cdp: added resources and verbs for the cluster role #614
Conversation
JonBruchim
force-pushed
the
main
branch
2 times, most recently
from
daf792b to
b8443fc
Compare
| Resources: []string{"pods", "services", "nodes", "daemonsets", "replicasets", "deployments", "jobs", "ingresses", "cronjobs", "persistentvolumes"}, | ||
| } | ||
| ) | ||
|
|
There was a problem hiding this comment.
These permissions need to be added to https://github.com/CrowdStrike/falcon-operator/blob/main/config/rbac/falconnodesensor_role.yaml and https://github.com/CrowdStrike/falcon-operator/blob/main/config/non-olm/patches/falconnodesensor_role.yaml and are autogenerated through kustomize. Use make manifest && make generate && make non-olm
| @@ -790,6 +802,11 @@ func (r *FalconNodeSensorReconciler) handlePermissions(ctx context.Context, node | |||
| return created, err | |||
| } | |||
|
|
|||
| created, err = r.handleClusterRole(ctx, nodesensor, logger) | |||
There was a problem hiding this comment.
Clusterroles for operators should not reconcile permissions. The cluster roles are required to be auditable BEFORE install by cluster admins, security architects, and auditors. For operator security design and best practices, these permissions need to be added to https://github.com/CrowdStrike/falcon-operator/blob/main/config/rbac/falconnodesensor_role.yaml and https://github.com/CrowdStrike/falcon-operator/blob/main/config/non-olm/patches/falconnodesensor_role.yaml and are autogenerated through kustomize. Use make manifest && make generate && make non-olm
| // Enable cluster roles for Cloud Data Protection module | ||
| // +kubebuilder:default=true | ||
| // +operator-sdk:csv:customresourcedefinitions:type=spec,order=13 | ||
| CdpRolesEnabled *bool `json:"cdpRolesEnabled,omitempty"` |
There was a problem hiding this comment.
This shouldn't be added because clusterroles should NOT be reconciled because of the auditablity and permission visibility requirement and best practices of operator permissions that many review before install.
| @@ -68,6 +68,10 @@ spec: | |||
| | node.backend | (optional) Configure the backend mode for Falcon Sensor (allowed values: kernel, bpf) | | |||
| | node.disableCleanup | (optional) Cleans up `/opt/CrowdStrike` on the nodes by deleting the files and directory. | | |||
| | node.version | (optional) Enforce particular Falcon Sensor version to be installed (example: "6.35", "6.35.0-13207") | | |||
| | node.cdpRolesEnabled | (optional) Enable cluster roles for Cloud Data Protection module | | |||
|
|
|||
| > [!IMPORTANT] | |||
No description provided.