Merge branch 'main' into maint-1.0

.github/workflows/docs.yml

@@ -33,7 +33,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: [1.20.x]
+        go-version: [1.21.x]
 
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/go.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: [1.20.x]
+        go-version: [1.21.x]
 
     runs-on: ${{ matrix.os }}
     steps:
@@ -51,7 +51,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: [1.20.x]
+        go-version: [1.21.x]
 
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/operator-deployment.yml

@@ -24,7 +24,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: [1.20.x]
+        go-version: [1.21.x]
     if: |
       github.event_name == 'push' ||
       (github.event_name == 'pull_request_target' &&

.github/workflows/operator-metadata.yml

@@ -23,7 +23,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go-version: [1.20.x]
+        go-version: [1.21.x]
 
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/release.yml

@@ -174,7 +174,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.20.x]
+        go-version: [1.21.x]
 
     steps:
       - name: Install qemu dependency

Makefile

@@ -178,7 +178,7 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform
 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross
 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder
 	$(CONTAINER_TOOL) buildx use project-v3-builder
-	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) $(CONTAINER_BUILD_ARGS) --tag ${IMG} -f Dockerfile.cross .
+	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) $(CONTAINER_BUILD_ARGS) --provenance=false --tag ${IMG} -f Dockerfile.cross .
 	- $(CONTAINER_TOOL) buildx rm project-v3-builder
 	rm Dockerfile.cross
 

api/falcon/v1alpha1/advanced.go

@@ -0,0 +1,53 @@
+package v1alpha1
+
+import "strings"
+
+const (
+	Force  = "force"
+	Normal = "normal"
+	Off    = "off"
+)
+
+// FalconAdvanced configures various options that go against industry practices or are otherwise not recommended for use.
+// Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
+// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+type FalconAdvanced struct {
+	// UpdatePolicy is the name of a sensor update policy configured and enabled in Falcon UI. It is ignored when Image and/or Version are set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Update Policy",order=1
+	UpdatePolicy *string `json:"updatePolicy,omitempty"`
+
+	// AutoUpdate determines whether to install new versions of the sensor as they become available. Defaults to "off" and is ignored if FalconAPI is not set.
+	// Setting this to "force" causes the reconciler to run on every polling cycle, even if a new sensor version is not available.
+	// Setting it to "normal" only reconciles when a new version is detected.
+	// +kubebuilder:validation:Enum=off;normal;force
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Automatic Updates",order=2
+	AutoUpdate *string `json:"autoUpdate,omitempty"`
+}
+
+func (advanced FalconAdvanced) GetUpdatePolicy() string {
+	if advanced.UpdatePolicy == nil {
+		return ""
+	}
+
+	return strings.TrimSpace(*advanced.UpdatePolicy)
+}
+
+func (advanced FalconAdvanced) HasUpdatePolicy() bool {
+	return advanced.GetUpdatePolicy() != ""
+}
+
+func (advanced FalconAdvanced) IsAutoUpdating() bool {
+	if advanced.AutoUpdate == nil {
+		return false
+	}
+
+	return *advanced.AutoUpdate != "off"
+}
+
+func (advanced FalconAdvanced) IsAutoUpdatingForced() bool {
+	if advanced.AutoUpdate == nil {
+		return false
+	}
+
+	return *advanced.AutoUpdate == "force"
+}

api/falcon/v1alpha1/falcon_api.go

@@ -28,6 +28,10 @@ type FalconAPI struct {
 	// +kubebuilder:validation:Pattern="^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$"
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Customer ID (CID)",order=4
 	CID *string `json:"cid,omitempty"`
+
+	// Specifies the hostname of the API endpoint to use. If blank, the public Falcon API endpoint is used.
+	// Intentionally not exported as a resource property.
+	HostOverride string `json:"-"`
 }
 
 // RegistryTLSSpec configures TLS for registry pushing
@@ -82,6 +86,7 @@ func (fa *FalconAPI) ApiConfig() *falcon.ApiConfig {
 		Cloud:             falcon.Cloud(fa.CloudRegion),
 		ClientId:          fa.ClientId,
 		ClientSecret:      fa.ClientSecret,
+		HostOverride:      fa.HostOverride,
 		UserAgentOverride: fmt.Sprintf("falcon-operator/%s", version.Version),
 	}
 }

api/falcon/v1alpha1/falconcontainer_types.go

@@ -43,6 +43,12 @@ type FalconContainerSpec struct {
 	// Falcon Container Version. The latest version will be selected when version specifier is missing; ignored when Image is set.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Image Version",order=6
 	Version *string `json:"version,omitempty"`
+
+	// Advanced configures various options that go against industry practices or are otherwise not recommended for use.
+	// Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
+	// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Advanced Settings"
+	Advanced FalconAdvanced `json:"advanced,omitempty"`
 }
 
 type FalconContainerInjectorSpec struct {

api/falcon/v1alpha1/falconnodesensor_types.go

@@ -103,6 +103,12 @@ type FalconNodeSensorConfig struct {
 
 	// Version of the sensor to be installed. The latest version will be selected when this version specifier is missing.
 	Version *string `json:"version,omitempty"`
+
+	// Advanced configures various options that go against industry practices or are otherwise not recommended for use.
+	// Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
+	// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="DaemonSet Advanced Settings"
+	Advanced FalconAdvanced `json:"advanced,omitempty"`
 }
 
 type PriorityClassConfig struct {

api/falcon/v1alpha1/zz_generated.deepcopy.go

@@ -537,6 +537,31 @@ func (in *FalconAdmissionUpdateStrategy) DeepCopy() *FalconAdmissionUpdateStrate
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FalconAdvanced) DeepCopyInto(out *FalconAdvanced) {
+	*out = *in
+	if in.UpdatePolicy != nil {
+		in, out := &in.UpdatePolicy, &out.UpdatePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoUpdate != nil {
+		in, out := &in.AutoUpdate, &out.AutoUpdate
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdvanced.
+func (in *FalconAdvanced) DeepCopy() *FalconAdvanced {
+	if in == nil {
+		return nil
+	}
+	out := new(FalconAdvanced)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconCRStatus) DeepCopyInto(out *FalconCRStatus) {
 	*out = *in
@@ -739,6 +764,7 @@ func (in *FalconContainerSpec) DeepCopyInto(out *FalconContainerSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	in.Advanced.DeepCopyInto(&out.Advanced)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconContainerSpec.
@@ -1032,6 +1058,7 @@ func (in *FalconNodeSensorConfig) DeepCopyInto(out *FalconNodeSensorConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	in.Advanced.DeepCopyInto(&out.Advanced)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconNodeSensorConfig.

cmd/main.go

@@ -40,6 +40,7 @@ import (
 
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 	admissioncontroller "github.com/crowdstrike/falcon-operator/internal/controller/admission"
+	"github.com/crowdstrike/falcon-operator/internal/controller/common/sensorversion"
 	containercontroller "github.com/crowdstrike/falcon-operator/internal/controller/falcon_container"
 	imageanalyzercontroller "github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer"
 	nodecontroller "github.com/crowdstrike/falcon-operator/internal/controller/falcon_node"
@@ -48,6 +49,8 @@ import (
 	// +kubebuilder:scaffold:imports
 )
 
+const defaultSensorAutoUpdateInterval = time.Hour * 24
+
 var (
 	scheme      = runtime.NewScheme()
 	setupLog    = ctrl.Log.WithName("setup")
@@ -70,6 +73,7 @@ func main() {
 	var enableProfiling bool
 	var ver bool
 	var err error
+	var sensorAutoUpdateInterval time.Duration
 
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -79,6 +83,7 @@ func main() {
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&ver, "version", false, "Print version")
+	flag.DurationVar(&sensorAutoUpdateInterval, "sensor-auto-update-interval", defaultSensorAutoUpdateInterval, "The rate at which the Falcon API is queried for new sensor versions")
 
 	if env := os.Getenv("ARGS"); env != "" {
 		os.Args = append(os.Args, strings.Split(env, " ")...)
@@ -182,18 +187,21 @@ func main() {
 		setupLog.Info("cert-manager installation not found")
 	}
 
+	ctx := ctrl.SetupSignalHandler()
+	tracker := sensorversion.NewTracker(ctx, sensorAutoUpdateInterval)
+
 	if err = (&containercontroller.FalconContainerReconciler{
 		Client:     mgr.GetClient(),
 		Scheme:     mgr.GetScheme(),
 		RestConfig: mgr.GetConfig(),
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, tracker); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FalconContainer")
 		os.Exit(1)
 	}
 	if err = (&nodecontroller.FalconNodeSensorReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, tracker); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FalconNodeSensor")
 		os.Exit(1)
 	}
@@ -240,8 +248,10 @@ func main() {
 		}()
 	}
 
+	go tracker.StartTracking()
+
 	setupLog.Info("starting manager", "version", version.Get(), "go version", version.GoVersion)
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml

@@ -43,6 +43,30 @@ spec:
           spec:
             description: FalconContainerSpec defines the desired state of FalconContainer
             properties:
+              advanced:
+                description: Advanced configures various options that go against industry
+                  practices or are otherwise not recommended for use. Adjusting these
+                  settings may result in incorrect or undesirable behavior. Proceed
+                  at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+                properties:
+                  autoUpdate:
+                    description: AutoUpdate determines whether to install new versions
+                      of the sensor as they become available. Defaults to "off" and
+                      is ignored if FalconAPI is not set. Setting this to "force"
+                      causes the reconciler to run on every polling cycle, even if
+                      a new sensor version is not available. Setting it to "normal"
+                      only reconciles when a new version is detected.
+                    enum:
+                    - "off"
+                    - normal
+                    - force
+                    type: string
+                  updatePolicy:
+                    description: UpdatePolicy is the name of a sensor update policy
+                      configured and enabled in Falcon UI. It is ignored when Image
+                      and/or Version are set.
+                    type: string
+                type: object
               falcon:
                 description: CrowdStrike Falcon Sensor configuration settings.
                 properties:

config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml

@@ -138,6 +138,31 @@ spec:
               node:
                 description: Various configuration for DaemonSet Deployment
                 properties:
+                  advanced:
+                    description: Advanced configures various options that go against
+                      industry practices or are otherwise not recommended for use.
+                      Adjusting these settings may result in incorrect or undesirable
+                      behavior. Proceed at your own risk. For more information, please
+                      see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+                    properties:
+                      autoUpdate:
+                        description: AutoUpdate determines whether to install new
+                          versions of the sensor as they become available. Defaults
+                          to "off" and is ignored if FalconAPI is not set. Setting
+                          this to "force" causes the reconciler to run on every polling
+                          cycle, even if a new sensor version is not available. Setting
+                          it to "normal" only reconciles when a new version is detected.
+                        enum:
+                        - "off"
+                        - normal
+                        - force
+                        type: string
+                      updatePolicy:
+                        description: UpdatePolicy is the name of a sensor update policy
+                          configured and enabled in Falcon UI. It is ignored when
+                          Image and/or Version are set.
+                        type: string
+                    type: object
                   backend:
                     default: bpf
                     description: Sets the backend to be used by the DaemonSet Sensor.