CrowdStrike · mhyson-cs · Jun 17, 2024 · Jul 3, 2024 · Jul 11, 2024
diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go
@@ -54,6 +54,14 @@ type FalconAdmissionSpec struct {
 	// Falcon Admission Controller Version. The latest version will be selected when version specifier is missing. Example: 6.31, 6.31.0, 6.31.0-1409, etc.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Version",order=8
 	Version *string `json:"version,omitempty"`
+
+	// UpdatePolicy is the name of an existing sensor update policy. It is ignored when Image and/or Version are set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Update Policy",order=9
+	UpdatePolicy *string `json:"updatePolicy,omitempty"`
+
+	// AutoUpdate determines whether to install new versions of the sensor as they become available. Defaults to no and is ignored if FalconAPI is not set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Automatic Updates",order=10
+	AutoUpdate *bool `json:"autoUpdate,omitempty"`
 }
 
 type FalconAdmissionRQSpec struct {

diff --git a/api/falcon/v1alpha1/falconcontainer_types.go b/api/falcon/v1alpha1/falconcontainer_types.go
@@ -43,6 +43,14 @@ type FalconContainerSpec struct {
 	// Falcon Container Version. The latest version will be selected when version specifier is missing; ignored when Image is set.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Image Version",order=6
 	Version *string `json:"version,omitempty"`
+
+	// UpdatePolicy is the name of an existing sensor update policy. It is ignored when Image and/or Version are set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Update Policy",order=7
+	UpdatePolicy *string `json:"updatePolicy,omitempty"`
+
+	// AutoUpdate determines whether to install new versions of the sensor as they become available. Defaults to no and is ignored if FalconAPI is not set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Automatic Updates",order=8
+	AutoUpdate *bool `json:"autoUpdate,omitempty"`
 }
 
 type FalconContainerInjectorSpec struct {

diff --git a/api/falcon/v1alpha1/falconnodesensor_types.go b/api/falcon/v1alpha1/falconnodesensor_types.go
@@ -103,6 +103,14 @@ type FalconNodeSensorConfig struct {
 
 	// Version of the sensor to be installed. The latest version will be selected when this version specifier is missing.
 	Version *string `json:"version,omitempty"`
+
+	// UpdatePolicy is the name of an existing sensor update policy. It is ignored when Image and/or Version are set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Node Sensor Update Policy",order=13
+	UpdatePolicy *string `json:"updatePolicy,omitempty"`
+
+	// AutoUpdate determines whether to install new versions of the sensor as they become available. Defaults to no and is ignored if FalconAPI is not set.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Node Sensor Automatic Updates",order=14
+	AutoUpdate *bool `json:"autoUpdate,omitempty"`
 }
 
 type PriorityClassConfig struct {

diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -462,6 +462,16 @@ func (in *FalconAdmissionSpec) DeepCopyInto(out *FalconAdmissionSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.UpdatePolicy != nil {
+		in, out := &in.UpdatePolicy, &out.UpdatePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoUpdate != nil {
+		in, out := &in.AutoUpdate, &out.AutoUpdate
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionSpec.
@@ -739,6 +749,16 @@ func (in *FalconContainerSpec) DeepCopyInto(out *FalconContainerSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.UpdatePolicy != nil {
+		in, out := &in.UpdatePolicy, &out.UpdatePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoUpdate != nil {
+		in, out := &in.AutoUpdate, &out.AutoUpdate
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconContainerSpec.
@@ -1032,6 +1052,16 @@ func (in *FalconNodeSensorConfig) DeepCopyInto(out *FalconNodeSensorConfig) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.UpdatePolicy != nil {
+		in, out := &in.UpdatePolicy, &out.UpdatePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoUpdate != nil {
+		in, out := &in.AutoUpdate, &out.AutoUpdate
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconNodeSensorConfig.

