fix: sensor resource handling

- only apply resources if GKE autopilot or enabled explicitly
- change ephemeral storage to 100Mi

CHANGELOG.md

@@ -67,89 +67,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat: add proxy support
 - bump version to 0.9.0
 - fix: update changelog with 0.8.1 changes
-- build(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.2.0
-- build(deps): bump github.com/docker/docker
-- maint: go mod tidy
-- maint: update changelog
-- feat: standardize labels across controllers
-- fix: update docs for new release
-- fix: delay CS registry API check for falconcontainer
-- build(deps): bump helm/kind-action from 1.5.0 to 1.7.0
-- fix: sidecar deployment should have a service account specified
-- docs: update redhat deployment doc and images
-- fix: update CSV description
-- docs: doc updates
-- fix: various fixes in prep for future changes
-- cleanup: create a common label function
-- fix: various fixes and certification prep
-- fix: sensor version was not working correctly
-- fix: ensure custom non-API Falcon CID can be used
-- fix: update runc go.mod indirect dependency
-- Update README.md
-- cmm edits to clean up verbiage and look/feel
-- feat: Add Krew instructions and update OCP instructions
-- feat: create generic kubernetes install
-- fix: update indirect runc dependency to version 1.1.5
-- fix: Makefile kustomize target
-- docs: resource docs updates
-- Add operatorgroup and some troubleshooting steps
-- GKE, EKS, Azure updates
-- OCP image updates and node doc updates
-- Documentation updates
-- fix: fix Makefile help output for 2 targets
-- feat: make developer guide more robust
-- fix: update metadata to use release version
-- fix: disable seccompProfile until broadly supported and enable multi-arch affinity for controller-manager
-- fix: update tags for release automation
-- fix: reconciliation loop should not run forever
-- fix: fix failing deployment tests
-- feat: automate releases
-- fix: use released manifests for non-olm deployments
-- fix: update CSV contact info
-- build(deps): bump github.com/docker/docker
-- build(deps): bump actions/setup-go from 3 to 4
-- feat: add support for nodeAffinity in node sensor
-- fix: cluster role and SCC should not be reconciled
-- fix: update DS labels
-- Adding release note
-- fix: update deployment on replica count change
-- feat: add docker release build
-- fix: provide more test coverage in node assets
-- clean up ds updates
-- fix test cleanup args
-- update tests
-- clean up updates
-- fix: re-organize go workflows
-- fix: Update falcon-operator.yaml
-- fix: Update labels in assets
-- feat: add labels, security, and arch affinity to kustomize components
-- fix: Dockerfile cross compile updates and Makefile updates
-- fix: ensure non-olm deployment uses kustomize serviceaccount
-- Update falcon-operator.yaml using kustomize
-- feat: Use kustomize to generate non-olm package manifest
-- fix: kustomize format operator non-olm deploy yaml
-- node: updating init containers for node daemonset and node cleanup daemonset
-- Update README.md
-- Update README.md
-- Log the falcon node sensor image uri selected to be used
-- feat: Enable multi-arch operator build
-- build(deps): bump golang.org/x/net from 0.1.0 to 0.7.0
-- update bundle
-- update pod topology and replica count
-- fix: exclude gosec rule G307 as it has been removed in the upstream branch
-- build(deps): bump helm/kind-action from 1.4.0 to 1.5.0
-- Explicitly excluding kube-system from secret creation
-- Adding documentation for node.backend
-- bump CSV version
-- Bumping version to 0.7.1
-- Adding backend support in Node/DaemonSet
-- Do not deploy status: subresources outside OLM
-- remove falconctlOpts to use default properties
-- update bundle manifests
-- update properties in the readme for Node and Container
-- Update FalconContainer All options with default falcon values
-- adding default trace value in the yaml
-- fixing values and typo
+
 
