wip: enable gke autopilot support

CrowdStrike · Sep 25, 2023 · b06a723 · b06a723
1 parent aa59e91
commit b06a723
Show file tree

Hide file tree

Showing 15 changed files with 467 additions and 83 deletions.
diff --git a/api/falcon/v1alpha1/falconnodesensor_types.go b/api/falcon/v1alpha1/falconnodesensor_types.go
@@ -65,16 +65,53 @@ type FalconNodeSensorConfig struct {
 	// +kubebuilder:default=false
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=8
 	NodeCleanup *bool `json:"disableCleanup,omitempty"`
+
+	// Configure resource requests and limits for the DaemonSet Sensor. Only applies when using the eBPF backend.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon eBPF Sensor Resources",order=9
+	SensorResources Resources `json:"resources,omitempty"`
+
 	// Sets the backend to be used by the DaemonSet Sensor.
 	// +kubebuilder:default=kernel
 	// +kubebuilder:validation:Enum=kernel;bpf
-	// +operator-sdk-csv:customresourcedefinitions:type=spec,order=9
+	// +operator-sdk-csv:customresourcedefinitions:type=spec,order=10
 	Backend string `json:"backend,omitempty"`
 
+	// Enables the use of GKE Autopilot.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="GKE Autopilot Settings",order=11
+	GKE AutoPilot `json:"gke,omitempty"`
+
+	// Enable priority class for the DaemonSet. This is useful for GKE Autopilot clusters, but can be set for any cluster.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Priority Class",order=12
+	PriorityClassName string `json:"priorityClassName,omitempty"`
+
 	// Version of the sensor to be installed. The latest version will be selected when this version specifier is missing.
 	Version *string `json:"version,omitempty"`
 }
 
+type Resources struct {
+	// Sets the resource limits for the DaemonSet Sensor. Only applies when using the eBPF backend.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	Limits ResourceList `json:"limits,omitempty"`
+	// Sets the resource requests for the DaemonSet Sensor. Only applies when using the eBPF backend.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	Requests ResourceList `json:"requests,omitempty"`
+}
+
+type ResourceList struct {
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Pattern="^([0-9]{4,}m)|[0-9]*$"
+	CPU string `json:"cpu,omitempty"`
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Pattern="^([0-9.]+[iEGTP]+)|[0-9]{10,}$"
+	Memory string `json:"memory,omitempty"`
+}
+
+type AutoPilot struct {
+	// Enables the use of GKE Autopilot.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	Enabled *bool `json:"autopilot,omitempty"`
+}
+
 type FalconNodeUpdateStrategy struct {
 	// +kubebuilder:default=RollingUpdate
 	// +kubebuilder:validation:Enum=RollingUpdate;OnDelete

diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -216,6 +216,26 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutoPilot) DeepCopyInto(out *AutoPilot) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoPilot.
+func (in *AutoPilot) DeepCopy() *AutoPilot {
+	if in == nil {
+		return nil
+	}
+	out := new(AutoPilot)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconAPI) DeepCopyInto(out *FalconAPI) {
 	*out = *in
@@ -589,6 +609,8 @@ func (in *FalconNodeSensorConfig) DeepCopyInto(out *FalconNodeSensorConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	out.SensorResources = in.SensorResources
+	in.GKE.DeepCopyInto(&out.GKE)
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(string)
@@ -795,3 +817,35 @@ func (in *RegistryTLSSpec) DeepCopy() *RegistryTLSSpec {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceList) DeepCopyInto(out *ResourceList) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceList.
+func (in *ResourceList) DeepCopy() *ResourceList {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Resources) DeepCopyInto(out *Resources) {
+	*out = *in
+	out.Limits = in.Limits
+	out.Requests = in.Requests
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resources.
+func (in *Resources) DeepCopy() *Resources {
+	if in == nil {
+		return nil
+	}
+	out := new(Resources)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml
@@ -143,6 +143,13 @@ spec:
                       on the nodes. Disabling might have unintended consequences for
                       certain operations such as sensor downgrading.
                     type: boolean
+                  gke:
+                    description: Enables the use of GKE Autopilot.
+                    properties:
+                      autopilot:
+                        description: Enables the use of GKE Autopilot.
+                        type: boolean
+                    type: object
                   image:
                     description: Location of the Falcon Sensor image. Use only in
                       cases when you mirror the original image to your repository/name:tag
@@ -379,6 +386,37 @@ spec:
                         type: object
                         x-kubernetes-map-type: atomic
                     type: object
+                  priorityClassName:
+                    description: Enable priority class for the DaemonSet. This is
+                      useful for GKE Autopilot clusters, but can be set for any cluster.
+                    type: string
+                  resources:
+                    description: Configure resource requests and limits for the DaemonSet
+                      Sensor. Only applies when using the eBPF backend.
+                    properties:
+                      limits:
+                        description: Sets the resource limits for the DaemonSet Sensor.
+                          Only applies when using the eBPF backend.
+                        properties:
+                          cpu:
+                            pattern: ^([0-9]{4,}m)|[0-9]*$
+                            type: string
+                          memory:
+                            pattern: ^([0-9.]+[iEGTP]+)|[0-9]{10,}$
+                            type: string
+                        type: object
+                      requests:
+                        description: Sets the resource requests for the DaemonSet
+                          Sensor. Only applies when using the eBPF backend.
+                        properties:
+                          cpu:
+                            pattern: ^([0-9]{4,}m)|[0-9]*$
+                            type: string
+                          memory:
+                            pattern: ^([0-9.]+[iEGTP]+)|[0-9]{10,}$
+                            type: string
+                        type: object
+                    type: object
                   serviceAccount:
                     description: Add metadata to the DaemonSet Service Account for
                       IAM roles.

