
Update KAC reconcile to accommodate default values
Greg Pontejos authored and Greg Pontejos committed Dec 16, 2024
1 parent 84ae3ee commit 25241c5
Showing 11 changed files with 290 additions and 136 deletions.
167 changes: 155 additions & 12 deletions api/falcon/v1alpha1/falconadmission_types.go
Expand Up @@ -6,14 +6,39 @@ import (
arv1 "k8s.io/api/admissionregistration/v1"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
)

const (
DeployWatcherDefault = true
SnapshotsEnabledDefault = true
SnapshotsIntervalDefault = 22
WatcherEnabledDefault = true
var (
DeployWatcherDefault bool = true
SnapshotsEnabledDefault bool = true
SnapshotsIntervalDefault time.Duration = 22 * time.Hour
WatcherEnabledDefault bool = true
APDDefault bool = false
APDDefaultTrace string = "none"
KACNamespaceDefault string = "falcon-kac"
KACResQuotaPodLimitDefault string = "2"
KACPortDefault int32 = 443
KACContainerPortDefault int32 = 4443
KACFailurePolicyDefault arv1.FailurePolicyType = "Ignore"
KACReplicasDefault int32 = 1
KACImagePullPolicyDefault corev1.PullPolicy = "Always"
KACResourcesClientLimitCpuDefault string = "750m"
KACResourcesClientLimitMemDefault string = "384Mi"
KACResourcesClientReqCpuDefault string = "500m"
KACResourcesClientReqMemDefault string = "384Mi"
KACResourcesAcLimitCpuDefault string = "750m"
KACResourcesAcLimitMemDefault string = "384Mi"
KACResourcesAcReqCpuDefault string = "500m"
KACResourcesAcReqMemDefault string = "384Mi"
KACResourcesWatcherLimitCpuDefault string = "300m"
KACResourcesWatcherLimitMemDefault string = "256Mi"
KACResourcesWatcherReqCpuDefault string = "300m"
KACResourcesWatcherReqMemDefault string = "256Mi"
KACDepUpdateStrategyMaxUnavailable int32 = 0
KACDepUpdateStrategyMaxSurge int32 = 1
)

// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
Expand All @@ -29,7 +54,7 @@ type FalconAdmissionSpec struct {
// It also should not be the same namespace where the Falcon Operator or the Falcon Sensor is installed.
// +kubebuilder:default:=falcon-kac
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"}
InstallNamespace string `json:"installNamespace,omitempty"`
InstallNamespace *string `json:"installNamespace,omitempty"`

// CrowdStrike Falcon sensor configuration
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Configuration",order=3
Expand Down Expand Up @@ -70,7 +95,7 @@ type FalconAdmissionRQSpec struct {
// +kubebuilder:default:="2"
// +kubebuilder:validation:String
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Resource Quota Pod Limit",order=1,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:podCount"}
PodLimit string `json:"pods,omitempty"`
PodLimit *string `json:"pods,omitempty"`
}

type FalconAdmissionConfigSpec struct {
Expand Down Expand Up @@ -102,7 +127,7 @@ type FalconAdmissionConfigSpec struct {
// +kubebuilder:default:=Ignore
// +kubebuilder:validation:Enum=Ignore;Fail
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Failure Policy",order=6
FailurePolicy arv1.FailurePolicyType `json:"failurePolicy,omitempty"`
FailurePolicy *arv1.FailurePolicyType `json:"failurePolicy,omitempty"`

// Ignore admission control for a specific set of namespaces.
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ignore Namespace List",order=12
Expand Down Expand Up @@ -131,7 +156,7 @@ type FalconAdmissionConfigSpec struct {
WatcherEnabled *bool `json:"watcherEnabled,omitempty"`

// Currently ignored and internally set to 1
// +kubebuilder:default:=2
// +kubebuilder:default:=1
// +kubebuilder:validation:XIntOrString
// +kubebuilder:validation:Minimum:=0
// +kubebuilder:validation:Maximum:=65535
Expand All @@ -141,7 +166,7 @@ type FalconAdmissionConfigSpec struct {
// +kubebuilder:default:=Always
// +kubebuilder:validation:Enum=Always;IfNotPresent;Never
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller Image Pull Policy",order=2,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:imagePullPolicy"}
ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
ImagePullPolicy *corev1.PullPolicy `json:"imagePullPolicy,omitempty"`

// ImagePullSecrets is an optional list of references to secrets to use for pulling image from the image location.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Falcon Admission Controller Image Pull Secrets",xDescriptors={"urn:alm:descriptor:io.kubernetes:Secret"}
Expand All @@ -162,7 +187,7 @@ type FalconAdmissionConfigSpec struct {
// Type of Deployment update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
// +kubebuilder:default:={"rollingUpdate":{"maxUnavailable":0,"maxSurge":1}}
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Deployment Update Strategy",order=11
DepUpdateStrategy FalconAdmissionUpdateStrategy `json:"updateStrategy,omitempty"`
DepUpdateStrategy *FalconAdmissionUpdateStrategy `json:"updateStrategy,omitempty"`
}

type FalconAdmissionServiceAccount struct {
Expand Down Expand Up @@ -255,7 +280,7 @@ func (watcher FalconAdmissionConfigSpec) GetSnapshotsEnabled() bool {

func (watcher FalconAdmissionConfigSpec) GetSnapshotsInterval() time.Duration {
if watcher.SnapshotsInterval == nil {
return SnapshotsIntervalDefault * time.Hour
return time.Duration(SnapshotsIntervalDefault)
}

return watcher.SnapshotsInterval.Duration
Expand All @@ -268,3 +293,121 @@ func (watcher FalconAdmissionConfigSpec) GetWatcherEnabled() bool {

return *watcher.WatcherEnabled
}

func (admission FalconAdmission) GetResourcesClient() *corev1.ResourceRequirements {
if admission.Spec.AdmissionConfig.ResourcesClient == nil {
return &corev1.ResourceRequirements{
Limits: corev1.ResourceList{
"cpu": resource.MustParse(KACResourcesClientLimitCpuDefault),
"memory": resource.MustParse(KACResourcesClientLimitMemDefault),
},
Requests: corev1.ResourceList{
"cpu": resource.MustParse(KACResourcesClientReqCpuDefault),
"memory": resource.MustParse(KACResourcesClientLimitMemDefault),
},
}
}

return admission.Spec.AdmissionConfig.ResourcesClient
}

func (admission FalconAdmission) GetResourcesWatcher() *corev1.ResourceRequirements {
if admission.Spec.AdmissionConfig.ResourcesWatcher == nil {
return &corev1.ResourceRequirements{
Limits: corev1.ResourceList{
"cpu": resource.MustParse(KACResourcesWatcherLimitCpuDefault),
"memory": resource.MustParse(KACResourcesWatcherLimitMemDefault),
},
Requests: corev1.ResourceList{
"cpu": resource.MustParse(KACResourcesWatcherReqCpuDefault),
"memory": resource.MustParse(KACResourcesWatcherReqMemDefault),
},
}
}

return admission.Spec.AdmissionConfig.ResourcesWatcher
}

func (admission FalconAdmission) GetResourcesAC() *corev1.ResourceRequirements {
if admission.Spec.AdmissionConfig.ResourcesAC == nil {
return &corev1.ResourceRequirements{
Limits: corev1.ResourceList{
"cpu": resource.MustParse(KACResourcesAcLimitCpuDefault),
"memory": resource.MustParse(KACResourcesAcLimitMemDefault),
},
Requests: corev1.ResourceList{
"cpu": resource.MustParse(KACResourcesAcReqCpuDefault),
"memory": resource.MustParse(KACResourcesAcReqMemDefault),
},
}
}

return admission.Spec.AdmissionConfig.ResourcesAC
}

func (admission FalconAdmission) GetDepUpdateStrategy() *FalconAdmissionUpdateStrategy {
if admission.Spec.AdmissionConfig.DepUpdateStrategy == nil {
return &FalconAdmissionUpdateStrategy{
RollingUpdate: appsv1.RollingUpdateDeployment{
MaxUnavailable: &intstr.IntOrString{IntVal: KACDepUpdateStrategyMaxUnavailable},
MaxSurge: &intstr.IntOrString{IntVal: KACDepUpdateStrategyMaxSurge},
},
}
}

return admission.Spec.AdmissionConfig.DepUpdateStrategy
}

func (admission FalconAdmission) GetImagePullPolicy() *corev1.PullPolicy {
if admission.Spec.AdmissionConfig.ImagePullPolicy == nil {
return &KACImagePullPolicyDefault
}
return admission.Spec.AdmissionConfig.ImagePullPolicy
}

func (admission FalconAdmission) GetRegistryCAConfigMapName(name string) string {
registryCAConfigMapName := ""
registryCABundleConfigMapName := name + "-registry-certs"

if admission.Spec.Registry.TLS.CACertificateConfigMap != "" {
registryCAConfigMapName = admission.Spec.Registry.TLS.CACertificateConfigMap
}

if admission.Spec.Registry.TLS.CACertificate != "" {
registryCAConfigMapName = registryCABundleConfigMapName
}

return registryCAConfigMapName
}

func (admission FalconAdmission) GetKACPort() *int32 {
if admission.Spec.AdmissionConfig.Port == nil {
return &KACPortDefault
}

return admission.Spec.AdmissionConfig.Port
}

func (admission FalconAdmission) GetFailurePolicy() *arv1.FailurePolicyType {
if admission.Spec.AdmissionConfig.FailurePolicy == nil {
return &KACFailurePolicyDefault
}

return admission.Spec.AdmissionConfig.FailurePolicy
}

func (admission FalconAdmission) GetContainerPort() *int32 {
if admission.Spec.AdmissionConfig.ContainerPort == nil {
return &KACContainerPortDefault
}

return admission.Spec.AdmissionConfig.ContainerPort
}

func (admission FalconAdmission) GetResQuotaPodLimit() *string {
if admission.Spec.ResQuota.PodLimit == nil {
return &KACResQuotaPodLimitDefault
}

return admission.Spec.ResQuota.PodLimit
}
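Review bot: In `GetResourcesClient` the Requests memory entry is built from `KACResourcesClientLimitMemDefault`, while the parallel `GetResourcesWatcher` and `GetResourcesAC` use their `...ReqMemDefault` constants; both values are "384Mi" today so nothing breaks, but the request will silently track the limit if either is ever changed, so the line should read `"memory": resource.MustParse(KACResourcesClientReqMemDefault),`. Separately, `GetImagePullPolicy`, `GetKACPort`, `GetFailurePolicy`, `GetContainerPort` and `GetResQuotaPodLimit` return the address of an exported package-level `var`, so any caller that writes through the returned pointer rewrites the default for every later reconcile (the failure policy defaulting to `Ignore` is the one I would least like to see drift); copy before taking the address, e.g. `p := KACFailurePolicyDefault; return &p`. The `time.Duration(SnapshotsIntervalDefault)` conversion in `GetSnapshotsInterval` is a no-op now that the var is already a `time.Duration` and can be dropped.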
29 changes: 27 additions & 2 deletions api/falcon/v1alpha1/zz_generated.deepcopy.go
Expand Up @@ -210,6 +210,7 @@
package v1alpha1

import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
Expand Down Expand Up @@ -322,6 +323,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
**out = **in
}
in.TLS.DeepCopyInto(&out.TLS)
if in.FailurePolicy != nil {
in, out := &in.FailurePolicy, &out.FailurePolicy
*out = new(admissionregistrationv1.FailurePolicyType)
**out = **in
}
in.DisabledNamespaces.DeepCopyInto(&out.DisabledNamespaces)
if in.DeployWatcher != nil {
in, out := &in.DeployWatcher, &out.DeployWatcher
Expand All @@ -348,6 +354,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
*out = new(int32)
**out = **in
}
if in.ImagePullPolicy != nil {
in, out := &in.ImagePullPolicy, &out.ImagePullPolicy
*out = new(corev1.PullPolicy)
**out = **in
}
if in.ImagePullSecrets != nil {
in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
*out = make([]corev1.LocalObjectReference, len(*in))
Expand All @@ -368,7 +379,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
*out = new(corev1.ResourceRequirements)
(*in).DeepCopyInto(*out)
}
in.DepUpdateStrategy.DeepCopyInto(&out.DepUpdateStrategy)
if in.DepUpdateStrategy != nil {
in, out := &in.DepUpdateStrategy, &out.DepUpdateStrategy
*out = new(FalconAdmissionUpdateStrategy)
(*in).DeepCopyInto(*out)
}
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionConfigSpec.
Expand Down Expand Up @@ -436,6 +451,11 @@ func (in *FalconAdmissionNamespace) DeepCopy() *FalconAdmissionNamespace {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FalconAdmissionRQSpec) DeepCopyInto(out *FalconAdmissionRQSpec) {
*out = *in
if in.PodLimit != nil {
in, out := &in.PodLimit, &out.PodLimit
*out = new(string)
**out = **in
}
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionRQSpec.
Expand Down Expand Up @@ -473,13 +493,18 @@ func (in *FalconAdmissionServiceAccount) DeepCopy() *FalconAdmissionServiceAccou
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FalconAdmissionSpec) DeepCopyInto(out *FalconAdmissionSpec) {
*out = *in
if in.InstallNamespace != nil {
in, out := &in.InstallNamespace, &out.InstallNamespace
*out = new(string)
**out = **in
}
in.Falcon.DeepCopyInto(&out.Falcon)
if in.FalconAPI != nil {
in, out := &in.FalconAPI, &out.FalconAPI
*out = new(FalconAPI)
(*in).DeepCopyInto(*out)
}
out.ResQuota = in.ResQuota
in.ResQuota.DeepCopyInto(&out.ResQuota)
in.Registry.DeepCopyInto(&out.Registry)
in.AdmissionConfig.DeepCopyInto(&out.AdmissionConfig)
if in.Version != nil {
Expand Up @@ -103,7 +103,7 @@ spec:
x-kubernetes-map-type: atomic
type: array
replicas:
default: 2
default: 1
description: Currently ignored and internally set to 1
format: int32
maximum: 65535
5 changes: 3 additions & 2 deletions deploy/falcon-operator.yaml
Expand Up @@ -117,7 +117,7 @@ spec:
x-kubernetes-map-type: atomic
type: array
replicas:
default: 2
default: 1
description: Currently ignored and internally set to 1
format: int32
maximum: 65535
Expand Down Expand Up @@ -4426,7 +4426,8 @@ spec:
- name: WATCH_NAMESPACE
- name: OPERATOR_NAME
value: falcon-operator
image: quay.io/crowdstrike/falcon-operator:1.0.0
imagePullPolicy: Never
image: controller:latest
livenessProbe:
httpGet:
path: /healthz
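Review bot: The operator Deployment now references `image: controller:latest` with `imagePullPolicy: Never` in place of the pinned `quay.io/crowdstrike/falcon-operator:1.0.0`, which looks like a local kustomize/dev render committed into the published `deploy/falcon-operator.yaml`; on any cluster that does not already hold a local `controller:latest` image the operator pod will sit in ErrImageNeverPull, and the `latest` tag loses the version pinning the previous line had. This appears unrelated to the reconcile/default-value change in the commit title. Suggest restoring the pinned image line (`image: quay.io/crowdstrike/falcon-operator:1.0.0`, or the intended release tag) and dropping `imagePullPolicy: Never` before this manifest is shipped.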
6 changes: 3 additions & 3 deletions internal/controller/admission/configmap.go
Expand Up @@ -32,7 +32,7 @@ func (r *FalconAdmissionReconciler) reconcileGenericConfigMap(name string, genFu
}

existingCM := &corev1.ConfigMap{}
err = r.Get(ctx, types.NamespacedName{Name: name, Namespace: falconAdmission.Spec.InstallNamespace}, existingCM)
err = r.Get(ctx, types.NamespacedName{Name: name, Namespace: *falconAdmission.Spec.InstallNamespace}, existingCM)
if err != nil && apierrors.IsNotFound(err) {
err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, cm)
if err != nil {
Expand Down Expand Up @@ -62,7 +62,7 @@ func (r *FalconAdmissionReconciler) newCABundleConfigMap(ctx context.Context, na
if falconAdmission.Spec.Registry.TLS.CACertificate != "" {
data["tls.crt"] = string(common.DecodeBase64Interface(falconAdmission.Spec.Registry.TLS.CACertificate))

return assets.SensorConfigMap(name, falconAdmission.Spec.InstallNamespace, common.FalconSidecarSensor, data), nil
return assets.SensorConfigMap(name, *falconAdmission.Spec.InstallNamespace, common.FalconSidecarSensor, data), nil
}
return &corev1.ConfigMap{}, fmt.Errorf("unable to determine contents of Registry TLS CACertificate attribute")
}
Expand All @@ -84,5 +84,5 @@ func (r *FalconAdmissionReconciler) newConfigMap(ctx context.Context, name strin
}
data["FALCONCTL_OPT_CID"] = cid

return assets.SensorConfigMap(name, falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, data), nil
return assets.SensorConfigMap(name, *falconAdmission.Spec.InstallNamespace, common.FalconAdmissionController, data), nil
}
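Review bot: The three new `*falconAdmission.Spec.InstallNamespace` dereferences will panic the reconciler if the field is nil, which is now a representable state since `InstallNamespace` became a `*string` with `omitempty`; CRD defaulting normally fills it, but a CR admitted before the updated CRD is installed, or one constructed in code and passed straight in, would crash the controller loop instead of falling back. The types change declares `KACNamespaceDefault`, yet nothing in this hunk uses it, and unlike the other fields that went pointer in this commit there is no nil-safe getter visible here (it may exist in one of the files not shown). Suggest a `GetInstallNamespace() string` method on `FalconAdmission` that returns `KACNamespaceDefault` when the pointer is nil, and calling it at each of these sites: `Namespace: falconAdmission.GetInstallNamespace()`. The functions `reconcileGenericConfigMap`, `newCABundleConfigMap` and `newConfigMap` all start outside the hunk.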