 ## [0.8.1] - 2023-06-07
 

api/falcon/v1alpha1/falconnodesensor_types.go

@@ -18,8 +18,10 @@ type FalconNodeSensorSpec struct {
 	// Various configuration for DaemonSet Deployment
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="DaemonSet Configuration",order=3
 	Node FalconNodeSensorConfig `json:"node,omitempty"`
+
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Configuration",order=2
 	Falcon FalconSensor `json:"falcon,omitempty"`
+
 	// FalconAPI configures connection from your local Falcon operator to CrowdStrike Falcon platform.
 	//
 	// When configured, it will pull the sensor from registry.crowdstrike.com and deploy the appropriate sensor to the cluster.
@@ -36,30 +38,38 @@ type FalconNodeSensorConfig struct {
 	// +kubebuilder:default:={{key: "node-role.kubernetes.io/master", operator: "Exists", effect: "NoSchedule"}, {key: "node-role.kubernetes.io/control-plane", operator: "Exists", effect: "NoSchedule"}}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=4
 	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+
 	// Specifies node affinity for scheduling the DaemonSet. Defaults to allowing scheduling on all nodes.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=5
 	NodeAffinity corev1.NodeAffinity `json:"nodeAffinity,omitempty"`
+
 	// +kubebuilder:default=Always
 	// +kubebuilder:validation:Enum=Always;IfNotPresent;Never
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3
 	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
+
 	// Location of the Falcon Sensor image. Use only in cases when you mirror the original image to your repository/name:tag
 	// +kubebuilder:validation:Pattern="^.*:.*$"
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=2
 	Image string `json:"image,omitempty"`
+
 	// ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+
 	// Type of DaemonSet update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="DaemonSet Update Strategy",order=6
 	DSUpdateStrategy FalconNodeUpdateStrategy `json:"updateStrategy,omitempty"`
+
 	// Kills pod after a specificed amount of time (in seconds). Default is 30 seconds.
 	// +kubebuilder:default:=30
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=7
 	TerminationGracePeriod int64 `json:"terminationGracePeriod,omitempty"`
+
 	// Add metadata to the DaemonSet Service Account for IAM roles.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	ServiceAccount FalconNodeServiceAccount `json:"serviceAccount,omitempty"`
+
 	// Disables the cleanup of the sensor through DaemonSet on the nodes.
 	// Disabling might have unintended consequences for certain operations such as sensor downgrading.
 	// +kubebuilder:default=false
@@ -106,6 +116,7 @@ type Resources struct {
 	// Sets the resource limits for the DaemonSet Sensor. Only applies when using the eBPF backend.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Limits ResourceList `json:"limits,omitempty"`
+
 	// Sets the resource requests for the DaemonSet Sensor. Only applies when using the eBPF backend.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	Requests ResourceList `json:"requests,omitempty"`
@@ -116,10 +127,14 @@ type ResourceList struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// +kubebuilder:validation:Pattern="^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$"
 	CPU string `json:"cpu,omitempty"`
+
 	// Minimum allowed is 500Mi.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// +kubebuilder:validation:Pattern="^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$"
 	Memory string `json:"memory,omitempty"`
+
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	EphemeralStorage string `json:"ephemeral-storage,omitempty"`
 }
 
 type AutoPilot struct {

bundle/manifests/falcon-operator.clusterserviceversion.yaml

@@ -101,7 +101,7 @@ metadata:
     capabilities: Basic Install
     categories: Security,Monitoring
     containerImage: quay.io/crowdstrike/falcon-operator
-    createdAt: "2023-11-01T20:08:53Z"
+    createdAt: "2023-11-02T22:37:36Z"
     description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
     operatorframework.io/suggested-namespace: falcon-operator
     operators.operatorframework.io/builder: operator-sdk-v1.30.0
@@ -582,6 +582,8 @@ spec:
       - description: Minimum allowed is 250m.
         displayName: CPU
         path: node.resources.limits.cpu
+      - displayName: Ephemeral Storage
+        path: node.resources.limits.ephemeral-storage
       - description: Minimum allowed is 500Mi.
         displayName: Memory
         path: node.resources.limits.memory
@@ -592,6 +594,8 @@ spec:
       - description: Minimum allowed is 250m.
         displayName: CPU
         path: node.resources.requests.cpu
+      - displayName: Ephemeral Storage
+        path: node.resources.requests.ephemeral-storage
       - description: Minimum allowed is 500Mi.
         displayName: Memory
         path: node.resources.requests.memory

bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml

@@ -415,6 +415,8 @@ spec:
                             description: Minimum allowed is 250m.
                             pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
                             type: string
+                          ephemeral-storage:
+                            type: string
                           memory:
                             description: Minimum allowed is 500Mi.
                             pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$
@@ -428,6 +430,8 @@ spec:
                             description: Minimum allowed is 250m.
                             pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
                             type: string
+                          ephemeral-storage:
+                            type: string
                           memory:
                             description: Minimum allowed is 500Mi.
                             pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$

config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml

@@ -415,6 +415,8 @@ spec:
                             description: Minimum allowed is 250m.
                             pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
                             type: string
+                          ephemeral-storage:
+                            type: string
                           memory:
                             description: Minimum allowed is 500Mi.
                             pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$
@@ -428,6 +430,8 @@ spec:
                             description: Minimum allowed is 250m.
                             pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
                             type: string
+                          ephemeral-storage:
+                            type: string
                           memory:
                             description: Minimum allowed is 500Mi.
                             pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$

