CrowdStrike · gpontejos · Oct 7, 2025
diff --git a/api/falcon/v1alpha1/falconadmission_types.go b/api/falcon/v1alpha1/falconadmission_types.go
@@ -10,11 +10,12 @@ import (
 )
 
 const (
-	DeployWatcherDefault           = true
-	SnapshotsEnabledDefault        = true
-	SnapshotsIntervalDefault       = 22
-	WatcherEnabledDefault          = true
-	AdmissionControlEnabledDefault = true
+	DeployWatcherDefault             = true
+	SnapshotsEnabledDefault          = true
+	SnapshotsIntervalDefault         = 22
+	WatcherEnabledDefault            = true
+	AdmissionControlEnabledDefault   = true
+	AdmissionConfigMapEnabledDefault = true
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -149,6 +150,11 @@ type FalconAdmissionConfigSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enable Admission Controller",order=18
 	AdmissionControlEnabled *bool `json:"admissionControlEnabled,omitempty"`
 
+	// KAC watches configmaps by default. It tries to redact sensitive information by doing regex pattern matching for known sensitive patterns, before sending the events to CrowdStrike cloud.
+	// +kubebuilder:default:=true
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Enable ConfigMap Watcher",order=19
+	ConfigMapEnabled *bool `json:"configMapEnabled,omitempty"`
+
 	// Currently ignored and internally set to 1
 	// +kubebuilder:default:=2
 	// +kubebuilder:validation:XIntOrString
@@ -296,6 +302,14 @@ func (watcher FalconAdmissionConfigSpec) GetWatcherEnabled() bool {
 	return *watcher.WatcherEnabled
 }
 
+func (ac FalconAdmissionConfigSpec) GetConfigMapEnabled() bool {
+	if ac.ConfigMapEnabled == nil {
+		return AdmissionConfigMapEnabledDefault
+	}
+
+	return *ac.ConfigMapEnabled
+}
+
 func (ac *FalconAdmission) GetAdmissionControlEnabled() bool {
 	if ac.Spec.AdmissionConfig.AdmissionControlEnabled == nil {
 		return AdmissionControlEnabledDefault

diff --git a/api/falcon/v1alpha1/zz_generated.deepcopy.go b/api/falcon/v1alpha1/zz_generated.deepcopy.go
@@ -358,6 +358,11 @@ func (in *FalconAdmissionConfigSpec) DeepCopyInto(out *FalconAdmissionConfigSpec
 		*out = new(bool)
 		**out = **in
 	}
+	if in.ConfigMapEnabled != nil {
+		in, out := &in.ConfigMapEnabled, &out.ConfigMapEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Replicas != nil {
 		in, out := &in.Replicas, &out.Replicas
 		*out = new(int32)

diff --git a/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml b/config/crd/bases/falcon.crowdstrike.com_falconadmissions.yaml
@@ -58,6 +58,13 @@ spec:
                     description: Determines if the admission controller webhook is
                       enabled
                     type: boolean
+                  configMapEnabled:
+                    default: true
+                    description: KAC watches configmaps by default. It tries to redact
+                      sensitive information by doing regex pattern matching for known
+                      sensitive patterns, before sending the events to CrowdStrike
+                      cloud.
+                    type: boolean
                   containerPort:
                     default: 4443
                     description: Port on which the Falcon Admission Controller container

diff --git a/config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml b/config/crd/bases/falcon.crowdstrike.com_falcondeployments.yaml
@@ -111,6 +111,13 @@ spec:
                         description: Determines if the admission controller webhook
                           is enabled
                         type: boolean
+                      configMapEnabled:
+                        default: true
+                        description: KAC watches configmaps by default. It tries to
+                          redact sensitive information by doing regex pattern matching
+                          for known sensitive patterns, before sending the events
+                          to CrowdStrike cloud.
+                        type: boolean
                       containerPort:
                         default: 4443
                         description: Port on which the Falcon Admission Controller

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -70,6 +70,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -160,6 +168,16 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  - httproutes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - image.openshift.io
   resources:
@@ -171,6 +189,23 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - virtualservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - networkpolicies
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

diff --git a/docs/deployment/openshift/resources/admission/README.md b/docs/deployment/openshift/resources/admission/README.md
@@ -72,6 +72,7 @@ spec:
 | admissionConfig.snapshotsEnabled          | (optional) Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility.                                                                                                               |
 | admissionConfig.snapshotsInterval         | (optional) Time interval between two snapshots of Kubernetes resources in the cluster                                                                                                                                   |
 | admissionConfig.watcherEnabled            | (optional) Determines if Kubernetes resources are watched for cluster visibility                                                                                                                                        |
+| admissionConfig.configMapEnabled          | (optional) Specifies whether the Falcon Admission Controller monitors Kubernetes ConfigMap resource events                                                                                                              |
 | admissionConfig.replicas                  | (optional) Currently ignored and internally set to 1                                                                                                                                                                    |
 | admissionConfig.admissionControlEnabled   | (optional) Enable the Admission Controller. Available for KAC versions >= 7.26.                                                                                                                                         |
 | admissionConfig.resourcesClientNoWebhook  | (optional) Configure the default resources for the client container only when the admission webhoook is disabled. This will override any values set in admissionConfig.resourcesClient                                  |

