12 changes: 12 additions & 0 deletions api/falcon/v1alpha1/falconadmission_types.go
Expand Up @@ -205,6 +205,11 @@ type FalconAdmissionConfigSpec struct {
// Specifies node affinity for scheduling the Admission Controller.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=18
NodeAffinity *corev1.NodeAffinity `json:"nodeAffinity,omitempty"`

// Specifies tolerations for custom taints on the admission controller pods.
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=19
Tolerations *[]corev1.Toleration `json:"tolerations,omitempty"`
}

type FalconAdmissionServiceAccount struct {
Expand Down Expand Up @@ -346,3 +351,10 @@ func (ac *FalconAdmission) GetFalconSpec() FalconSensor {
func (ac *FalconAdmission) SetFalconSpec(falconSpec FalconSensor) {
ac.Spec.Falcon = falconSpec
}

func (ac *FalconAdmission) GetTolerations() *[]corev1.Toleration {
if ac.Spec.AdmissionConfig.Tolerations == nil {
return nil
}
return ac.Spec.AdmissionConfig.Tolerations
}
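Review bot: `GetTolerations` is an exported method without a doc comment, and its nil guard is redundant — returning the field directly yields nil in exactly the same case. Suggest `// GetTolerations returns the tolerations configured for the admission controller pods, or nil when none are set.` above the signature and collapsing the body to `return ac.Spec.AdmissionConfig.Tolerations`; the same applies to `FalconImageAnalyzer.GetTolerations` in falconimageanalyzer_types.go. The `*[]corev1.Toleration` field type is also unusual for a Kubernetes API type: a plain `[]corev1.Toleration` with `omitempty` already distinguishes unset (nil) from set and avoids the nested pointer handling in the generated deepcopy, unless the pointer form is required by an interface these getters satisfy that is not in this view.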
12 changes: 12 additions & 0 deletions api/falcon/v1alpha1/falconimageanalyzer_types.go
Expand Up @@ -126,6 +126,11 @@ type FalconImageAnalyzerConfigSpec struct {
// +kubebuilder:default:={}
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="KAC Inter-communication Configuration",order=14
KAC FalconImageAnalyzerKACSpec `json:"kac,omitempty"`

// Specifies tolerations for custom taints on the image analyzer pods.
// +optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=14
Tolerations *[]corev1.Toleration `json:"tolerations,omitempty"`
}

type FalconImageAnalyzerPriorityClass struct {
Expand Down Expand Up @@ -265,3 +270,10 @@ func (fia *FalconImageAnalyzer) GetFalconSpec() FalconSensor {
func (fia *FalconImageAnalyzer) SetFalconSpec(FalconSensor) {
// noop
}

func (fia *FalconImageAnalyzer) GetTolerations() *[]corev1.Toleration {
if fia.Spec.ImageAnalyzerConfig.Tolerations == nil {
return nil
}
return fia.Spec.ImageAnalyzerConfig.Tolerations
}
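Review bot: The new `Tolerations` field reuses `order=14` in its `+operator-sdk:csv:customresourcedefinitions` marker, the same value as the `KAC` field directly above it, so the two spec descriptors have an ambiguous position in the generated CSV. The admission type in this same commit takes the next free value (`order=19` after `order=18`); suggest doing the same here, e.g. `// +operator-sdk:csv:customresourcedefinitions:type=spec,order=15`, provided 15 is not already used by a field outside the hunk.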
23 changes: 23 additions & 0 deletions api/falcon/v1alpha1/zz_generated.deepcopy.go
Expand Up @@ -399,6 +399,17 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
*out = new(corev1.NodeAffinity)
(*in).DeepCopyInto(*out)
}
if in.Tolerations != nil {
in, out := &in.Tolerations, &out.Tolerations
*out = new([]corev1.Toleration)
if **in != nil {
in, out := *in, *out
*out = make([]corev1.Toleration, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
}

// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FalconAdmissionConfigSpec.
Expand Down Expand Up @@ -1063,6 +1074,18 @@ func (in *FalconImageAnalyzerConfigSpec) DeepCopyInto(out *FalconImageAnalyzerCo
in.DepUpdateStrategy.DeepCopyInto(&out.DepUpdateStrategy)
in.Exclusions.DeepCopyInto(&out.Exclusions)
in.RegistryConfig.DeepCopyInto(&out.RegistryConfig)
if in.Tolerations != nil {
in, out := &in.Tolerations, &out.Tolerations
*out = new([]corev1.Toleration)
if **in != nil {
in, out := *in, *out
*out = make([]corev1.Toleration, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}

out.IARAgentService = in.IARAgentService
out.KAC = in.KAC
}
40 changes: 40 additions & 0 deletions config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
Expand Up @@ -643,6 +643,46 @@ spec:
type: integer
x-kubernetes-int-or-string: true
type: object
tolerations:
description: Specifies tolerations for custom taints on the admission
controller pods.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
updateStrategy:
default:
rollingUpdate:
80 changes: 80 additions & 0 deletions config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml
Expand Up @@ -699,6 +699,46 @@ spec:
type: integer
x-kubernetes-int-or-string: true
type: object
tolerations:
description: Specifies tolerations for custom taints on the
admission controller pods.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
updateStrategy:
default:
rollingUpdate:
Expand Down Expand Up @@ -3554,6 +3594,46 @@ spec:
default: 20Gi
description: Set the falcon image analyzer volume size limit.
type: string
tolerations:
description: Specifies tolerations for custom taints on the
image analyzer pods.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
updateStrategy:
default:
rollingUpdate:
40 changes: 40 additions & 0 deletions config/crd/bases/falcon.crowdstrike.com_falconimageanalyzers.yaml
Expand Up @@ -313,6 +313,46 @@ spec:
default: 20Gi
description: Set the falcon image analyzer volume size limit.
type: string
tolerations:
description: Specifies tolerations for custom taints on the image
analyzer pods.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
updateStrategy:
default:
rollingUpdate:
@@ -0,0 +1,39 @@
apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconAdmission
metadata:
labels:
crowdstrike.com/component: sample
crowdstrike.com/created-by: falcon-operator
crowdstrike.com/instance: falcon-admission
crowdstrike.com/managed-by: kustomize
crowdstrike.com/name: falconadmission
crowdstrike.com/part-of: Falcon
crowdstrike.com/provider: crowdstrike
name: falcon-kac
spec:
falcon_api:
client_id: PLEASE_FILL_IN
client_secret: PLEASE_FILL_IN
cloud_region: autodiscover
registry:
type: crowdstrike
falcon:
trace: none
tags:
- admission_controller
admissionConfig:
# Example tolerations configuration
tolerations:
# Tolerate control-plane nodes
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
# Tolerate master nodes
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
# Custom toleration example
- key: "dedicated"
operator: "Equal"
value: "admission"
effect: "NoSchedule"
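Review bot: The sample tolerates the `node-role.kubernetes.io/control-plane` and `node-role.kubernetes.io/master` taints, which lets the admission controller pods be scheduled onto control-plane nodes, so a user who copies the sample as-is gets that placement without having chosen it. Suggest a comment above the list such as `# Tolerating control-plane taints allows these pods to run on control-plane nodes; remove these entries unless that placement is intended.` The `node-role.kubernetes.io/master` taint is the legacy name that current kubeadm releases no longer apply, so it is presumably kept for older clusters only — worth stating in the comment. The FalconImageAnalyzer sample below has the same entries; the FalconNodeSensor sample is a different case, since a DaemonSet is normally expected to cover every node, but the comment would still help there.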
@@ -0,0 +1,35 @@
apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconImageAnalyzer
metadata:
labels:
crowdstrike.com/component: sample
crowdstrike.com/created-by: falcon-operator
crowdstrike.com/instance: falcon-image-analyzer
crowdstrike.com/managed-by: kustomize
crowdstrike.com/name: falconimageanalyzer
crowdstrike.com/part-of: Falcon
crowdstrike.com/provider: crowdstrike
name: falcon-image-analyzer
spec:
falcon_api:
client_id: PLEASE_FILL_IN
client_secret: PLEASE_FILL_IN
cloud_region: autodiscover
registry:
type: crowdstrike
imageAnalyzerConfig:
# Example tolerations configuration
tolerations:
# Tolerate control-plane nodes
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
# Tolerate master nodes
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
# Custom toleration example for dedicated image analyzer nodes
- key: "dedicated"
operator: "Equal"
value: "image-analyzer"
effect: "NoSchedule"
@@ -0,0 +1,37 @@
apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconNodeSensor
metadata:
labels:
crowdstrike.com/component: sample
crowdstrike.com/created-by: falcon-operator
crowdstrike.com/instance: falcon-node-sensor
crowdstrike.com/managed-by: kustomize
crowdstrike.com/name: falconnodesensor
crowdstrike.com/part-of: Falcon
crowdstrike.com/provider: crowdstrike
name: falcon-node-sensor
spec:
falcon_api:
client_id: PLEASE_FILL_IN
client_secret: PLEASE_FILL_IN
cloud_region: autodiscover
node:
# Custom tolerations for the node sensor DaemonSet
tolerations:
# Tolerate control-plane nodes
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
# Tolerate master nodes
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
# Tolerate infra nodes
- key: "node-role.kubernetes.io/infra"
operator: "Exists"
effect: "NoSchedule"
# Custom toleration for dedicated security nodes
- key: "dedicated"
operator: "Equal"
value: "security"
effect: "NoSchedule"
5 changes: 5 additions & 0 deletions internal/controller/admission/falconadmission_controller.go
Expand Up @@ -608,6 +608,11 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionDeployment(ctx context.Con
updated = true
}

if !equality.Semantic.DeepEqual(existingDeployment.Spec.Template.Spec.Tolerations, dep.Spec.Template.Spec.Tolerations) {
existingDeployment.Spec.Template.Spec.Tolerations = dep.Spec.Template.Spec.Tolerations
updated = true
}

if len(dep.Spec.Template.Spec.Containers) != len(existingDeployment.Spec.Template.Spec.Containers) {
existingDeployment.Spec.Template.Spec.Containers = dep.Spec.Template.Spec.Containers
updated = true
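Review bot: The added tolerations comparison keeps the admission deployment in sync, but no equivalent check is visible for the image analyzer deployment even though `FalconImageAnalyzerConfigSpec.Tolerations` is added in this same commit; if that reconciler uses the same field-by-field update block, it needs `if !equality.Semantic.DeepEqual(existingDeployment.Spec.Template.Spec.Tolerations, dep.Spec.Template.Spec.Tolerations) { ... }` as well, otherwise a toleration change on a FalconImageAnalyzer CR would only take effect when the deployment is recreated. That reconciler is not in this view, so it may already be handled elsewhere. `reconcileAdmissionDeployment` begins and ends outside the hunk.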