diff --git a/Makefile b/Makefile index c66f16c8..223ae62e 100644 --- a/Makefile +++ b/Makefile @@ -48,12 +48,12 @@ endif # Set the Operator SDK version to use. By default, what is installed on the system is used. # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. -OPERATOR_SDK_VERSION ?= v1.33.0 +OPERATOR_SDK_VERSION ?= v1.34.1 # Image URL to use all building/pushing image targets IMG ?= controller:latest # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION = 1.27.1 +ENVTEST_K8S_VERSION = 1.28.3 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) @@ -123,9 +123,11 @@ vet: ## Run go vet against code. test: manifests generate fmt vet envtest ## Run tests. KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /test/) -coverprofile cover.out -.PHONY: test-e2e # You will need to have a Kind cluster up in running to run this target +# Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors. +.PHONY: test-e2e # Run the e2e tests against a Kind k8s instance that is spun up. test-e2e: go test ./test/e2e/ -v -ginkgo.v + GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint GOLANGCI_LINT_VERSION ?= v1.54.2 golangci-lint: @@ -217,8 +219,8 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest ## Tool Versions -KUSTOMIZE_VERSION ?= v5.0.1 -CONTROLLER_TOOLS_VERSION ?= v0.12.0 +KUSTOMIZE_VERSION ?= v5.2.1 +CONTROLLER_TOOLS_VERSION ?= v0.13.0 .PHONY: kustomize kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. 
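Review bot: The rewritten comment on `test-e2e` in the `@@ -123` hunk no longer states that a Kind cluster must already exist, which the old `# You will need to have a Kind cluster up in running` line did, and the recipe itself only runs `go test ./test/e2e/ -v -ginkgo.v`, so nothing visible here creates one. Whether the e2e suite spins up Kind on its own cannot be told from this hunk; if it does not, the prerequisite should stay explicit. Putting the description on the rule line with the `## ...` convention the neighbouring `test` and `vet` targets use, e.g. `test-e2e: ## Run the e2e tests against an existing Kind cluster (the target does not create one).`, would also keep it visible to whatever consumes those help comments, and the `# Utilize Kind or modify the e2e tests ...` line can stay above it as the longer explanation.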
@@ -259,7 +261,7 @@ endif .PHONY: bundle bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files. - $(OPERATOR_SDK) generate kustomize manifests -q --apis-dir api + $(OPERATOR_SDK) generate kustomize manifests -q cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG) $(KUSTOMIZE) build config/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) $(OPERATOR_SDK) bundle validate ./bundle @@ -281,7 +283,7 @@ ifeq (,$(shell which opm 2>/dev/null)) set -e ;\ mkdir -p $(dir $(OPM)) ;\ OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ - curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.29.0/$${OS}-$${ARCH}-opm ;\ + curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\ chmod +x $(OPM) ;\ } else diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go index bfa7f1a2..8308c098 100644 --- a/api/falcon/v1alpha1/zz_generated.deepcopy.go +++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml index f3ac24a1..c9a91832 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconadmissions.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com diff --git a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml index 3fceccb0..3f6c3f89 100644 
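Review bot: Dropping `--apis-dir api` from the `generate kustomize manifests` call in the `bundle` recipe makes CSV generation depend on operator-sdk's default API directory, and this project keeps its types under `api/falcon/v1alpha1` (the `zz_generated.deepcopy.go` path later in this commit), a group-per-directory layout for which I am not certain the default resolves to `api`. As far as I recall, types that are not found produce a warning and a CSV without the owned-CRD descriptors rather than a failed build, so the regression would be silent. Please confirm `make bundle` still emits the descriptors after this change, or keep the explicit flag: `$(OPERATOR_SDK) generate kustomize manifests -q --apis-dir api`.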
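Review bot: The opm download URL in the `@@ -281` hunk moves from `v1.29.0` to `v1.23.0`, a downgrade, while every other tool in this commit is bumped; this looks like a re-scaffold overwriting a deliberate pin, so please confirm it is intended. Independently of the version, the recipe fetches an executable with `curl -sSLo $(OPM)` and runs `chmod +x` on it with no integrity check, so a substituted or tampered release asset would be executed unverified on every developer and CI machine that builds a catalog. Hoisting the version into a variable next to the other `## Tool Versions` entries, e.g. `OPM_VERSION ?= v1.29.0`, and verifying the download against a pinned digest before the `chmod +x` line, e.g. `echo "<sha256-placeholder>  $(OPM)" | sha256sum -c -`, would address both points; the enclosing `opm` rule starts before this hunk.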
--- a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconcontainers.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com diff --git a/config/crd/bases/falcon.crowdstrike.com_falconimages.yaml b/config/crd/bases/falcon.crowdstrike.com_falconimages.yaml index 394d003a..e23986a1 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconimages.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconimages.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconimages.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com diff --git a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml index ea9da505..66229d26 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconnodesensors.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index e1a4752e..d79dd3d8 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
@@ -25,6 +25,8 @@ patches: #- path: patches/cainjection_in_falconimages.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch +# [WEBHOOK] To enable webhook, uncomment the following section # the following config is for teaching kustomize how to do kustomization for CRDs. -configurations: -- kustomizeconfig.yaml + +#configurations: +#- kustomizeconfig.yaml diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 47499b4d..9fd225e7 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -26,20 +26,20 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml +- path: manager_auth_proxy_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -#- manager_webhook_patch.yaml +#- path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml +#- path: webhookcainjection_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # Uncomment the following replacements to add the cert-manager CA injection annotations diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index 98814f4a..d8cc449b 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml 
@@ -30,8 +30,8 @@ spec: allowPrivilegeEscalation: false capabilities: drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1 + - "ALL" + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" @@ -48,3 +48,8 @@ spec: requests: cpu: 5m memory: 64Mi + - name: manager + args: + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index ae3af789..ef2c5f42 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -56,9 +56,8 @@ spec: - linux securityContext: runAsNonRoot: true - # Uncomment the following code when OpenShift < 4.11 is no longer supported. - # seccompProfile: - # type: RuntimeDefault + seccompProfile: + type: RuntimeDefault containers: - command: - /manager diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml index 9e370fba..7e02aa66 100644 --- a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml @@ -590,7 +590,7 @@ spec: - email: integrations@crowdstrike.com name: CrowdStrike Solutions Architecture maturity: alpha - minKubeVersion: 1.17.0 + minKubeVersion: 1.22.0 provider: name: CrowdStrike url: https://crowdStrike.com diff --git a/config/non-olm/kustomization.yaml b/config/non-olm/kustomization.yaml index a9793190..7cdb14ca 100644 --- a/config/non-olm/kustomization.yaml +++ b/config/non-olm/kustomization.yaml 
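Review bot: The `args` list added for the `manager` container at the end of `manager_auth_proxy_patch.yaml` (the `@@ -48` hunk) replaces rather than extends whatever the base `config/manager/manager.yaml` passes to `/manager`, because, as far as I know, strategic merge treats a list of plain strings as a whole-value replacement. That appears to be the intent of moving the flags into this patch, but it is worth confirming the base container in this repository carries nothing beyond these three flags; its spec is outside this hunk. `--metrics-bind-address=127.0.0.1:8080` keeps the unauthenticated metrics listener on loopback, reachable only via the kube-rbac-proxy `--upstream=http://127.0.0.1:8080/` shown in the `@@ -30` hunk, which is the intended protection the comment in `config/default/kustomization.yaml` describes; a one-line comment above the new `- name: manager` entry saying that the metrics address must stay on loopback for the proxy to be the only path to it would keep that coupling visible.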
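Review bot: `seccompProfile: type: RuntimeDefault` is now unconditional in `config/manager/manager.yaml`, removing the comment that tied it to dropping support for OpenShift < 4.11, yet the `falcon-operator.clusterserviceversion.yaml` hunk in this same commit only raises `minKubeVersion` to `1.22.0`, which as I recall is below the Kubernetes level OpenShift 4.11 ships, so the two changes do not state the same support floor. If OpenShift releases before 4.11 are no longer supported, `minKubeVersion` (or the developer guide) should say so; if they still are, the removed caution applied because, to my recollection, the restricted SCC on those releases rejects a pod-level seccompProfile and the manager pod would fail admission. Either way, a one-line comment above `seccompProfile:` recording the assumption, e.g. `# Requires OpenShift >= 4.11 (restricted-v2 SCC) or upstream Kubernetes.`, would preserve the rationale the deleted comment carried.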
@@ -9,13 +9,15 @@ namespace: falcon-operator namePrefix: falcon-operator- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: - - ../crd - - ../rbac - - ../manager +resources: +- ../crd +- ../rbac +- ../manager # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook @@ -24,24 +26,11 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: - - patches/auth_proxy_client_clusterrole.yaml - - patches/auth_proxy_role.yaml - - patches/auth_proxy_role_binding.yaml - - patches/auth_proxy_service.yaml - - patches/manager_patch.yaml - - patches/namespace_patch.yaml - - patches/falconnodesensor_role.yaml - -# Since the WATCH_NAMESPACE value needs to be null for terraform, we need to use a JSON Patch -# to add a null value, because kustomize will strip it. When kustomize version 5 or greater is used -# this patch can be revisited and probably removed. -patchesJson6902: - - target: - version: v1 - kind: Deployment - name: controller-manager - patch: |- - - op: add - path: /spec/template/spec/containers/0/env/0/value - value: null +patches: +- path: patches/auth_proxy_client_clusterrole.yaml +- path: patches/auth_proxy_role.yaml +- path: patches/auth_proxy_role_binding.yaml +- path: patches/auth_proxy_service.yaml +- path: patches/manager_patch.yaml +- path: patches/namespace_patch.yaml +- path: patches/falconnodesensor_role.yaml diff --git a/config/scorecard/patches/basic.config.yaml b/config/scorecard/patches/basic.config.yaml index a2f15894..78ad61a4 100644 --- a/config/scorecard/patches/basic.config.yaml +++ b/config/scorecard/patches/basic.config.yaml 
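Review bot: The `WATCH_NAMESPACE` env entry no longer carries the explicit `null` value that the removed `patchesJson6902` comment said terraform requires: with that patch gone, the regenerated `deploy/falcon-operator.yaml` hunk later in this commit emits `- name: WATCH_NAMESPACE` with no `value` key at all. The removed comment only said the workaround could "probably" be removed once kustomize 5 was used, so please confirm against the terraform deployment that an absent `value` is accepted where the null was; on the Kubernetes side an env entry with neither `value` nor `valueFrom` resolves to an empty string, which is likely what the watch-all-namespaces behaviour expects but is an inference from this diff. If it is accepted, a short comment above the new `patches:` list noting that kustomize v5 no longer strips the field would record why the JSON patch went away.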
@@ -4,7 +4,7 @@ entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: basic test: basic-check-spec-test diff --git a/config/scorecard/patches/olm.config.yaml b/config/scorecard/patches/olm.config.yaml index 9b7ca41b..69dda63f 100644 --- a/config/scorecard/patches/olm.config.yaml +++ b/config/scorecard/patches/olm.config.yaml @@ -4,7 +4,7 @@ entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-bundle-validation-test @@ -14,7 +14,7 @@ entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-crds-have-validation-test @@ -24,7 +24,7 @@ entrypoint: - scorecard-test - olm-crds-have-resources - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-crds-have-resources-test @@ -34,7 +34,7 @@ entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-spec-descriptors-test @@ -44,7 +44,7 @@ entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.33.0 + image: quay.io/operator-framework/scorecard-test:v1.34.1 labels: suite: olm test: olm-status-descriptors-test diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index 693a82ad..9f19b911 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml 
@@ -17,7 +17,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconadmissions.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com @@ -563,7 +563,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconcontainers.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com @@ -2570,7 +2570,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconimages.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com @@ -2619,7 +2619,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.13.0 name: falconnodesensors.falcon.crowdstrike.com spec: group: falcon.crowdstrike.com @@ -3828,7 +3828,6 @@ spec: - /manager env: - name: WATCH_NAMESPACE - value: null - name: OPERATOR_NAME value: falcon-operator image: quay.io/crowdstrike/falcon-operator:0.9.1 @@ -3861,5 +3860,7 @@ spec: securityContext: fsGroup: 65534 runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: falcon-operator-controller-manager terminationGracePeriodSeconds: 10 diff --git a/docs/developer_guide.md b/docs/developer_guide.md index 171fbdc3..5e6f1611 100644 --- a/docs/developer_guide.md +++ b/docs/developer_guide.md 
@@ -6,7 +6,7 @@ The following tools are required to develop the Falcon Operator: - [git][git-tool] - [go][go-tool] version 1.20 -- [operator-sdk][operator-sdk] version 1.33.0 +- [operator-sdk][operator-sdk] version 1.34.1 - [docker][docker] (required for multi-arch builds) or [podman][podman] (if desired for single arch builds) Running `make` at any point will install additional tooling and go dependencies as required by the various `Makefile` targets. For example: