diff --git a/config/non-olm/patches/falconnodesensor_role.yaml b/config/non-olm/patches/falconnodesensor_role.yaml
index d14f2ce6..0efced75 100644
--- a/config/non-olm/patches/falconnodesensor_role.yaml
+++ b/config/non-olm/patches/falconnodesensor_role.yaml
@@ -2,4 +2,22 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: node-sensor-role
-rules: []
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - cronjobs
+ - daemonsets
+ - deployments
+ - ingresses
+ - jobs
+ - nodes
+ - persistentvolumes
+ - pods
+ - replicasets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/falconcontainer_role.yaml b/config/rbac/falconcontainer_role.yaml
index 24bc1369..df1af763 100644
--- a/config/rbac/falconcontainer_role.yaml
+++ b/config/rbac/falconcontainer_role.yaml
@@ -15,17 +15,5 @@ rules:
 - ""
 resources:
 - secrets
- - cronjobs
- - daemonsets
- - deployments
- - ingresses
- - jobs
- - nodes
- - persistentvolumes
- - pods
- - replicasets
- - services
 verbs:
 - get
- - list
- - watch
diff --git a/config/rbac/falconnodesensor_role.yaml b/config/rbac/falconnodesensor_role.yaml
index 29909b54..e1cce6d9 100644
--- a/config/rbac/falconnodesensor_role.yaml
+++ b/config/rbac/falconnodesensor_role.yaml
@@ -19,3 +19,21 @@ rules:
 - securitycontextconstraints
 verbs:
 - use
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - cronjobs
+ - daemonsets
+ - deployments
+ - ingresses
+ - jobs
+ - nodes
+ - persistentvolumes
+ - pods
+ - replicasets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
index f772d78d..3a272ffc 100644
--- a/deploy/falcon-operator.yaml
+++ b/deploy/falcon-operator.yaml
@@ -3918,20 +3918,8 @@ rules:
 - ""
 resources:
 - secrets
- - cronjobs
- - daemonsets
- - deployments
- - ingresses
- - jobs
- - nodes
- - persistentvolumes
- - pods
- - replicasets
- - services
 verbs:
 - get
- - list
- - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
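Review bot: The added rule puts cronjobs, jobs, daemonsets, deployments, replicasets and ingresses under `apiGroups: [""]`, but none of those kinds live in the core group (cronjobs/jobs are `batch`, daemonsets/deployments/replicasets are `apps`, ingresses are `networking.k8s.io`), so the rule effectively grants get/list/watch on secrets, nodes, persistentvolumes, pods and services only and silently grants nothing for the other six, since RBAC never validates resource names against discovery. The same rule text is repeated in config/rbac/falconnodesensor_role.yaml and deploy/falcon-operator.yaml in this diff, so the correction has to land in all three copies. Separately, cluster-wide `list`/`watch` on secrets lets the sensor read every Secret in the cluster, while falconcontainer_role.yaml in the same diff is tightened to `get` on secrets only; if the node sensor only needs its own pull secret (not visible here), a namespaced Role or a `resourceNames` restriction would be a much smaller grant. Splitting the rule per API group, as below, makes both the grant and its scope explicit.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - nodes
      - persistentvolumes
      - pods
      - services
    verbs: [get, list, watch]
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - replicasets
    verbs: [get, list, watch]
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs: [get, list, watch]
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs: [get, list, watch]
```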
@@ -4359,7 +4347,25 @@ metadata:
 crowdstrike.com/part-of: Falcon
 crowdstrike.com/provider: crowdstrike
 name: falcon-operator-node-sensor-role
-rules: []
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - cronjobs
+ - daemonsets
+ - deployments
+ - ingresses
+ - jobs
+ - nodes
+ - persistentvolumes
+ - pods
+ - replicasets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/internal/controller/falcon_node/falconnodesensor_controller.go b/internal/controller/falcon_node/falconnodesensor_controller.go
index 474b8239..9daeb520 100644
--- a/internal/controller/falcon_node/falconnodesensor_controller.go
+++ b/internal/controller/falcon_node/falconnodesensor_controller.go
@@ -2,7 +2,6 @@ package falcon
 
 import (
 "context"
- goerr "errors"
 "reflect"
 
 falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
@@ -16,7 +15,6 @@ import (
 "github.com/crowdstrike/gofalcon/falcon"
 "github.com/go-logr/logr"
 "github.com/operator-framework/operator-lib/proxy"
- "golang.org/x/exp/slices"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
@@ -793,11 +791,6 @@ func (r *FalconNodeSensorReconciler) handlePermissions(ctx context.Context, node
 return created, err
 }
 
- created, err = r.handleClusterRole(ctx, nodesensor, logger)
- if created || err != nil {
- return created, err
- }
-
 return r.handleClusterRoleBinding(ctx, nodesensor, logger)
 }
 
@@ -818,7 +811,7 @@ func (r *FalconNodeSensorReconciler) handleClusterRoleBinding(ctx context.Contex
 RoleRef: rbacv1.RoleRef{
 APIGroup: "rbac.authorization.k8s.io",
 Kind: "ClusterRole",
- Name: common.NodeClusterRoleName,
+ Name: "falcon-operator-node-sensor-role",
 },
 Subjects: []rbacv1.Subject{
 {
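Review bot: `Name: "falcon-operator-node-sensor-role"` inlines the ClusterRole name that the shipped manifests must match exactly, and the diff deletes `common.NodeClusterRoleName` from pkg/common/constants.go even though its sibling `common.NodeClusterRoleBindingName` is still used later in this same function (the hunk at line 837); keeping the constant and writing `Name: common.NodeClusterRoleName,` leaves one place to update and something a test can pin. Now that handlePermissions no longer creates the ClusterRole, handleClusterRoleBinding binds to a role it never checks for, so a missing or differently named role (the non-OLM patch names it `node-sensor-role`, presumably prefixed by kustomize — verify) produces either a Create error with no context or a binding that grants nothing. Consider `if err := r.Get(ctx, types.NamespacedName{Name: common.NodeClusterRoleName}, &rbacv1.ClusterRole{}); err != nil { return false, err }` ahead of the Create, with a log line naming the expected role (`types` may need importing if it is not already). handleClusterRoleBinding starts and ends outside this hunk.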
@@ -837,7 +830,7 @@ func (r *FalconNodeSensorReconciler) handleClusterRoleBinding(ctx context.Contex
 logger.Info("Creating FalconNodeSensor ClusterRoleBinding")
 err = r.Create(ctx, &binding)
 if err != nil && !errors.IsAlreadyExists(err) {
- logger.Error(err, "Failed to create new ClusterRoleBinding", "ClusterRoleBinding.Name", common.NodeClusterRoleBindingName)
+ logger.Error(err, "Failed to create new ClusterRoleBinding", "ClusteRoleBinding.Name", common.NodeClusterRoleBindingName)
 return false, err
 }
 
@@ -1038,11 +1031,6 @@ func (r *FalconNodeSensorReconciler) finalizeDaemonset(ctx context.Context, imag
 return err
 }
 
- if err := r.cleanupClusterRole(ctx, nodesensor, logger); err != nil {
- logger.Error(err, "Failed to cleanup Falcon sensor cluster role")
- return err
- }
-
 // If we have gotten here, the cleanup should be successful
 logger.Info("Successfully deleted node directory", "Path", common.FalconDataDir)
 } else if err != nil {
diff --git a/internal/controller/falcon_node/falconnodesensor_controller_test.go b/internal/controller/falcon_node/falconnodesensor_controller_test.go
index b77f1cde..5f5c062d 100644
--- a/internal/controller/falcon_node/falconnodesensor_controller_test.go
+++ b/internal/controller/falcon_node/falconnodesensor_controller_test.go
@@ -7,13 +7,10 @@ import (
 falconv1alpha1 "github.com/crowdstrike/falcon-operator/api/falcon/v1alpha1"
 "github.com/crowdstrike/falcon-operator/internal/controller/common/sensorversion"
- "github.com/crowdstrike/falcon-operator/pkg/common"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- "golang.org/x/exp/slices"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
- rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
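Review bot: The rewritten logger.Error call changes the structured log key from `"ClusterRoleBinding.Name"` to `"ClusteRoleBinding.Name"`, which is a typo; the key no longer matches the Kubernetes kind it labels, so any log query or dashboard keyed on `ClusterRoleBinding.Name` misses this failure line. Nothing else in the line changes, so the fix is to restore `"ClusterRoleBinding.Name"`. handleClusterRoleBinding starts and ends outside this hunk.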
@@ -37,21 +34,11 @@ var _ = Describe("FalconNodeSensor controller", func() {
 }
 typeNamespaceName := types.NamespacedName{Name: NodeSensorName, Namespace: NodeSensorName}
- clusterRole := rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: NodeSensorName,
- Name: common.NodeClusterRoleName,
- Labels: common.CRLabels("serviceaccount", common.NodeServiceAccountName, common.FalconKernelSensor),
- }, Rules: []rbacv1.PolicyRule{}}
 BeforeEach(func() {
 By("Creating the Namespace to perform the tests")
 err := k8sClient.Create(ctx, namespace)
 Expect(err).To(Not(HaveOccurred()))
-
- By("Creating the Namespace to perform the tests")
- err = k8sClient.Create(ctx, &clusterRole)
- Expect(err).To(Not(HaveOccurred()))
 })
 AfterEach(func() {
@@ -59,8 +46,6 @@ var _ = Describe("FalconNodeSensor controller", func() {
 // be aware of the current delete namespace limitations. More info: https://book.kubebuilder.io/reference/envtest.html#testing-considerations
 By("Deleting the Namespace to perform the tests")
 _ = k8sClient.Delete(ctx, namespace)
-
- _ = k8sClient.Delete(ctx, &clusterRole)
 })
 
 It("should successfully reconcile a custom resource for FalconNodeSensor", func() {
@@ -121,31 +106,6 @@ var _ = Describe("FalconNodeSensor controller", func() {
 })
 Expect(err).To(Not(HaveOccurred()))
 
- // ClusterRole reconcile
- _, err = falconNodeReconciler.Reconcile(ctx, reconcile.Request{
- NamespacedName: typeNamespaceName,
- })
- Expect(err).To(Not(HaveOccurred()))
-
- By("Checking if the cluster role permissions were set")
- Eventually(func() error {
- clusterRole := rbacv1.ClusterRole{}
- err := falconNodeReconciler.Get(ctx, types.NamespacedName{Name: common.NodeClusterRoleName}, &clusterRole)
- if err != nil {
- return fmt.Errorf("clusterrole doesn't exist")
- }
-
- // check if CDP cluster role was correctly set
- for _, rule := range clusterRole.Rules {
- if slices.Equal(rule.Resources, cdpRoles.Resources) &&
- slices.Equal(rule.Verbs, cdpRoles.Verbs) &&
- slices.Equal(rule.APIGroups, cdpRoles.APIGroups) {
- return nil
- }
- }
- return fmt.Errorf("clusterrole doesn't have the correct permissions")
- }, time.Minute, time.Second).Should(Succeed())
-
 // TODO: clusterRoleBinding reconciliation might be removed in the future
 _, err = falconNodeReconciler.Reconcile(ctx, reconcile.Request{
 NamespacedName: typeNamespaceName,
diff --git a/pkg/common/constants.go b/pkg/common/constants.go
index bda56fe9..7926df89 100644
--- a/pkg/common/constants.go
+++ b/pkg/common/constants.go
@@ -46,5 +46,4 @@ const (
 AdmissionServiceAccountName = "falcon-operator-admission-controller"
 NodeClusterRoleBindingName = "falcon-operator-node-sensor-rolebinding"
 ImageServiceAccountName = "falcon-operator-image-analyzer"
- NodeClusterRoleName = "falcon-operator-node-sensor-role"
 )