diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go
index f6db868f..fa6ec12e 100644
--- a/api/falcon/v1alpha1/falconadmission_types.go
+++ b/api/falcon/v1alpha1/falconadmission_types.go
@@ -10,11 +10,12 @@ import (
 )
 const (
- DeployWatcherDefault = true
- SnapshotsEnabledDefault = true
- SnapshotsIntervalDefault = 22
- WatcherEnabledDefault = true
- AdmissionControlEnabledDefault = true
+ DeployWatcherDefault = true
+ SnapshotsEnabledDefault = true
+ SnapshotsIntervalDefault = 22
+ WatcherEnabledDefault = true
+ AdmissionControlEnabledDefault = true
+ AdmissionConfigMapEnabledDefault = true
 )
 // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -149,6 +150,11 @@ type FalconAdmissionConfigSpec struct {
 // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enable Admission Controller",order=18
 AdmissionControlEnabled *bool `json:"admissionControlEnabled,omitempty"`
+ // KAC watches configmaps by default. It tries to redact sensitive information by doing regex pattern matching for known sensitive patterns, before sending the events to CrowdStrike cloud.
+ // +kubebuilder:default:=true
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enable ConfigMap Watcher",order=19
+ ConfigMapEnabled *bool `json:"configMapEnabled,omitempty"`
+
 // Currently ignored and internally set to 1
 // +kubebuilder:default:=2
 // +kubebuilder:validation:XIntOrString
@@ -296,6 +302,14 @@ func (watcher FalconAdmissionConfigSpec) GetWatcherEnabled() bool {
 return *watcher.WatcherEnabled
 }
+func (ac FalconAdmissionConfigSpec) GetConfigMapEnabled() bool {
+ if ac.ConfigMapEnabled == nil {
+ return AdmissionConfigMapEnabledDefault
+ }
+
+ return *ac.ConfigMapEnabled
+}
+
 func (ac *FalconAdmission) GetAdmissionControlEnabled() bool {
 if ac.Spec.AdmissionConfig.AdmissionControlEnabled == nil {
 return AdmissionControlEnabledDefault
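Review bot: The comment on the new `ConfigMapEnabled` field, which becomes the generated CRD description, says what KAC does by default but not what the field switches, and it presents regex redaction as if it were complete. Because this text is what an administrator reads in `kubectl explain` before deciding whether ConfigMap contents may leave the cluster, it should state the switch and the data flow: `// ConfigMapEnabled controls whether the Falcon Admission Controller watches ConfigMap resources and forwards their events to the CrowdStrike cloud.` followed by `// Values matching known sensitive patterns are redacted by regex before upload; this is best-effort, so set it to false in clusters whose ConfigMaps may carry data that must not leave the cluster.` The docs tables added in this commit already describe the field as "specifies whether ... monitors ConfigMap resource events", so the Go comment would then agree with them. The enclosing `FalconAdmissionConfigSpec` struct starts before this hunk and continues after it.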
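Review bot: `GetConfigMapEnabled` is exported but has no doc comment; add `// GetConfigMapEnabled reports whether ConfigMap watching is enabled, falling back to AdmissionConfigMapEnabledDefault when the field is unset.` above it. Its receiver is named `ac` while the value-receiver method immediately above on the same type uses `watcher`, and `ac` is also the receiver name used for `*FalconAdmission` in the next method; Go convention is one receiver name per type, so the spec's methods should settle on a single short name. The getter that follows this hunk continues outside it.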
diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go index 493f5736..0caa71af 100644 --- a/api/falcon/v1alpha1/zz_generated.deepcopy.go +++ b/api/falcon/v1alpha1/zz_generated.deepcopy.go @@ -358,6 +358,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec *out = new(bool) **out = **in } + if in.ConfigMapEnabled != nil { + in, out := &in.ConfigMapEnabled, &out.ConfigMapEnabled + *out = new(bool) + **out = **in + } if in.Replicas != nil { in, out := &in.Replicas, &out.Replicas *out = new(int32) diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml index e7fe42d3..d115f4c3 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml @@ -58,6 +58,13 @@ spec: description: Determines if the admission controller webhook is enabled type: boolean + configMapEnabled: + default: true + description: KAC watches configmaps by default. It tries to redact + sensitive information by doing regex pattern matching for known + sensitive patterns, before sending the events to CrowdStrike + cloud. + type: boolean containerPort: default: 4443 description: Port on which the Falcon Admission Controller container diff --git a/config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml b/config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml index 3dc45fa1..904c21ce 100644 --- a/config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml +++ b/config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml 
@@ -111,6 +111,13 @@ spec: description: Determines if the admission controller webhook is enabled type: boolean + configMapEnabled: + default: true + description: KAC watches configmaps by default. It tries to + redact sensitive information by doing regex pattern matching + for known sensitive patterns, before sending the events + to CrowdStrike cloud. + type: boolean containerPort: default: 4443 description: Port on which the Falcon Admission Controller diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index bd37420c..f56cb66c 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -70,6 +70,14 @@ rules: - list - update - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch - apiGroups: - apps resources: @@ -160,6 +168,16 @@ rules: - get - patch - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + verbs: + - get + - list + - watch - apiGroups: - image.openshift.io resources: @@ -171,6 +189,23 @@ rules: - list - update - watch +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list + - watch - apiGroups: - rbac.authorization.k8s.io resources: diff --git a/docs/deployment/openshift/resources/admission/README.md b/docs/deployment/openshift/resources/admission/README.md index 2ae440be..8225d87b 100644 --- a/docs/deployment/openshift/resources/admission/README.md +++ b/docs/deployment/openshift/resources/admission/README.md 
@@ -72,6 +72,7 @@ spec:
 | admissionConfig.snapshotsEnabled | (optional) Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility. |
 | admissionConfig.snapshotsInterval | (optional) Time interval between two snapshots of Kubernetes resources in the cluster |
 | admissionConfig.watcherEnabled | (optional) Determines if Kubernetes resources are watched for cluster visibility |
+| admissionConfig.configMapEnabled | (optional) Specifies whether the Falcon Admission Controller monitors Kubernetes ConfigMap resource events |
 | admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.admissionControlEnabled | (optional) Enable the Admission Controller. Available for KAC versions >= 7.26. |
 | admissionConfig.resourcesClientNoWebhook | (optional) Configure the default resources for the client container only when the admission webhoook is disabled. This will override any values set in admissionConfig.resourcesClient |
diff --git a/docs/resources/admission/README.md b/docs/resources/admission/README.md
index 037d4a5b..0261691d 100644
--- a/docs/resources/admission/README.md
+++ b/docs/resources/admission/README.md
@@ -72,6 +72,7 @@ spec:
 | admissionConfig.snapshotsEnabled | (optional) Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility. |
 | admissionConfig.snapshotsInterval | (optional) Time interval between two snapshots of Kubernetes resources in the cluster |
 | admissionConfig.watcherEnabled | (optional) Determines if Kubernetes resources are watched for cluster visibility |
+| admissionConfig.configMapEnabled | (optional) Specifies whether the Falcon Admission Controller monitors Kubernetes ConfigMap resource events |
 | admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.admissionControlEnabled | (optional) Enable the Admission Controller. Available for KAC versions >= 7.26. |
 | admissionConfig.resourcesClientNoWebhook | (optional) Configure the default resources for the client container only when the admission webhoook is disabled. This will override any values set in admissionConfig.resourcesClient |
diff --git a/docs/src/resources/admission.md.tmpl b/docs/src/resources/admission.md.tmpl
index 7c957a2f..263b3cfd 100644
--- a/docs/src/resources/admission.md.tmpl
+++ b/docs/src/resources/admission.md.tmpl
@@ -72,6 +72,7 @@ spec:
 | admissionConfig.snapshotsEnabled | (optional) Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility. |
 | admissionConfig.snapshotsInterval | (optional) Time interval between two snapshots of Kubernetes resources in the cluster |
 | admissionConfig.watcherEnabled | (optional) Determines if Kubernetes resources are watched for cluster visibility |
+| admissionConfig.configMapEnabled | (optional) Specifies whether the Falcon Admission Controller monitors Kubernetes ConfigMap resource events |
 | admissionConfig.replicas | (optional) Currently ignored and internally set to 1 |
 | admissionConfig.admissionControlEnabled | (optional) Enable the Admission Controller. Available for KAC versions >= 7.26. |
 | admissionConfig.resourcesClientNoWebhook | (optional) Configure the default resources for the client container only when the admission webhoook is disabled. This will override any values set in admissionConfig.resourcesClient |
diff --git a/internal/controller/admission/configmap.go b/internal/controller/admission/configmap.go
index f3218623..0403b962 100644
--- a/internal/controller/admission/configmap.go
+++ b/internal/controller/admission/configmap.go
@@ -77,6 +77,7 @@ func (r *FalconAdmissionReconciler) newConfigMap(ctx context.Context, name strin
 data["__CS_SNAPSHOTS_ENABLED"] = strconv.FormatBool(falconAdmission.Spec.AdmissionConfig.GetSnapshotsEnabled())
 data["__CS_SNAPSHOT_INTERVAL"] = falconAdmission.Spec.AdmissionConfig.GetSnapshotsInterval().String()
 data["__CS_WATCH_EVENTS_ENABLED"] = strconv.FormatBool(falconAdmission.Spec.AdmissionConfig.GetWatcherEnabled())
+ data["__CS_VISIBILITY_CONFIGMAPS_ENABLED"] = strconv.FormatBool(falconAdmission.Spec.AdmissionConfig.GetConfigMapEnabled())
 cid := ""
 if falconAdmission.Spec.Falcon.CID != nil {
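Review bot: The new `__CS_VISIBILITY_CONFIGMAPS_ENABLED` entry is written regardless of `GetWatcherEnabled()`, so a spec with `watcherEnabled: false` and `configMapEnabled` left at its default of true hands KAC `__CS_WATCH_EVENTS_ENABLED=false` next to `__CS_VISIBILITY_CONFIGMAPS_ENABLED=true`. Which setting wins is presumably decided inside KAC, but nothing in the operator records it, and for a flag that governs whether ConfigMap contents are uploaded an auditor should not have to guess. Add a comment on the new line that states the intended precedence, e.g. `// Precedence when __CS_WATCH_EVENTS_ENABLED is false: <state KAC's behaviour here>`, or, if ConfigMap visibility is meant to be a sub-feature of event watching, gate the value on `GetWatcherEnabled()` as well. `newConfigMap` starts before this hunk and continues after it.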
diff --git a/internal/controller/admission/falconadmission_controller.go b/internal/controller/admission/falconadmission_controller.go
index 4b9265aa..3d01a511 100644
--- a/internal/controller/admission/falconadmission_controller.go
+++ b/internal/controller/admission/falconadmission_controller.go
@@ -74,7 +74,7 @@ func (r *FalconAdmissionReconciler) GetK8sReader() client.Reader {
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;update
-//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=nodes;serviceaccounts,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=replicationcontrollers,verbs=get;list;watch
 //+kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch
 //+kubebuilder:rbac:groups="apps",resources=replicasets,verbs=get;list;watch
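Review bot: This hunk and the next one widen the operator's own ClusterRole (read on serviceaccounts here; read on networkpolicies, ingresses, customresourcedefinitions, gateway and Istio resources plus create/update/delete on clusterroles in the next hunk) with no comment saying why the operator itself needs them, and the generated `config/rbac/role.yaml` inherits that silence. Presumably the read verbs exist because RBAC escalation prevention only lets the operator create a KAC ClusterRole containing verbs it already holds, but that is inference; a line above the new markers such as `// The read-only verbs below mirror what the KAC ClusterRole grants: the operator must hold them to create that role without the escalate verb.` would let a reviewer check each grant against the KAC role instead of guessing. The `clusterroles` create/update/delete grant is the one addition that is both cluster-scoped and write-capable, so it deserves its own sentence naming the role it manages, and the gateway.networking.k8s.io and networking.istio.io groups are optional add-ons, so saying which KAC feature consumes them lets administrators trim them where those add-ons are not installed. The marker block continues outside both hunks.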
@@ -85,7 +85,11 @@ func (r *FalconAdmissionReconciler) GetK8sReader() client.Reader {
 //+kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;update;watch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=create;get;list;update;watch;delete
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies;ingresses,verbs=get;list;watch
+//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
+//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses;gateways;httproutes,verbs=get;list;watch
+//+kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.