Falcon IAR Function, Types and Constants

api/falcon/v1alpha1/falconimage_types.go

@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -9,29 +10,70 @@ import (
 
 // FalconImageSpec defines the desired state of FalconImage
 type FalconImageSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// Namespace where the Falcon Image Controller should be installed.
+	// For best security practices, this should be a dedicated namespace that is not used for any other purpose.
+	// It also should not be the same namespace where the Falcon Operator or the Falcon Sensor is installed.
+	// +kubebuilder:default:=falcon-imageanalyzer
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
+	InstallNamespace string `json:"installNamespace,omitempty"`
+
+	// Additional configuration for Falcon Image Controller deployment.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Image Controller Configuration",order=5
+	ImageConfig FalconImageConfigSpec `json:"ImageConfig,omitempty"`
+}
+
+type FalconImageConfigSpec struct {
+	// Define annotations that will be passed down to admision controller service account. This is useful for passing along AWS IAM Role or GCP Workload Identity.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Service Account Configuration",order=7
+	ServiceAccount FalconImageServiceAccount `json:"serviceAccount,omitempty"`
+
+	// +kubebuilder:default:=Always
+	// +kubebuilder:validation:Enum=Always;IfNotPresent;Never
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Image Pull Policy",order=4
+	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
 
-	// Foo is an example field of FalconImage. Edit falconimage_types.go to remove/update
-	Foo string `json:"foo,omitempty"`
+	// ImagePullSecrets is an optional list of references to secrets to use for pulling image from the image location.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Falcon Image Controller Image Pull Secrets",xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
+	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+}
+
+type FalconImageServiceAccount struct {
+	// Define annotations that will be passed down to the Service Account. This is useful for passing along AWS IAM Role or GCP Workload Identity.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Service Account Annotations",order=1
+	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
 // FalconImageStatus defines the observed state of FalconImage
 type FalconImageStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
+
+	// Version of the CrowdStrike Falcon Sensor
+	// +operator-sdk:csv:customresourcedefinitions:type=status,displayName="Falcon Sensor Version",xDescriptors={"urn:alm:descriptor:text"}
+	Sensor *string `json:"sensor,omitempty"`
+
+	// Version of the CrowdStrike Falcon Operator
+	// +operator-sdk:csv:customresourcedefinitions:type=status,displayName="Falcon Operator Version",xDescriptors={"urn:alm:descriptor:text"}
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// +operator-sdk:csv:customresourcedefinitions:type=status,displayName="Falcon Image Conditions",xDescriptors={"urn:alm:descriptor:io.kubernetes.conditions"}
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+//+kubebuilder:printcolumn:name="Operator Version",type="string",JSONPath=".status.version",description="Version of the Operator"
+//+kubebuilder:printcolumn:name="Falcon Sensor",type="string",JSONPath=".status.sensor",description="Version of the Falcon Image Analyzer"
 
 // FalconImage is the Schema for the falconimages API
 type FalconImage struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   FalconImageSpec   `json:"spec,omitempty"`
-	Status FalconImageStatus `json:"status,omitempty"`
+	Spec   FalconImageSpec `json:"spec,omitempty"`
+	Status FalconCRStatus  `json:"status,omitempty"`
 }
 
 //+kubebuilder:object:root=true

api/falcon/v1alpha1/zz_generated.deepcopy.go

@@ -759,8 +759,8 @@ func (in *FalconImage) DeepCopyInto(out *FalconImage) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	out.Spec = in.Spec
-	out.Status = in.Status
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconImage.
@@ -781,6 +781,27 @@ func (in *FalconImage) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FalconImageConfigSpec) DeepCopyInto(out *FalconImageConfigSpec) {
+	*out = *in
+	in.ServiceAccount.DeepCopyInto(&out.ServiceAccount)
+	if in.ImagePullSecrets != nil {
+		in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
+		*out = make([]corev1.LocalObjectReference, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconImageConfigSpec.
+func (in *FalconImageConfigSpec) DeepCopy() *FalconImageConfigSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(FalconImageConfigSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconImageList) DeepCopyInto(out *FalconImageList) {
 	*out = *in
@@ -813,9 +834,32 @@ func (in *FalconImageList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FalconImageServiceAccount) DeepCopyInto(out *FalconImageServiceAccount) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconImageServiceAccount.
+func (in *FalconImageServiceAccount) DeepCopy() *FalconImageServiceAccount {
+	if in == nil {
+		return nil
+	}
+	out := new(FalconImageServiceAccount)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconImageSpec) DeepCopyInto(out *FalconImageSpec) {
 	*out = *in
+	in.ImageConfig.DeepCopyInto(&out.ImageConfig)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconImageSpec.
@@ -831,6 +875,18 @@ func (in *FalconImageSpec) DeepCopy() *FalconImageSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconImageStatus) DeepCopyInto(out *FalconImageStatus) {
 	*out = *in
+	if in.Sensor != nil {
+		in, out := &in.Sensor, &out.Sensor
+		*out = new(string)
+		**out = **in
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconImageStatus.

config/crd/bases/falcon.crowdstrike.com_falconimages.yaml

@@ -12,9 +12,18 @@ spec:
     listKind: FalconImageList
     plural: falconimages
     singular: falconimage
-  scope: Namespaced
+  scope: Cluster
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - description: Version of the Operator
+      jsonPath: .status.version
+      name: Operator Version
+      type: string
+    - description: Version of the Falcon Image Analyzer
+      jsonPath: .status.sensor
+      name: Falcon Sensor
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: FalconImage is the Schema for the falconimages API
@@ -34,13 +43,133 @@ spec:
           spec:
             description: FalconImageSpec defines the desired state of FalconImage
             properties:
-              foo:
-                description: Foo is an example field of FalconImage. Edit falconimage_types.go
-                  to remove/update
+              ImageConfig:
+                description: Additional configuration for Falcon Image Controller
+                  deployment.
+                properties:
+                  imagePullPolicy:
+                    default: Always
+                    description: PullPolicy describes a policy for if/when to pull
+                      a container image
+                    enum:
+                    - Always
+                    - IfNotPresent
+                    - Never
+                    type: string
+                  imagePullSecrets:
+                    description: ImagePullSecrets is an optional list of references
+                      to secrets to use for pulling image from the image location.
+                    items:
+                      description: LocalObjectReference contains enough information
+                        to let you locate the referenced object inside the same namespace.
+                      properties:
+                        name:
+                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            TODO: Add other useful fields. apiVersion, kind, uid?'
+                          type: string
+                      type: object
+                      x-kubernetes-map-type: atomic
+                    type: array
+                  serviceAccount:
+                    description: Define annotations that will be passed down to admision
+                      controller service account. This is useful for passing along
+                      AWS IAM Role or GCP Workload Identity.
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        description: Define annotations that will be passed down to
+                          the Service Account. This is useful for passing along AWS
+                          IAM Role or GCP Workload Identity.
+                        type: object
+                    type: object
+                type: object
+              installNamespace:
+                default: falcon-imageanalyzer
+                description: Namespace where the Falcon Image Controller should be
+                  installed. For best security practices, this should be a dedicated
+                  namespace that is not used for any other purpose. It also should
+                  not be the same namespace where the Falcon Operator or the Falcon
+                  Sensor is installed.
                 type: string
             type: object
           status:
-            description: FalconImageStatus defines the observed state of FalconImage
+            description: FalconAdmissionStatus defines the observed state of FalconAdmission
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              sensor:
+                description: Version of the CrowdStrike Falcon Sensor
+                type: string
+              version:
+                description: Version of the CrowdStrike Falcon Operator
+                type: string
             type: object
         type: object
     served: true