diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
index c5af03d2..d269d754 100644
--- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
+++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
@@ -12,9 +12,18 @@ spec:
 listKind: FalconAdmissionList
 plural: falconadmissions
 singular: falconadmission
- scope: Namespaced
+ scope: Cluster
 versions:
- - name: v1alpha1
+ - additionalPrinterColumns:
+ - description: Version of the Operator
+ jsonPath: .status.version
+ name: Operator Version
+ type: string
+ - description: Version of the Falcon Admission Controller
+ jsonPath: .status.sensor
+ name: Falcon Sensor
+ type: string
+ name: v1alpha1
 schema:
 openAPIV3Schema:
 description: FalconAdmission is the Schema for the falconadmissions API
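Review bot: Changing `scope: Namespaced` to `scope: Cluster` is not an in-place upgrade: spec.scope is immutable on an existing CustomResourceDefinition, so applying this file over an already-installed falconadmissions CRD is rejected by the API server and the CRD (together with any FalconAdmission objects) has to be deleted and recreated. Nothing visible in the commit records that, so an upgrade note is needed, and any bundle or OLM packaging that ships this CRD needs the same treatment. Separately, the second printer column is labelled `name: Falcon Sensor` while its description says it shows the Admission Controller version and the status field it reads (`.status.sensor`) is described elsewhere in this commit as the Falcon Sensor version; pick one wording, e.g. `description: Version of the CrowdStrike Falcon Sensor`, so the column, its description and the status schema agree.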
@@ -34,13 +43,497 @@ spec: spec: description: FalconAdmissionSpec defines the desired state of FalconAdmission properties: - foo: - description: Foo is an example field of FalconAdmission. Edit falconadmission_types.go - to remove/update + admissionConfig: + description: Additional configuration for Falcon Admission Controller + deployment. + properties: + containerPort: + default: 4443 + description: Port on which the Falcon Admission Controller container + will listen for requests. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + disabledNamespaces: + description: Ignore admission control for a specific set of namespaces. + properties: + ignoreOpenShiftNamespaces: + description: For OpenShift clusters, ignore openshift-specific + namespaces for admission control. + type: boolean + namespaces: + description: Configure a list of namespaces to ignore admission + control. + items: + type: string + type: array + type: object + failurePolicy: + default: Ignore + description: Configure the failure policy for the Falcon Admission + Controller. + enum: + - Ignore + - Fail + type: string + imagePullPolicy: + default: Always + description: PullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - IfNotPresent + - Never + type: string + imagePullSecrets: + description: ImagePullSecrets is an optional list of references + to secrets to use for pulling image from the image location. + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + type: array + replicas: + default: 2 + description: Number of replicas for the Falcon Admission Controller + deployment. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + resources: + default: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 300m + memory: 512Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + resourcesClient: + default: + limits: + cpu: 750m + memory: 256Mi + requests: + cpu: 500m + memory: 256Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + serviceAccount: + description: Define annotations that will be passed down to admision + controller service account. This is useful for passing along + AWS IAM Role or GCP Workload Identity. + properties: + annotations: + additionalProperties: + type: string + description: Define annotations that will be passed down to + the Service Account. This is useful for passing along AWS + IAM Role or GCP Workload Identity. + type: object + type: object + servicePort: + default: 443 + description: Port on which the Falcon Admission Controller service + will listen for requests from the cluster. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + tls: + description: Configure TLS setings for the Falcon Admission Controller + properties: + validity: + description: Validity of the TLS certificate in days. Default + is 3650 days. + pattern: ^[0-9]{1-4}$ + type: integer + x-kubernetes-int-or-string: true + type: object + updateStrategy: + default: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + description: Type of Deployment update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + properties: + rollingUpdate: + description: RollingUpdate is used to specify the strategy + used to roll out a deployment + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be scheduled + above the desired number of pods. Value can be an absolute + number (ex: 5) or a percentage of desired pods (ex: + 10%). This can not be 0 if MaxUnavailable is 0. Absolute + number is calculated from percentage by rounding up. + Defaults to 25%. 
Example: when this is set to 30%, the + new ReplicaSet can be scaled up immediately when the + rolling update starts, such that the total number of + old and new pods do not exceed 130% of desired pods. + Once old pods have been killed, new ReplicaSet can be + scaled up further, ensuring that total number of pods + running at any time during the update is at most 130% + of desired pods.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be unavailable + during the update. Value can be an absolute number (ex: + 5) or a percentage of desired pods (ex: 10%). Absolute + number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet + can be scaled down to 70% of desired pods immediately + when the rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that the + total number of pods available at all times during the + update is at least 70% of desired pods.' + x-kubernetes-int-or-string: true + type: object + type: object + type: object + falcon: + description: CrowdStrike Falcon sensor configuration + properties: + apd: + default: false + description: Disable the Falcon Sensor's use of a proxy. + type: boolean + aph: + description: The application proxy host to use for Falcon sensor + proxy configuration. + type: string + app: + description: The application proxy port to use for Falcon sensor + proxy configuration. + maximum: 65535 + minimum: 0 + type: integer + billing: + description: Utilize default or Pay-As-You-Go billing. 
+ enum: + - default + - metered + type: string + cid: + description: Falcon Customer ID (CID) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + provisioning_token: + description: Installation token that prevents unauthorized hosts + from being accidentally or maliciously added to your customer + ID (CID). + pattern: ^[0-9a-fA-F]{8}$ + type: string + tags: + description: 'Sensor grouping tags are optional, user-defined + identifiers that can used to group and filter hosts. Allowed + characters: all alphanumerics, ''/'', ''-'', and ''_''.' + items: + type: string + type: array + trace: + default: none + description: Set sensor trace level. + enum: + - none + - err + - warn + - info + - debug + type: string + type: object + falcon_api: + description: "FalconAPI configures connection from your local Falcon + operator to CrowdStrike Falcon platform. \n When configured, it + will pull the sensor from registry.crowdstrike.com and deploy the + appropriate sensor to the cluster. \n If using the API is not desired, + the sensor can be manually configured by setting the Image and Version + fields." + properties: + cid: + description: Falcon Customer ID (CID) Override (optional, default + is derived from the API Key pair) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + client_id: + description: Falcon OAuth2 API Client ID + type: string + client_secret: + description: Falcon OAuth2 API Client Secret + type: string + cloud_region: + description: Cloud Region defines CrowdStrike Falcon Cloud Region + to which the operator will connect and register. + enum: + - autodiscover + - us-1 + - us-2 + - eu-1 + - us-gov-1 + type: string + required: + - client_id + - client_secret + - cloud_region + type: object + image: + description: Location of the Falcon Sensor image. Use only in cases + when you mirror the original image to your repository/name:tag, + and CrowdStrike OAuth2 API is not used. 
+ pattern: ^.*:.*$ + type: string + installNamespace: + default: falcon-kac + description: Namespace where the Falcon Admission Controller should + be installed. For best security practices, this should be a dedicated + namespace that is not used for any other purpose. It also should + not be the same namespace where the Falcon Operator or the Falcon + Sensor is installed. + type: string + registry: + description: Registry configures container image registry to which + the Admission Controller image will be pushed. + properties: + acr_name: + description: Azure Container Registry Name represents the name + of the ACR for the Falcon Container push. Only applicable to + Azure cloud. + type: string + tls: + description: TLS configures TLS connection for push of Falcon + Container image to the registry + properties: + caCertificate: + description: Allow for users to provide a CA Cert Bundle, + as either a string or base64 encoded string + type: string + caCertificateConfigMap: + description: Allow for users to provide a ConfigMap containing + a CA Cert Bundle under a key ending in .crt + type: string + insecure_skip_verify: + description: Allow pushing to docker registries over HTTPS + with failed TLS verification. Note that this does not affect + other TLS connections. + type: boolean + type: object + type: + description: Type of container registry to be used + enum: + - acr + - ecr + - gcr + - crowdstrike + - openshift + type: string + required: + - type + type: object + resourcequota: + description: ResourceQuota configures the ResourceQuota for the Falcon + Admission Controller. This is useful for limiting the number of + pods that can be created in the namespace. + properties: + pods: + default: "2" + description: Limits the number of admission controller pods that + can be created in the namespace. + type: string + type: object + version: + description: 'Falcon Admission Controller Version. The latest version + will be selected when version specifier is missing. 
Example: 6.31, + 6.31.0, 6.31.0-1409, etc.' type: string type: object status: description: FalconAdmissionStatus defines the observed state of FalconAdmission + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. 
The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + sensor: + description: Version of the CrowdStrike Falcon Sensor + type: string + version: + description: Version of the CrowdStrike Falcon Operator + type: string type: object type: object served: true diff --git a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml index 9c011104..844d266a 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconnodesensors.yaml @@ -145,7 +145,8 @@ spec: type: boolean image: description: Location of the Falcon Sensor image. Use only in - cases when you mirror the original image to your repository/name:tag + cases when you mirror the original image to your repository/name:tag, + and CrowdStrike OAuth2 API is not used. pattern: ^.*:.*$ type: string imagePullPolicy: diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml index a3ea55e5..4ec3f4cb 100644 
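Review bot: Under `admissionConfig.tls.validity` the regex `pattern: ^[0-9]{1-4}$` is malformed: `{1-4}` is not a repetition count (it should be `{1,4}`), so in Go's RE2 the braces are taken literally and no numeric string can ever satisfy the pattern; the description also promises a default of 3650 days but the schema sets no `default:`. That field, like `containerPort`, `replicas` and `servicePort`, declares `type: integer` together with `x-kubernetes-int-or-string: true`, and as far as I recall the API server requires `type` to be empty when that extension is set, so I would confirm the CRD actually installs before relying on the stated `minimum`/`maximum` bounds. Note also that `falcon_api.client_secret` and `falcon.provisioning_token` are plain `type: string` spec fields, so the credential lives in the CR object itself (etcd, audit logs, `kubectl get -o yaml`) rather than in a Secret; the other CSV entries suggest this mirrors the existing CRDs, but the field descriptions should say so. The enclosing `spec`/`status` schema starts on the hunk's first line in the previous source line and runs through this one.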
--- a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml
@@ -17,6 +17,211 @@ spec: apiservicedefinitions: {} customresourcedefinitions: owned: + - description: FalconAdmission is the Schema for the falconadmissions API + displayName: Falcon Admission + kind: FalconAdmission + name: falconadmissions.falcon.crowdstrike.com + specDescriptors: + - description: Configure a list of namespaces to ignore admission control. + displayName: Ignore Namespace List + path: admissionConfig.disabledNamespaces.namespaces + - description: ImagePullSecrets is an optional list of references to secrets + to use for pulling image from the image location. + displayName: Falcon Admission Controller Image Pull Secrets + path: admissionConfig.imagePullSecrets + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Secret + - description: Define annotations that will be passed down to the Service Account. + This is useful for passing along AWS IAM Role or GCP Workload Identity. + displayName: Service Account Annotations + path: admissionConfig.serviceAccount.annotations + - description: Validity of the TLS certificate in days. Default is 3650 days. + displayName: Falcon Container Injector TLS Validity Length (days) + path: admissionConfig.tls.validity + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: RollingUpdate is used to specify the strategy used to roll out + a deployment + displayName: Falcon Admisison Controller deployment update configuration + path: admissionConfig.updateStrategy.rollingUpdate + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:updateStrategy + - description: Falcon Customer ID (CID) + displayName: Falcon Customer ID (CID) + path: falcon.cid + - description: Falcon OAuth2 API Client ID + displayName: Client ID + path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password + - description: Namespace where the Falcon Admission Controller should be installed. 
+ For best security practices, this should be a dedicated namespace that is + not used for any other purpose. It also should not be the same namespace + where the Falcon Operator or the Falcon Sensor is installed. + displayName: Install Namespace + path: installNamespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: Allow pushing to docker registries over HTTPS with failed TLS + verification. Note that this does not affect other TLS connections. + displayName: Skip Registry TLS Verification + path: registry.tls.insecure_skip_verify + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Type of container registry to be used + displayName: Registry Type + path: registry.type + - description: Limits the number of admission controller pods that can be created + in the namespace. + displayName: Resource Quota Pod Limit + path: resourcequota.pods + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:podCount + - description: For OpenShift clusters, ignore openshift-specific namespaces + for admission control. + displayName: Ignore OpenShift Namespaces + path: admissionConfig.disabledNamespaces.ignoreOpenShiftNamespaces + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - displayName: Falcon Admission Controller Image Pull Policy + path: admissionConfig.imagePullPolicy + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:imagePullPolicy + - description: Installation token that prevents unauthorized hosts from being + accidentally or maliciously added to your customer ID (CID). + displayName: Provisioning Token + path: falcon.provisioning_token + - description: "FalconAPI configures connection from your local Falcon operator + to CrowdStrike Falcon platform. \n When configured, it will pull the sensor + from registry.crowdstrike.com and deploy the appropriate sensor to the cluster. 
+ \n If using the API is not desired, the sensor can be manually configured + by setting the Image and Version fields." + displayName: Falcon Platform API Configuration + path: falcon_api + - description: Falcon OAuth2 API Client Secret + displayName: Client Secret + path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password + - description: TLS configures TLS connection for push of Falcon Container image + to the registry + displayName: Registry TLS Configuration + path: registry.tls + - description: Allow for users to provide a CA Cert Bundle, as either a string + or base64 encoded string + displayName: Registry CA Certificate Bundle; optionally (double) base64 encoded + path: registry.tls.caCertificate + - description: Port on which the Falcon Admission Controller service will listen + for requests from the cluster. + displayName: Falcon Admission Controller Service Port + path: admissionConfig.servicePort + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: CrowdStrike Falcon sensor configuration + displayName: Falcon Sensor Configuration + path: falcon + - description: Disable the Falcon Sensor's use of a proxy. + displayName: Disable Falcon Proxy + path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which + the operator will connect and register. + displayName: CrowdStrike Falcon Cloud Region + path: falcon_api.cloud_region + - description: Azure Container Registry Name represents the name of the ACR + for the Falcon Container push. Only applicable to Azure cloud. 
+ displayName: Azure Container Registry Name + path: registry.acr_name + - description: Allow for users to provide a ConfigMap containing a CA Cert Bundle + under a key ending in .crt + displayName: ConfigMap containing Registry CA Certificate Bundle + path: registry.tls.caCertificateConfigMap + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap + - description: Port on which the Falcon Admission Controller container will + listen for requests. + displayName: Falcon Admission Controller Container Port + path: admissionConfig.containerPort + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: The application proxy host to use for Falcon sensor proxy configuration. + displayName: Disable Falcon Proxy Host + path: falcon.aph + - description: Falcon Customer ID (CID) Override (optional, default is derived + from the API Key pair) + displayName: Falcon Customer ID (CID) + path: falcon_api.cid + - description: ResourceQuota configures the ResourceQuota for the Falcon Admission + Controller. This is useful for limiting the number of pods that can be created + in the namespace. + displayName: Falcon Admission Controller Resource Quota + path: resourcequota + - description: Additional configuration for Falcon Admission Controller deployment. + displayName: Falcon Admission Controller Configuration + path: admissionConfig + - description: Number of replicas for the Falcon Admission Controller deployment. + displayName: Admission Controller Replica Count + path: admissionConfig.replicas + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: The application proxy port to use for Falcon sensor proxy configuration. + displayName: Falcon Proxy Port + path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: Configure the failure policy for the Falcon Admission Controller. 
+ displayName: Falcon Admission Controller Failure Policy + path: admissionConfig.failurePolicy + - description: 'Sensor grouping tags are optional, user-defined identifiers + that can used to group and filter hosts. Allowed characters: all alphanumerics, + ''/'', ''-'', and ''_''.' + displayName: Sensor Grouping Tags + path: falcon.tags + - description: Registry configures container image registry to which the Admission + Controller image will be pushed. + displayName: Falcon Admission Controller Registry Configuration + path: registry + - description: Define annotations that will be passed down to admision controller + service account. This is useful for passing along AWS IAM Role or GCP Workload + Identity. + displayName: Service Account Configuration + path: admissionConfig.serviceAccount + - description: Set sensor trace level. + displayName: Trace Level + path: falcon.trace + - description: Location of the Falcon Sensor image. Use only in cases when you + mirror the original image to your repository/name:tag, and CrowdStrike OAuth2 + API is not used. + displayName: Falcon Admission Controller Image URI + path: image + - description: Configure TLS setings for the Falcon Admission Controller + displayName: Falcon Admission Controller TLS Configuration + path: admissionConfig.tls + - description: Utilize default or Pay-As-You-Go billing. + displayName: Billing + path: falcon.billing + - description: 'Falcon Admission Controller Version. The latest version will + be selected when version specifier is missing. Example: 6.31, 6.31.0, 6.31.0-1409, + etc.' 
+ displayName: Falcon Admission Controller Version + path: version + - displayName: Falcon Admission Controller Client Resources + path: admissionConfig.resourcesClient + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - displayName: Falcon Admission Controller Resources + path: admissionConfig.resources + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:resourceRequirements + - description: Type of Deployment update. Can be "RollingUpdate" or "OnDelete". + Default is RollingUpdate. + displayName: Deployment Update Strategy + path: admissionConfig.updateStrategy + - description: Ignore admission control for a specific set of namespaces. + displayName: Ignore Namespace List + path: admissionConfig.disabledNamespaces + version: v1alpha1 - description: FalconContainer is the Schema for the falconcontainers API displayName: Falcon Container kind: FalconContainer @@ -30,6 +235,8 @@ spec: - description: Falcon OAuth2 API Client ID displayName: Client ID path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: Define annotations that will be passed down to injector service account. This is useful for passing along AWS IAM Role or GCP Workload Identity. displayName: Service Account Configuration @@ -40,6 +247,11 @@ spec: verification. Note that this does not affect other TLS connections. displayName: Skip Registry TLS Verification path: registry.tls.insecure_skip_verify + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Type of container registry to be used + displayName: Registry Type + path: registry.type - description: Installation token that prevents unauthorized hosts from being accidentally or maliciously added to your customer ID (CID). displayName: Provisioning Token 
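Review bot: Several displayName values in the new FalconAdmission specDescriptors are typos or copy-paste leftovers from the FalconContainer entry: `Falcon Admisison Controller deployment update configuration` (Admission), `Falcon Container Injector TLS Validity Length (days)` on `admissionConfig.tls.validity` (this is the admission controller, not the injector), and `Disable Falcon Proxy Host` on `falcon.aph`, which sets the proxy host rather than disabling anything. `Ignore Namespace List` is used for both `admissionConfig.disabledNamespaces` and `admissionConfig.disabledNamespaces.namespaces`, and `Falcon Customer ID (CID)` for both `falcon.cid` and `falcon_api.cid`, so the OLM form will show duplicate labels; `Ignore Namespace Configuration` for the parent and `Falcon Customer ID (CID) Override` for the API-side field would disambiguate them. Giving `falcon_api.client_id` the `password` descriptor is reasonable since it is half of an API credential. The enclosing `owned:` list begins before this hunk and continues past it.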
@@ -51,8 +263,14 @@ spec: - description: Falcon OAuth2 API Client Secret displayName: Client Secret path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - displayName: Falcon Container Injector Listen Port path: injector.listenPort + - description: TLS configures TLS connection for push of Falcon Container image + to the registry + displayName: Registry TLS Configuration + path: registry.tls - description: Allow for users to provide a CA Cert Bundle, as either a string or base64 encoded string displayName: Registry CA Certificate Bundle; optionally (double) base64 encoded @@ -60,6 +278,8 @@ spec: - description: Disable the Falcon Sensor's use of a proxy. displayName: Disable Falcon Proxy path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which the operator will connect and register. displayName: CrowdStrike Falcon Cloud Region @@ -70,10 +290,16 @@ spec: Container image will be pushed displayName: Falcon Container Image Registry Configuration path: registry + - description: Azure Container Registry Name represents the name of the ACR + for the Falcon Container push. Only applicable to Azure cloud. + displayName: Azure Container Registry Name + path: registry.acr_name - description: Allow for users to provide a ConfigMap containing a CA Cert Bundle under a key ending in .crt displayName: ConfigMap containing Registry CA Certificate Bundle path: registry.tls.caCertificateConfigMap + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:selector:core:v1:ConfigMap - description: The application proxy host to use for Falcon sensor proxy configuration. displayName: Disable Falcon Proxy Host path: falcon.aph 
@@ -90,6 +316,8 @@ spec: - description: The application proxy port to use for Falcon sensor proxy configuration. displayName: Falcon Proxy Port path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number - displayName: Falcon Container Image Pull Secret Name path: injector.imagePullSecret - description: 'Sensor grouping tags are optional, user-defined identifiers @@ -145,6 +373,8 @@ spec: - description: Falcon OAuth2 API Client ID displayName: Client ID path: falcon_api.client_id + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: ImagePullSecrets is an optional list of references to secrets in the falcon-system namespace to use for pulling image from image_override location. @@ -159,13 +389,18 @@ spec: - description: Falcon OAuth2 API Client Secret displayName: Client Secret path: falcon_api.client_secret + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:password - description: Location of the Falcon Sensor image. Use only in cases when you - mirror the original image to your repository/name:tag + mirror the original image to your repository/name:tag, and CrowdStrike OAuth2 + API is not used. displayName: Image path: node.image - description: Disable the Falcon Sensor's use of a proxy. displayName: Disable Falcon Proxy path: falcon.apd + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Cloud Region defines CrowdStrike Falcon Cloud Region to which the operator will connect and register. displayName: CrowdStrike Falcon Cloud Region @@ -189,6 +424,8 @@ spec: - description: The application proxy port to use for Falcon sensor proxy configuration. displayName: Falcon Proxy Port path: falcon.app + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number - description: Specifies node affinity for scheduling the DaemonSet. Defaults to allowing scheduling on all nodes. displayName: Node Affinity 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 17e505ba..18b5d097 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -37,6 +37,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -46,6 +54,18 @@ rules:
   - deletecollection
   - get
   - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - resourcequotas
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
   - watch
 - apiGroups:
   - ""
@@ -91,6 +111,17 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -120,9 +151,11 @@ rules:
   - leases
   verbs:
   - create
+  - delete
   - get
   - list
   - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -237,6 +270,18 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - security.openshift.io
   resourceNames:
diff --git a/config/samples/falcon_v1alpha1_falconadmission.yaml b/config/samples/falcon_v1alpha1_falconadmission.yaml
index 8269d616..9b532329 100644
--- a/config/samples/falcon_v1alpha1_falconadmission.yaml
+++ b/config/samples/falcon_v1alpha1_falconadmission.yaml
@@ -15,6 +15,8 @@ spec:
     client_id: PLEASE_FILL_IN
     client_secret: PLEASE_FILL_IN
     cloud_region: autodiscover
+  registry:
+    type: crowdstrike
   falcon:
     trace: none
     tags:
diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
index d0b743c7..e1381e02 100644
--- a/deploy/falcon-operator.yaml
+++ b/deploy/falcon-operator.yaml
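Review bot: The new `validatingwebhookconfigurations` rule in the @@ -91 hunk of config/rbac/role.yaml grants cluster-wide `create/delete/get/list/update/watch` with no `resourceNames`, which lets the operator's service account rewrite or remove any validating webhook in the cluster rather than only the one it manages for the admission controller. `create` cannot be name-scoped, but the other verbs can if the webhook configuration name is deterministic, so splitting the rule into an unrestricted `create`/`list`/`watch` entry and a `resourceNames`-bound `get`/`update`/`delete` entry narrows what a compromised operator pod can do. The same reasoning applies to the new `roles`/`rolebindings` rule in the @@ -237 hunk — the API server's escalation check bounds what those bindings can grant, but this ClusterRole already holds a great deal. Both rules are repeated verbatim in deploy/falcon-operator.yaml (@@ -2871 and @@ -3017); if role.yaml is generated from kubebuilder rbac markers, the narrowing belongs in the markers rather than in this file.

```yaml
# … unchanged: preceding rules …
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - <WEBHOOK_CONFIGURATION_NAME>  # placeholder: the name the operator assigns
  resources:
  - validatingwebhookconfigurations
  verbs:
  - delete
  - get
  - update
# … unchanged: apps rules …
```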
@@ -26,9 +26,18 @@ spec:
     listKind: FalconAdmissionList
     plural: falconadmissions
     singular: falconadmission
-  scope: Namespaced
+  scope: Cluster
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - description: Version of the Operator
+      jsonPath: .status.version
+      name: Operator Version
+      type: string
+    - description: Version of the Falcon Admission Controller
+      jsonPath: .status.sensor
+      name: Falcon Sensor
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: FalconAdmission is the Schema for the falconadmissions API
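Review bot: Changing `scope` to `Cluster` removes the namespace boundary around FalconAdmission objects, and the spec that follows in the @@ -48 hunk carries `falcon_api.client_secret` as a plain `type: string`; after this change any principal with cluster-wide `get` or `list` on `falconadmissions` can read the Falcon API credential, whereas a namespaced object could at least be fenced by namespace RBAC. If the API shape is still open, a field referencing a Secret (name plus namespace) would keep the credential out of the CR altogether; otherwise the field description should state how it is stored, e.g. `description: Falcon OAuth2 API Client Secret. Stored in plaintext in this cluster-scoped resource; restrict read access to falconadmissions accordingly.` The `additionalPrinterColumns` read `.status.version` and `.status.sensor`, which match the `status` properties added later in the same file, so that part looks consistent.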
@@ -48,13 +57,497 @@ spec: spec: description: FalconAdmissionSpec defines the desired state of FalconAdmission properties: - foo: - description: Foo is an example field of FalconAdmission. Edit falconadmission_types.go - to remove/update + admissionConfig: + description: Additional configuration for Falcon Admission Controller + deployment. + properties: + containerPort: + default: 4443 + description: Port on which the Falcon Admission Controller container + will listen for requests. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + disabledNamespaces: + description: Ignore admission control for a specific set of namespaces. + properties: + ignoreOpenShiftNamespaces: + description: For OpenShift clusters, ignore openshift-specific + namespaces for admission control. + type: boolean + namespaces: + description: Configure a list of namespaces to ignore admission + control. + items: + type: string + type: array + type: object + failurePolicy: + default: Ignore + description: Configure the failure policy for the Falcon Admission + Controller. + enum: + - Ignore + - Fail + type: string + imagePullPolicy: + default: Always + description: PullPolicy describes a policy for if/when to pull + a container image + enum: + - Always + - IfNotPresent + - Never + type: string + imagePullSecrets: + description: ImagePullSecrets is an optional list of references + to secrets to use for pulling image from the image location. + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + type: array + replicas: + default: 2 + description: Number of replicas for the Falcon Admission Controller + deployment. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + resources: + default: + limits: + cpu: 300m + memory: 512Mi + requests: + cpu: 300m + memory: 512Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + resourcesClient: + default: + limits: + cpu: 750m + memory: 256Mi + requests: + cpu: 500m + memory: 256Mi + description: ResourceRequirements describes the compute resource + requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + serviceAccount: + description: Define annotations that will be passed down to admision + controller service account. This is useful for passing along + AWS IAM Role or GCP Workload Identity. + properties: + annotations: + additionalProperties: + type: string + description: Define annotations that will be passed down to + the Service Account. This is useful for passing along AWS + IAM Role or GCP Workload Identity. + type: object + type: object + servicePort: + default: 443 + description: Port on which the Falcon Admission Controller service + will listen for requests from the cluster. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + x-kubernetes-int-or-string: true + tls: + description: Configure TLS setings for the Falcon Admission Controller + properties: + validity: + description: Validity of the TLS certificate in days. Default + is 3650 days. + pattern: ^[0-9]{1-4}$ + type: integer + x-kubernetes-int-or-string: true + type: object + updateStrategy: + default: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + description: Type of Deployment update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + properties: + rollingUpdate: + description: RollingUpdate is used to specify the strategy + used to roll out a deployment + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be scheduled + above the desired number of pods. Value can be an absolute + number (ex: 5) or a percentage of desired pods (ex: + 10%). This can not be 0 if MaxUnavailable is 0. Absolute + number is calculated from percentage by rounding up. + Defaults to 25%. 
Example: when this is set to 30%, the + new ReplicaSet can be scaled up immediately when the + rolling update starts, such that the total number of + old and new pods do not exceed 130% of desired pods. + Once old pods have been killed, new ReplicaSet can be + scaled up further, ensuring that total number of pods + running at any time during the update is at most 130% + of desired pods.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of pods that can be unavailable + during the update. Value can be an absolute number (ex: + 5) or a percentage of desired pods (ex: 10%). Absolute + number is calculated from percentage by rounding down. + This can not be 0 if MaxSurge is 0. Defaults to 25%. + Example: when this is set to 30%, the old ReplicaSet + can be scaled down to 70% of desired pods immediately + when the rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that the + total number of pods available at all times during the + update is at least 70% of desired pods.' + x-kubernetes-int-or-string: true + type: object + type: object + type: object + falcon: + description: CrowdStrike Falcon sensor configuration + properties: + apd: + default: false + description: Disable the Falcon Sensor's use of a proxy. + type: boolean + aph: + description: The application proxy host to use for Falcon sensor + proxy configuration. + type: string + app: + description: The application proxy port to use for Falcon sensor + proxy configuration. + maximum: 65535 + minimum: 0 + type: integer + billing: + description: Utilize default or Pay-As-You-Go billing. 
+ enum: + - default + - metered + type: string + cid: + description: Falcon Customer ID (CID) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + provisioning_token: + description: Installation token that prevents unauthorized hosts + from being accidentally or maliciously added to your customer + ID (CID). + pattern: ^[0-9a-fA-F]{8}$ + type: string + tags: + description: 'Sensor grouping tags are optional, user-defined + identifiers that can used to group and filter hosts. Allowed + characters: all alphanumerics, ''/'', ''-'', and ''_''.' + items: + type: string + type: array + trace: + default: none + description: Set sensor trace level. + enum: + - none + - err + - warn + - info + - debug + type: string + type: object + falcon_api: + description: "FalconAPI configures connection from your local Falcon + operator to CrowdStrike Falcon platform. \n When configured, it + will pull the sensor from registry.crowdstrike.com and deploy the + appropriate sensor to the cluster. \n If using the API is not desired, + the sensor can be manually configured by setting the Image and Version + fields." + properties: + cid: + description: Falcon Customer ID (CID) Override (optional, default + is derived from the API Key pair) + pattern: ^[0-9a-fA-F]{32}-[0-9a-fA-F]{2}$ + type: string + client_id: + description: Falcon OAuth2 API Client ID + type: string + client_secret: + description: Falcon OAuth2 API Client Secret + type: string + cloud_region: + description: Cloud Region defines CrowdStrike Falcon Cloud Region + to which the operator will connect and register. + enum: + - autodiscover + - us-1 + - us-2 + - eu-1 + - us-gov-1 + type: string + required: + - client_id + - client_secret + - cloud_region + type: object + image: + description: Location of the Falcon Sensor image. Use only in cases + when you mirror the original image to your repository/name:tag, + and CrowdStrike OAuth2 API is not used. 
+ pattern: ^.*:.*$ + type: string + installNamespace: + default: falcon-kac + description: Namespace where the Falcon Admission Controller should + be installed. For best security practices, this should be a dedicated + namespace that is not used for any other purpose. It also should + not be the same namespace where the Falcon Operator or the Falcon + Sensor is installed. + type: string + registry: + description: Registry configures container image registry to which + the Admission Controller image will be pushed. + properties: + acr_name: + description: Azure Container Registry Name represents the name + of the ACR for the Falcon Container push. Only applicable to + Azure cloud. + type: string + tls: + description: TLS configures TLS connection for push of Falcon + Container image to the registry + properties: + caCertificate: + description: Allow for users to provide a CA Cert Bundle, + as either a string or base64 encoded string + type: string + caCertificateConfigMap: + description: Allow for users to provide a ConfigMap containing + a CA Cert Bundle under a key ending in .crt + type: string + insecure_skip_verify: + description: Allow pushing to docker registries over HTTPS + with failed TLS verification. Note that this does not affect + other TLS connections. + type: boolean + type: object + type: + description: Type of container registry to be used + enum: + - acr + - ecr + - gcr + - crowdstrike + - openshift + type: string + required: + - type + type: object + resourcequota: + description: ResourceQuota configures the ResourceQuota for the Falcon + Admission Controller. This is useful for limiting the number of + pods that can be created in the namespace. + properties: + pods: + default: "2" + description: Limits the number of admission controller pods that + can be created in the namespace. + type: string + type: object + version: + description: 'Falcon Admission Controller Version. The latest version + will be selected when version specifier is missing. 
Example: 6.31, + 6.31.0, 6.31.0-1409, etc.' type: string type: object status: description: FalconAdmissionStatus defines the observed state of FalconAdmission + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. 
The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + sensor: + description: Version of the CrowdStrike Falcon Sensor + type: string + version: + description: Version of the CrowdStrike Falcon Operator + type: string type: object type: object served: true @@ -2209,7 +2702,8 @@ spec: type: boolean image: description: Location of the Falcon Sensor image. Use only in - cases when you mirror the original image to your repository/name:tag + cases when you mirror the original image to your repository/name:tag, + and CrowdStrike OAuth2 API is not used. pattern: ^.*:.*$ type: string imagePullPolicy: @@ -2817,6 +3311,14 @@ rules: - list - update - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -2826,6 +3328,18 @@ rules: - deletecollection - get - list + - update + - watch +- apiGroups: + - "" + resources: + - resourcequotas + verbs: + - create + - delete + - get + - list + - update - watch - apiGroups: - "" 
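Review bot: The `tls.validity` pattern `^[0-9]{1-4}$` in the @@ -48 hunk uses `{1-4}` where the bounded-repetition syntax is `{1,4}`; Go's RE2-style engine, which the API server uses for CRD patterns, treats a malformed brace as literal characters, so no plain number would ever match, and since `pattern` is only evaluated against strings an integer `validity` is not bounded at all. Either drop `x-kubernetes-int-or-string` and constrain the integer with `minimum: 1` / `maximum: 9999`, or keep the string form and fix the regex to `^[1-9][0-9]{0,3}$`; I am also not certain the API server accepts `type: integer` alongside `x-kubernetes-int-or-string: true` on this and on `containerPort`, `replicas` and `servicePort`, which a dry-run apply would settle. `containerPort` and `servicePort` declare `minimum: 0`, which admits port 0; `minimum: 1` matches what the container can actually bind. `failurePolicy` defaults to `Ignore`, i.e. the webhook fails open, and a reader of the CRD should see that in the field text, e.g. `description: Failure policy for the admission webhook. Ignore (default) admits requests when the controller is unreachable; Fail rejects them.`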
@@ -2871,6 +3385,17 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -2900,9 +3425,11 @@ rules:
   - leases
   verbs:
   - create
+  - delete
   - get
   - list
   - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -3017,6 +3544,18 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - security.openshift.io
   resourceNames: