CrowdStrike · redhatrises · Mar 6, 2023 · Mar 6, 2023 · Mar 6, 2023
diff --git a/apis/falcon/v1alpha1/falconcontainer_types.go b/apis/falcon/v1alpha1/falconcontainer_types.go
@@ -90,6 +90,13 @@ type FalconContainerInjectorSpec struct {
 
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Azure Config file path",order=12
 	AzureConfigPath string `json:"azureConfigPath,omitempty"`
+
+	// +kubebuilder:default:=2
+	// +kubebuilder:validation:XIntOrString
+	// +kubebuilder:validation:Minimum:=0
+	// +kubebuilder:validation:Maximum:=65535
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Injector replica count",order=13
+	Replicas *int32 `json:"replicas,omitempty"`
 }
 
 type FalconContainerServiceAccount struct {

diff --git a/apis/falcon/v1alpha1/zz_generated.deepcopy.go b/apis/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -299,6 +299,11 @@ func (in *FalconContainerInjectorSpec) DeepCopyInto(out *FalconContainerInjector
 			}
 		}
 	}
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = new(int32)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconContainerInjectorSpec.

diff --git a/bundle/manifests/falcon-operator.clusterserviceversion.yaml b/bundle/manifests/falcon-operator.clusterserviceversion.yaml
@@ -176,6 +176,8 @@ spec:
         path: injector.disableDefaultPodInjection
       - displayName: Azure Config file path
         path: injector.azureConfigPath
+      - displayName: Injector replica count
+        path: injector.replicas
       - displayName: Annotations
         path: injector.serviceAccount.annotations
       version: v1alpha1

diff --git a/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml b/bundle/manifests/falcon.crowdstrike.com_falconcontainers.yaml
@@ -1689,6 +1689,13 @@ spec:
                     required:
                     - name
                     type: object
+                  replicas:
+                    default: 2
+                    format: int32
+                    maximum: 65535
+                    minimum: 0
+                    type: integer
+                    x-kubernetes-int-or-string: true
                   resources:
                     description: ResourceRequirements describes the compute resource
                       requirements.

diff --git a/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml b/config/crd/bases/falcon.crowdstrike.com_falconcontainers.yaml
@@ -1690,6 +1690,13 @@ spec:
                     required:
                     - name
                     type: object
+                  replicas:
+                    default: 2
+                    format: int32
+                    maximum: 65535
+                    minimum: 0
+                    type: integer
+                    x-kubernetes-int-or-string: true
                   resources:
                     description: ResourceRequirements describes the compute resource
                       requirements.

diff --git a/config/manifests/bases/falcon-operator.clusterserviceversion.yaml b/config/manifests/bases/falcon-operator.clusterserviceversion.yaml
@@ -129,6 +129,8 @@ spec:
         path: injector.disableDefaultPodInjection
       - displayName: Azure Config file path
         path: injector.azureConfigPath
+      - displayName: Injector replica count
+        path: injector.replicas
       - displayName: Annotations
         path: injector.serviceAccount.annotations
       version: v1alpha1

diff --git a/controllers/falcon_container/injector.go b/controllers/falcon_container/injector.go
@@ -128,7 +128,6 @@ func (r *FalconContainerReconciler) newDeployment(imageUri string, falconContain
 	if falconContainer.Spec.Injector.Resources != nil {
 		resources = falconContainer.Spec.Injector.Resources
 	}
-	var replicas int32 = 1
 	var rootUid int64 = 0
 	var readMode int32 = 420
 	runNonRoot := true
@@ -233,7 +232,7 @@ func (r *FalconContainerReconciler) newDeployment(imageUri string, falconContain
 			Labels:    FcLabels,
 		},
 		Spec: appsv1.DeploymentSpec{
-			Replicas: &replicas,
+			Replicas: falconContainer.Spec.Injector.Replicas,
 			Selector: &metav1.LabelSelector{
 				MatchLabels: FcLabels,
 			},
@@ -263,6 +262,15 @@ func (r *FalconContainerReconciler) newDeployment(imageUri string, falconContain
 							},
 						},
 					},
+					TopologySpreadConstraints: []corev1.TopologySpreadConstraint{{
+						MaxSkew:           1,
+						TopologyKey:       "kubernetes.io/hostname",
+						WhenUnsatisfiable: corev1.ScheduleAnyway,
+						LabelSelector: &metav1.LabelSelector{
+							MatchLabels: map[string]string{common.FalconInstanceNameKey: injectorName},
+						},
+					},
+					},
 					ImagePullSecrets: imagePullSecrets,
 					SecurityContext: &corev1.PodSecurityContext{
 						RunAsNonRoot: &runNonRoot,

diff --git a/deploy/falcon-operator.yaml b/deploy/falcon-operator.yaml
@@ -1697,6 +1697,13 @@ spec:
                     required:
                     - name
                     type: object
+                  replicas:
+                    default: 2
+                    format: int32
+                    maximum: 65535
+                    minimum: 0
+                    type: integer
+                    x-kubernetes-int-or-string: true
                   resources:
                     description: ResourceRequirements describes the compute resource
                       requirements.

diff --git a/docs/container/README.md b/docs/container/README.md
@@ -66,6 +66,7 @@ spec:
 | injector.serviceAccount.name              | (optional) Name of Service Account to create in falcon-system namespace                                                                                                                                                 |
 | injector.serviceAccount.annotations       | (optional) Annotations that should be added to the Service Account (e.g. for IAM role association)                                                                                                                      |
 | injector.listenPort                       | (optional) Override the default Injector Listen Port of 4433                                                                                                                                                            |
+| injector.replicas                       | (optional) Override the default Injector Replica count of 2                                                                                                                                                            |
 | injector.tls.validity                     | (optional) Override the default Injector CA validity of 3650 days                                                                                                                                                       |
 | injector.imagePullPolicy                  | (optional) Override the default Falcon Container image pull policy of Always                                                                                                                                            |
 | injector.imagePullSecretName              | (optional) Provide a secret containing an alternative pull token for the Falcon Container image                                                                                                                         |