cdp: added resources and verbs for the cluster role

config/non-olm/patches/falconnodesensor_role.yaml

@@ -2,4 +2,22 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: node-sensor-role
-rules: []
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - cronjobs
+      - daemonsets
+      - deployments
+      - ingresses
+      - jobs
+      - nodes
+      - persistentvolumes
+      - pods
+      - replicasets
+      - services
+    verbs:
+      - get
+      - list
+      - watch

config/rbac/falconcontainer_role.yaml

@@ -15,17 +15,5 @@ rules:
   - ""
   resources:
   - secrets
-  - cronjobs
-  - daemonsets
-  - deployments
-  - ingresses
-  - jobs
-  - nodes
-  - persistentvolumes
-  - pods
-  - replicasets
-  - services
   verbs:
   - get
-  - list
-  - watch

config/rbac/falconnodesensor_role.yaml

@@ -19,3 +19,21 @@ rules:
   - securitycontextconstraints
   verbs:
   - use
+- apiGroups:
+    - ""
+  resources:
+    - secrets
+    - cronjobs
+    - daemonsets
+    - deployments
+    - ingresses
+    - jobs
+    - nodes
+    - persistentvolumes
+    - pods
+    - replicasets
+    - services
+  verbs:
+    - get
+    - list
+    - watch

deploy/falcon-operator.yaml

@@ -3918,20 +3918,8 @@ rules:
   - ""
   resources:
   - secrets
-  - cronjobs
-  - daemonsets
-  - deployments
-  - ingresses
-  - jobs
-  - nodes
-  - persistentvolumes
-  - pods
-  - replicasets
-  - services
   verbs:
   - get
-  - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -4359,7 +4347,25 @@ metadata:
     crowdstrike.com/part-of: Falcon
     crowdstrike.com/provider: crowdstrike
   name: falcon-operator-node-sensor-role
-rules: []
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - cronjobs
+  - daemonsets
+  - deployments
+  - ingresses
+  - jobs
+  - nodes
+  - persistentvolumes
+  - pods
+  - replicasets
+  - services
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

internal/controller/falcon_node/falconnodesensor_controller.go

@@ -2,7 +2,6 @@ package falcon
 
 import (
 	"context"
-	goerr "errors"
 	"reflect"
 
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
@@ -16,7 +15,6 @@ import (
 	"github.com/crowdstrike/gofalcon/falcon"
 	"github.com/go-logr/logr"
 	"github.com/operator-framework/operator-lib/proxy"
-	"golang.org/x/exp/slices"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -793,11 +791,6 @@ func (r *FalconNodeSensorReconciler) handlePermissions(ctx context.Context, node
 		return created, err
 	}
 
-	created, err = r.handleClusterRole(ctx, nodesensor, logger)
-	if created || err != nil {
-		return created, err
-	}
-
 	return r.handleClusterRoleBinding(ctx, nodesensor, logger)
 }
 
@@ -818,7 +811,7 @@ func (r *FalconNodeSensorReconciler) handleClusterRoleBinding(ctx context.Contex
 			RoleRef: rbacv1.RoleRef{
 				APIGroup: "rbac.authorization.k8s.io",
 				Kind:     "ClusterRole",
-				Name:     common.NodeClusterRoleName,
+				Name:     "falcon-operator-node-sensor-role",
 			},
 			Subjects: []rbacv1.Subject{
 				{
@@ -837,7 +830,7 @@ func (r *FalconNodeSensorReconciler) handleClusterRoleBinding(ctx context.Contex
 		logger.Info("Creating FalconNodeSensor ClusterRoleBinding")
 		err = r.Create(ctx, &binding)
 		if err != nil && !errors.IsAlreadyExists(err) {
-			logger.Error(err, "Failed to create new ClusterRoleBinding", "ClusterRoleBinding.Name", common.NodeClusterRoleBindingName)
+			logger.Error(err, "Failed to create new ClusterRoleBinding", "ClusteRoleBinding.Name", common.NodeClusterRoleBindingName)
 			return false, err
 		}
 
@@ -1038,11 +1031,6 @@ func (r *FalconNodeSensorReconciler) finalizeDaemonset(ctx context.Context, imag
 			return err
 		}
 