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -16,6 +16,8 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
+- ../resources
+
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -13,4 +13,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/crowdstrike/falcon-operator
-  newTag: latest
+  newTag: autopilot
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -65,6 +65,7 @@ spec:
         args:
         - --leader-elect
         image: controller:latest
+        imagePullPolicy: Always
         name: manager
         env:
         - name: WATCH_NAMESPACE

diff --git a/config/non-olm/kustomization.yaml b/config/non-olm/kustomization.yaml
@@ -25,6 +25,7 @@ bases:
 #- ../prometheus
 
 patchesStrategicMerge:
+  - patches/manager_config_patch.yaml
   - patches/auth_proxy_client_clusterrole.yaml
   - patches/auth_proxy_role.yaml
   - patches/auth_proxy_role_binding.yaml

diff --git a/config/non-olm/patches/manager_config_patch.yaml b/config/non-olm/patches/manager_config_patch.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--config=controller_manager_config.yaml"
+        volumeMounts:
+        - name: manager-config
+          mountPath: /controller_manager_config.yaml
+          subPath: controller_manager_config.yaml
+      volumes:
+      - name: manager-config
+        configMap:
+          name: manager-config
diff --git a/controllers/falcon_node/falconnodesensor_controller.go b/controllers/falcon_node/falconnodesensor_controller.go
@@ -245,6 +245,11 @@ func (r *FalconNodeSensorReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		volumeUpdates := updateDaemonSetVolumes(dsUpdate, dsTarget, logger)
 		updated = updateDaemonSetContainerProxy(dsUpdate, nodesensor, logger)
 
+		if !reflect.DeepEqual(dsUpdate.Spec.Template.Spec.PriorityClassName, dsTarget.Spec.Template.Spec.PriorityClassName) {
+			dsUpdate.Spec.Template.Spec.PriorityClassName = dsTarget.Spec.Template.Spec.PriorityClassName
+			updated = true
+		}
+
 		// Update the daemonset and re-spin pods with changes
 		if imgUpdate || tolsUpdate || affUpdate || containerVolUpdate || volumeUpdates || updated {
 			err = r.Update(ctx, dsUpdate)

diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
@@ -2207,6 +2207,13 @@ spec:
                       on the nodes. Disabling might have unintended consequences for
                       certain operations such as sensor downgrading.
                     type: boolean
+                  gke:
+                    description: Enables the use of GKE Autopilot.
+                    properties:
+                      autopilot:
+                        default: false
+                        type: boolean
+                    type: object
                   image:
                     description: Location of the Falcon Sensor image. Use only in
                       cases when you mirror the original image to your repository/name:tag
@@ -3124,7 +3131,7 @@ spec:
                 - linux
       containers:
       - args:
-        - --leader-elect
+        - --config=controller_manager_config.yaml
         command:
         - /manager
         env:
@@ -3160,8 +3167,16 @@ spec:
             drop:
             - ALL
           privileged: false
+        volumeMounts:
+        - mountPath: /controller_manager_config.yaml
+          name: manager-config
+          subPath: controller_manager_config.yaml
       securityContext:
         fsGroup: 65534
         runAsNonRoot: true
       serviceAccountName: falcon-operator-controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+      - configMap:
+          name: falcon-operator-manager-config
+        name: manager-config