diff --git a/api/falcon/v1alpha1/conditions.go b/api/falcon/v1alpha1/conditions.go index cf8d3804..0e6dbbf6 100644 --- a/api/falcon/v1alpha1/conditions.go +++ b/api/falcon/v1alpha1/conditions.go @@ -3,6 +3,7 @@ package v1alpha1 const ( // Following strings are condition types + ConditionUnknown string = "Unknown" ConditionSuccess string = "Success" ConditionFailed string = "Failed" ConditionPending string = "Pending" diff --git a/config/rbac/falconadmission_editor_role.yaml b/config/rbac/falconadmission_editor_role.yaml index d5183b7d..8721b2e2 100644 --- a/config/rbac/falconadmission_editor_role.yaml +++ b/config/rbac/falconadmission_editor_role.yaml @@ -3,16 +3,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: falconadmission-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: falcon-operator - app.kubernetes.io/part-of: falcon-operator - app.kubernetes.io/managed-by: kustomize - name: falconadmission-editor-role + crowdstrike.com/component: rbac + crowdstrike.com/created-by: falcon-operator + crowdstrike.com/instance: falconadmission-editor-role + crowdstrike.com/managed-by: kustomize + crowdstrike.com/name: clusterrole + crowdstrike.com/part-of: Falcon + crowdstrike.com/provider: crowdstrike + name: falconcontainer-editor-role rules: - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions verbs: @@ -24,7 +25,7 @@ rules: - update - watch - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions/status verbs: diff --git a/config/rbac/falconadmission_viewer_role.yaml b/config/rbac/falconadmission_viewer_role.yaml index 9ddceab8..f2e709f9 100644 --- a/config/rbac/falconadmission_viewer_role.yaml +++ b/config/rbac/falconadmission_viewer_role.yaml 
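Review bot: The ClusterRole in falconadmission_editor_role.yaml is renamed to `name: falconcontainer-editor-role`, which contradicts the file name and the `crowdstrike.com/instance: falconadmission-editor-role` label a few lines above it and looks copied from the FalconContainer role; the viewer role in the next file section has the same `falconcontainer-viewer-role` mismatch. If a ClusterRole of that name already exists for FalconContainer (not visible in this diff), applying these manifests replaces its rules with the falconadmissions rules, an RBAC change nobody asked for and one that is easy to miss. The names should stay `name: falconadmission-editor-role` and `name: falconadmission-viewer-role`.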
@@ -3,16 +3,17 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: falconadmission-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: falcon-operator - app.kubernetes.io/part-of: falcon-operator - app.kubernetes.io/managed-by: kustomize - name: falconadmission-viewer-role + crowdstrike.com/component: rbac + crowdstrike.com/created-by: falcon-operator + crowdstrike.com/instance: falconadmission-viewer-role + crowdstrike.com/managed-by: kustomize + crowdstrike.com/name: clusterrole + crowdstrike.com/part-of: Falcon + crowdstrike.com/provider: crowdstrike + name: falconcontainer-viewer-role rules: - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions verbs: @@ -20,7 +21,7 @@ rules: - list - watch - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions/status verbs: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 8482742d..17e505ba 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -136,7 +136,7 @@ rules: - update - watch - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions verbs: @@ -148,13 +148,13 @@ rules: - update - watch - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions/finalizers verbs: - update - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions/status verbs: diff --git a/config/samples/falcon_v1alpha1_falconadmission.yaml b/config/samples/falcon_v1alpha1_falconadmission.yaml index 957515d2..4855a9dd 100644 --- a/config/samples/falcon_v1alpha1_falconadmission.yaml +++ b/config/samples/falcon_v1alpha1_falconadmission.yaml 
@@ -2,11 +2,13 @@ apiVersion: crowdstrike.com/v1alpha1 kind: FalconAdmission metadata: labels: - app.kubernetes.io/name: falconadmission - app.kubernetes.io/instance: falconadmission-sample - app.kubernetes.io/part-of: falcon-operator - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/created-by: falcon-operator + crowdstrike.com/component: sample + crowdstrike.com/created-by: falcon-operator + crowdstrike.com/instance: falconadmission-sample + crowdstrike.com/managed-by: kustomize + crowdstrike.com/name: clusterrole + crowdstrike.com/part-of: Falcon + crowdstrike.com/provider: crowdstrike name: falconadmission-sample spec: # TODO(user): Add fields here diff --git a/controllers/falconadmission_controller.go b/controllers/falconadmission_controller.go index f7802e4d..9d6d488a 100644 --- a/controllers/falconadmission_controller.go +++ b/controllers/falconadmission_controller.go @@ -17,9 +17,9 @@ type FalconAdmissionReconciler struct { Scheme *runtime.Scheme } -//+kubebuilder:rbac:groups=crowdstrike.com,resources=falconadmissions,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=crowdstrike.com,resources=falconadmissions/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=crowdstrike.com,resources=falconadmissions/finalizers,verbs=update +//+kubebuilder:rbac:groups=falcon.crowdstrike.com,resources=falconadmissions,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=falcon.crowdstrike.com,resources=falconadmissions/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=falcon.crowdstrike.com,resources=falconadmissions/finalizers,verbs=update // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml index cb5e613f..df4ba9b0 100644 --- a/deploy/falcon-operator.yaml +++ b/deploy/falcon-operator.yaml 
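Review bot: The sample FalconAdmission CR is labelled `crowdstrike.com/name: clusterrole`, a value copied from the RBAC manifests; the object is a custom resource, not a ClusterRole, so the label misdescribes it and would mislead anyone selecting on it, and the other labels suggest something like `crowdstrike.com/name: falconadmission`. The hunk's context also shows the sample still declaring `apiVersion: crowdstrike.com/v1alpha1`, while every RBAC rule and kubebuilder marker in this commit now grants `falcon.crowdstrike.com`; if the CRD group moved with them (not visible here), this sample no longer applies and should read `apiVersion: falcon.crowdstrike.com/v1alpha1`.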
@@ -2884,7 +2884,7 @@ rules: - update - watch - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions verbs: @@ -2896,13 +2896,13 @@ rules: - update - watch - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions/finalizers verbs: - update - apiGroups: - - crowdstrike.com + - falcon.crowdstrike.com resources: - falconadmissions/status verbs: diff --git a/internal/controller/assets/resourcequota.go b/internal/controller/assets/resourcequota.go index 53791fb0..e900ce3f 100644 --- a/internal/controller/assets/resourcequota.go +++ b/internal/controller/assets/resourcequota.go @@ -8,7 +8,7 @@ import ( ) // ResourceQuota returns a ResourceQuota object for the admission controller -func ResourceQuota(name string, namespace string, component string) *corev1.ResourceQuota { +func ResourceQuota(name string, namespace string, component string, resourcePod string) *corev1.ResourceQuota { labels := common.CRLabels("resourcequota", name, component) return &corev1.ResourceQuota{ @@ -23,7 +23,7 @@ func ResourceQuota(name string, namespace string, component string) *corev1.Reso }, Spec: corev1.ResourceQuotaSpec{ Hard: corev1.ResourceList{ - corev1.ResourcePods: resource.MustParse("2"), + corev1.ResourcePods: resource.MustParse(resourcePod), }, ScopeSelector: &corev1.ScopeSelector{ MatchExpressions: []corev1.ScopedResourceSelectorRequirement{ @@ -31,7 +31,7 @@ func ResourceQuota(name string, namespace string, component string) *corev1.Reso Operator: corev1.ScopeSelectorOpIn, ScopeName: corev1.ResourceQuotaScopePriorityClass, Values: []string{ - "system-cluster-critical", + common.FalconPriorityClassName, }, }, }, diff --git a/internal/controller/assets/resourcequota_test.go b/internal/controller/assets/resourcequota_test.go index 144a3a00..61499a36 100644 --- a/internal/controller/assets/resourcequota_test.go +++ b/internal/controller/assets/resourcequota_test.go 
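Review bot: `resource.MustParse(resourcePod)` now parses a caller-supplied string, and MustParse panics on anything that is not a valid quantity, whereas the previous literal `"2"` could not fail. If resourcePod comes from the FalconAdmission spec (the caller is outside this diff), a malformed value in one CR panics the reconciler and restarts the operator for every other CR, so the value should be constrained before it reaches this function, for example with a `+kubebuilder:validation:Pattern` marker on the spec field or by parsing it with `resource.ParseQuantity` in the caller and reporting the error in a status condition. The updated test in resourcequota_test.go only covers `"2"` and does not exercise the failure path. The body of ResourceQuota continues outside the hunks.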
@@ -32,7 +32,7 @@ func TestResourceQuota(t *testing.T) {
 Operator: corev1.ScopeSelectorOpIn,
 ScopeName: corev1.ResourceQuotaScopePriorityClass,
 Values: []string{
- "system-cluster-critical",
+ common.FalconPriorityClassName,
 },
 },
 },
@@ -40,7 +40,7 @@ func TestResourceQuota(t *testing.T) {
 },
 }
 
- got := ResourceQuota("test", "test", "test")
+ got := ResourceQuota("test", "test", "test", "2")
 if diff := cmp.Diff(&want, &got); diff != "" {
 t.Errorf("ResourceQuota() mismatch (-want +got): %s", diff)
 }
diff --git a/internal/controller/assets/validatingwebhook.go b/internal/controller/assets/validatingwebhook.go
index f72b7f5a..73d26279 100644
--- a/internal/controller/assets/validatingwebhook.go
+++ b/internal/controller/assets/validatingwebhook.go
@@ -7,22 +7,21 @@ import (
 )
 
 // ValidatingWebhook returns a ValidatingWebhookConfiguration object
-func ValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte) *arv1.ValidatingWebhookConfiguration {
+func ValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte, port int32, failPolicy arv1.FailurePolicyType, disabledNamespaces []string) *arv1.ValidatingWebhookConfiguration {
 failurePolicy := arv1.Ignore
 matchPolicy := arv1.Equivalent
 sideEffects := arv1.SideEffectClassNone
 timeoutSeconds := int32(5)
 operatorSelector := metav1.LabelSelectorOpNotIn
 path := "/validate"
- port := int32(443)
 scope := arv1.AllScopes
 admissionOperatorValues := []string{"disabled"}
- labels := common.CRLabels("mutatingwebhook", name, common.FalconAdmissionController)
+ labels := common.CRLabels("validatingwebhook", name, common.FalconAdmissionController)
 
 return &arv1.ValidatingWebhookConfiguration{
 TypeMeta: metav1.TypeMeta{
 APIVersion: arv1.SchemeGroupVersion.String(),
- Kind: "MutatingWebhookConfiguration",
+ Kind: "ValidatingWebhookConfiguration",
 },
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
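Review bot: The local `failurePolicy := arv1.Ignore` is kept after the signature change even though the second hunk switches the webhook to `FailurePolicy: &failPolicy`; Go rejects an unused local, so it is presumably still referenced by the second webhook entry, which lies outside these hunks (the two namespace-selector hunks later in the file suggest there are two entries). That would leave one webhook honouring the caller's policy and the other hard-wired to Ignore, so a caller passing `arv1.Fail` gets fail-open behaviour on half the configuration; the other entry should also use `&failPolicy` and the dead local be removed. The helper in validatingwebhook_test.go mirrors the same structure, so the test would not notice the asymmetry. ValidatingWebhook's body continues outside the hunk.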
@@ -34,9 +33,8 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 Name: webhookName,
 AdmissionReviewVersions: []string{"v1"},
 SideEffects: &sideEffects,
- // TODO: add support for failurePolicy but only for this failurePolicy
- FailurePolicy: &failurePolicy,
- MatchPolicy: &matchPolicy,
+ FailurePolicy: &failPolicy,
+ MatchPolicy: &matchPolicy,
 ClientConfig: arv1.WebhookClientConfig{
 CABundle: caBundle,
 Service: &arv1.ServiceReference{
@@ -52,13 +50,7 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 {
 Key: "kubernetes.io/metadata.name",
 Operator: operatorSelector,
- Values: []string{
- namespace,
- "kube-system",
- "kube-public",
- "falcon-system",
- },
- // TODO: Need to add a list of custom namespaces as well as openshift namespaces
+ Values: disabledNamespaces,
 },
 {
 Key: common.FalconAdmissionReviewKey,
@@ -110,13 +102,7 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 {
 Key: "kubernetes.io/metadata.name",
 Operator: operatorSelector,
- Values: []string{
- namespace,
- "kube-system",
- "kube-public",
- "falcon-system",
- },
- // TODO: Need to add a list of custom namespaces as well as openshift namespaces
+ Values: disabledNamespaces,
 },
 {
 Key: common.FalconAdmissionReviewKey,
diff --git a/internal/controller/assets/validatingwebhook_test.go b/internal/controller/assets/validatingwebhook_test.go
index 956e89a4..67471edd 100644
--- a/internal/controller/assets/validatingwebhook_test.go
+++ b/internal/controller/assets/validatingwebhook_test.go
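Review bot: `Values: disabledNamespaces` replaces a list that always contained the operator's own `namespace` and `falcon-system`, but the `DefaultDisabledNamespaces` added in pkg/common/vars.go holds only `kube-system` and `kube-public`. Unless the caller (outside this diff) appends the webhook's namespace, the webhook now reviews pods in its own namespace, and with a `Fail` policy that can deadlock the admission controller because its own pods cannot be admitted while it is down. A `NotIn` requirement with an empty `Values` list is also rejected by the API server's label-selector validation, so an empty slice must not reach this object. Both can be handled inside this function with `nsValues := append([]string{namespace}, disabledNamespaces...)` and `Values: nsValues` in this hunk and in the fourth hunk, which makes the same change.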
@@ -11,31 +11,30 @@ import (
 
 // TestValidatingWebhook tests the ValidatingWebhook function
 func TestValidatingWebhook(t *testing.T) {
- want := testValidatingWebhook("test", "test", "test", []byte("test"))
+ want := testValidatingWebhook("test", "test", "test", []byte("test"), 123, arv1.Ignore, []string{"ns1", "ns2"})
 
- got := ValidatingWebhook("test", "test", "test", []byte("test"))
+ got := ValidatingWebhook("test", "test", "test", []byte("test"), 123, arv1.Ignore, []string{"ns1", "ns2"})
 if diff := cmp.Diff(want, got); diff != "" {
 t.Errorf("ValidatingWebhook() mismatch (-want +got): %s", diff)
 }
 }
 
 // testValidatingWebhook is a helper function to create a ValidatingWebhookConfiguration
-func testValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte) *arv1.ValidatingWebhookConfiguration {
+func testValidatingWebhook(name string, namespace string, webhookName string, caBundle []byte, port int32, failPolicy arv1.FailurePolicyType, disabledNamespaces []string) *arv1.ValidatingWebhookConfiguration {
 failurePolicy := arv1.Ignore
 matchPolicy := arv1.Equivalent
 sideEffects := arv1.SideEffectClassNone
 timeoutSeconds := int32(5)
 operatorSelector := metav1.LabelSelectorOpNotIn
 path := "/validate"
- port := int32(443)
 scope := arv1.AllScopes
 admissionOperatorValues := []string{"disabled"}
- labels := common.CRLabels("mutatingwebhook", name, common.FalconAdmissionController)
+ labels := common.CRLabels("validatingwebhook", name, common.FalconAdmissionController)
 
 return &arv1.ValidatingWebhookConfiguration{
 TypeMeta: metav1.TypeMeta{
 APIVersion: arv1.SchemeGroupVersion.String(),
- Kind: "MutatingWebhookConfiguration",
+ Kind: "ValidatingWebhookConfiguration",
 },
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
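Review bot: testValidatingWebhook is a line-for-line copy of ValidatingWebhook, so TestValidatingWebhook only proves both copies received the same edits and would still pass if the production function ignored `port`, `failPolicy` or `disabledNamespaces` in one of its webhook entries. Asserting on the fields the new parameters control would make the test meaningful: pass `arv1.Fail` and check `*w.FailurePolicy == arv1.Fail`, `*w.ClientConfig.Service.Port == 123` and the namespace-selector `Values` for every `w` in `got.Webhooks`. TestValidatingWebhook ends inside this hunk, but testValidatingWebhook continues outside it.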
@@ -47,9 +46,8 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 Name: webhookName,
 AdmissionReviewVersions: []string{"v1"},
 SideEffects: &sideEffects,
- // TODO: add support for failurePolicy but only for this failurePolicy
- FailurePolicy: &failurePolicy,
- MatchPolicy: &matchPolicy,
+ FailurePolicy: &failPolicy,
+ MatchPolicy: &matchPolicy,
 ClientConfig: arv1.WebhookClientConfig{
 CABundle: caBundle,
 Service: &arv1.ServiceReference{
@@ -65,13 +63,7 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 {
 Key: "kubernetes.io/metadata.name",
 Operator: operatorSelector,
- Values: []string{
- namespace,
- "kube-system",
- "kube-public",
- "falcon-system",
- },
- // TODO: Need to add a list of custom namespaces as well as openshift namespaces
+ Values: []string{"ns1", "ns2"},
 },
 {
 Key: common.FalconAdmissionReviewKey,
@@ -123,13 +115,7 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 {
 Key: "kubernetes.io/metadata.name",
 Operator: operatorSelector,
- Values: []string{
- namespace,
- "kube-system",
- "kube-public",
- "falcon-system",
- },
- // TODO: Need to add a list of custom namespaces as well as openshift namespaces
+ Values: []string{"ns1", "ns2"},
 },
 {
 Key: common.FalconAdmissionReviewKey,
diff --git a/pkg/common/constants.go b/pkg/common/constants.go
index a76318f4..12d3a41e 100644
--- a/pkg/common/constants.go
+++ b/pkg/common/constants.go
@@ -13,6 +13,11 @@ const (
 FalconDaemonsetInitBinaryInvocation = "falcon-daemonset-init -i"
 FalconDaemonsetCleanupBinaryInvocation = "falcon-daemonset-init -u"
 FalconContainerProbePath = "/live"
+ FalconAdmissionClientStartupProbePath = "/startz"
+ FalconAdmissionClientLivenessProbePath = "/livez"
+ FalconAdmissionStartupProbePath = "/startz-kac"
+ FalconAdmissionLivenessProbePath = "/livez-kac"
+ FalconAdmissionServiceHTTPSName = "webhook-port"
 FalconServiceHTTPSName = "https"
 FalconServiceHTTPSPort = 443
 
@@ -33,9 +38,11 @@ const (
 FalconPartOfValue = "Falcon"
 FalconCreatedValue = "falcon-operator"
 FalconManagedByValue = "controller-manager"
+ FalconPriorityClassName = "system-cluster-critical"
 
- SidecarServiceAccountName = "falcon-operator-sidecar-sensor"
- FalconPullSecretName = "crowdstrike-falcon-pull-secret"
- NodeServiceAccountName = "falcon-operator-node-sensor"
- NodeClusterRoleBindingName = "crowdstrike-falcon-node-sensor"
+ SidecarServiceAccountName = "falcon-operator-sidecar-sensor"
+ FalconPullSecretName = "crowdstrike-falcon-pull-secret"
+ NodeServiceAccountName = "falcon-operator-node-sensor"
+ AdmissionServiceAccountName = "falcon-operator-admission-controller"
+ NodeClusterRoleBindingName = "crowdstrike-falcon-node-sensor"
 )
diff --git a/pkg/common/vars.go b/pkg/common/vars.go
index d4c85023..0287c4e9 100644
--- a/pkg/common/vars.go
+++ b/pkg/common/vars.go
@@ -6,11 +6,12 @@ import (
 )
 
 var (
- NodeSelector = map[string]string{"kubernetes.io/os": "linux"}
- FalconShellCommand = []string{"/bin/bash"}
- OrigDSConfVersion = "0"
- FalconOperatorNamespace = "falcon-operator"
- FalconInjectorCommand = []string{"injector"}
+ NodeSelector = map[string]string{"kubernetes.io/os": "linux"}
+ FalconShellCommand = []string{"/bin/bash"}
+ OrigDSConfVersion = "0"
+ FalconOperatorNamespace = "falcon-operator"
+ FalconInjectorCommand = []string{"injector"}
+ DefaultDisabledNamespaces = []string{"kube-system", "kube-public"}
 )
 
 func init() {
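Review bot: `DefaultDisabledNamespaces` is a mutable package-level slice, so any code path that modifies it in place (an index write, or an `append` into spare capacity left by an earlier one) changes which namespaces skip admission review for every later reconcile, which is not a change one caller should be able to make operator-wide. Exposing it as a function that returns a fresh slice, `func DefaultDisabledNamespaces() []string { return []string{"kube-system", "kube-public"} }`, or having callers `slices.Clone` it before use, removes that hazard while the value is still new in this commit.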