diff --git a/docs/resources/admission/README.md b/docs/resources/admission/README.md
@@ -72,6 +72,7 @@ spec:
 | admissionConfig.snapshotsEnabled          | (optional) Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility.                                                                                                               |
 | admissionConfig.snapshotsInterval         | (optional) Time interval between two snapshots of Kubernetes resources in the cluster                                                                                                                                   |
 | admissionConfig.watcherEnabled            | (optional) Determines if Kubernetes resources are watched for cluster visibility                                                                                                                                        |
+| admissionConfig.configMapEnabled          | (optional) Specifies whether the Falcon Admission Controller monitors Kubernetes ConfigMap resource events                                                                                                              |
 | admissionConfig.replicas                  | (optional) Currently ignored and internally set to 1                                                                                                                                                                    |
 | admissionConfig.admissionControlEnabled   | (optional) Enable the Admission Controller. Available for KAC versions >= 7.26.                                                                                                                                         |
 | admissionConfig.resourcesClientNoWebhook  | (optional) Configure the default resources for the client container only when the admission webhoook is disabled. This will override any values set in admissionConfig.resourcesClient                                  |

diff --git a/docs/src/resources/admission.md.tmpl b/docs/src/resources/admission.md.tmpl
@@ -72,6 +72,7 @@ spec:
 | admissionConfig.snapshotsEnabled          | (optional) Determines if snapshots of Kubernetes resources are periodically taken for cluster visibility.                                                                                                               |
 | admissionConfig.snapshotsInterval         | (optional) Time interval between two snapshots of Kubernetes resources in the cluster                                                                                                                                   |
 | admissionConfig.watcherEnabled            | (optional) Determines if Kubernetes resources are watched for cluster visibility                                                                                                                                        |
+| admissionConfig.configMapEnabled          | (optional) Specifies whether the Falcon Admission Controller monitors Kubernetes ConfigMap resource events                                                                                                              |
 | admissionConfig.replicas                  | (optional) Currently ignored and internally set to 1                                                                                                                                                                    |
 | admissionConfig.admissionControlEnabled   | (optional) Enable the Admission Controller. Available for KAC versions >= 7.26.                                                                                                                                         |
 | admissionConfig.resourcesClientNoWebhook  | (optional) Configure the default resources for the client container only when the admission webhoook is disabled. This will override any values set in admissionConfig.resourcesClient                                  |

diff --git a/internal/controller/admission/configmap.go b/internal/controller/admission/configmap.go
@@ -77,6 +77,7 @@ func (r *FalconAdmissionReconciler) newConfigMap(ctx context.Context, name strin
 	data["__CS_SNAPSHOTS_ENABLED"] = strconv.FormatBool(falconAdmission.Spec.AdmissionConfig.GetSnapshotsEnabled())
 	data["__CS_SNAPSHOT_INTERVAL"] = falconAdmission.Spec.AdmissionConfig.GetSnapshotsInterval().String()
 	data["__CS_WATCH_EVENTS_ENABLED"] = strconv.FormatBool(falconAdmission.Spec.AdmissionConfig.GetWatcherEnabled())
+	data["__CS_VISIBILITY_CONFIGMAPS_ENABLED"] = strconv.FormatBool(falconAdmission.Spec.AdmissionConfig.GetConfigMapEnabled())
 
 	cid := ""
 	if falconAdmission.Spec.Falcon.CID != nil {

diff --git a/internal/controller/admission/falconadmission_controller.go b/internal/controller/admission/falconadmission_controller.go
@@ -74,7 +74,7 @@ func (r *FalconAdmissionReconciler) GetK8sReader() client.Reader {
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;update
-//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=nodes;serviceaccounts,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=replicationcontrollers,verbs=get;list;watch
 //+kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch
 //+kubebuilder:rbac:groups="apps",resources=replicasets,verbs=get;list;watch
@@ -85,7 +85,11 @@ func (r *FalconAdmissionReconciler) GetK8sReader() client.Reader {
 //+kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;update;watch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=create;get;list;update;watch;delete
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies;ingresses,verbs=get;list;watch
+//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
+//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses;gateways;httproutes,verbs=get;list;watch
+//+kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.