From b898af1102ddc375b2925ec02a1a885e8c408478 Mon Sep 17 00:00:00 2001
From: Gabe Alford
Date: Tue, 17 Oct 2023 13:58:32 -0600
Subject: [PATCH] feat: update bundle for admission controller
---
 ...c.authorization.k8s.io_v1_clusterrole.yaml | 32 +
 ...falcon-operator.clusterserviceversion.yaml | 363 +++++++++++-
 ...lcon.crowdstrike.com_falconadmissions.yaml | 548 ++++++++++++++++++
 ...lcon.crowdstrike.com_falconcontainers.yaml | 2 +-
 bundle/metadata/annotations.yaml | 4 +-
 ...falcon-operator.clusterserviceversion.yaml | 3 +-
 6 files changed, 944 insertions(+), 8 deletions(-)
 create mode 100644 bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
 create mode 100644 bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
diff --git a/bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 00000000..00a760d7
--- /dev/null
+++ b/bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ crowdstrike.com/component: rbac
+ crowdstrike.com/created-by: falcon-operator
+ crowdstrike.com/instance: admission-controller-role
+ crowdstrike.com/managed-by: kustomize
+ crowdstrike.com/name: clusterrole
+ crowdstrike.com/part-of: Falcon
+ crowdstrike.com/provider: crowdstrike
+ name: falcon-operator-admission-controller-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
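Review bot: The new ClusterRole `falcon-operator-admission-controller-role` is read-only over `namespaces`, `nodes`, `daemonsets` and `deployments`, which is appropriately narrow, but nothing in this patch binds it to a ServiceAccount, so the bundle alone does not show which workload ends up holding this cluster-wide read access. Presumably the operator creates the binding when it reconciles a FalconAdmission; stating that in the CSV description (or a comment above `rules:` such as `# bound by the operator to the admission controller's ServiceAccount`) would let reviewers audit the RBAC surface without reading the controller code. Cluster-wide `get`/`list`/`watch` on `nodes` and `namespaces` also exposes node and namespace labels/annotations to the bound identity, so the reason the admission controller needs them is worth recording alongside the grant.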
diff --git a/bundle/manifests/falcon-operator.clusterserviceversion.yaml b/bundle/manifests/falcon-operator.clusterserviceversion.yaml
index 99a0babc..7d7ed190 100644
--- a/bundle/manifests/falcon-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/falcon-operator.clusterserviceversion.yaml
@@ -4,10 +4,51 @@ metadata:
 annotations:
 alm-examples: |-
 [
+ {
+ "apiVersion": "falcon.crowdstrike.com/v1alpha1",
+ "kind": "FalconAdmission",
+ "metadata": {
+ "labels": {
+ "crowdstrike.com/component": "sample",
+ "crowdstrike.com/created-by": "falcon-operator",
+ "crowdstrike.com/instance": "falcon-admission",
+ "crowdstrike.com/managed-by": "kustomize",
+ "crowdstrike.com/name": "falconadmission",
+ "crowdstrike.com/part-of": "Falcon",
+ "crowdstrike.com/provider": "crowdstrike"
+ },
+ "name": "falcon-admission"
+ },
+ "spec": {
+ "falcon": {
+ "tags": [
+ "admission_controller"
+ ],
+ "trace": "none"
+ },
+ "falcon_api": {
+ "client_id": "PLEASE_FILL_IN",
+ "client_secret": "PLEASE_FILL_IN",
+ "cloud_region": "autodiscover"
+ },
+ "registry": {
+ "type": "crowdstrike"
+ }
+ }
+ },
 {
 "apiVersion": "falcon.crowdstrike.com/v1alpha1",
 "kind": "FalconContainer",
 "metadata": {
+ "labels": {
+ "crowdstrike.com/component": "sample",
+ "crowdstrike.com/created-by": "falcon-operator",
+ "crowdstrike.com/instance": "falcon-sidecar-sensor",
+ "crowdstrike.com/managed-by": "kustomize",
+ "crowdstrike.com/name": "falconcontainer",
+ "crowdstrike.com/part-of": "Falcon",
+ "crowdstrike.com/provider": "crowdstrike"
+ },
 "name": "falcon-sidecar-sensor"
 },
 "spec": {
@@ -31,6 +72,15 @@ metadata:
 "apiVersion": "falcon.crowdstrike.com/v1alpha1",
 "kind": "FalconNodeSensor",
 "metadata": {
+ "labels": {
+ "crowdstrike.com/component": "sample",
+ "crowdstrike.com/created-by": "falcon-operator",
+ "crowdstrike.com/instance": "falcon-node-sensor",
+ "crowdstrike.com/managed-by": "kustomize",
+ "crowdstrike.com/name": "falconnodesensor",
+ "crowdstrike.com/part-of": "Falcon",
+ "crowdstrike.com/provider": "crowdstrike"
+ },
 "name": "falcon-node-sensor"
 },
 "spec": {
@@ -51,11 +101,11 @@ metadata:
 capabilities: Basic Install
 categories: Security,Monitoring
 containerImage: quay.io/crowdstrike/falcon-operator
- createdAt: "2023-06-27T14:11:17Z"
+ createdAt: "2023-10-17T19:56:45Z"
 description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
 operatorframework.io/suggested-namespace: falcon-operator
- operators.operatorframework.io/builder: operator-sdk-v1.30.0
- operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
+ operators.operatorframework.io/builder: operator-sdk-v1.29.0
+ operators.operatorframework.io/project_layout: go.kubebuilder.io/v4-alpha
 repository: https://github.com/CrowdStrike/falcon-operator
 support: Community Only
 name: falcon-operator.v0.9.0
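Review bot: The `operators.operatorframework.io/builder` annotation moves backwards from `operator-sdk-v1.30.0` to `operator-sdk-v1.29.0` in the same hunk that moves `project_layout` from `go.kubebuilder.io/v3` to `go.kubebuilder.io/v4-alpha`; that reads like the bundle was regenerated with an older SDK on the author's machine rather than an intentional downgrade, and the two annotations will keep flip-flopping on every regeneration until the toolchain is pinned. If v1.29.0 and the v4-alpha layout are intended, say so in the commit message and pin that SDK version in the project's build tooling; otherwise regenerate with v1.30.0 so the builder annotation matches what produced the previous bundle.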
@@ -64,6 +114,211 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: + - description: FalconAdmission is the Schema for the falconadmissions API + displayName: Falcon Admission + kind: FalconAdmission + name: falconadmissions.falcon.crowdstrike.com + specDescriptors: + - description: Configure a list of namespaces to ignore admission control. + displayName: Ignore Namespace List + path: admissionConfig.disabledNamespaces.namespaces + - description: ImagePullSecrets is an optional list of references to secrets + to use for pulling image from the image location. + displayName: Falcon Admission Controller Image Pull Secrets + path: admissionConfig.imagePullSecrets + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Secret + - description: Define annotations that will be passed down to the Service Account. + This is useful for passing along AWS IAM Role or GCP Workload Identity. + displayName: Service Account Annotations + path: admissionConfig.serviceAccount.annotations + - description: Validity of the TLS certificate in days. Default is 3650 days. + displayName: Falcon Container Injector TLS Validity Length (days) + path: admissionConfig.tls.validity + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: RollingUpdate is used to specify the strategy used to roll out + a deployment + displayName: Falcon Admisison Controller deployment update configuration + path: admissionConfig.updateStrategy.rollingUpdate + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:updateStrategy + - description: Falcon Customer ID (CID) + displayName: Falcon Customer ID (CID) + path: falcon.cid + - description: Falcon OAuth2 API Client ID + displayName: Client ID + path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password + - description: Namespace where the Falcon Admission Controller should be installed. 
+ For best security practices, this should be a dedicated namespace that is + not used for any other purpose. It also should not be the same namespace + where the Falcon Operator or the Falcon Sensor is installed. + displayName: Install Namespace + path: installNamespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: Allow pushing to docker registries over HTTPS with failed TLS + verification. Note that this does not affect other TLS connections. + displayName: Skip Registry TLS Verification + path: registry.tls.insecure_skip_verify + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Type of container registry to be used + displayName: Registry Type + path: registry.type + - description: Limits the number of admission controller pods that can be created + in the namespace. + displayName: Resource Quota Pod Limit + path: resourcequota.pods + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:podCount + - description: For OpenShift clusters, ignore openshift-specific namespaces + for admission control. + displayName: Ignore OpenShift Namespaces + path: admissionConfig.disabledNamespaces.ignoreOpenShiftNamespaces + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - displayName: Falcon Admission Controller Image Pull Policy + path: admissionConfig.imagePullPolicy + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy + - description: Installation token that prevents unauthorized hosts from being + accidentally or maliciously added to your customer ID (CID). + displayName: Provisioning Token + path: falcon.provisioning_token + - description: "FalconAPI configures connection from your local Falcon operator + to CrowdStrike Falcon platform. \n When configured, it will pull the sensor + from registry.crowdstrike.com and deploy the appropriate sensor to the cluster. 
+ \n If using the API is not desired, the sensor can be manually configured + by setting the Image and Version fields." + displayName: Falcon Platform API Configuration + path: falcon_api + - description: Falcon OAuth2 API Client Secret + displayName: Client Secret + path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password + - description: TLS configures TLS connection for push of Falcon Container image + to the registry + displayName: Registry TLS Configuration + path: registry.tls + - description: Allow for users to provide a CA Cert Bundle, as either a string + or base64 encoded string + displayName: Registry CA Certificate Bundle; optionally (double) base64 encoded + path: registry.tls.caCertificate + - description: Port on which the Falcon Admission Controller service will listen + for requests from the cluster. + displayName: Falcon Admission Controller Service Port + path: admissionConfig.servicePort + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: CrowdStrike Falcon sensor configuration + displayName: Falcon Sensor Configuration + path: falcon + - description: Disable the Falcon Sensor's use of a proxy. + displayName: Disable Falcon Proxy + path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which + the operator will connect and register. + displayName: CrowdStrike Falcon Cloud Region + path: falcon_api.cloud_region + - description: Azure Container Registry Name represents the name of the ACR + for the Falcon Container push. Only applicable to Azure cloud. 
+ displayName: Azure Container Registry Name + path: registry.acr_name + - description: Allow for users to provide a ConfigMap containing a CA Cert Bundle + under a key ending in .crt + displayName: ConfigMap containing Registry CA Certificate Bundle + path: registry.tls.caCertificateConfigMap + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap + - description: Port on which the Falcon Admission Controller container will + listen for requests. + displayName: Falcon Admission Controller Container Port + path: admissionConfig.containerPort + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: The application proxy host to use for Falcon sensor proxy configuration. + displayName: Disable Falcon Proxy Host + path: falcon.aph + - description: Falcon Customer ID (CID) Override (optional, default is derived + from the API Key pair) + displayName: Falcon Customer ID (CID) + path: falcon_api.cid + - description: ResourceQuota configures the ResourceQuota for the Falcon Admission + Controller. This is useful for limiting the number of pods that can be created + in the namespace. + displayName: Falcon Admission Controller Resource Quota + path: resourcequota + - description: Additional configuration for Falcon Admission Controller deployment. + displayName: Falcon Admission Controller Configuration + path: admissionConfig + - description: Number of replicas for the Falcon Admission Controller deployment. + displayName: Admission Controller Replica Count + path: admissionConfig.replicas + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: The application proxy port to use for Falcon sensor proxy configuration. + displayName: Falcon Proxy Port + path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: Configure the failure policy for the Falcon Admission Controller. 
+ displayName: Falcon Admission Controller Failure Policy + path: admissionConfig.failurePolicy + - description: 'Sensor grouping tags are optional, user-defined identifiers + that can used to group and filter hosts. Allowed characters: all alphanumerics, + ''/'', ''-'', and ''_''.' + displayName: Sensor Grouping Tags + path: falcon.tags + - description: Registry configures container image registry to which the Admission + Controller image will be pushed. + displayName: Falcon Admission Controller Registry Configuration + path: registry + - description: Define annotations that will be passed down to admision controller + service account. This is useful for passing along AWS IAM Role or GCP Workload + Identity. + displayName: Service Account Configuration + path: admissionConfig.serviceAccount + - description: Set sensor trace level. + displayName: Trace Level + path: falcon.trace + - description: Location of the Falcon Sensor image. Use only in cases when you + mirror the original image to your repository/name:tag, and CrowdStrike OAuth2 + API is not used. + displayName: Falcon Admission Controller Image URI + path: image + - description: Configure TLS setings for the Falcon Admission Controller + displayName: Falcon Admission Controller TLS Configuration + path: admissionConfig.tls + - description: Utilize default or Pay-As-You-Go billing. + displayName: Billing + path: falcon.billing + - description: 'Falcon Admission Controller Version. The latest version will + be selected when version specifier is missing. Example: 6.31, 6.31.0, 6.31.0-1409, + etc.' 
+ displayName: Falcon Admission Controller Version + path: version + - displayName: Falcon Admission Controller Client Resources + path: admissionConfig.resourcesClient + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - displayName: Falcon Admission Controller Resources + path: admissionConfig.resources + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - description: Type of Deployment update. Can be "RollingUpdate" or "OnDelete". + Default is RollingUpdate. + displayName: Deployment Update Strategy + path: admissionConfig.updateStrategy + - description: Ignore admission control for a specific set of namespaces. + displayName: Ignore Namespace List + path: admissionConfig.disabledNamespaces + version: v1alpha1 - description: FalconContainer is the Schema for the falconcontainers API displayName: Falcon Container kind: FalconContainer @@ -77,6 +332,8 @@ spec: - description: Falcon OAuth2 API Client ID displayName: Client ID path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: Define annotations that will be passed down to injector service account. This is useful for passing along AWS IAM Role or GCP Workload Identity. displayName: Service Account Configuration @@ -87,6 +344,11 @@ spec: verification. Note that this does not affect other TLS connections. displayName: Skip Registry TLS Verification path: registry.tls.insecure_skip_verify + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Type of container registry to be used + displayName: Registry Type + path: registry.type - description: Installation token that prevents unauthorized hosts from being accidentally or maliciously added to your customer ID (CID). displayName: Provisioning Token 
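Review bot: Several of the new FalconAdmission specDescriptors carry copy-pasted or misspelled UI text: `displayName: Falcon Container Injector TLS Validity Length (days)` for `admissionConfig.tls.validity` names the Container Injector rather than the Admission Controller, `Falcon Admisison Controller deployment update configuration`, `passed down to admision controller service account` and `Configure TLS setings` have typos, and the `falcon.tags` description reads `that can used to group`. These strings are what OperatorHub/console users see when filling in the form, so they are worth fixing before the bundle ships. If, as the `x-descriptors` layout suggests, this file is generated from markers on the Go API types, the corrections belong in the type comments so the next regeneration does not undo them.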
@@ -98,8 +360,14 @@ spec: - description: Falcon OAuth2 API Client Secret displayName: Client Secret path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - displayName: Falcon Container Injector Listen Port path: injector.listenPort + - description: TLS configures TLS connection for push of Falcon Container image + to the registry + displayName: Registry TLS Configuration + path: registry.tls - description: Allow for users to provide a CA Cert Bundle, as either a string or base64 encoded string displayName: Registry CA Certificate Bundle; optionally (double) base64 encoded @@ -107,6 +375,8 @@ spec: - description: Disable the Falcon Sensor's use of a proxy. displayName: Disable Falcon Proxy path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which the operator will connect and register. displayName: CrowdStrike Falcon Cloud Region @@ -117,10 +387,16 @@ spec: Container image will be pushed displayName: Falcon Container Image Registry Configuration path: registry + - description: Azure Container Registry Name represents the name of the ACR + for the Falcon Container push. Only applicable to Azure cloud. + displayName: Azure Container Registry Name + path: registry.acr_name - description: Allow for users to provide a ConfigMap containing a CA Cert Bundle under a key ending in .crt displayName: ConfigMap containing Registry CA Certificate Bundle path: registry.tls.caCertificateConfigMap + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap - description: The application proxy host to use for Falcon sensor proxy configuration. displayName: Disable Falcon Proxy Host path: falcon.aph 
@@ -137,6 +413,8 @@ spec: - description: The application proxy port to use for Falcon sensor proxy configuration. displayName: Falcon Proxy Port path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number - displayName: Falcon Container Image Pull Secret Name path: injector.imagePullSecret - description: 'Sensor grouping tags are optional, user-defined identifiers @@ -192,6 +470,8 @@ spec: - description: Falcon OAuth2 API Client ID displayName: Client ID path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location. @@ -206,6 +486,8 @@ spec: - description: Falcon OAuth2 API Client Secret displayName: Client Secret path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: Location of the Falcon Sensor image. Use only in cases when you mirror the original image to your repository/name:tag displayName: Image @@ -213,6 +495,8 @@ spec: - description: Disable the Falcon Sensor's use of a proxy. displayName: Disable Falcon Proxy path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which the operator will connect and register. displayName: CrowdStrike Falcon Cloud Region @@ -236,6 +520,8 @@ spec: - description: The application proxy port to use for Falcon sensor proxy configuration. displayName: Falcon Proxy Port path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number - description: Specifies node affinity for scheduling the DaemonSet. Defaults to allowing scheduling on all nodes. displayName: Node Affinity @@ -352,6 +638,14 @@ spec: - list - update - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch - apiGroups: - "" resources: 
@@ -361,6 +655,18 @@ spec:
 - deletecollection
 - get
 - list
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - resourcequotas
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
 - watch
 - apiGroups:
 - ""
@@ -406,6 +712,17 @@ spec:
 - list
 - update
 - watch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
 - apiGroups:
 - apps
 resources:
@@ -435,9 +752,11 @@ spec:
 - leases
 verbs:
 - create
+ - delete
 - get
 - list
 - update
+ - watch
 - apiGroups:
 - ""
 resources:
@@ -450,6 +769,32 @@ spec:
 - patch
 - update
 - watch
+ - apiGroups:
+ - falcon.crowdstrike.com
+ resources:
+ - falconadmissions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - falcon.crowdstrike.com
+ resources:
+ - falconadmissions/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - falcon.crowdstrike.com
+ resources:
+ - falconadmissions/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - falcon.crowdstrike.com
 resources:
@@ -526,6 +871,18 @@ spec:
 - list
 - update
 - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
 - apiGroups:
 - security.openshift.io
 resourceNames:
diff --git a/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml b/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
new file mode 100644
index 00000000..64540a4d
--- /dev/null
+++ b/bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
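Review bot: The added clusterPermissions for `validatingwebhookconfigurations` (hunk `@@ -406,6 +712,17`) and for `roles`/`rolebindings` (hunk `@@ -526,6 +871,18`) are cluster-wide `create`/`delete`/`update` grants with no `resourceNames`, so the operator identity can now rewrite admission policy for the whole cluster and create namespaced RBAC in any namespace. Because the admission controller is meant to live in its own namespace (the descriptor text says it should not share the operator's namespace), OLM's namespace-scoped `permissions` cannot cover it and the cluster-scoped grant is probably unavoidable; a comment above each rule naming the object the operator manages (e.g. `# manages the Role/RoleBinding in spec.installNamespace`) would help anyone auditing the CSV, and RBAC escalation prevention still bounds what the operator can grant to what it itself holds. For the webhook configuration, `get`/`update`/`delete` can be narrowed with `resourceNames` once the object's name is fixed (`create` cannot be name-restricted). `leases` also gains `delete` and `watch` in hunk `@@ -435,9 +752,11`; `delete` is not needed for plain leader election, so the reason is worth recording in the commit message.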
@@ -0,0 +1,548 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + creationTimestamp: null + name: falconadmissions.falcon.crowdstrike.com +spec: + group: falcon.crowdstrike.com + names: + kind: FalconAdmission + listKind: FalconAdmissionList + plural: falconadmissions + singular: falconadmission + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Version of the Operator + jsonPath: .status.version + name: Operator Version + type: string + - description: Version of the Falcon Admission Controller + jsonPath: .status.sensor + name: Falcon Sensor + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: FalconAdmission is the Schema for the falconadmissions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FalconAdmissionSpec defines the desired state of FalconAdmission + properties: + admissionConfig: + description: Additional configuration for Falcon Admission Controller + deployment. + properties: + containerPort: + default: 4443 + description: Port on which the Falcon Admission Controller container + will listen for requests. 
+ format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + disabledNamespaces: + description: Ignore admission control for a specific set of namespaces. + properties: + ignoreOpenShiftNamespaces: + description: For OpenShift clusters, ignore openshift-specific + namespaces for admission control. + type: boolean + namespaces: + description: Configure a list of namespaces to ignore admission + control. + items: + type: string + type: array + type: object + failurePolicy: + default: Ignore + description: Configure the failure policy for the Falcon Admission + Controller. + enum: + - Ignore + - Fail + type: string + imagePullPolicy: + default: Always + description: PullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - IfNotPresent + - Never + type: string + imagePullSecrets: + description: ImagePullSecrets is an optional list of references + to secrets to use for pulling image from the image location. + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + replicas: + default: 2 + description: Number of replicas for the Falcon Admission Controller + deployment. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + resources: + default: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 300m + memory: 512Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. 
+ \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + resourcesClient: + default: + limits: + cpu: 750m + memory: 256Mi + requests: + cpu: 500m + memory: 256Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. 
\n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + serviceAccount: + description: Define annotations that will be passed down to admision + controller service account. This is useful for passing along + AWS IAM Role or GCP Workload Identity. + properties: + annotations: + additionalProperties: + type: string + description: Define annotations that will be passed down to + the Service Account. This is useful for passing along AWS + IAM Role or GCP Workload Identity. 
+ type: object + type: object + servicePort: + default: 443 + description: Port on which the Falcon Admission Controller service + will listen for requests from the cluster. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + tls: + description: Configure TLS setings for the Falcon Admission Controller + properties: + validity: + description: Validity of the TLS certificate in days. Default + is 3650 days. + pattern: ^[0-9]{1-4}$ + type: integer + x-kubernetes-int-or-string: true + type: object + updateStrategy: + default: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + description: Type of Deployment update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + properties: + rollingUpdate: + description: RollingUpdate is used to specify the strategy + used to roll out a deployment + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be scheduled + above the desired number of pods. Value can be an absolute + number (ex: 5) or a percentage of desired pods (ex: + 10%). This can not be 0 if MaxUnavailable is 0. Absolute + number is calculated from percentage by rounding up. + Defaults to 25%. Example: when this is set to 30%, the + new ReplicaSet can be scaled up immediately when the + rolling update starts, such that the total number of + old and new pods do not exceed 130% of desired pods. + Once old pods have been killed, new ReplicaSet can be + scaled up further, ensuring that total number of pods + running at any time during the update is at most 130% + of desired pods.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be unavailable + during the update. Value can be an absolute number (ex: + 5) or a percentage of desired pods (ex: 10%). Absolute + number is calculated from percentage by rounding down. 
+ This can not be 0 if MaxSurge is 0. Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet + can be scaled down to 70% of desired pods immediately + when the rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that the + total number of pods available at all times during the + update is at least 70% of desired pods.' + x-kubernetes-int-or-string: true + type: object + type: object + type: object + falcon: + description: CrowdStrike Falcon sensor configuration + properties: + apd: + default: false + description: Disable the Falcon Sensor's use of a proxy. + type: boolean + aph: + description: The application proxy host to use for Falcon sensor + proxy configuration. + type: string + app: + description: The application proxy port to use for Falcon sensor + proxy configuration. + maximum: 65535 + minimum: 0 + type: integer + billing: + description: Utilize default or Pay-As-You-Go billing. + enum: + - default + - metered + type: string + cid: + description: Falcon Customer ID (CID) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + provisioning_token: + description: Installation token that prevents unauthorized hosts + from being accidentally or maliciously added to your customer + ID (CID). + pattern: ^[0-9a-fA-F]{8}$ + type: string + tags: + description: 'Sensor grouping tags are optional, user-defined + identifiers that can used to group and filter hosts. Allowed + characters: all alphanumerics, ''/'', ''-'', and ''_''.' + items: + type: string + type: array + trace: + default: none + description: Set sensor trace level. + enum: + - none + - err + - warn + - info + - debug + type: string + type: object + falcon_api: + description: "FalconAPI configures connection from your local Falcon + operator to CrowdStrike Falcon platform. 
\n When configured, it + will pull the sensor from registry.crowdstrike.com and deploy the + appropriate sensor to the cluster. \n If using the API is not desired, + the sensor can be manually configured by setting the Image and Version + fields." + properties: + cid: + description: Falcon Customer ID (CID) Override (optional, default + is derived from the API Key pair) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + client_id: + description: Falcon OAuth2 API Client ID + type: string + client_secret: + description: Falcon OAuth2 API Client Secret + type: string + cloud_region: + description: Cloud Region defines CrowdStrike Falcon Cloud Region + to which the operator will connect and register. + enum: + - autodiscover + - us-1 + - us-2 + - eu-1 + - us-gov-1 + type: string + required: + - client_id + - client_secret + - cloud_region + type: object + image: + description: Location of the Falcon Sensor image. Use only in cases + when you mirror the original image to your repository/name:tag, + and CrowdStrike OAuth2 API is not used. + pattern: ^.*:.*$ + type: string + installNamespace: + default: falcon-kac + description: Namespace where the Falcon Admission Controller should + be installed. For best security practices, this should be a dedicated + namespace that is not used for any other purpose. It also should + not be the same namespace where the Falcon Operator or the Falcon + Sensor is installed. + type: string + registry: + description: Registry configures container image registry to which + the Admission Controller image will be pushed. + properties: + acr_name: + description: Azure Container Registry Name represents the name + of the ACR for the Falcon Container push. Only applicable to + Azure cloud. 
+ type: string + tls: + description: TLS configures TLS connection for push of Falcon + Container image to the registry + properties: + caCertificate: + description: Allow for users to provide a CA Cert Bundle, + as either a string or base64 encoded string + type: string + caCertificateConfigMap: + description: Allow for users to provide a ConfigMap containing + a CA Cert Bundle under a key ending in .crt + type: string + insecure_skip_verify: + description: Allow pushing to docker registries over HTTPS + with failed TLS verification. Note that this does not affect + other TLS connections. + type: boolean + type: object + type: + description: Type of container registry to be used + enum: + - acr + - ecr + - gcr + - crowdstrike + - openshift + type: string + required: + - type + type: object + resourcequota: + description: ResourceQuota configures the ResourceQuota for the Falcon + Admission Controller. This is useful for limiting the number of + pods that can be created in the namespace. + properties: + pods: + default: "2" + description: Limits the number of admission controller pods that + can be created in the namespace. + type: string + type: object + version: + description: 'Falcon Admission Controller Version. The latest version + will be selected when version specifier is missing. Example: 6.31, + 6.31.0, 6.31.0-1409, etc.' + type: string + type: object + status: + description: FalconAdmissionStatus defines the observed state of FalconAdmission + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + sensor: + description: Version of the CrowdStrike Falcon Sensor + type: string + version: + description: Version of the CrowdStrike Falcon Operator + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml index dc366d96..557da71e 100644 --- a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml +++ b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml @@ -1899,7 +1899,7 @@ spec: type: boolean type: object type: - description: Type of the registry to be used + description: Type of container registry to be used enum: - acr - ecr diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 1b51dd9b..2896dca8 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml 
@@ -5,9 +5,9 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: falcon-operator operators.operatorframework.io.bundle.channels.v1: alpha - operators.operatorframework.io.metrics.builder: operator-sdk-v1.30.0 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.29.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 - operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3 + operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4-alpha # Annotations for testing. operators.operatorframework.io.test.mediatype.v1: scorecard+v1 diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml index 4ec3f4cb..91557f61 100644 --- a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml @@ -392,8 +392,7 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:password - description: Location of the Falcon Sensor image. Use only in cases when you - mirror the original image to your repository/name:tag, and CrowdStrike OAuth2 - API is not used. + mirror the original image to your repository/name:tag displayName: Image path: node.image - description: Disable the Falcon Sensor's use of a proxy.
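Review bot: The `node.image` description in the last hunk drops the clause "and CrowdStrike OAuth2 API is not used", while the `image` field of the new FalconAdmission CRD introduced by this same patch still carries it, so the two mirrored-image fields now document different contracts. Whether API credentials are still consulted once an explicit image is set is exactly what an operator needs to know before deciding if `falcon_api` (and its `client_id`/`client_secret`) must be populated on the CR, so the descriptor should state it outright rather than leave it implied. If the node sensor still bypasses the API when `node.image` is set, restore the clause, e.g. `mirror the original image to your repository/name:tag and the CrowdStrike OAuth2 API is not used.`; if the behavior has changed, say which source takes precedence instead. The bundle copy of this CSV is also modified in this commit but is outside this view, so the two copies of the descriptor should be checked for agreement; the surrounding descriptor list starts and ends outside the hunk.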