Merge pull request #405 from redhatrises/kac_boilerplate_fixes

fix: FalconAdmission boilerplate fixes

api/falcon/v1alpha1/conditions.go

@@ -3,6 +3,7 @@ package v1alpha1
 const (
 	// Following strings are condition types
 
+	ConditionUnknown         string = "Unknown"
 	ConditionSuccess         string = "Success"
 	ConditionFailed          string = "Failed"
 	ConditionPending         string = "Pending"

config/rbac/falconadmission_editor_role.yaml

@@ -3,16 +3,17 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: falconadmission-editor-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: falcon-operator
-    app.kubernetes.io/part-of: falcon-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: falconadmission-editor-role
+    crowdstrike.com/component: rbac
+    crowdstrike.com/created-by: falcon-operator
+    crowdstrike.com/instance: falconadmission-editor-role
+    crowdstrike.com/managed-by: kustomize
+    crowdstrike.com/name: clusterrole
+    crowdstrike.com/part-of: Falcon
+    crowdstrike.com/provider: crowdstrike
+  name: falconcontainer-editor-role
 rules:
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions
   verbs:
@@ -24,7 +25,7 @@ rules:
   - update
   - watch
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions/status
   verbs:

config/rbac/falconadmission_viewer_role.yaml

@@ -3,24 +3,25 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: falconadmission-viewer-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: falcon-operator
-    app.kubernetes.io/part-of: falcon-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: falconadmission-viewer-role
+    crowdstrike.com/component: rbac
+    crowdstrike.com/created-by: falcon-operator
+    crowdstrike.com/instance: falconadmission-viewer-role
+    crowdstrike.com/managed-by: kustomize
+    crowdstrike.com/name: clusterrole
+    crowdstrike.com/part-of: Falcon
+    crowdstrike.com/provider: crowdstrike
+  name: falconcontainer-viewer-role
 rules:
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions
   verbs:
   - get
   - list
   - watch
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions/status
   verbs:

config/rbac/role.yaml

@@ -136,7 +136,7 @@ rules:
   - update
   - watch
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions
   verbs:
@@ -148,13 +148,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions/finalizers
   verbs:
   - update
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions/status
   verbs:

config/samples/falcon_v1alpha1_falconadmission.yaml

@@ -2,11 +2,13 @@ apiVersion: crowdstrike.com/v1alpha1
 kind: FalconAdmission
 metadata:
   labels:
-    app.kubernetes.io/name: falconadmission
-    app.kubernetes.io/instance: falconadmission-sample
-    app.kubernetes.io/part-of: falcon-operator
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/created-by: falcon-operator
+    crowdstrike.com/component: sample
+    crowdstrike.com/created-by: falcon-operator
+    crowdstrike.com/instance: falconadmission-sample
+    crowdstrike.com/managed-by: kustomize
+    crowdstrike.com/name: clusterrole
+    crowdstrike.com/part-of: Falcon
+    crowdstrike.com/provider: crowdstrike
   name: falconadmission-sample
 spec:
   # TODO(user): Add fields here

controllers/falconadmission_controller.go

@@ -17,9 +17,9 @@ type FalconAdmissionReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-//+kubebuilder:rbac:groups=crowdstrike.com,resources=falconadmissions,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=crowdstrike.com,resources=falconadmissions/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=crowdstrike.com,resources=falconadmissions/finalizers,verbs=update
+//+kubebuilder:rbac:groups=falcon.crowdstrike.com,resources=falconadmissions,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=falcon.crowdstrike.com,resources=falconadmissions/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=falcon.crowdstrike.com,resources=falconadmissions/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

deploy/falcon-operator.yaml

@@ -2884,7 +2884,7 @@ rules:
   - update
   - watch
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions
   verbs:
@@ -2896,13 +2896,13 @@ rules:
   - update
   - watch
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions/finalizers
   verbs:
   - update
 - apiGroups:
-  - crowdstrike.com
+  - falcon.crowdstrike.com
   resources:
   - falconadmissions/status
   verbs:

internal/controller/assets/resourcequota.go

@@ -8,7 +8,7 @@ import (
 )
 
 // ResourceQuota returns a ResourceQuota object for the admission controller
-func ResourceQuota(name string, namespace string, component string) *corev1.ResourceQuota {
+func ResourceQuota(name string, namespace string, component string, resourcePod string) *corev1.ResourceQuota {
 	labels := common.CRLabels("resourcequota", name, component)
 
 	return &corev1.ResourceQuota{
@@ -23,15 +23,15 @@ func ResourceQuota(name string, namespace string, component string) *corev1.Reso
 		},
 		Spec: corev1.ResourceQuotaSpec{
 			Hard: corev1.ResourceList{
-				corev1.ResourcePods: resource.MustParse("2"),
+				corev1.ResourcePods: resource.MustParse(resourcePod),
 			},
 			ScopeSelector: &corev1.ScopeSelector{
 				MatchExpressions: []corev1.ScopedResourceSelectorRequirement{
 					{
 						Operator:  corev1.ScopeSelectorOpIn,
 						ScopeName: corev1.ResourceQuotaScopePriorityClass,
 						Values: []string{
-							"system-cluster-critical",
+							common.FalconPriorityClassName,
 						},
 					},
 				},

