From 5c3f48ff50a47d004059686041a1530751b2ba83 Mon Sep 17 00:00:00 2001
From: Milo Hyson
Date: Thu, 29 Aug 2024 10:25:17 -0700
Subject: [PATCH] feat: advanced settings
---
.../v1alpha1/{unsafe.go => advanced.go} | 28 +++---
api/falcon/v1alpha1/falconcontainer_types.go | 8 +-
api/falcon/v1alpha1/falconnodesensor_types.go | 8 +-
api/falcon/v1alpha1/zz_generated.deepcopy.go | 54 +++++-----
...lcon.crowdstrike.com_falconcontainers.yaml | 48 ++++-----
...con.crowdstrike.com_falconnodesensors.yaml | 50 +++++-----
deploy/falcon-operator.yaml | 98 +++++++++----------
docs/{UNSAFE.md => ADVANCED.md} | 14 +--
.../openshift/resources/container/README.md | 11 ++-
.../openshift/resources/node/README.md | 11 ++-
docs/resources/container/README.md | 11 ++-
docs/resources/node/README.md | 11 ++-
docs/src/resources/container.md.tmpl | 11 ++-
docs/src/resources/node.md.tmpl | 11 ++-
.../falconcontainer_controller.go | 4 +-
.../controller/falcon_container/image_push.go | 4 +-
.../falcon_container/image_push_test.go | 10 +-
.../falconnodesensor_controller.go | 4 +-
pkg/node/config_cache.go | 4 +-
pkg/node/config_cache_test.go | 10 +-
20 files changed, 214 insertions(+), 196 deletions(-)
rename api/falcon/v1alpha1/{unsafe.go => advanced.go} (63%)
rename docs/{UNSAFE.md => ADVANCED.md} (79%)
diff --git a/api/falcon/v1alpha1/unsafe.go b/api/falcon/v1alpha1/advanced.go
similarity index 63%
rename from api/falcon/v1alpha1/unsafe.go
rename to api/falcon/v1alpha1/advanced.go
index 743924b4..a82dfcde 100644
--- a/api/falcon/v1alpha1/unsafe.go
+++ b/api/falcon/v1alpha1/advanced.go
@@ -8,10 +8,10 @@ const (
 	Off = "off"
 )
-// FalconUnsafe configures various options that go against industry practices or are otherwise not recommended for use.
+// FalconAdvanced configures various options that go against industry practices or are otherwise not recommended for use.
 // Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
-// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md.
-type FalconUnsafe struct {
+// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+type FalconAdvanced struct {
 	// UpdatePolicy is the name of a sensor update policy configured and enabled in Falcon UI. It is ignored when Image and/or Version are set.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Sensor Update Policy",order=1
 	UpdatePolicy *string `json:"updatePolicy,omitempty"`
@@ -24,30 +24,30 @@ type FalconUnsafe struct {
 	AutoUpdate *string `json:"autoUpdate,omitempty"`
 }
-func (notSafe FalconUnsafe) GetUpdatePolicy() string {
-	if notSafe.UpdatePolicy == nil {
+func (advanced FalconAdvanced) GetUpdatePolicy() string {
+	if advanced.UpdatePolicy == nil {
 		return ""
 	}
-	return strings.TrimSpace(*notSafe.UpdatePolicy)
+	return strings.TrimSpace(*advanced.UpdatePolicy)
 }
-func (notSafe FalconUnsafe) HasUpdatePolicy() bool {
-	return notSafe.GetUpdatePolicy() != ""
+func (advanced FalconAdvanced) HasUpdatePolicy() bool {
+	return advanced.GetUpdatePolicy() != ""
 }
-func (notSafe FalconUnsafe) IsAutoUpdating() bool {
-	if notSafe.AutoUpdate == nil {
+func (advanced FalconAdvanced) IsAutoUpdating() bool {
+	if advanced.AutoUpdate == nil {
 		return false
 	}
-	return *notSafe.AutoUpdate != "off"
+	return *advanced.AutoUpdate != "off"
 }
-func (notSafe FalconUnsafe) IsAutoUpdatingForced() bool {
-	if notSafe.AutoUpdate == nil {
+func (advanced FalconAdvanced) IsAutoUpdatingForced() bool {
+	if advanced.AutoUpdate == nil {
 		return false
 	}
-	return *notSafe.AutoUpdate == "force"
+	return *advanced.AutoUpdate == "force"
 }
diff --git a/api/falcon/v1alpha1/falconcontainer_types.go b/api/falcon/v1alpha1/falconcontainer_types.go
index f18c067d..c75f6a28 100644
--- a/api/falcon/v1alpha1/falconcontainer_types.go
+++ b/api/falcon/v1alpha1/falconcontainer_types.go
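Review bot: `IsAutoUpdating` still treats every value other than the literal `"off"` as enabling auto-update, so an unrecognized or whitespace-padded value such as `" off"` fails open into the behaviour this type's own doc comment warns against, and the literal bypasses the `Off` constant declared in the const block just above this hunk. The CRD enum only protects objects that pass API-server validation, so the Go side should fail closed and normalize the same way `GetUpdatePolicy` does: `v := strings.TrimSpace(*advanced.AutoUpdate)` followed by `return v == "normal" || v == "force"`, with `IsAutoUpdatingForced` comparing the same trimmed value. If `Normal` and `Force` constants exist beside `Off`, prefer them to the bare literals.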
@@ -44,11 +44,11 @@ type FalconContainerSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Image Version",order=6
 	Version *string `json:"version,omitempty"`
-	// FalconUnsafe configures various options that go against industry practices or are otherwise not recommended for use.
+	// Advanced configures various options that go against industry practices or are otherwise not recommended for use.
 	// Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
-	// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Unsafe Settings"
-	Unsafe FalconUnsafe `json:"unsafe,omitempty"`
+	// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Container Advanced Settings"
+	Advanced FalconAdvanced `json:"advanced,omitempty"`
 }
 type FalconContainerInjectorSpec struct {
diff --git a/api/falcon/v1alpha1/falconnodesensor_types.go b/api/falcon/v1alpha1/falconnodesensor_types.go
index 929cd4a3..a9902018 100644
--- a/api/falcon/v1alpha1/falconnodesensor_types.go
+++ b/api/falcon/v1alpha1/falconnodesensor_types.go
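Review bot: Renaming the serialized key from `unsafe` to `advanced` on `FalconContainerSpec` removes the old field with no migration path: after the CRD upgrade, a stored CR that still carries `spec.unsafe.updatePolicy` or `spec.unsafe.autoUpdate` has those fields dropped by the structural schema (v1 CRDs prune unknown fields by default), and nothing in this change reports that the operator has quietly reverted to default version selection. Consider keeping a field marked `// Deprecated: use Advanced instead.` of type `FalconAdvanced` with the json key `unsafe,omitempty` that the reconciler folds into `Advanced` for one release, or at minimum log a warning and call out the removal in the upgrade notes. The same applies to the `FalconNodeSensorConfig` hunk in falconnodesensor_types.go. The enclosing struct begins before this hunk.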
@@ -104,11 +104,11 @@ type FalconNodeSensorConfig struct {
 	// Version of the sensor to be installed. The latest version will be selected when this version specifier is missing.
 	Version *string `json:"version,omitempty"`
-	// FalconUnsafe configures various options that go against industry practices or are otherwise not recommended for use.
+	// Advanced configures various options that go against industry practices or are otherwise not recommended for use.
 	// Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
-	// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md.
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="DaemonSet Unsafe Settings"
-	Unsafe FalconUnsafe `json:"unsafe,omitempty"`
+	// For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="DaemonSet Advanced Settings"
+	Advanced FalconAdvanced `json:"advanced,omitempty"`
 }
 type PriorityClassConfig struct {
diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
index 04a131d4..386a09a4 100644
--- a/api/falcon/v1alpha1/zz_generated.deepcopy.go
+++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -537,6 +537,31 @@ func (in *FalconAdmissionUpdateStrategy) DeepCopy() *FalconAdmissionUpdateStrate
 	return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FalconAdvanced) DeepCopyInto(out *FalconAdvanced) {
+	*out = *in
+	if in.UpdatePolicy != nil {
+		in, out := &in.UpdatePolicy, &out.UpdatePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoUpdate != nil {
+		in, out := &in.AutoUpdate, &out.AutoUpdate
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdvanced.
+func (in *FalconAdvanced) DeepCopy() *FalconAdvanced {
+	if in == nil {
+		return nil
+	}
+	out := new(FalconAdvanced)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FalconCRStatus) DeepCopyInto(out *FalconCRStatus) {
 	*out = *in
@@ -739,7 +764,7 @@ func (in *FalconContainerSpec) DeepCopyInto(out *FalconContainerSpec) {
 		*out = new(string)
 		**out = **in
 	}
-	in.Unsafe.DeepCopyInto(&out.Unsafe)
+	in.Advanced.DeepCopyInto(&out.Advanced)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconContainerSpec.
@@ -1033,7 +1058,7 @@ func (in *FalconNodeSensorConfig) DeepCopyInto(out *FalconNodeSensorConfig) {
 		*out = new(string)
 		**out = **in
 	}
-	in.Unsafe.DeepCopyInto(&out.Unsafe)
+	in.Advanced.DeepCopyInto(&out.Advanced)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconNodeSensorConfig.
@@ -1200,31 +1225,6 @@ func (in *FalconSensor) DeepCopy() *FalconSensor {
 	return out
 }
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FalconUnsafe) DeepCopyInto(out *FalconUnsafe) {
-	*out = *in
-	if in.UpdatePolicy != nil {
-		in, out := &in.UpdatePolicy, &out.UpdatePolicy
-		*out = new(string)
-		**out = **in
-	}
-	if in.AutoUpdate != nil {
-		in, out := &in.AutoUpdate, &out.AutoUpdate
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconUnsafe.
-func (in *FalconUnsafe) DeepCopy() *FalconUnsafe {
-	if in == nil {
-		return nil
-	}
-	out := new(FalconUnsafe)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PriorityClassConfig) DeepCopyInto(out *PriorityClassConfig) {
 	*out = *in
diff --git a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
index d85f7ea9..83351ac9 100644
--- a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
+++ b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
@@ -43,6 +43,30 @@ spec: spec: description: FalconContainerSpec defines the desired state of FalconContainer properties: + advanced: + description: Advanced configures various options that go against industry + practices or are otherwise not recommended for use. Adjusting these + settings may result in incorrect or undesirable behavior. Proceed + at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md. + properties: + autoUpdate: + description: AutoUpdate determines whether to install new versions + of the sensor as they become available. Defaults to "off" and + is ignored if FalconAPI is not set. Setting this to "force" + causes the reconciler to run on every polling cycle, even if + a new sensor version is not available. Setting it to "normal" + only reconciles when a new version is detected. + enum: + - "off" + - normal + - force + type: string + updatePolicy: + description: UpdatePolicy is the name of a sensor update policy + configured and enabled in Falcon UI. It is ignored when Image + and/or Version are set. + type: string + type: object falcon: description: CrowdStrike Falcon Sensor configuration settings. properties: 
@@ -1924,30 +1948,6 @@ spec: required: - type type: object - unsafe: - description: FalconUnsafe configures various options that go against - industry practices or are otherwise not recommended for use. Adjusting - these settings may result in incorrect or undesirable behavior. - Proceed at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md. - properties: - autoUpdate: - description: AutoUpdate determines whether to install new versions - of the sensor as they become available. Defaults to "off" and - is ignored if FalconAPI is not set. Setting this to "force" - causes the reconciler to run on every polling cycle, even if - a new sensor version is not available. Setting it to "normal" - only reconciles when a new version is detected. - enum: - - "off" - - normal - - force - type: string - updatePolicy: - description: UpdatePolicy is the name of a sensor update policy - configured and enabled in Falcon UI. It is ignored when Image - and/or Version are set. - type: string - type: object version: description: Falcon Container Version. The latest version will be selected when version specifier is missing; ignored when Image is diff --git a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml index b59687f4..5f3371f7 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml 
@@ -138,6 +138,31 @@ spec: node: description: Various configuration for DaemonSet Deployment properties: + advanced: + description: Advanced configures various options that go against + industry practices or are otherwise not recommended for use. + Adjusting these settings may result in incorrect or undesirable + behavior. Proceed at your own risk. For more information, please + see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md. + properties: + autoUpdate: + description: AutoUpdate determines whether to install new + versions of the sensor as they become available. Defaults + to "off" and is ignored if FalconAPI is not set. Setting + this to "force" causes the reconciler to run on every polling + cycle, even if a new sensor version is not available. Setting + it to "normal" only reconciles when a new version is detected. + enum: + - "off" + - normal + - force + type: string + updatePolicy: + description: UpdatePolicy is the name of a sensor update policy + configured and enabled in Falcon UI. It is ignored when + Image and/or Version are set. + type: string + type: object backend: default: bpf description: Sets the backend to be used by the DaemonSet Sensor. 
@@ -516,31 +541,6 @@ spec: type: string type: object type: array - unsafe: - description: FalconUnsafe configures various options that go against - industry practices or are otherwise not recommended for use. - Adjusting these settings may result in incorrect or undesirable - behavior. Proceed at your own risk. For more information, please - see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md. - properties: - autoUpdate: - description: AutoUpdate determines whether to install new - versions of the sensor as they become available. Defaults - to "off" and is ignored if FalconAPI is not set. Setting - this to "force" causes the reconciler to run on every polling - cycle, even if a new sensor version is not available. Setting - it to "normal" only reconciles when a new version is detected. - enum: - - "off" - - normal - - force - type: string - updatePolicy: - description: UpdatePolicy is the name of a sensor update policy - configured and enabled in Falcon UI. It is ignored when - Image and/or Version are set. - type: string - type: object updateStrategy: description: Type of DaemonSet update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index c6ad2841..d4686d19 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml 
@@ -598,6 +598,30 @@ spec: spec: description: FalconContainerSpec defines the desired state of FalconContainer properties: + advanced: + description: Advanced configures various options that go against industry + practices or are otherwise not recommended for use. Adjusting these + settings may result in incorrect or undesirable behavior. Proceed + at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md. + properties: + autoUpdate: + description: AutoUpdate determines whether to install new versions + of the sensor as they become available. Defaults to "off" and + is ignored if FalconAPI is not set. Setting this to "force" + causes the reconciler to run on every polling cycle, even if + a new sensor version is not available. Setting it to "normal" + only reconciles when a new version is detected. + enum: + - "off" + - normal + - force + type: string + updatePolicy: + description: UpdatePolicy is the name of a sensor update policy + configured and enabled in Falcon UI. It is ignored when Image + and/or Version are set. + type: string + type: object falcon: description: CrowdStrike Falcon Sensor configuration settings. properties: 
@@ -2479,30 +2503,6 @@ spec: required: - type type: object - unsafe: - description: FalconUnsafe configures various options that go against - industry practices or are otherwise not recommended for use. Adjusting - these settings may result in incorrect or undesirable behavior. - Proceed at your own risk. For more information, please see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md. - properties: - autoUpdate: - description: AutoUpdate determines whether to install new versions - of the sensor as they become available. Defaults to "off" and - is ignored if FalconAPI is not set. Setting this to "force" - causes the reconciler to run on every polling cycle, even if - a new sensor version is not available. Setting it to "normal" - only reconciles when a new version is detected. - enum: - - "off" - - normal - - force - type: string - updatePolicy: - description: UpdatePolicy is the name of a sensor update policy - configured and enabled in Falcon UI. It is ignored when Image - and/or Version are set. - type: string - type: object version: description: Falcon Container Version. The latest version will be selected when version specifier is missing; ignored when Image is 
@@ -3149,6 +3149,31 @@ spec: node: description: Various configuration for DaemonSet Deployment properties: + advanced: + description: Advanced configures various options that go against + industry practices or are otherwise not recommended for use. + Adjusting these settings may result in incorrect or undesirable + behavior. Proceed at your own risk. For more information, please + see https://github.com/CrowdStrike/falcon-operator/blob/main/docs/ADVANCED.md. + properties: + autoUpdate: + description: AutoUpdate determines whether to install new + versions of the sensor as they become available. Defaults + to "off" and is ignored if FalconAPI is not set. Setting + this to "force" causes the reconciler to run on every polling + cycle, even if a new sensor version is not available. Setting + it to "normal" only reconciles when a new version is detected. + enum: + - "off" + - normal + - force + type: string + updatePolicy: + description: UpdatePolicy is the name of a sensor update policy + configured and enabled in Falcon UI. It is ignored when + Image and/or Version are set. + type: string + type: object backend: default: bpf description: Sets the backend to be used by the DaemonSet Sensor. 
@@ -3527,31 +3552,6 @@ spec: type: string type: object type: array - unsafe: - description: FalconUnsafe configures various options that go against - industry practices or are otherwise not recommended for use. - Adjusting these settings may result in incorrect or undesirable - behavior. Proceed at your own risk. For more information, please - see https://github.com/CrowdStrike/falcon-operator/blob/main/UNSAFE.md. - properties: - autoUpdate: - description: AutoUpdate determines whether to install new - versions of the sensor as they become available. Defaults - to "off" and is ignored if FalconAPI is not set. Setting - this to "force" causes the reconciler to run on every polling - cycle, even if a new sensor version is not available. Setting - it to "normal" only reconciles when a new version is detected. - enum: - - "off" - - normal - - force - type: string - updatePolicy: - description: UpdatePolicy is the name of a sensor update policy - configured and enabled in Falcon UI. It is ignored when - Image and/or Version are set. - type: string - type: object updateStrategy: description: Type of DaemonSet update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. diff --git a/docs/UNSAFE.md b/docs/ADVANCED.md similarity index 79% rename from docs/UNSAFE.md rename to docs/ADVANCED.md index a051341a..6c9e7e33 100644 --- a/docs/UNSAFE.md +++ b/docs/ADVANCED.md 
@@ -1,6 +1,6 @@
-# Unsafe Settings
+# Advanced Settings
- Some of the operator's configurable settings involve features that conflict with established industry norms. These options are disabled by default as they carry a certain amount of risk, but they can be enabled in the `unsafe` section of each resource spec. What follows is a brief overview of the issues surrounding their use.
+ Some of the operator's configurable settings involve features that conflict with established industry norms. These options are disabled by default as they introduce various amounts of risk. While their use is not recommended they can be enabled in the `advanced` section of each resource spec. What follows is a brief overview of the issues surrounding these settings.
 ## The Golden Rule of Kubernetes
@@ -12,18 +12,18 @@ Consider a container spec that uses `nginx:latest`. What exactly will this deplo
 It is for these reasons and others that such practices are discouraged. A better approach given the above scenario is to use explicit image hashes. Instead of `nginx:latest`, one could use `nginx@sha256:447a8665...`. This uniquely identifies a particular version and package of nginx. It will never be anything else. All of the questions raised above become irrelevant. It is known what version will be deployed. It is known it will be the expected version. It is known new containers won't use anything else. It is safe.
-## Falcon's Unsafe Options
+## Falcon's Advanced Options
-Only some of the resources provided by the operator have unsafe properties. Each keeps them in slightly different places:
+Only some of the resources provided by the operator have advanced properties. Each keeps them in slightly different places:
-* `spec.unsafe` for FalconContainer
-* `spec.node.unsafe` for FalconNodeSensor
+* `spec.advanced` for FalconContainer
+* `spec.node.advanced` for FalconNodeSensor
 Any options that go against recommended practices can be found here. Presently, that includes settings that affect the selection of Falcon sensor versions, which brings all of the issues of image tags described above. Details on these settings can be found in the respective resource documents.
 ## More Information
-The issues around unsafe settings can be quite involved. The following are other resources that go into greater depth:
+The issues around these advanced settings can be quite involved. The following are other resources that go into greater depth:
 * [Attack of the Mutant Tags! Or Why Tag Mutability is a Real Security Threat](https://sysdig.com/blog/toctou-tag-mutability/)
 * [How to Ensure Consistent Kubernetes Container Versions](https://www.gremlin.com/blog/kubernetes-container-image-version-uniformity)
diff --git a/docs/deployment/openshift/resources/container/README.md b/docs/deployment/openshift/resources/container/README.md
index 3e9c65ff..f6a9846e 100644
--- a/docs/deployment/openshift/resources/container/README.md
+++ b/docs/deployment/openshift/resources/container/README.md
@@ -87,15 +87,18 @@ spec:
 | falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited |
 | falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) |
-#### Unsafe Settings
+#### Advanced Settings
 The following settings provide an alternative means to select which version of Falcon sensor is deployed. Their use is not recommended. Instead, an explicit SHA256 hash should be configured using the `image` property above.
-See `docs/UNSAFE.md` for more details.
+See `docs/ADVANCED.md` for more details.
 | Spec | Default Value | Description |
 | :- | :- | :- |
-| unsafe.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are:
-| unsafe.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). |
+| advanced.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are:
+| advanced.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). |
+
+##### Automatic Update Frequency
+The operator checks for new releases of Falcon sensor once every 24 hours by default. This can be adjusted by setting the `--sensor-auto-update-interval` command-line flag to any value acceptable by [Golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) function. However, it is strongly recommended that this be left at the default, as each cycle involves queries to the Falcon API and too many could result in throttling.
 #### Status Conditions
 | Status | Description |
diff --git a/docs/deployment/openshift/resources/node/README.md b/docs/deployment/openshift/resources/node/README.md
index 22694621..cb482f7f 100644
--- a/docs/deployment/openshift/resources/node/README.md
+++ b/docs/deployment/openshift/resources/node/README.md
@@ -81,15 +81,18 @@ spec:
 | falcon.tags | (optional) Sensor grouping tags are optional, user-defined identifiers that can used to group and filter hosts. Allowed characters: all alphanumerics, '/', '-', and '_'. |
 | falcon.trace | (optional) Set sensor trace level. |
-#### Unsafe Settings
+#### Advanced Settings
 The following settings provide an alternative means to select which version of Falcon sensor is deployed. Their use is not recommended. Instead, an explicit SHA256 hash should be configured using the `node.image` property above.
-See `docs/UNSAFE.md` for more details.
+See `docs/ADVANCED.md` for more details.
 | Spec | Default Value | Description |
 | :- | :- | :- |
-| node.unsafe.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are:
-| node.unsafe.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). |
+| node.advanced.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are:
+| node.advanced.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). |
+
+##### Automatic Update Frequency
+The operator checks for new releases of Falcon sensor once every 24 hours by default. This can be adjusted by setting the `--sensor-auto-update-interval` command-line flag to any value acceptable by [Golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) function. However, it is strongly recommended that this be left at the default, as each cycle involves queries to the Falcon API and too many could result in throttling.
 > [!IMPORTANT]
 > All arguments are optional, but successful deployment requires either **client_id and falcon_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user.
diff --git a/docs/resources/container/README.md b/docs/resources/container/README.md
index afc9e5e7..41565bbb 100644
--- a/docs/resources/container/README.md
+++ b/docs/resources/container/README.md
@@ -87,15 +87,18 @@ spec:
 | falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited |
 | falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) |
-#### Unsafe Settings
+#### Advanced Settings
 The following settings provide an alternative means to select which version of Falcon sensor is deployed. Their use is not recommended. Instead, an explicit SHA256 hash should be configured using the `image` property above.
-See `docs/UNSAFE.md` for more details.
+See `docs/ADVANCED.md` for more details.
 | Spec | Default Value | Description |
 | :- | :- | :- |
-| unsafe.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are:
-| unsafe.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). |
+| advanced.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are:
+| advanced.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). |
+
+##### Automatic Update Frequency
+The operator checks for new releases of Falcon sensor once every 24 hours by default. This can be adjusted by setting the `--sensor-auto-update-interval` command-line flag to any value acceptable by [Golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) function. However, it is strongly recommended that this be left at the default, as each cycle involves queries to the Falcon API and too many could result in throttling.
 #### Status Conditions
 | Status | Description |
diff --git a/docs/resources/node/README.md b/docs/resources/node/README.md
index 6d007aa4..ffc824c1 100644
--- a/docs/resources/node/README.md
+++ b/docs/resources/node/README.md
@@ -81,15 +81,18 @@ spec: | falcon.tags | (optional) Sensor grouping tags are optional, user-defined identifiers that can used to group and filter hosts. Allowed characters: all alphanumerics, '/', '-', and '_'. | | falcon.trace | (optional) Set sensor trace level. | -#### Unsafe Settings +#### Advanced Settings The following settings provide an alternative means to select which version of Falcon sensor is deployed. Their use is not recommended. Instead, an explicit SHA256 hash should be configured using the `node.image` property above. -See `docs/UNSAFE.md` for more details. +See `docs/ADVANCED.md` for more details. | Spec | Default Value | Description | | :- | :- | :- | -| node.unsafe.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are: -| node.unsafe.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). | +| node.advanced.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are: +| node.advanced.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). | + +##### Automatic Update Frequency +The operator checks for new releases of Falcon sensor once every 24 hours by default. This can be adjusted by setting the `--sensor-auto-update-interval` command-line flag to any value acceptable by [Golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) function. 
However, it is strongly recommended that this be left at the default, as each cycle involves queries to the Falcon API and too many could result in throttling. > [!IMPORTANT] > All arguments are optional, but successful deployment requires either **client_id and falcon_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user. diff --git a/docs/src/resources/container.md.tmpl b/docs/src/resources/container.md.tmpl index 3c09bd4d..d6ce7eec 100644 --- a/docs/src/resources/container.md.tmpl +++ b/docs/src/resources/container.md.tmpl 
@@ -87,15 +87,18 @@ spec: | falcon.tags | (optional) Configure Falcon Sensor Grouping Tags; comma-delimited | | falcon.trace | (optional) Configure Falcon Sensor Trace Logging Level (none, err, warn, info, debug) | -#### Unsafe Settings +#### Advanced Settings The following settings provide an alternative means to select which version of Falcon sensor is deployed. Their use is not recommended. Instead, an explicit SHA256 hash should be configured using the `image` property above. -See `docs/UNSAFE.md` for more details. +See `docs/ADVANCED.md` for more details. | Spec | Default Value | Description | | :- | :- | :- | -| unsafe.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are: -| unsafe.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). | +| advanced.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are: +| advanced.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). | + +##### Automatic Update Frequency +The operator checks for new releases of Falcon sensor once every 24 hours by default. This can be adjusted by setting the `--sensor-auto-update-interval` command-line flag to any value acceptable by [Golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) function. 
However, it is strongly recommended that this be left at the default, as each cycle involves queries to the Falcon API and too many could result in throttling. #### Status Conditions | Status | Description | diff --git a/docs/src/resources/node.md.tmpl b/docs/src/resources/node.md.tmpl index ebe37506..a79b284a 100644 --- a/docs/src/resources/node.md.tmpl +++ b/docs/src/resources/node.md.tmpl 
@@ -81,15 +81,18 @@ spec: | falcon.tags | (optional) Sensor grouping tags are optional, user-defined identifiers that can used to group and filter hosts. Allowed characters: all alphanumerics, '/', '-', and '_'. | | falcon.trace | (optional) Set sensor trace level. | -#### Unsafe Settings +#### Advanced Settings The following settings provide an alternative means to select which version of Falcon sensor is deployed. Their use is not recommended. Instead, an explicit SHA256 hash should be configured using the `node.image` property above. -See `docs/UNSAFE.md` for more details. +See `docs/ADVANCED.md` for more details. | Spec | Default Value | Description | | :- | :- | :- | -| node.unsafe.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are: -| node.unsafe.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). | +| node.advanced.autoUpdate | `off` | Automatically updates a deployed Falcon sensor as new versions are released. This has no effect if a specific image or version has been requested. Valid settings are: +| node.advanced.updatePolicy | _none_ | If set, applies the named Linux sensor update policy, configured in Falcon UI, to select which version of Falcon sensor to install. The policy must be enabled and must match the CPU architecture of the cluster (AMD64 or ARM64). | + +##### Automatic Update Frequency +The operator checks for new releases of Falcon sensor once every 24 hours by default. This can be adjusted by setting the `--sensor-auto-update-interval` command-line flag to any value acceptable by [Golang's ParseDuration](https://pkg.go.dev/time#ParseDuration) function. 
However, it is strongly recommended that this be left at the default, as each cycle involves queries to the Falcon API and too many could result in throttling. > [!IMPORTANT] > All arguments are optional, but successful deployment requires either **client_id and falcon_secret or the Falcon cid and image**. When deploying using the CrowdStrike Falcon API, the container image and CID will be fetched from CrowdStrike Falcon API. While in the latter case, the CID and image location is explicitly specified by the user. diff --git a/internal/controller/falcon_container/falconcontainer_controller.go b/internal/controller/falcon_container/falconcontainer_controller.go index 6cc4db9b..6cd89590 100644 --- a/internal/controller/falcon_container/falconcontainer_controller.go +++ b/internal/controller/falcon_container/falconcontainer_controller.go @@ -154,7 +154,7 @@ func (r *FalconContainerReconciler) Reconcile(ctx context.Context, req ctrl.Requ if shouldTrackSensorVersions(falconContainer) { getSensorVersion := sensorversion.NewFalconCloudQuery(falcon.SidecarSensor, r.falconApiConfig(ctx, falconContainer)) - r.tracker.Track(req.NamespacedName, getSensorVersion, r.reconcileObjectWithName, falconContainer.Spec.Unsafe.IsAutoUpdatingForced()) + r.tracker.Track(req.NamespacedName, getSensorVersion, r.reconcileObjectWithName, falconContainer.Spec.Advanced.IsAutoUpdatingForced()) } else { r.tracker.StopTracking(req.NamespacedName) } @@ -359,5 +359,5 @@ func (r *FalconContainerReconciler) reconcileObjectWithName(ctx context.Context, } func shouldTrackSensorVersions(obj *falconv1alpha1.FalconContainer) bool { - return obj.Spec.FalconAPI != nil && obj.Spec.Unsafe.IsAutoUpdating() + return obj.Spec.FalconAPI != nil && obj.Spec.Advanced.IsAutoUpdating() } diff --git a/internal/controller/falcon_container/image_push.go b/internal/controller/falcon_container/image_push.go index bf07a409..839584bb 100644 --- a/internal/controller/falcon_container/image_push.go 
+++ b/internal/controller/falcon_container/image_push.go @@ -208,7 +208,7 @@ func (r *FalconContainerReconciler) setImageTag(ctx context.Context, falconConta return "", err } - tag, err := imageRepo.GetPreferredImage(ctx, falcon.SidecarSensor, falconContainer.Spec.Version, falconContainer.Spec.Unsafe.UpdatePolicy) + tag, err := imageRepo.GetPreferredImage(ctx, falcon.SidecarSensor, falconContainer.Spec.Version, falconContainer.Spec.Advanced.UpdatePolicy) if err == nil { falconContainer.Status.Sensor = common.ImageVersion(tag) } @@ -246,7 +246,7 @@ func (r *FalconContainerReconciler) imageMirroringEnabled(falconContainer *falco } func (r *FalconContainerReconciler) versionLock(falconContainer *falconv1alpha1.FalconContainer) bool { - if falconContainer.Status.Sensor == nil || falconContainer.Spec.Unsafe.HasUpdatePolicy() || falconContainer.Spec.Unsafe.IsAutoUpdating() { + if falconContainer.Status.Sensor == nil || falconContainer.Spec.Advanced.HasUpdatePolicy() || falconContainer.Spec.Advanced.IsAutoUpdating() { return false } diff --git a/internal/controller/falcon_container/image_push_test.go b/internal/controller/falcon_container/image_push_test.go index d1487971..84ee5833 100644 --- a/internal/controller/falcon_container/image_push_test.go +++ b/internal/controller/falcon_container/image_push_test.go @@ -11,7 +11,7 @@ func TestVersionLock_WithAutoUpdateDisabled(t *testing.T) { reconciler := &FalconContainerReconciler{} container := &falconv1alpha1.FalconContainer{} container.Status.Sensor = stringPointer("some sensor") - container.Spec.Unsafe.AutoUpdate = stringPointer(falconv1alpha1.Off) + container.Spec.Advanced.AutoUpdate = stringPointer(falconv1alpha1.Off) assert.True(t, reconciler.versionLock(container)) } 
@@ -19,7 +19,7 @@ func TestVersionLock_WithForcedAutoUpdate(t *testing.T) { reconciler := &FalconContainerReconciler{} container := &falconv1alpha1.FalconContainer{} container.Status.Sensor = stringPointer("some sensor") - container.Spec.Unsafe.AutoUpdate = stringPointer(falconv1alpha1.Force) + container.Spec.Advanced.AutoUpdate = stringPointer(falconv1alpha1.Force) assert.False(t, reconciler.versionLock(container)) } @@ -27,7 +27,7 @@ func TestVersionLock_WithNormalAutoUpdate(t *testing.T) { reconciler := &FalconContainerReconciler{} container := &falconv1alpha1.FalconContainer{} container.Status.Sensor = stringPointer("some sensor") - container.Spec.Unsafe.AutoUpdate = stringPointer(falconv1alpha1.Normal) + container.Spec.Advanced.AutoUpdate = stringPointer(falconv1alpha1.Normal) assert.False(t, reconciler.versionLock(container)) } @@ -35,7 +35,7 @@ func TestVersionLock_WithBlankUpdatePolicy(t *testing.T) { reconciler := &FalconContainerReconciler{} container := &falconv1alpha1.FalconContainer{} container.Status.Sensor = stringPointer("some sensor") - container.Spec.Unsafe.UpdatePolicy = stringPointer("") + container.Spec.Advanced.UpdatePolicy = stringPointer("") assert.True(t, reconciler.versionLock(container)) } @@ -72,7 +72,7 @@ func TestVersionLock_WithUpdatePolicy(t *testing.T) { reconciler := &FalconContainerReconciler{} container := &falconv1alpha1.FalconContainer{} container.Status.Sensor = stringPointer("some sensor") - container.Spec.Unsafe.UpdatePolicy = stringPointer("some policy") + container.Spec.Advanced.UpdatePolicy = stringPointer("some policy") assert.False(t, reconciler.versionLock(container)) } diff --git a/internal/controller/falcon_node/falconnodesensor_controller.go b/internal/controller/falcon_node/falconnodesensor_controller.go index 5fb0fefd..33eac247 100644 --- a/internal/controller/falcon_node/falconnodesensor_controller.go +++ b/internal/controller/falcon_node/falconnodesensor_controller.go 
@@ -188,7 +188,7 @@ func (r *FalconNodeSensorReconciler) Reconcile(ctx context.Context, req ctrl.Req if shouldTrackSensorVersions(nodesensor) { getSensorVersion := sensorversion.NewFalconCloudQuery(falcon.NodeSensor, nodesensor.Spec.FalconAPI.ApiConfig()) - r.tracker.Track(req.NamespacedName, getSensorVersion, r.reconcileObjectWithName, nodesensor.Spec.Node.Unsafe.IsAutoUpdatingForced()) + r.tracker.Track(req.NamespacedName, getSensorVersion, r.reconcileObjectWithName, nodesensor.Spec.Node.Advanced.IsAutoUpdatingForced()) } else { r.tracker.StopTracking(req.NamespacedName) } @@ -1054,5 +1054,5 @@ func (r *FalconNodeSensorReconciler) reconcileObjectWithName(ctx context.Context } func shouldTrackSensorVersions(obj *falconv1alpha1.FalconNodeSensor) bool { - return obj.Spec.FalconAPI != nil && obj.Spec.Node.Unsafe.IsAutoUpdating() + return obj.Spec.FalconAPI != nil && obj.Spec.Node.Advanced.IsAutoUpdating() } diff --git a/pkg/node/config_cache.go b/pkg/node/config_cache.go index 17be4c17..8014e446 100644 --- a/pkg/node/config_cache.go +++ b/pkg/node/config_cache.go @@ -121,7 +121,7 @@ func getFalconImage(ctx context.Context, nodesensor *falconv1alpha1.FalconNodeSe return "", err } - imageTag, err := imageRepo.GetPreferredImage(ctx, falcon.NodeSensor, nodesensor.Spec.Node.Version, nodesensor.Spec.Node.Unsafe.UpdatePolicy) + imageTag, err := imageRepo.GetPreferredImage(ctx, falcon.NodeSensor, nodesensor.Spec.Node.Version, nodesensor.Spec.Node.Advanced.UpdatePolicy) if err != nil { return "", err } @@ -130,7 +130,7 @@ func getFalconImage(ctx context.Context, nodesensor *falconv1alpha1.FalconNodeSe } func versionLock(nodesensor *falconv1alpha1.FalconNodeSensor) bool { - if nodesensor.Status.Sensor == nil || nodesensor.Spec.Node.Unsafe.HasUpdatePolicy() || nodesensor.Spec.Node.Unsafe.IsAutoUpdating() { + if nodesensor.Status.Sensor == nil || nodesensor.Spec.Node.Advanced.HasUpdatePolicy() || nodesensor.Spec.Node.Advanced.IsAutoUpdating() { return false } 
diff --git a/pkg/node/config_cache_test.go b/pkg/node/config_cache_test.go index 90f23e62..c0ce7c6f 100644 --- a/pkg/node/config_cache_test.go +++ b/pkg/node/config_cache_test.go @@ -203,28 +203,28 @@ func TestGetFalconImage(t *testing.T) { func TestVersionLock_WithAutoUpdateDisabled(t *testing.T) { admission := &falconv1alpha1.FalconNodeSensor{} admission.Status.Sensor = stringPointer("some sensor") - admission.Spec.Node.Unsafe.AutoUpdate = stringPointer(falconv1alpha1.Off) + admission.Spec.Node.Advanced.AutoUpdate = stringPointer(falconv1alpha1.Off) assert.True(t, versionLock(admission)) } func TestVersionLock_WithForcedAutoUpdate(t *testing.T) { admission := &falconv1alpha1.FalconNodeSensor{} admission.Status.Sensor = stringPointer("some sensor") - admission.Spec.Node.Unsafe.AutoUpdate = stringPointer(falconv1alpha1.Force) + admission.Spec.Node.Advanced.AutoUpdate = stringPointer(falconv1alpha1.Force) assert.False(t, versionLock(admission)) } func TestVersionLock_WithNormalAutoUpdate(t *testing.T) { admission := &falconv1alpha1.FalconNodeSensor{} admission.Status.Sensor = stringPointer("some sensor") - admission.Spec.Node.Unsafe.AutoUpdate = stringPointer(falconv1alpha1.Normal) + admission.Spec.Node.Advanced.AutoUpdate = stringPointer(falconv1alpha1.Normal) assert.False(t, versionLock(admission)) } func TestVersionLock_WithBlankUpdatePolicy(t *testing.T) { sensor := &falconv1alpha1.FalconNodeSensor{} sensor.Status.Sensor = stringPointer("some sensor") - sensor.Spec.Node.Unsafe.UpdatePolicy = stringPointer("") + sensor.Spec.Node.Advanced.UpdatePolicy = stringPointer("") assert.True(t, versionLock(sensor)) } 
@@ -256,7 +256,7 @@ func TestVersionLock_WithSameVersion(t *testing.T) { func TestVersionLock_WithUpdatePolicy(t *testing.T) { sensor := &falconv1alpha1.FalconNodeSensor{} sensor.Status.Sensor = stringPointer("some sensor") - sensor.Spec.Node.Unsafe.UpdatePolicy = stringPointer("some policy") + sensor.Spec.Node.Advanced.UpdatePolicy = stringPointer("some policy") assert.False(t, versionLock(sensor)) }