diff --git a/cmd/main.go b/cmd/main.go
@@ -40,6 +40,7 @@ import (
 
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 	admissioncontroller "github.com/crowdstrike/falcon-operator/internal/controller/admission"
+	"github.com/crowdstrike/falcon-operator/internal/controller/common/sensorversion"
 	containercontroller "github.com/crowdstrike/falcon-operator/internal/controller/falcon_container"
 	imageanalyzercontroller "github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer"
 	nodecontroller "github.com/crowdstrike/falcon-operator/internal/controller/falcon_node"
@@ -48,6 +49,8 @@ import (
 	// +kubebuilder:scaffold:imports
 )
 
+const sensorVersionTrackingPollingInterval = time.Hour * 24
+
 var (
 	scheme      = runtime.NewScheme()
 	setupLog    = ctrl.Log.WithName("setup")
@@ -182,26 +185,29 @@ func main() {
 		setupLog.Info("cert-manager installation not found")
 	}
 
+	ctx := ctrl.SetupSignalHandler()
+	tracker := sensorversion.NewTracker(ctx, sensorVersionTrackingPollingInterval)
+
 	if err = (&containercontroller.FalconContainerReconciler{
 		Client:     mgr.GetClient(),
 		Scheme:     mgr.GetScheme(),
 		RestConfig: mgr.GetConfig(),
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, tracker); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FalconContainer")
 		os.Exit(1)
 	}
 	if err = (&nodecontroller.FalconNodeSensorReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, tracker); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FalconNodeSensor")
 		os.Exit(1)
 	}
 	if err = (&admissioncontroller.FalconAdmissionReconciler{
 		Client:    mgr.GetClient(),
 		Scheme:    mgr.GetScheme(),
 		OpenShift: openShift,
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, tracker); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "FalconAdmission")
 		os.Exit(1)
 	}
@@ -240,8 +246,10 @@ func main() {
 		}()
 	}
 
+	go tracker.KeepTrackingChanges()
+
 	setupLog.Info("starting manager", "version", version.Get(), "go version", version.GoVersion)
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
@@ -302,6 +302,11 @@ spec:
                         type: object
                     type: object
                 type: object
+              autoUpdate:
+                description: AutoUpdate determines whether to install new versions
+                  of the sensor as they become available. Defaults to no and is ignored
+                  if FalconAPI is not set.
+                type: boolean
               falcon:
                 description: CrowdStrike Falcon sensor configuration
                 properties:
@@ -451,6 +456,10 @@ spec:
                       can be created in the namespace.
                     type: string
                 type: object
+              updatePolicy:
+                description: UpdatePolicy is the name of an existing sensor update
+                  policy. It is ignored when Image and/or Version are set.
+                type: string
               version:
                 description: 'Falcon Admission Controller Version. The latest version
                   will be selected when version specifier is missing. Example: 6.31,

diff --git a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
@@ -43,6 +43,11 @@ spec:
           spec:
             description: FalconContainerSpec defines the desired state of FalconContainer
             properties:
+              autoUpdate:
+                description: AutoUpdate determines whether to install new versions
+                  of the sensor as they become available. Defaults to no and is ignored
+                  if FalconAPI is not set.
+                type: boolean
               falcon:
                 description: CrowdStrike Falcon Sensor configuration settings.
                 properties:
@@ -1924,6 +1929,10 @@ spec:
                 required:
                 - type
                 type: object
+              updatePolicy:
+                description: UpdatePolicy is the name of an existing sensor update
+                  policy. It is ignored when Image and/or Version are set.
+                type: string
               version:
                 description: Falcon Container Version. The latest version will be
                   selected when version specifier is missing; ignored when Image is

diff --git a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml
@@ -138,6 +138,11 @@ spec:
               node:
                 description: Various configuration for DaemonSet Deployment
                 properties:
+                  autoUpdate:
+                    description: AutoUpdate determines whether to install new versions
+                      of the sensor as they become available. Defaults to no and is
+                      ignored if FalconAPI is not set.
+                    type: boolean
                   backend:
                     default: kernel
                     description: Sets the backend to be used by the DaemonSet Sensor.
@@ -516,6 +521,10 @@ spec:
                           type: string
                       type: object
                     type: array
+                  updatePolicy:
+                    description: UpdatePolicy is the name of an existing sensor update
+                      policy. It is ignored when Image and/or Version are set.
+                    type: string
                   updateStrategy:
                     description: Type of DaemonSet update. Can be "RollingUpdate"
                       or "OnDelete". Default is RollingUpdate.

diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
@@ -316,6 +316,11 @@ spec:
                         type: object
                     type: object
                 type: object
+              autoUpdate:
+                description: AutoUpdate determines whether to install new versions
+                  of the sensor as they become available. Defaults to no and is ignored
+                  if FalconAPI is not set.
+                type: boolean
               falcon:
                 description: CrowdStrike Falcon sensor configuration
                 properties:
@@ -465,6 +470,10 @@ spec:
                       can be created in the namespace.
                     type: string
                 type: object
+              updatePolicy:
+                description: UpdatePolicy is the name of an existing sensor update
+                  policy. It is ignored when Image and/or Version are set.
+                type: string
               version:
                 description: 'Falcon Admission Controller Version. The latest version
                   will be selected when version specifier is missing. Example: 6.31,
@@ -599,6 +608,11 @@ spec:
           spec:
             description: FalconContainerSpec defines the desired state of FalconContainer
             properties:
+              autoUpdate:
+                description: AutoUpdate determines whether to install new versions
+                  of the sensor as they become available. Defaults to no and is ignored
+                  if FalconAPI is not set.
+                type: boolean
               falcon:
                 description: CrowdStrike Falcon Sensor configuration settings.
                 properties:
@@ -2480,6 +2494,10 @@ spec:
                 required:
                 - type
                 type: object
+              updatePolicy:
+                description: UpdatePolicy is the name of an existing sensor update
+                  policy. It is ignored when Image and/or Version are set.
+                type: string
               version:
                 description: Falcon Container Version. The latest version will be
                   selected when version specifier is missing; ignored when Image is
@@ -3126,6 +3144,11 @@ spec:
               node:
                 description: Various configuration for DaemonSet Deployment
                 properties:
+                  autoUpdate:
+                    description: AutoUpdate determines whether to install new versions
+                      of the sensor as they become available. Defaults to no and is
+                      ignored if FalconAPI is not set.
+                    type: boolean
                   backend:
                     default: kernel
                     description: Sets the backend to be used by the DaemonSet Sensor.
@@ -3504,6 +3527,10 @@ spec:
                           type: string
                       type: object
                     type: array
+                  updatePolicy:
+                    description: UpdatePolicy is the name of an existing sensor update
+                      policy. It is ignored when Image and/or Version are set.
+                    type: string
                   updateStrategy:
                     description: Type of DaemonSet update. Can be "RollingUpdate"
                       or "OnDelete". Default is RollingUpdate.

diff --git a/go.mod b/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/onsi/gomega v1.27.7
 	github.com/openshift/api v0.0.0-20220630121623-32f1d77b9f50
 	github.com/operator-framework/operator-lib v0.11.0
+	github.com/stretchr/testify v1.9.0
 	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
 	k8s.io/api v0.27.2
 	k8s.io/apimachinery v0.27.2
@@ -123,6 +124,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/proglottis/gpgme v0.1.3 // indirect
 	github.com/prometheus/client_golang v1.17.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect

diff --git a/go.sum b/go.sum
@@ -426,6 +426,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/sylabs/sif/v2 v2.15.1 h1:75BcunPOY11fVhe02/WHuNLTfDd3OHH0ex0MuuNMYX0=
 github.com/sylabs/sif/v2 v2.15.1/go.mod h1:YiwCUdZOhiohnPbyxuxvCZa+03HwAaiC+vfAKZPR8nQ=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=