Problem
Currently, to ensure the falcon-sensor pod is the first workload scheduled on new nodes, clusters can use an initial taint (e.g., falcon-init=waiting:NoSchedule) that only the falcon-sensor DaemonSet tolerates. However, the operator does not automatically remove this taint after the sensor pod reaches Ready state, requiring manual intervention or a separate script.
Proposed Solution
Enhance the Falcon Operator to automatically remove a specified taint from a node once the falcon-sensor pod scheduled by the DaemonSet on that node reports Ready status. This will ensure no unmanaged pods are run and reduce operational overhead in maintaining sensor coverage.
This is similar to the --remove-cilium-node-taints flag used in the Cilium operator.
Benefits
- Ensures sensor is always the first pod on any new node
- No manual intervention required for taint management
- Simplifies onboarding of new nodes into secured clusters
Implementation Hints
- Make the taint key configurable in the FalconNodeSensor spec
- Watch for sensor pod readiness per node
- Patch node to remove the taint when appropriate
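The three implementation hints above, worked through as one example added here; this is not code from the falcon-operator project. The Taint, Toleration and SensorPod types are simplified stand-ins for the corev1 types (the operator itself would use those plus a controller-runtime client), and the node name worker-1, the sensor pod state and the second taint are constructed sample data. It also covers the failure mode the hints do not mention: if the DaemonSet does not tolerate the configured taint, the sensor never schedules and the taint is never cleared.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Taint/Toleration carry only the corev1 fields used here (assumption: the operator would use corev1 types).
type Taint struct {
	Key    string `json:"key"`
	Value  string `json:"value,omitempty"`
	Effect string `json:"effect"`
}

type Toleration struct {
	Key, Operator, Value, Effect string // Operator "Exists" or "Equal"; empty Effect matches every effect
}

type SensorPod struct { // hypothetical minimal view of one falcon-sensor DaemonSet pod
	NodeName string
	Ready    bool // the pod's Ready condition is True
}

// Tolerates applies the Kubernetes toleration rule: effect must match or be empty;
// Exists needs a matching key (empty key matches any); Equal needs key and value.
func Tolerates(tols []Toleration, t Taint) bool {
	for _, tol := range tols {
		if tol.Effect != "" && tol.Effect != t.Effect {
			continue
		}
		if tol.Operator == "Exists" {
			if tol.Key == "" || tol.Key == t.Key {
				return true
			}
		} else if tol.Key == t.Key && tol.Value == t.Value {
			return true
		}
	}
	return false
}

// HasTaintKey reports whether the node still carries a taint with this key.
func HasTaintKey(taints []Taint, key string) bool {
	for _, t := range taints {
		if t.Key == key {
			return true
		}
	}
	return false
}

// ShouldRemoveTaint is the reconcile decision: the node still has the configured taint
// and a sensor pod on that node is Ready. Until then the taint must stay.
func ShouldRemoveTaint(nodeTaints []Taint, taintKey string, pods []SensorPod, nodeName string) bool {
	for _, p := range pods {
		if p.NodeName == nodeName && p.Ready && HasTaintKey(nodeTaints, taintKey) {
			return true
		}
	}
	return false
}

// WithoutTaintKey drops every taint with the key, whatever its value or effect
// (what `kubectl taint nodes NODE KEY-` does), and keeps unrelated taints.
func WithoutTaintKey(taints []Taint, key string) []Taint {
	var kept []Taint
	for _, t := range taints {
		if t.Key != key {
			kept = append(kept, t)
		}
	}
	return kept
}

// NodeTaintPatch builds the JSON merge patch body for the Node. A merge patch replaces
// the whole spec.taints list, so the remaining taints are sent back; empty becomes null.
func NodeTaintPatch(remaining []Taint) ([]byte, error) {
	var taints interface{}
	if len(remaining) > 0 {
		taints = remaining
	}
	return json.Marshal(map[string]interface{}{"spec": map[string]interface{}{"taints": taints}})
}

func main() {
	initTaint := Taint{Key: "falcon-init", Value: "waiting", Effect: "NoSchedule"} // constructed sample
	sensorTols := []Toleration{{Key: "falcon-init", Operator: "Exists", Effect: "NoSchedule"}}
	if !Tolerates(sensorTols, initTaint) {
		fmt.Println("sensor DaemonSet does not tolerate the taint: it never schedules, taint never clears")
		return
	}
	node := []Taint{initTaint, {Key: "node.kubernetes.io/not-ready", Effect: "NoExecute"}}
	pods := []SensorPod{{NodeName: "worker-1", Ready: true}}
	if ShouldRemoveTaint(node, initTaint.Key, pods, "worker-1") {
		body, _ := NodeTaintPatch(WithoutTaintKey(node, initTaint.Key))
		fmt.Printf("PATCH nodes/worker-1: %s\n", body) // the not-ready taint is kept
	}
}
```

In the real controller the pod list would be filtered to pods owned by the falcon-sensor DaemonSet, Ready would come from pod.Status.Conditions, and the operator's ClusterRole needs the patch verb on nodes. Because a merge patch replaces the entire spec.taints list, a production implementation should either update the Node with its resourceVersion or send a JSON patch with a test operation, so a taint added concurrently by another controller is not silently dropped.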