
feat: support kubernetes tolerations for FalconAdmission and FalconImageAnalyzer

Open ivanaguilario opened this issue 4 months ago • 2 comments

This PR adds support for Kubernetes tolerations in the FalconAdmission and FalconImageAnalyzer CRDs.

Closes #654

This is blocking us from deploying CrowdStrike Falcon across all our Kubernetes clusters as we use tolerations in order to gate workloads to specific node groups.

Added e2e tests for deploying FalconAdmission, FalconImageAnalyzer and FalconNodeSensor with tolerations set.

ivanaguilario avatar Sep 29 '25 16:09 ivanaguilario

@ivanaguilario Thanks for creating this. Can you please add the following:

  1. A check within the reconciler here for IAR to ensure that the tolerations cause a reconciliation loop? GKE Autopilot and OpenShift will add tolerations with their mutators and since the Deployment is owned by the IAR controller it'll trigger another reconcile. It's not exactly a breaking change for all deployments but it will flood the logs and continuously spam the API server.
  2. The same as above but in KAC here.

The above can also be achieved by updating watches with predicates.

gpontejos avatar Oct 04 '25 01:10 gpontejos
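
One way to avoid the reconcile loop described in the comment above, shown as an added example that is not code from this PR or from falcon-operator: treat the tolerations in the CR as a required subset of the live Deployment's tolerations instead of requiring an exact match. The `Toleration` struct is a local stand-in for `corev1.Toleration`, and the function names and sample keys are hypothetical.

```go
package main

import "fmt"

// Toleration is a local stand-in for corev1.Toleration so the example builds without dependencies.
type Toleration struct {
	Key, Operator, Value, Effect string
	TolerationSeconds            *int64
}

func sameToleration(a, b Toleration) bool {
	if (a.TolerationSeconds == nil) != (b.TolerationSeconds == nil) {
		return false
	}
	if a.TolerationSeconds != nil && *a.TolerationSeconds != *b.TolerationSeconds {
		return false
	}
	return a.Key == b.Key && a.Operator == b.Operator && a.Value == b.Value && a.Effect == b.Effect
}

func contains(list []Toleration, t Toleration) bool {
	for _, l := range list {
		if sameToleration(l, t) {
			return true
		}
	}
	return false
}

// NeedsTolerationUpdate (hypothetical name) is true only when the live Deployment lacks a
// toleration from the CR spec. Entries injected by a platform mutator are ignored, so they
// do not trigger an update. Trade-off: a toleration removed from the CR is not detected.
func NeedsTolerationUpdate(desired, live []Toleration) bool {
	for _, d := range desired {
		if !contains(live, d) {
			return true
		}
	}
	return false
}

// MergeTolerations keeps what the mutator injected and appends the missing CR entries, so
// the update written back to the API server is not immediately mutated into a new diff.
func MergeTolerations(desired, live []Toleration) []Toleration {
	out := append([]Toleration(nil), live...)
	for _, d := range desired {
		if !contains(out, d) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed sample values.
	desired := []Toleration{{Key: "dedicated", Operator: "Equal", Value: "security", Effect: "NoSchedule"}}
	live := append([]Toleration{{Key: "example.com/injected", Operator: "Exists"}}, desired...)
	fmt.Println("update needed:", NeedsTolerationUpdate(desired, live))
}
```
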

Hi there @gpontejos! Thanks for taking a look. Sorry for the late reply, got a bit busy the past few weeks.

I added the reconciler checks as requested. I saw there was already some similar work done so for consistency I took the same approach.

Let me know if anything else is needed.

Thanks!

ivanaguilario avatar Oct 17 '25 13:10 ivanaguilario