-		if err := r.cleanupClusterRole(ctx, nodesensor, logger); err != nil {
-			logger.Error(err, "Failed to cleanup Falcon sensor cluster role")
-			return err
-		}
-
 		// If we have gotten here, the cleanup should be successful
 		logger.Info("Successfully deleted node directory", "Path", common.FalconDataDir)
 	} else if err != nil {

internal/controller/falcon_node/falconnodesensor_controller_test.go

@@ -7,13 +7,10 @@ import (
 
 	falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 	"github.com/crowdstrike/falcon-operator/internal/controller/common/sensorversion"
-	"github.com/crowdstrike/falcon-operator/pkg/common"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"golang.org/x/exp/slices"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -37,30 +34,18 @@ var _ = Describe("FalconNodeSensor controller", func() {
 		}
 
 		typeNamespaceName := types.NamespacedName{Name: NodeSensorName, Namespace: NodeSensorName}
-		clusterRole := rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Namespace: NodeSensorName,
-				Name:      common.NodeClusterRoleName,
-				Labels:    common.CRLabels("serviceaccount", common.NodeServiceAccountName, common.FalconKernelSensor),
-			}, Rules: []rbacv1.PolicyRule{}}
 
 		BeforeEach(func() {
 			By("Creating the Namespace to perform the tests")
 			err := k8sClient.Create(ctx, namespace)
 			Expect(err).To(Not(HaveOccurred()))
-
-			By("Creating the Namespace to perform the tests")
-			err = k8sClient.Create(ctx, &clusterRole)
-			Expect(err).To(Not(HaveOccurred()))
 		})
 
 		AfterEach(func() {
 			// TODO(user): Attention if you improve this code by adding other context test you MUST
 			// be aware of the current delete namespace limitations. More info: https://book.kubebuilder.io/reference/envtest.html#testing-considerations
 			By("Deleting the Namespace to perform the tests")
 			_ = k8sClient.Delete(ctx, namespace)
-
-			_ = k8sClient.Delete(ctx, &clusterRole)
 		})
 
 		It("should successfully reconcile a custom resource for FalconNodeSensor", func() {
@@ -121,31 +106,6 @@ var _ = Describe("FalconNodeSensor controller", func() {
 			})
 			Expect(err).To(Not(HaveOccurred()))
 
-			// ClusterRole reconcile
-			_, err = falconNodeReconciler.Reconcile(ctx, reconcile.Request{
-				NamespacedName: typeNamespaceName,
-			})
-			Expect(err).To(Not(HaveOccurred()))
-
-			By("Checking if the cluster role permissions were set")
-			Eventually(func() error {
-				clusterRole := rbacv1.ClusterRole{}
-				err := falconNodeReconciler.Get(ctx, types.NamespacedName{Name: common.NodeClusterRoleName}, &clusterRole)
-				if err != nil {
-					return fmt.Errorf("clusterrole doesn't exist")
-				}
-
-				// check if CDP cluster role was correctly set
-				for _, rule := range clusterRole.Rules {
-					if slices.Equal(rule.Resources, cdpRoles.Resources) &&
-						slices.Equal(rule.Verbs, cdpRoles.Verbs) &&
-						slices.Equal(rule.APIGroups, cdpRoles.APIGroups) {
-						return nil
-					}
-				}
-				return fmt.Errorf("clusterrole doesn't have the correct permissions")
-			}, time.Minute, time.Second).Should(Succeed())
-
 			// TODO: clusterRoleBinding reconciliation might be removed in the future
 			_, err = falconNodeReconciler.Reconcile(ctx, reconcile.Request{
 				NamespacedName: typeNamespaceName,

pkg/common/constants.go

@@ -46,5 +46,4 @@ const (
 	AdmissionServiceAccountName = "falcon-operator-admission-controller"
 	NodeClusterRoleBindingName  = "falcon-operator-node-sensor-rolebinding"
 	ImageServiceAccountName     = "falcon-operator-image-analyzer"
-	NodeClusterRoleName         = "falcon-operator-node-sensor-role"
 )