Add ability to configure daemonset update strategy
redhatrises committed Jun 17, 2022
1 parent 5c74821 commit 60ff6e5
Showing 9 changed files with 274 additions and 16 deletions.
15 changes: 13 additions & 2 deletions apis/falcon/v1alpha1/falconnodesensor_types.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package v1alpha1

import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -102,17 +103,27 @@ type FalconNodeSensorConfig struct {
// ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
// Type of DaemonSet update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="DaemonSet Update Strategy",order=5
DSUpdateStrategy FalconNodeUpdateStrategy `json:"updateStrategy,omitempty"`
// Kills pod after a specificed amount of time (in seconds). Default is 30 seconds.
// +kubebuilder:default:=30
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=5
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=6
TerminationGracePeriod int64 `json:"terminationGracePeriod,omitempty"`
// Disables the cleanup of the sensor through DaemonSet on the nodes.
// Disabling might have unintended consequences for certain operations such as sensor downgrading.
// +kubebuilder:default=false
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=6
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=7
NodeCleanup *bool `json:"disableCleanup,omitempty"`
}

type FalconNodeUpdateStrategy struct {
// +kubebuilder:default=RollingUpdate
// +kubebuilder:validation:Enum=RollingUpdate;OnDelete
Type appsv1.DaemonSetUpdateStrategyType `json:"type,omitempty"`
RollingUpdate appsv1.RollingUpdateDaemonSet `json:"rollingUpdate,omitempty"`
}

// FalconNodeSensorStatus defines the observed state of FalconNodeSensor
// +k8s:openapi-gen=true
type FalconNodeSensorStatus struct {
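Review bot: The "Default is RollingUpdate" promise on `DSUpdateStrategy` only holds when the user writes an `updateStrategy` object at all — the `+kubebuilder:default=RollingUpdate` marker sits on the nested `Type` field, and CRD structural defaulting does not populate a nested field of an object that is absent, so a CR that omits `updateStrategy` reaches the controller with `Type == ""`. Unless the reconciler (not among the files visible here) maps an empty type to RollingUpdate, consider defaulting the parent field instead, e.g. `// +kubebuilder:default:={type: RollingUpdate}` above `DSUpdateStrategy`. The `omitempty` on that same tag has no effect for a struct value in encoding/json, and `RollingUpdate` being a value rather than `*appsv1.RollingUpdateDaemonSet` means `rollingUpdate: {}` is always serialized, so the controller should be checked to not forward it when `Type` is `OnDelete`. `FalconNodeUpdateStrategy` and its two exported fields also have no doc comments, which is why the generated CRD's `type` property carries no description; suggested: `// FalconNodeUpdateStrategy controls how sensor pods are replaced when the DaemonSet template changes.` on the type, and on `Type`: `// Type is the DaemonSet update strategy. With OnDelete, updated sensor pods (including ones carrying security fixes) are not rolled out until each existing pod is deleted manually; default is RollingUpdate.`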
17 changes: 17 additions & 0 deletions apis/falcon/v1alpha1/zz_generated.deepcopy.go


18 changes: 11 additions & 7 deletions bundle/manifests/falcon-operator.clusterserviceversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -139,23 +139,27 @@ spec:
- description: The application proxy port to use for Falcon sensor proxy configuration.
displayName: Falcon Proxy Port
path: falcon.app
- description: Kills pod after a specificed amount of time (in seconds). Default
is 30 seconds.
displayName: Termination Grace Period
path: node.terminationGracePeriod
- description: Type of DaemonSet update. Can be "RollingUpdate" or "OnDelete".
Default is RollingUpdate.
displayName: DaemonSet Update Strategy
path: node.updateStrategy
- description: 'Sensor grouping tags are optional, user-defined identifiers
that can used to group and filter hosts. Allowed characters: all alphanumerics,
''/'', ''-'', and ''_''.'
displayName: Sensor Grouping Tags
path: falcon.tags
- description: Kills pod after a specificed amount of time (in seconds). Default
is 30 seconds.
displayName: Termination Grace Period
path: node.terminationGracePeriod
- description: Set sensor trace level.
displayName: Trace Level
path: falcon.trace
- description: Disables the cleanup of the sensor through DaemonSet on the nodes.
Disabling might have unintended consequences for certain operations such
as sensor downgrading.
displayName: Node Cleanup
path: node.disableCleanup
- description: Set sensor trace level.
displayName: Trace Level
path: falcon.trace
- description: Utilize default or Pay-As-You-Go billing.
displayName: Billing
path: falcon.billing
66 changes: 66 additions & 0 deletions bundle/manifests/falcon.crowdstrike.com_falconnodesensors.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,72 @@ spec:
type: string
type: object
type: array
updateStrategy:
description: Type of DaemonSet update. Can be "RollingUpdate"
or "OnDelete". Default is RollingUpdate.
properties:
rollingUpdate:
description: Spec to control the desired behavior of daemon
set rolling update.
properties:
maxSurge:
anyOf:
- type: integer
- type: string
description: 'The maximum number of nodes with an existing
available DaemonSet pod that can have an updated DaemonSet
pod during during an update. Value can be an absolute
number (ex: 5) or a percentage of desired pods (ex:
10%). This can not be 0 if MaxUnavailable is 0. Absolute
number is calculated from percentage by rounding up
to a minimum of 1. Default value is 0. Example: when
this is set to 30%, at most 30% of the total number
of nodes that should be running the daemon pod (i.e.
status.desiredNumberScheduled) can have their a new
pod created before the old pod is marked as deleted.
The update starts by launching new pods on 30% of nodes.
Once an updated pod is available (Ready for at least
minReadySeconds) the old DaemonSet pod on that node
is marked deleted. If the old pod becomes unavailable
for any reason (Ready transitions to false, is evicted,
or is drained) an updated pod is immediatedly created
on that node without considering surge limits. Allowing
surge implies the possibility that the resources consumed
by the daemonset on any given node can double if the
readiness check fails, and so resource intensive daemonsets
should take into account that they may cause evictions
during disruption. This is beta field and enabled/disabled
by DaemonSetUpdateSurge feature gate.'
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: 'The maximum number of DaemonSet pods that
can be unavailable during the update. Value can be an
absolute number (ex: 5) or a percentage of total number
of DaemonSet pods at the start of the update (ex: 10%).
Absolute number is calculated from percentage by rounding
up. This cannot be 0 if MaxSurge is 0 Default value
is 1. Example: when this is set to 30%, at most 30%
of the total number of nodes that should be running
the daemon pod (i.e. status.desiredNumberScheduled)
can have their pods stopped for an update at any given
time. The update starts by stopping at most 30% of those
DaemonSet pods and then brings up new DaemonSet pods
in their place. Once the new pods are available, it
then proceeds onto other DaemonSet pods, thus ensuring
that at least 70% of original number of DaemonSet pods
are available at all times during the update.'
x-kubernetes-int-or-string: true
type: object
type:
default: RollingUpdate
enum:
- RollingUpdate
- OnDelete
type: string
type: object
type: object
required:
- falcon
66 changes: 66 additions & 0 deletions config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,72 @@ spec:
type: string
type: object
type: array
updateStrategy:
description: Type of DaemonSet update. Can be "RollingUpdate"
or "OnDelete". Default is RollingUpdate.
properties:
rollingUpdate:
description: Spec to control the desired behavior of daemon
set rolling update.
properties:
maxSurge:
anyOf:
- type: integer
- type: string
description: 'The maximum number of nodes with an existing
available DaemonSet pod that can have an updated DaemonSet
pod during during an update. Value can be an absolute
number (ex: 5) or a percentage of desired pods (ex:
10%). This can not be 0 if MaxUnavailable is 0. Absolute
number is calculated from percentage by rounding up
to a minimum of 1. Default value is 0. Example: when
this is set to 30%, at most 30% of the total number
of nodes that should be running the daemon pod (i.e.
status.desiredNumberScheduled) can have their a new
pod created before the old pod is marked as deleted.
The update starts by launching new pods on 30% of nodes.
Once an updated pod is available (Ready for at least
minReadySeconds) the old DaemonSet pod on that node
is marked deleted. If the old pod becomes unavailable
for any reason (Ready transitions to false, is evicted,
or is drained) an updated pod is immediatedly created
on that node without considering surge limits. Allowing
surge implies the possibility that the resources consumed
by the daemonset on any given node can double if the
readiness check fails, and so resource intensive daemonsets
should take into account that they may cause evictions
during disruption. This is beta field and enabled/disabled
by DaemonSetUpdateSurge feature gate.'
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
description: 'The maximum number of DaemonSet pods that
can be unavailable during the update. Value can be an
absolute number (ex: 5) or a percentage of total number
of DaemonSet pods at the start of the update (ex: 10%).
Absolute number is calculated from percentage by rounding
up. This cannot be 0 if MaxSurge is 0 Default value
is 1. Example: when this is set to 30%, at most 30%
of the total number of nodes that should be running
the daemon pod (i.e. status.desiredNumberScheduled)
can have their pods stopped for an update at any given
time. The update starts by stopping at most 30% of those
DaemonSet pods and then brings up new DaemonSet pods
in their place. Once the new pods are available, it
then proceeds onto other DaemonSet pods, thus ensuring
that at least 70% of original number of DaemonSet pods
are available at all times during the update.'
x-kubernetes-int-or-string: true
type: object
type:
default: RollingUpdate
enum:
- RollingUpdate
- OnDelete
type: string
type: object
type: object
required:
- falcon
18 changes: 11 additions & 7 deletions config/manifests/bases/falcon-operator.clusterserviceversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -98,23 +98,27 @@ spec:
- description: The application proxy port to use for Falcon sensor proxy configuration.
displayName: Falcon Proxy Port
path: falcon.app
- description: Kills pod after a specificed amount of time (in seconds). Default
is 30 seconds.
displayName: Termination Grace Period
path: node.terminationGracePeriod
- description: Type of DaemonSet update. Can be "RollingUpdate" or "OnDelete".
Default is RollingUpdate.
displayName: DaemonSet Update Strategy
path: node.updateStrategy
- description: 'Sensor grouping tags are optional, user-defined identifiers
that can used to group and filter hosts. Allowed characters: all alphanumerics,
''/'', ''-'', and ''_''.'
displayName: Sensor Grouping Tags
path: falcon.tags
- description: Kills pod after a specificed amount of time (in seconds). Default
is 30 seconds.
displayName: Termination Grace Period
path: node.terminationGracePeriod
- description: Set sensor trace level.
displayName: Trace Level
path: falcon.trace
- description: Disables the cleanup of the sensor through DaemonSet on the nodes.
Disabling might have unintended consequences for certain operations such
as sensor downgrading.
displayName: Node Cleanup
path: node.disableCleanup
- description: Set sensor trace level.
displayName: Trace Level
path: falcon.trace
- description: Utilize default or Pay-As-You-Go billing.
displayName: Billing
path: falcon.billing