internal/controller/assets/resourcequota_test.go

@@ -32,15 +32,15 @@ func TestResourceQuota(t *testing.T) {
 						Operator:  corev1.ScopeSelectorOpIn,
 						ScopeName: corev1.ResourceQuotaScopePriorityClass,
 						Values: []string{
-							"system-cluster-critical",
+							common.FalconPriorityClassName,
 						},
 					},
 				},
 			},
 		},
 	}
 
-	got := ResourceQuota("test", "test", "test")
+	got := ResourceQuota("test", "test", "test", "2")
 	if diff := cmp.Diff(&want, &got); diff != "" {
 		t.Errorf("ResourceQuota() mismatch (-want +got): %s", diff)
 	}

internal/controller/assets/validatingwebhook.go

@@ -7,22 +7,21 @@ import (
 )
 
 // ValidatingWebhook returns a ValidatingWebhookConfiguration object
-func ValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte) *arv1.ValidatingWebhookConfiguration {
+func ValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte, port int32, failPolicy arv1.FailurePolicyType, disabledNamespaces []string) *arv1.ValidatingWebhookConfiguration {
 	failurePolicy := arv1.Ignore
 	matchPolicy := arv1.Equivalent
 	sideEffects := arv1.SideEffectClassNone
 	timeoutSeconds := int32(5)
 	operatorSelector := metav1.LabelSelectorOpNotIn
 	path := "/validate"
-	port := int32(443)
 	scope := arv1.AllScopes
 	admissionOperatorValues := []string{"disabled"}
-	labels := common.CRLabels("mutatingwebhook", name, common.FalconAdmissionController)
+	labels := common.CRLabels("validatingwebhook", name, common.FalconAdmissionController)
 
 	return &arv1.ValidatingWebhookConfiguration{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: arv1.SchemeGroupVersion.String(),
-			Kind:       "MutatingWebhookConfiguration",
+			Kind:       "ValidatingWebhookConfiguration",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -34,9 +33,8 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 				Name:                    webhookName,
 				AdmissionReviewVersions: []string{"v1"},
 				SideEffects:             &sideEffects,
-				// TODO: add support for failurePolicy but only for this failurePolicy
-				FailurePolicy: &failurePolicy,
-				MatchPolicy:   &matchPolicy,
+				FailurePolicy:           &failPolicy,
+				MatchPolicy:             &matchPolicy,
 				ClientConfig: arv1.WebhookClientConfig{
 					CABundle: caBundle,
 					Service: &arv1.ServiceReference{
@@ -52,13 +50,7 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 						{
 							Key:      "kubernetes.io/metadata.name",
 							Operator: operatorSelector,
-							Values: []string{
-								namespace,
-								"kube-system",
-								"kube-public",
-								"falcon-system",
-							},
-							// TODO: Need to add a list of custom namespaces as well as openshift namespaces
+							Values:   disabledNamespaces,
 						},
 						{
 							Key:      common.FalconAdmissionReviewKey,
@@ -110,13 +102,7 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 						{
 							Key:      "kubernetes.io/metadata.name",
 							Operator: operatorSelector,
-							Values: []string{
-								namespace,
-								"kube-system",
-								"kube-public",
-								"falcon-system",
-							},
-							// TODO: Need to add a list of custom namespaces as well as openshift namespaces
+							Values:   disabledNamespaces,
 						},
 						{
 							Key:      common.FalconAdmissionReviewKey,

internal/controller/assets/validatingwebhook_test.go

@@ -11,31 +11,30 @@ import (
 
 // TestValidatingWebhook tests the ValidatingWebhook function
 func TestValidatingWebhook(t *testing.T) {
-	want := testValidatingWebhook("test", "test", "test", []byte("test"))
+	want := testValidatingWebhook("test", "test", "test", []byte("test"), 123, arv1.Ignore, []string{"ns1", "ns2"})
 
-	got := ValidatingWebhook("test", "test", "test", []byte("test"))
+	got := ValidatingWebhook("test", "test", "test", []byte("test"), 123, arv1.Ignore, []string{"ns1", "ns2"})
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("ValidatingWebhook() mismatch (-want +got): %s", diff)
 	}
 }
 