config/manifests/bases/falcon-operator.clusterserviceversion.yaml

@@ -485,6 +485,8 @@ spec:
       - description: Minimum allowed is 250m.
         displayName: CPU
         path: node.resources.limits.cpu
+      - displayName: Ephemeral Storage
+        path: node.resources.limits.ephemeral-storage
       - description: Minimum allowed is 500Mi.
         displayName: Memory
         path: node.resources.limits.memory
@@ -495,6 +497,8 @@ spec:
       - description: Minimum allowed is 250m.
         displayName: CPU
         path: node.resources.requests.cpu
+      - displayName: Ephemeral Storage
+        path: node.resources.requests.ephemeral-storage
       - description: Minimum allowed is 500Mi.
         displayName: Memory
         path: node.resources.requests.memory

controllers/falcon_node/falconnodesensor_controller.go

@@ -250,13 +250,14 @@ func (r *FalconNodeSensorReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		containerVolUpdate := updateDaemonSetContainerVolumes(dsUpdate, dsTarget, logger)
 		volumeUpdates := updateDaemonSetVolumes(dsUpdate, dsTarget, logger)
 		resources := updateDaemonSetResources(dsUpdate, dsTarget, logger)
+		initResources := updateDaemonSetInitContainerResources(dsUpdate, dsTarget, logger)
 		pc := updateDaemonSetPriorityClass(dsUpdate, dsTarget, logger)
 		capabilities := updateDaemonSetCapabilities(dsUpdate, dsTarget, logger)
 		initArgs := updateDaemonSetInitArgs(dsUpdate, dsTarget, logger)
 		updated = updateDaemonSetContainerProxy(dsUpdate, nodesensor, logger)
 
 		// Update the daemonset and re-spin pods with changes
-		if imgUpdate || tolsUpdate || affUpdate || containerVolUpdate || volumeUpdates || resources || pc || capabilities || initArgs || updated {
+		if imgUpdate || tolsUpdate || affUpdate || containerVolUpdate || volumeUpdates || resources || pc || capabilities || initArgs || initResources || updated {
 			err = r.Update(ctx, dsUpdate)
 			if err != nil {
 				err = r.conditionsUpdate(falconv1alpha1.ConditionDaemonSetReady,
@@ -664,8 +665,20 @@ func updateDaemonSetResources(ds, origDS *appsv1.DaemonSet, logger logr.Logger)
 	resources := &ds.Spec.Template.Spec.Containers[0].Resources
 	resourcesUpdates := !equality.Semantic.DeepEqual(*resources, origDS.Spec.Template.Spec.Containers[0].Resources)
 	if resourcesUpdates {
-		logger.Info("Updating FalconNodeSensor DaemonSet resources")
+		logger.Info("Updating FalconNodeSensor DaemonSet resources", "Original Resources", origDS.Spec.Template.Spec.Containers[0].Resources, "Current Resources", *resources)
 		*resources = origDS.Spec.Template.Spec.Containers[0].Resources
+
+	}
+
+	return resourcesUpdates
+}
+
+func updateDaemonSetInitContainerResources(ds, origDS *appsv1.DaemonSet, logger logr.Logger) bool {
+	resources := &ds.Spec.Template.Spec.InitContainers[0].Resources
+	resourcesUpdates := !equality.Semantic.DeepEqual(*resources, origDS.Spec.Template.Spec.InitContainers[0].Resources)
+	if resourcesUpdates {
+		logger.Info("Updating FalconNodeSensor DaemonSet InitContainer resources")
+		*resources = origDS.Spec.Template.Spec.InitContainers[0].Resources
 	}
 
 	return resourcesUpdates

deploy/falcon-operator.yaml

@@ -2972,6 +2972,8 @@ spec:
                             description: Minimum allowed is 250m.
                             pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
                             type: string
+                          ephemeral-storage:
+                            type: string
                           memory:
                             description: Minimum allowed is 500Mi.
                             pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$
@@ -2985,6 +2987,8 @@ spec:
                             description: Minimum allowed is 250m.
                             pattern: ^(([0-9]{4,}|[2-9][5-9][0-9])m$)|[0-9]+$
                             type: string
+                          ephemeral-storage:
+                            type: string
                           memory:
                             description: Minimum allowed is 500Mi.
                             pattern: ^(([5-9][0-9]{2}[Mi]+)|([0-9.]+[iEGTP]+))|(([5-9][0-9]{8})|([0-9]{10,}))$