Proxy Configuration

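Review bot: In the added `[!IMPORTANT]` block, the last sentence ("While in the latter case, ...") is a fragment, and with the bold **or** removed and both options bolded as one phrase, "the latter case" no longer has a clear referent. Suggest naming the option instead, for example "When cid and image are set, the CID and image location are specified explicitly by the user", which also fixes "is" to "are".
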
Expand All @@ -101,7 +102,13 @@ When not running on OpenShift, adding the proxy configuration via environment va
value: http://proxy.example.com:8080
image: quay.io/crowdstrike/falcon-operator:latest
```
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings)
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) which will only change the sensor's proxy settings **not** the operator's proxy settings.

>[!IMPORTANT]
> 1. If using the CrowdStrike API with the **client_id and client_secret** authentication method, the operator must be able to reach the CrowdStrike API through the proxy via the Kubernetes cluster networking configuration.
> If the proxy is not configured correctly, the operator will not be able to authenticate with the CrowdStrike API and will not be able to create the sensor.
> 2. If the CrowdStrike API is not used, configure the [sensor's proxy settings](#falcon-sensor-settings).
> 3. Ensure that the host node can reach the CrowdStrike Falcon Cloud through the proxy.


### Image Registry considerations
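
Review bot: The second added alert opens with `>[!IMPORTANT]` (no space after `>`), while the alert added earlier in this file uses `> [!IMPORTANT]`; use one form throughout. The rewritten sentence above the alert also needs a comma before "which", a comma before "**not**", and a closing period.
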
Expand Down Expand Up @@ -150,6 +157,10 @@ To uninstall Falcon Admission Controller simply remove the FalconAdmission resou
oc delete falconadmission --all
```

### Sensor upgrades

To upgrade the sensor version, simply add and/or update the `version` field in the FalconAdmission resource and apply the change. Alternatively if the `image` field was used instead of using the Falcon API credentials, add and/or update the `image` field in the FalconAdmission resource and apply the change. The operator will detect the change and perform the upgrade.

### Troubleshooting

- Falcon Operator modifies the FalconAdmission CR based on what is happening in the cluster. You can get list the CR, Operator Version, and Sensor version by running the following:
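
Review bot: The new "Sensor upgrades" section names the `version` and `image` fields but not where they sit in the FalconAdmission spec, and it gives no command, unlike the uninstall section just above it, which shows `oc delete falconadmission --all`. Suggest adding the full field path and a one-line `oc edit` or `oc apply` example so the reader does not have to search the settings table.
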
22 changes: 19 additions & 3 deletions docs/deployment/openshift/resources/container/README.md
Expand Up @@ -98,6 +98,9 @@ spec:
| conditions.["ServiceReady"] | Displays the most recent successful reconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) |
| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent successful reconciliation operation for the mutating webhook configuration used by the falcon container sensor injector (created, updated, deleted) |

> [!IMPORTANT]
> All arguments are optional, but successful deployment requires either **client_id and client_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

### Enabling and Disabling Falcon Container injection

By default, all pods in all namespaces outside of `kube-system` and `kube-public` will be subject to Falcon Container injection.
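
Review bot: The added alert about required arguments sits directly after the status table (the `conditions.[...]` rows), so "All arguments are optional" reads as if it describes status conditions. In the admission and node READMEs in this commit the same text follows the `falcon.tags` / `falcon.trace` settings rows; move it to the matching position in this file.
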
Expand Down Expand Up @@ -145,7 +148,13 @@ When not running on OpenShift, adding the proxy configuration via environment va
value: http://proxy.example.com:8080
image: quay.io/crowdstrike/falcon-operator:latest
```
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings)
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) which will only change the sensor's proxy settings **not** the operator's proxy settings.

>[!IMPORTANT]
> 1. If using the CrowdStrike API with the **client_id and client_secret** authentication method, the operator must be able to reach the CrowdStrike API through the proxy via the Kubernetes cluster networking configuration.
> If the proxy is not configured correctly, the operator will not be able to authenticate with the CrowdStrike API and will not be able to create the sensor.
> 2. If the CrowdStrike API is not used, configure the [sensor's proxy settings](#falcon-sensor-settings).
> 3. Ensure that the host node can reach the CrowdStrike Falcon Cloud through the proxy.


### Image Registry considerations
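
Review bot: The rewritten sentence says the environment-variable proxy settings "can be overridden" by the sensor's proxy settings and then says this does **not** change the operator's proxy settings, which reads as a contradiction. Suggest describing two separate scopes: the sensor's proxy settings apply to the sensor only, and the operator keeps using the environment variables shown above.
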
Expand Down Expand Up @@ -200,8 +209,15 @@ The following namespaces will be used by Falcon Operator.

| Namespace | Description |
|:------------------------|:-----------------------------------------------------------------|
| falcon-system | Used by Falcon Container product, runs the injector and webhoook |
| falcon-operator | Runs falcon-operator manager |
| falcon-system | Used by Falcon Container product, runs the injector, and webhoook |
| falcon-operator | Runs falcon-operator manager |

### Sensor upgrades

To upgrade the sensor version, simply add and/or update the `version` field in the FalconContainer resource and apply the change. Alternatively if the `image` field was used instead of using the Falcon API credentials, add and/or update the `image` field in the FalconContainer resource and apply the change. The operator will detect the change and perform the upgrade.

> [!IMPORTANT]
> The operator will only upgrade the injector service. You will need to restart or roll your workload deployments to upgrade the sidecar version.

### Troubleshooting

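Review bot: In the changed `falcon-system` row, the new comma in "runs the injector, and webhoook" is not needed for a two-item list, and the "webhoook" typo was carried over into the new line; "runs the injector and webhook" fixes both. The widened rows also no longer match the width of the separator row, which is harmless when rendered but worth realigning while the table is being touched.
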
15 changes: 13 additions & 2 deletions docs/deployment/openshift/resources/node/README.md
Expand Up @@ -80,7 +80,8 @@ spec:
| falcon.tags | (optional) Sensor grouping tags are optional, user-defined identifiers that can used to group and filter hosts. Allowed characters: all alphanumerics, '/', '-', and '_'. |
| falcon.trace | (optional) Set sensor trace level. |

All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.
> [!IMPORTANT]
> All arguments are optional, but successful deployment requires either **client_id and falcon_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

### Auto Proxy Configuration

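Review bot: The added alert requires "**client_id and falcon_secret**", which mixes the new and old names: the admission and container READMEs in this commit say "client_id and client_secret", and the removed line said "falcon_id and falcon_secret". Change `falcon_secret` to `client_secret` here so the credential pair is named the same way everywhere.
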
Expand All @@ -105,7 +106,13 @@ When not running on OpenShift, adding the proxy configuration via environment va
value: http://proxy.example.com:8080
image: quay.io/crowdstrike/falcon-operator:latest
```
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings)
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) which will only change the sensor's proxy settings **not** the operator's proxy settings.

>[!IMPORTANT]
> 1. If using the CrowdStrike API with the **client_id and client_secret** authentication method, the operator must be able to reach the CrowdStrike API through the proxy via the Kubernetes cluster networking configuration.
> If the proxy is not configured correctly, the operator will not be able to authenticate with the CrowdStrike API and will not be able to create the sensor.
> 2. If the CrowdStrike API is not used, configure the [sensor's proxy settings](#falcon-sensor-settings).
> 3. Ensure that the host node can reach the CrowdStrike Falcon Cloud through the proxy.


### Install Steps
Expand All @@ -122,6 +129,10 @@ To uninstall the FalconNodeSensor CR, simply remove the FalconNodeSensor resourc
oc delete falconnodesensors --all
```

### Sensor upgrades

To upgrade the sensor version, simply add and/or update the `version` field in the FalconNodeSensor resource and apply the change. Alternatively if the `image` field was used instead of using the Falcon API credentials, add and/or update the `image` field in the FalconNodeSensor resource and apply the change. The operator will detect the change and perform the upgrade by restarting the daemonset pods one by one.

### Troubleshooting

- To see the FalconNodeSensor resource on the cluster which includes the operator and sensor versions:
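
Review bot: "add and/or update the `version` field" implies the field can be absent, but the new section does not say which sensor version is deployed in that case or whether that version can change without an edit to the resource. Since the commit message describes this as node version locking, document the unset behaviour and what setting `version` guarantees, next to the description of the one-by-one daemonset restart.
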
15 changes: 13 additions & 2 deletions docs/resources/admission/README.md
Expand Up @@ -76,7 +76,8 @@ spec:
| falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited |
| falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) |

All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.
> [!IMPORTANT]
> All arguments are optional, but successful deployment requires either **client_id and client_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

### Auto Proxy Configuration

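Review bot: This alert text is now repeated in six READMEs in this commit and the copies already differ: both node READMEs say "client_id and falcon_secret" where this one says "client_id and client_secret". Consider keeping the paragraph in one shared document that each resource README links to, or at least diff the copies against each other before merging.
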
Expand All @@ -101,7 +102,13 @@ When not running on OpenShift, adding the proxy configuration via environment va
value: http://proxy.example.com:8080
image: quay.io/crowdstrike/falcon-operator:latest
```
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings)
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) which will only change the sensor's proxy settings **not** the operator's proxy settings.

>[!IMPORTANT]
> 1. If using the CrowdStrike API with the **client_id and client_secret** authentication method, the operator must be able to reach the CrowdStrike API through the proxy via the Kubernetes cluster networking configuration.
> If the proxy is not configured correctly, the operator will not be able to authenticate with the CrowdStrike API and will not be able to create the sensor.
> 2. If the CrowdStrike API is not used, configure the [sensor's proxy settings](#falcon-sensor-settings).
> 3. Ensure that the host node can reach the CrowdStrike Falcon Cloud through the proxy.


### Image Registry considerations
Expand Down Expand Up @@ -154,6 +161,10 @@ To uninstall Falcon Admission Controller simply remove the FalconAdmission resou
kubectl delete falconadmission --all
```

### Sensor upgrades

To upgrade the sensor version, simply add and/or update the `version` field in the FalconAdmission resource and apply the change. Alternatively if the `image` field was used instead of using the Falcon API credentials, add and/or update the `image` field in the FalconAdmission resource and apply the change. The operator will detect the change and perform the upgrade.

### Troubleshooting

- Falcon Operator modifies the FalconAdmission CR based on what is happening in the cluster. You can get list the CR, Operator Version, and Sensor version by running the following:
22 changes: 19 additions & 3 deletions docs/resources/container/README.md
Expand Up @@ -98,6 +98,9 @@ spec:
| conditions.["ServiceReady"] | Displays the most recent successful reconciliation operation for the service used by the falcon container sensor injector (created, updated, deleted) |
| conditions.["MutatingWebhookConfigurationReady"] | Displays the most recent successful reconciliation operation for the mutating webhook configuration used by the falcon container sensor injector (created, updated, deleted) |

> [!IMPORTANT]
> All arguments are optional, but successful deployment requires either **client_id and client_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

### Enabling and Disabling Falcon Container injection

By default, all pods in all namespaces outside of `kube-system` and `kube-public` will be subject to Falcon Container injection.
Expand Down Expand Up @@ -145,7 +148,13 @@ When not running on OpenShift, adding the proxy configuration via environment va
value: http://proxy.example.com:8080
image: quay.io/crowdstrike/falcon-operator:latest
```
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings)
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) which will only change the sensor's proxy settings **not** the operator's proxy settings.

>[!IMPORTANT]
> 1. If using the CrowdStrike API with the **client_id and client_secret** authentication method, the operator must be able to reach the CrowdStrike API through the proxy via the Kubernetes cluster networking configuration.
> If the proxy is not configured correctly, the operator will not be able to authenticate with the CrowdStrike API and will not be able to create the sensor.
> 2. If the CrowdStrike API is not used, configure the [sensor's proxy settings](#falcon-sensor-settings).
> 3. Ensure that the host node can reach the CrowdStrike Falcon Cloud through the proxy.


### Image Registry considerations
Expand Down Expand Up @@ -204,8 +213,15 @@ The following namespaces will be used by Falcon Operator.

| Namespace | Description |
|:------------------------|:-----------------------------------------------------------------|
| falcon-system | Used by Falcon Container product, runs the injector and webhoook |
| falcon-operator | Runs falcon-operator manager |
| falcon-system | Used by Falcon Container product, runs the injector, and webhoook |
| falcon-operator | Runs falcon-operator manager |

### Sensor upgrades

To upgrade the sensor version, simply add and/or update the `version` field in the FalconContainer resource and apply the change. Alternatively if the `image` field was used instead of using the Falcon API credentials, add and/or update the `image` field in the FalconContainer resource and apply the change. The operator will detect the change and perform the upgrade.

> [!IMPORTANT]
> The operator will only upgrade the injector service. You will need to restart or roll your workload deployments to upgrade the sidecar version.

### Troubleshooting

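Review bot: The alert added under "Sensor upgrades" tells the reader to "restart or roll your workload deployments" but gives no command and no way to confirm the result, so pods that are never rolled keep running the old sidecar after the injector is upgraded. Suggest adding a `kubectl rollout restart deployment/<name>` example and a sentence on how to check which sensor version a running pod carries.
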
15 changes: 13 additions & 2 deletions docs/resources/node/README.md
Expand Up @@ -80,7 +80,8 @@ spec:
| falcon.tags | (optional) Sensor grouping tags are optional, user-defined identifiers that can used to group and filter hosts. Allowed characters: all alphanumerics, '/', '-', and '_'. |
| falcon.trace | (optional) Set sensor trace level. |

All arguments are optional, but successful deployment requires either falcon_id and falcon_secret **or** cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.
> [!IMPORTANT]
> All arguments are optional, but successful deployment requires either **client_id and falcon_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

### Auto Proxy Configuration

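Review bot: "client_id and falcon_secret" in the added alert does not match the proxy note added further down in this same file, which refers to "**client_id and client_secret**". Use `client_secret` in both places.
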
Expand All @@ -105,7 +106,13 @@ When not running on OpenShift, adding the proxy configuration via environment va
value: http://proxy.example.com:8080
image: quay.io/crowdstrike/falcon-operator:latest
```
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings)
These settings can be overridden by configuring the [sensor's proxy settings](#falcon-sensor-settings) which will only change the sensor's proxy settings **not** the operator's proxy settings.

>[!IMPORTANT]
> 1. If using the CrowdStrike API with the **client_id and client_secret** authentication method, the operator must be able to reach the CrowdStrike API through the proxy via the Kubernetes cluster networking configuration.
> If the proxy is not configured correctly, the operator will not be able to authenticate with the CrowdStrike API and will not be able to create the sensor.
> 2. If the CrowdStrike API is not used, configure the [sensor's proxy settings](#falcon-sensor-settings).
> 3. Ensure that the host node can reach the CrowdStrike Falcon Cloud through the proxy.


### Install Steps
Expand All @@ -122,6 +129,10 @@ To uninstall the FalconNodeSensor CR, simply remove the FalconNodeSensor resourc
kubectl delete falconnodesensors --all
```

### Sensor upgrades

To upgrade the sensor version, simply add and/or update the `version` field in the FalconNodeSensor resource and apply the change. Alternatively if the `image` field was used instead of using the Falcon API credentials, add and/or update the `image` field in the FalconNodeSensor resource and apply the change. The operator will detect the change and perform the upgrade by restarting the daemonset pods one by one.

### Troubleshooting

- To see the FalconNodeSensor resource on the cluster which includes the operator and sensor versions: