8 changes: 7 additions & 1 deletion api/falcon/v1alpha1/falconadmission_types.go
Expand Up @@ -198,13 +198,18 @@ type FalconAdmissionConfigSpec struct {
ResourcesAC *corev1.ResourceRequirements `json:"resources,omitempty"`

// Type of Deployment update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
// +kubebuilder:default:={"rollingUpdate":{"maxUnavailable":0,"maxSurge":1}}
// +kubebuilder:default:={}
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Deployment Update Strategy",order=11
DepUpdateStrategy FalconAdmissionUpdateStrategy `json:"updateStrategy,omitempty"`

// Specifies node affinity for scheduling the Admission Controller.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=19
NodeAffinity *corev1.NodeAffinity `json:"nodeAffinity,omitempty"`

// Specifies tolerations for scheduling the Admission Controller.
// +kubebuilder:default:={}
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=20
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

type FalconAdmissionServiceAccount struct {
Expand All @@ -215,6 +220,7 @@ type FalconAdmissionServiceAccount struct {

type FalconAdmissionUpdateStrategy struct {
// RollingUpdate is used to specify the strategy used to roll out a deployment
// +kubebuilder:default:={"maxUnavailable":0,"maxSurge":1}
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Admission Controller deployment update configuration",order=1,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:updateStrategy"}
RollingUpdate appsv1.RollingUpdateDeployment `json:"rollingUpdate,omitempty"`
}
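Review bot: The comment above `DepUpdateStrategy` still says the strategy `Can be "RollingUpdate" or "OnDelete"`, but `FalconAdmissionUpdateStrategy` as shown in the second hunk has a single `RollingUpdate` field and no type selector, so there is nothing a user can set to choose another strategy. This commit moves the default onto that nested field and the comment is copied into the CRD description, so it is worth correcting here. Something like `// Rolling update settings for the Admission Controller Deployment. Defaults to maxUnavailable 0 and maxSurge 1.` would match the type. The same wording sits above `DepUpdateStrategy` in falconimageanalyzer_types.go. `FalconAdmissionConfigSpec` begins outside the hunk.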
10 changes: 8 additions & 2 deletions api/falcon/v1alpha1/falconimageanalyzer_types.go
Expand Up @@ -55,9 +55,14 @@ type FalconImageAnalyzerSpec struct {
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Image Analyzer Version",order=7
Version *string `json:"version,omitempty"`

// Specifies node affinity for scheduling the Sensor.
// Specifies node affinity for scheduling the Falcon Image Analyzer Sensor.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=8
NodeAffinity *corev1.NodeAffinity `json:"nodeAffinity,omitempty"`

// Specifies tolerations for scheduling the Falcon Image Analyzer Sensor.
// +kubebuilder:default:={}
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=9
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

type FalconImageAnalyzerConfigSpec struct {
Expand Down Expand Up @@ -85,7 +90,7 @@ type FalconImageAnalyzerConfigSpec struct {
PriorityClass FalconImageAnalyzerPriorityClass `json:"priorityClass,omitempty"`

// Type of Deployment update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
// +kubebuilder:default:={"rollingUpdate":{"maxUnavailable":0,"maxSurge":1}}
// +kubebuilder:default:={}
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Deployment Update Strategy",order=7
DepUpdateStrategy FalconImageAnalyzerUpdateStrategy `json:"updateStrategy,omitempty"`

Expand Down Expand Up @@ -142,6 +147,7 @@ type FalconImageAnalyzerServiceAccount struct {

type FalconImageAnalyzerUpdateStrategy struct {
// RollingUpdate is used to specify the strategy used to roll out a deployment
// +kubebuilder:default:={"maxUnavailable":0,"maxSurge":1}
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Falcon Image Analyzer deployment update configuration",order=1,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:updateStrategy"}
RollingUpdate appsv1.RollingUpdateDeployment `json:"rollingUpdate,omitempty"`
}
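Review bot: `// +kubebuilder:default:={}` on the new `Tolerations` slice looks unnecessary, because the field is already `omitempty` and the generated admission CRD shows this marker turning into `default: []`. The API server would then presumably write an empty list into every object that omits the field, which erases the difference between "not set" and "explicitly empty" for no behavioural gain. Dropping the marker and leaving the slice nil would be the simpler form, and the same marker is on `Tolerations` in falconadmission_types.go. The comment could also say whether these tolerations replace or are added to any the operator sets itself, which the hunk does not show. `FalconImageAnalyzerSpec` starts outside the hunk.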
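--- a/api/falcon/v1alpha1/zz_generated.deepcopy.go
+++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -424,6 +424,13 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
 *out = new(corev1.NodeAffinity)
 (*in).DeepCopyInto(*out)
 }
+if in.Tolerations != nil {
+in, out := &in.Tolerations, &out.Tolerations
+*out = make([]corev1.Toleration, len(*in))
+for i := range *in {
+(*in)[i].DeepCopyInto(&(*out)[i])
+}
+}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionConfigSpec.
@@ -1208,6 +1215,13 @@ func (in *FalconImageAnalyzerSpec) DeepCopyInto(out *FalconImageAnalyzerSpec) {
 *out = new(corev1.NodeAffinity)
 (*in).DeepCopyInto(*out)
 }
+if in.Tolerations != nil {
+in, out := &in.Tolerations, &out.Tolerations
+*out = make([]corev1.Toleration, len(*in))
+for i := range *in {
+(*in)[i].DeepCopyInto(&(*out)[i])
+}
+}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconImageAnalyzerSpec.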
24 changes: 20 additions & 4 deletions bundle/manifests/falcon-operator.clusterserviceversion.yaml
Expand Up @@ -148,7 +148,7 @@ metadata:
capabilities: Seamless Upgrades
categories: Security,Monitoring
containerImage: quay.io/crowdstrike/falcon-operator
createdAt: "2025-11-05T18:34:58Z"
createdAt: "2026-06-02T21:19:50Z"
description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
features.operators.openshift.io/cnf: "false"
features.operators.openshift.io/cni: "false"
Expand Down Expand Up @@ -431,6 +431,9 @@ spec:
to know this to discover and communicate with IAR.
displayName: Falcon Image Analyzer Namespace
path: admissionConfig.falconImageAnalyzerNamespace
- description: Specifies tolerations for scheduling the Admission Controller.
displayName: Tolerations
path: admissionConfig.tolerations
version: v1alpha1
- description: FalconContainer is the Schema for the falconcontainers API
displayName: Falcon Container
Expand Down Expand Up @@ -1429,7 +1432,8 @@ spec:
- description: Set the falcon image analyzer volume size limit.
displayName: Falcon Image Analyzer Volume Size Limit
path: falconImageAnalyzer.imageAnalyzerConfig.sizeLimit
- description: Specifies node affinity for scheduling the Sensor.
- description: Specifies node affinity for scheduling the Falcon Image Analyzer
Sensor.
displayName: Node Affinity
path: falconImageAnalyzer.nodeAffinity
- description: Utilize default or Pay-As-You-Go billing.
Expand Down Expand Up @@ -1458,6 +1462,10 @@ spec:
- description: Set the falcon image analyzer volume mount path.
displayName: Falcon Image Analyzer Volume Mount Path
path: falconImageAnalyzer.imageAnalyzerConfig.mountPath
- description: Specifies tolerations for scheduling the Falcon Image Analyzer
Sensor.
displayName: Tolerations
path: falconImageAnalyzer.tolerations
- description: Falcon Node Sensor Controller Configuration
displayName: Falcon Node Sensor Configuration
path: falconNodeSensor
Expand Down Expand Up @@ -1559,6 +1567,9 @@ spec:
to know this to discover and communicate with IAR.
displayName: Falcon Image Analyzer Namespace
path: falconAdmission.admissionConfig.falconImageAnalyzerNamespace
- description: Specifies tolerations for scheduling the Admission Controller.
displayName: Tolerations
path: falconAdmission.admissionConfig.tolerations
- description: |-
Advanced configures various options that go against industry practices or are otherwise not recommended for use.
Adjusting these settings may result in incorrect or undesirable behavior. Proceed at your own risk.
Expand Down Expand Up @@ -1802,12 +1813,17 @@ spec:
- description: Set the falcon image analyzer volume size limit.
displayName: Falcon Image Analyzer Volume Size Limit
path: imageAnalyzerConfig.sizeLimit
- description: Specifies node affinity for scheduling the Sensor.
- description: Specifies node affinity for scheduling the Falcon Image Analyzer
Sensor.
displayName: Node Affinity
path: nodeAffinity
- description: Set the falcon image analyzer volume mount path.
displayName: Falcon Image Analyzer Volume Mount Path
path: imageAnalyzerConfig.mountPath
- description: Specifies tolerations for scheduling the Falcon Image Analyzer
Sensor.
displayName: Tolerations
path: tolerations
- description: Name of the Kubernetes Cluster.
displayName: Falcon Image Analyzer Cluster Name
path: imageAnalyzerConfig.clusterName
Expand Down Expand Up @@ -2398,7 +2414,7 @@ spec:
fieldPath: metadata.annotations['olm.targetNamespaces']
- name: OPERATOR_NAME
value: falcon-operator
image: quay.io/crowdstrike/falcon-operator:1.6.0
image: quay.io/crowdstrike/falcon-operator:iar-kac-tolerations
livenessProbe:
httpGet:
path: /healthz
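Review bot: The operator `image:` in the CSV deployment spec now reads `quay.io/crowdstrike/falcon-operator:iar-kac-tolerations` next to the earlier `:1.6.0`; assuming the branch-named tag is the new side, a mutable development tag has been committed into the bundle. Anyone installing from this bundle would pull whatever that tag resolves to at install time, not a released build. Before merge the bundle should be regenerated against the release reference, `image: quay.io/crowdstrike/falcon-operator:1.6.0`, or pinned by digest (`@sha256:<digest>`). The `createdAt` change in the first hunk looks like a by-product of the same local regeneration.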
50 changes: 46 additions & 4 deletions bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml
Expand Up @@ -643,15 +643,57 @@ spec:
type: integer
x-kubernetes-int-or-string: true
type: object
tolerations:
default: []
description: Specifies tolerations for scheduling the Admission
Controller.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
updateStrategy:
default:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
default: {}
description: Type of Deployment update. Can be "RollingUpdate"
or "OnDelete". Default is RollingUpdate.
properties:
rollingUpdate:
default:
maxSurge: 1
maxUnavailable: 0
description: RollingUpdate is used to specify the strategy
used to roll out a deployment
properties: