
bug: "invalid memory address" for FalconImageAnalyzer resource #575

Open
comptonad opened this issue Aug 7, 2024 · 6 comments

Comments

@comptonad

I created the following FalconImageAnalyzer resource:

apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconImageAnalyzer
metadata:
  name: falcon-image-analyzer
spec:
  installNamespace: falcon-image-analyzer
  image: <our-registry>/crowdstrike/falcon-imageanalyzer:1.0.13
  imageAnalyzerConfig:
    clusterName: <our-cluster-name>
    imagePullPolicy: IfNotPresent
    imagePullSecrets:
      - name: <our-secret-name>

And now the falcon-operator is in a CrashLoopBackOff with the following error:

2024-08-07T17:19:48Z	INFO	Observed a panic in reconciler: runtime error: invalid memory address or nil pointer dereference	{"controller": "falconimageanalyzer", "controllerGroup": "falcon.crowdstrike.com", "controllerKind": "FalconImageAnalyzer", "FalconImageAnalyzer": {"name":"falcon-image-analyzer"}, "namespace": "", "name": "falcon-image-analyzer", "reconcileID": "4708945a-7892-4e55-81b0-da27cb541104"}
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x26e11f5]

goroutine 346 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:115 +0x1e5
panic({0x2b2ce00?, 0x5427a10?})
	/usr/lib/golang/src/runtime/panic.go:914 +0x21f
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).newConfigMap(0xc00009ac00?, {0x3540aa8, 0xc000a00120}, {0xc00007d360, 0x1c}, 0xc00002f080)
	/workspace/internal/controller/falcon_image_analyzer/configmap.go:76 +0xd5
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).reconcileGenericConfigMap(0xc00012d380, {0xc00007d360, 0x1c}, 0x30bab7c?, {0x3540aa8, 0xc000a00120}, {{{0x0, 0x0}, {0xc000443548, 0x15}}}, ...)
	/workspace/internal/controller/falcon_image_analyzer/configmap.go:33 +0x87
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).reconcileConfigMap(0xc00012d380, {0x3540aa8, 0xc000a00120}, {{{0x0?, 0x426a88?}, {0xc000443548?, 0x7b36f3?}}}, {{0x3544fa8, 0xc000a00150}, 0x0}, ...)
	/workspace/internal/controller/falcon_image_analyzer/configmap.go:29 +0x125
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).Reconcile(0xc00012d380, {0x3540aa8?, 0xc000a00120}, {{{0x0?, 0x0?}, {0xc000443548?, 0x41edc5?}}})
	/workspace/internal/controller/falcon_image_analyzer/falconimage_controller.go:212 +0xddc
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x3540aa8?, {0x3540aa8?, 0xc000a00120?}, {{{0x0?, 0x2988c80?}, {0xc000443548?, 0x352e940?}}})
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:118 +0xb7
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc000514c80, {0x3540ae0, 0xc0000d43c0}, {0x2c37f60?, 0xc0005489a0?})
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:314 +0x368
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc000514c80, {0x3540ae0, 0xc0000d43c0})
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265 +0x1c9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226 +0x79
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 130
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222 +0x565

Looking at the line in the error above, the FalconImageAnalyzer controller is expecting the FalconAPI struct to exist which it does not on the resource I created.

There seems to be a gap in the logic around the config map handling here but I'm not confident enough in my understanding of what is supposed to happen here to create a PR with a fix.
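The crash in the trace above is the classic shape of an optional CRD field being dereferenced without a guard: the reconciler reaches into a pointer that the API server happily accepted as absent, and the resulting panic takes the whole operator process into CrashLoopBackOff. The following is an added illustration, not code from the falcon-operator repository, of the defensive pattern a reconciler should follow: validate the spec first and return an error (which the controller surfaces and retries) instead of panicking. The struct shapes, ConfigMap key names and validation rules are hypothetical and only modelled on the field names that appear in this issue.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified types modelled on the spec fields named in this
// issue. They are not the operator's real API types.
type FalconAPI struct {
	ClientID     string
	ClientSecret string
	CloudRegion  string
}

type ImageAnalyzerConfig struct {
	ClusterName string
}

type FalconImageAnalyzerSpec struct {
	InstallNamespace    string
	Image               string
	FalconAPI           *FalconAPI // optional in the CRD schema, so nil is a legal input
	ImageAnalyzerConfig ImageAnalyzerConfig
}

// ErrMissingFalconAPI is returned in place of the nil dereference; the
// reconciler can record it on the resource status and requeue.
var ErrMissingFalconAPI = errors.New("spec.falcon_api is required for FalconImageAnalyzer but was not set")

// validateSpec is the guard that must run before any optional pointer
// field is read.
func validateSpec(spec *FalconImageAnalyzerSpec) error {
	if spec == nil {
		return errors.New("nil spec")
	}
	if spec.FalconAPI == nil {
		return ErrMissingFalconAPI
	}
	if spec.FalconAPI.ClientID == "" || spec.FalconAPI.ClientSecret == "" {
		return errors.New("spec.falcon_api.client_id and client_secret must both be set")
	}
	if spec.FalconAPI.CloudRegion == "" {
		return errors.New("spec.falcon_api.cloud_region must be set")
	}
	return nil
}

// buildConfigMapData stands in for a ConfigMap builder: it reads the optional
// struct only after validation succeeded. Key names are illustrative. The
// client secret is deliberately not copied here; a ConfigMap is not
// encrypted at rest the way a Secret is.
func buildConfigMapData(spec *FalconImageAnalyzerSpec) (map[string]string, error) {
	if err := validateSpec(spec); err != nil {
		return nil, fmt.Errorf("refusing to build ConfigMap: %w", err)
	}
	return map[string]string{
		"clusterName": spec.ImageAnalyzerConfig.ClusterName,
		"cloudRegion": spec.FalconAPI.CloudRegion,
		"clientId":    spec.FalconAPI.ClientID,
	}, nil
}

func main() {
	// Constructed input reproducing the resource from this issue: no falcon_api block.
	spec := &FalconImageAnalyzerSpec{
		InstallNamespace:    "falcon-image-analyzer",
		Image:               "registry.example/crowdstrike/falcon-imageanalyzer:1.0.13",
		ImageAnalyzerConfig: ImageAnalyzerConfig{ClusterName: "example-cluster"},
	}
	if _, err := buildConfigMapData(spec); err != nil {
		// A reconciler would return this error rather than crash the process.
		fmt.Println("reconcile error:", err)
	}
}
```

With the guard in place the failure becomes a visible, retryable reconcile error on that one resource rather than a SIGSEGV that stops the operator from serving every other Falcon resource in the cluster.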

@redhatrises
Contributor

redhatrises commented Aug 7, 2024

Hello,

Currently, having FalconAPI configured and set is required for IAR functionality.

@comptonad
Author

comptonad commented Aug 7, 2024

I've attempted to add FalconAPI but I'm seeing 403s in the image analyzer pod logs. What permissions are needed in this case?

time="2024-08-07T20:33:23Z" level=error msg="error getting imageanalyzer config. will try again" mode=watcher error="received 403 from uri https://api.crowdstrike.com/image-assessment/runtime/entities/config/v1 - response = {\n \"meta\": {\n  \"query_time\": 1.28e-7,\n  \"powered_by\": \"crowdstrike-api-gateway\",\n  \"trace_id\": \"17b24113-f416-4eb3-99b8-1018bbc50fa5\"\n },\n \"errors\": [\n  {\n   \"code\": 403,\n   \"message\": \"access denied, authorization failed\"\n  }\n ]\n}"

I've followed the readme and like the CRD readmes it says I only need Falcon Images Download: Read and Sensor Download: Read, which to my understanding is just for pulling the docker images if an image is not specified. And to note, the credentials I've provided work for the falcon-container-sensor-pull.sh script so I know they are valid.

@comptonad
Author

Minor update with additional context: in the above example I had falcon_api.cloud_region set to us-1. When I try the value us-2 I get 401s.

time="2024-08-08T14:27:37Z" level=error msg="error getting imageanalyzer config. will try again" mode=watcher error="received 401 from uri https://api.us-2.crowdstrike.com/image-assessment/runtime/entities/config/v1 - response = {\n \"meta\": {\n  \"query_time\": 1.61e-7,\n  \"powered_by\": \"crowdstrike-api-gateway\",\n  \"trace_id\": \"becccaf4-8c36-4890-a20e-cd1b814e3cdc\"\n },\n \"errors\": [\n  {\n   \"code\": 401,\n   \"message\": \"access denied, invalid bearer token\"\n  }\n ]\n}"

And just for kicks I tried autodiscover (noted in some of the other resources) and I got this

time="2024-08-08T14:25:58Z" level=error msg="error getting imageanalyzer config. will try again" error="unable to get JWT: unable to refresh JWT from crowdstrike: unable to complete request to crowdstrike Auth: Post \"/oauth2/token\": unsupported protocol scheme \"\"" mode=watcher

@ChristianCiach

ChristianCiach commented Nov 25, 2024

I don't get it. We've copied the IAR image to a private registry. The README clearly states that in this case, only image and cid need to be configured:

All arguments are optional, but successful deployment requires either client_id and client_secret or the Falcon cid and image. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.

The exact same quote can be found in the README for the admission controller.

So, are client_id and client_secret actually mandatory? If so, this is problematic as these cannot be configured by using a kubernetes secret. See

Putting the secrets directly into the CR is a no-no for us, because only proper "Secret" resources are subject to encryption-at-rest.

We will probably revert to using the Helm charts for the time being, as the operator doesn't seem to be production ready.

Edit:

I am also confused about whether we should install Falcon by using the Helm Charts or the Operator. The README of the operator states this:

The CrowdStrike Falcon Operator is an open source project and not a CrowdStrike product. As such, it carries no formal support, expressed, or implied.

But we have been advised by a Crowdstrike representative to use this operator, and issues and PRs at https://github.com/crowdstrike/falcon-helm are sometimes closed with a comment that says that future development will happen at the Operator. So the helm charts are kinda deprecated, but the operator is unsupported at the same time?

@evanstoner
Contributor

Hey @ChristianCiach - thanks for this feedback and the other issues you submitted. I am on our cloud integrations team but am not the maintainer of the operator. I think it would be best to get your CrowdStrike account team involved to help out with this deployment and escalate any concerns if necessary. I'm working to find the right folks now.

Since the IAR Helm chart requires client ID and secret, they should also be required by the operator, so this looks like a docs bug to me. I submitted #602 to track that since this issue

Understood on the use of Secrets - for now this is not available as you saw in #471, but your CrowdStrike team can get roadmap status from product management. So stand by for that.

@evanstoner
Contributor

@comptonad Were you able to resolve your deployment issues? This may have been a scopes issue for the API client.