 // testValidatingWebhook is a helper function to create a ValidatingWebhookConfiguration
-func testValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte) *arv1.ValidatingWebhookConfiguration {
+func testValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte, port int32, failPolicy arv1.FailurePolicyType, disabledNamespaces []string) *arv1.ValidatingWebhookConfiguration {
 	failurePolicy := arv1.Ignore
 	matchPolicy := arv1.Equivalent
 	sideEffects := arv1.SideEffectClassNone
 	timeoutSeconds := int32(5)
 	operatorSelector := metav1.LabelSelectorOpNotIn
 	path := "/validate"
-	port := int32(443)
 	scope := arv1.AllScopes
 	admissionOperatorValues := []string{"disabled"}
-	labels := common.CRLabels("mutatingwebhook", name, common.FalconAdmissionController)
+	labels := common.CRLabels("validatingwebhook", name, common.FalconAdmissionController)
 
 	return &arv1.ValidatingWebhookConfiguration{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: arv1.SchemeGroupVersion.String(),
-			Kind:       "MutatingWebhookConfiguration",
+			Kind:       "ValidatingWebhookConfiguration",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
@@ -47,9 +46,8 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 				Name:                    webhookName,
 				AdmissionReviewVersions: []string{"v1"},
 				SideEffects:             &sideEffects,
-				// TODO: add support for failurePolicy but only for this failurePolicy
-				FailurePolicy: &failurePolicy,
-				MatchPolicy:   &matchPolicy,
+				FailurePolicy:           &failPolicy,
+				MatchPolicy:             &matchPolicy,
 				ClientConfig: arv1.WebhookClientConfig{
 					CABundle: caBundle,
 					Service: &arv1.ServiceReference{
@@ -65,13 +63,7 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 						{
 							Key:      "kubernetes.io/metadata.name",
 							Operator: operatorSelector,
-							Values: []string{
-								namespace,
-								"kube-system",
-								"kube-public",
-								"falcon-system",
-							},
-							// TODO: Need to add a list of custom namespaces as well as openshift namespaces
+							Values:   []string{"ns1", "ns2"},
 						},
 						{
 							Key:      common.FalconAdmissionReviewKey,
@@ -123,13 +115,7 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 						{
 							Key:      "kubernetes.io/metadata.name",
 							Operator: operatorSelector,
-							Values: []string{
-								namespace,
-								"kube-system",
-								"kube-public",
-								"falcon-system",
-							},
-							// TODO: Need to add a list of custom namespaces as well as openshift namespaces
+							Values:   []string{"ns1", "ns2"},
 						},
 						{
 							Key:      common.FalconAdmissionReviewKey,

pkg/common/constants.go

@@ -13,6 +13,11 @@ const (
 	FalconDaemonsetInitBinaryInvocation    = "falcon-daemonset-init -i"
 	FalconDaemonsetCleanupBinaryInvocation = "falcon-daemonset-init -u"
 	FalconContainerProbePath               = "/live"
+	FalconAdmissionClientStartupProbePath  = "/startz"
+	FalconAdmissionClientLivenessProbePath = "/livez"
+	FalconAdmissionStartupProbePath        = "/startz-kac"
+	FalconAdmissionLivenessProbePath       = "/livez-kac"
+	FalconAdmissionServiceHTTPSName        = "webhook-port"
 	FalconServiceHTTPSName                 = "https"
 	FalconServiceHTTPSPort                 = 443
 
@@ -33,9 +38,11 @@ const (
 	FalconPartOfValue         = "Falcon"
 	FalconCreatedValue        = "falcon-operator"
 	FalconManagedByValue      = "controller-manager"
+	FalconPriorityClassName   = "system-cluster-critical"
 
-	SidecarServiceAccountName  = "falcon-operator-sidecar-sensor"
-	FalconPullSecretName       = "crowdstrike-falcon-pull-secret"
-	NodeServiceAccountName     = "falcon-operator-node-sensor"
-	NodeClusterRoleBindingName = "crowdstrike-falcon-node-sensor"
+	SidecarServiceAccountName   = "falcon-operator-sidecar-sensor"
+	FalconPullSecretName        = "crowdstrike-falcon-pull-secret"
+	NodeServiceAccountName      = "falcon-operator-node-sensor"
+	AdmissionServiceAccountName = "falcon-operator-admission-controller"
+	NodeClusterRoleBindingName  = "crowdstrike-falcon-node-sensor"
 )

pkg/common/vars.go

@@ -6,11 +6,12 @@ import (
 )
 
 var (
-	NodeSelector            = map[string]string{"kubernetes.io/os": "linux"}
-	FalconShellCommand      = []string{"/bin/bash"}
-	OrigDSConfVersion       = "0"
-	FalconOperatorNamespace = "falcon-operator"
-	FalconInjectorCommand   = []string{"injector"}
+	NodeSelector              = map[string]string{"kubernetes.io/os": "linux"}
+	FalconShellCommand        = []string{"/bin/bash"}
+	OrigDSConfVersion         = "0"
+	FalconOperatorNamespace   = "falcon-operator"
+	FalconInjectorCommand     = []string{"injector"}
+	DefaultDisabledNamespaces = []string{"kube-system", "kube-public"}
 )
 
 func init() {