diff --git a/go.mod b/go.mod
index d2d30045..402bc8f2 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7
 github.com/cert-manager/cert-manager v1.12.14
 github.com/containers/image/v5 v5.31.1
- github.com/crowdstrike/gofalcon v0.18.0
+ github.com/crowdstrike/gofalcon v0.18.1-0.20251219213215-c969f34e7808
 github.com/go-logr/logr v1.4.2
 github.com/go-openapi/swag v0.23.0
 github.com/google/go-cmp v0.6.0
diff --git a/go.sum b/go.sum
index d722da28..1ae41c9e 100644
--- a/go.sum
+++ b/go.sum
@@ -90,8 +90,8 @@ github.com/containers/storage v1.54.0 h1:xwYAlf6n9OnIlURQLLg3FYHbO74fQ/2W2N6EtQE
 github.com/containers/storage v1.54.0/go.mod h1:PlMOoinRrBSnhYODLxt4EXl0nmJt+X0kjG0Xdt9fMTw=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crowdstrike/gofalcon v0.18.0 h1:7B1N5nGGDYpb6RVorFQE0R4BSnZLst6YEYgC2F9Xl90=
-github.com/crowdstrike/gofalcon v0.18.0/go.mod h1:a12GB+md+hRSgVCb3Pv6CakeTIsDIUCIVWRlJelIhY0=
+github.com/crowdstrike/gofalcon v0.18.1-0.20251219213215-c969f34e7808 h1:4u5t0ieUKpeKH59ZR7W6wGXuL0KsoE3hFliaQOJrmyA=
+github.com/crowdstrike/gofalcon v0.18.1-0.20251219213215-c969f34e7808/go.mod h1:a12GB+md+hRSgVCb3Pv6CakeTIsDIUCIVWRlJelIhY0=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
 github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
diff --git a/internal/controller/admission/image_push.go b/internal/controller/admission/image_push.go
index 9e44e43d..fd41a3e1 100644
--- a/internal/controller/admission/image_push.go
+++ b/internal/controller/admission/image_push.go
@@ -165,6 +165,17 @@ func (r *FalconAdmissionReconciler) imageUri(ctx context.Context, falconAdmissio return "", fmt.Errorf("failed to set Falcon Admission Image version: %v", err) } + if falconAdmission.Spec.Registry.Type == falconv1alpha1.RegistryTypeCrowdStrike { + semver := strings.Split(imageTag, "-")[0] + if !falcon_registry.IsMinimumUnifiedSensorVersion(semver, falcon.KacSensor) { + cloud, err := falconAdmission.Spec.FalconAPI.FalconCloudWithSecret(ctx, r.Reader, falconAdmission.Spec.FalconSecret) + if err != nil { + return "", err + } + registryUri = falcon.FalconContainerSensorImageURI(cloud, falcon.RegionedKacSensor) + } + } + return fmt.Sprintf("%s:%s", registryUri, imageTag), nil } diff --git a/internal/controller/falcon_container/image_push.go b/internal/controller/falcon_container/image_push.go index aa50d4d9..faee7f6e 100644 --- a/internal/controller/falcon_container/image_push.go +++ b/internal/controller/falcon_container/image_push.go @@ -17,6 +17,7 @@ import ( "github.com/crowdstrike/falcon-operator/pkg/gcp" "github.com/crowdstrike/falcon-operator/pkg/k8s_utils" "github.com/crowdstrike/falcon-operator/pkg/registry/auth" + "github.com/crowdstrike/falcon-operator/pkg/registry/falcon_registry" "github.com/crowdstrike/falcon-operator/pkg/registry/pushtoken" "github.com/crowdstrike/gofalcon/falcon" "github.com/go-logr/logr" 
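Review bot: The error from `FalconCloudWithSecret` is returned bare (`return "", err`), unlike the wrapped error in the context lines just above it, so a failed secret or cloud lookup surfaces without saying it happened while selecting the regioned KAC repository. Suggest `return "", fmt.Errorf("failed to resolve Falcon cloud for regioned admission image: %w", err)`. The local name `semver` also reads like the `golang.org/x/mod/semver` package this commit imports in container.go; `version` would avoid the confusion. The same bare return and local name appear in the matching hunk of internal/controller/falcon_container/image_push.go. imageUri starts outside the hunk.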
@@ -174,6 +175,17 @@ func (r *FalconContainerReconciler) imageUri(ctx context.Context, falconContaine return "", fmt.Errorf("failed to set Falcon Container Image version: %v", err) } + if falconContainer.Spec.Registry.Type == falconv1alpha1.RegistryTypeCrowdStrike { + semver := strings.Split(imageTag, "-")[0] + if !falcon_registry.IsMinimumUnifiedSensorVersion(semver, falcon.KacSensor) { + cloud, err := falconContainer.Spec.FalconAPI.FalconCloudWithSecret(ctx, r.Reader, falconContainer.Spec.FalconSecret) + if err != nil { + return "", err + } + registryUri = falcon.FalconContainerSensorImageURI(cloud, falcon.RegionedSidecarSensor) + } + } + return fmt.Sprintf("%s:%s", registryUri, imageTag), nil } diff --git a/pkg/node/config_cache.go b/pkg/node/config_cache.go index be0f29ae..252f68a3 100644 --- a/pkg/node/config_cache.go +++ b/pkg/node/config_cache.go @@ -122,7 +122,7 @@ func (cc *ConfigCache) getFalconImage(ctx context.Context, nodesensor *falconv1a } else { imageUri = falcon_registry.ImageURINode(cloud) if nodesensor.Status.Sensor != nil { - if falcon_registry.IsMinimumUnifiedSensorVersion(strings.Split(*nodesensor.Status.Sensor, "-")[0]) { + if falcon_registry.IsMinimumUnifiedSensorVersion(strings.Split(*nodesensor.Status.Sensor, "-")[0], falcon.NodeSensor) { imageUri = falcon_registry.UnifiedImageURINode(cloud) } } diff --git a/pkg/registry/falcon_registry/container.go b/pkg/registry/falcon_registry/container.go index aaabf3e5..a33de211 100644 --- a/pkg/registry/falcon_registry/container.go +++ b/pkg/registry/falcon_registry/container.go 
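Review bot: `falcon.KacSensor` looks like the wrong sensor type for the version check in the FalconContainer (sidecar) reconciler: the gate calls `IsMinimumUnifiedSensorVersion(semver, falcon.KacSensor)`, while the fallback URI two lines later uses `falcon.RegionedSidecarSensor`. Both thresholds are 7.33.0 in container.go today, so the result is the same, but the sidecar image path would follow the KAC threshold as soon as the two constants diverge. Suggest `if !falcon_registry.IsMinimumUnifiedSensorVersion(semver, falcon.SidecarSensor) {`. imageUri starts outside the hunk.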
@@ -5,15 +5,24 @@ import ( "strings" "github.com/crowdstrike/gofalcon/falcon" + "golang.org/x/mod/semver" +) + +const ( + MinimumUnifiedNodeSensorVersion = "7.31.0" + MinimumUnifiedKacSensorVersion = "7.33.0" + MinimumUnifiedSidecarSensorVersion = "7.33.0" ) func (reg *FalconRegistry) LastContainerTag(ctx context.Context, sensorType falcon.SensorType, versionRequested *string) (string, error) { + var tag string + systemContext, err := reg.systemContext() if err != nil { return "", err } - return lastTag(ctx, systemContext, reg.imageUriContainer(sensorType), func(tag string) bool { + regionedFilter := func(tag string) bool { tagContains := ".container" if sensorType == falcon.ImageSensor || sensorType == falcon.KacSensor { tagContains = "" 
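Review bot: The three exported constants added at the top of this hunk have no doc comment, so nothing states what "unified" refers to or why the node threshold (7.31.0) differs from the KAC and sidecar ones (7.33.0). A group comment would help, for example `// Minimum sensor versions, per sensor type, from which the unified registry repository is used; older tags are resolved from the regioned repository.` That wording is inferred from how the imageUri callers use `IsMinimumUnifiedSensorVersion` and should be confirmed. The exported name `MinimumUnifiedSensorVersion` is also removed from node.go by this commit, which would break any importer outside the files shown. LastContainerTag continues outside the hunk.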
@@ -22,9 +31,44 @@ func (reg *FalconRegistry) LastContainerTag(ctx context.Context, sensorType falc return (tag[0] >= '0' && tag[0] <= '9' && strings.Contains(tag, tagContains) && (versionRequested == nil || strings.HasPrefix(tag, *versionRequested))) - }) + } + + unifiedFilter := func(tag string) bool { + return (tag[0] >= '0' && tag[0] <= '9' && + (versionRequested == nil || strings.HasPrefix(tag, *versionRequested))) + } + + switch sensorType { + case falcon.KacSensor: + tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.KacSensor), unifiedFilter) + if err != nil { + tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.RegionedKacSensor), regionedFilter) + } + case falcon.SidecarSensor: + tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.SidecarSensor), unifiedFilter) + if err != nil { + tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.RegionedSidecarSensor), regionedFilter) + } + default: + tag, err = lastTag(ctx, systemContext, reg.imageUriContainer(sensorType), regionedFilter) + } + + return tag, err } func (fr *FalconRegistry) imageUriContainer(sensorType falcon.SensorType) string { return falcon.FalconContainerSensorImageURI(fr.falconCloud, sensorType) } + +func IsMinimumUnifiedSensorVersion(version string, sensorType falcon.SensorType) bool { + switch sensorType { + case falcon.NodeSensor: + return semver.Compare("v"+version, "v"+MinimumUnifiedNodeSensorVersion) >= 0 + case falcon.KacSensor: + return semver.Compare("v"+version, "v"+MinimumUnifiedKacSensorVersion) >= 0 + case falcon.SidecarSensor: + return semver.Compare("v"+version, "v"+MinimumUnifiedSidecarSensorVersion) >= 0 + } + + return false +} diff --git a/pkg/registry/falcon_registry/node.go b/pkg/registry/falcon_registry/node.go index a3374137..f079ef89 100644 --- a/pkg/registry/falcon_registry/node.go 
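Review bot: The fallback in the `falcon.KacSensor` and `falcon.SidecarSensor` cases retries against the regioned repository on any error from the unified lookup and overwrites that error. An authentication or network failure on the unified repository is therefore either hidden, if the regioned lookup succeeds, or replaced by the second error. Keep the first error and report both when the retry fails, e.g. `unifiedErr := err` before the retry and `err = fmt.Errorf("unified repository: %v; regioned repository: %w", unifiedErr, err)` after it; `fmt` may need adding to this file's imports, which are only partly visible. Separately, `IsMinimumUnifiedSensorVersion` returns false both for an unknown sensor type and for a version that is not valid semver (`semver.Compare` orders invalid versions below valid ones), so a non-numeric tag silently selects the regioned repository in the imageUri callers. A doc comment stating that, or a `semver.IsValid` check, would make the behaviour explicit.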
+++ b/pkg/registry/falcon_registry/node.go @@ -6,11 +6,6 @@ import ( "strings" "github.com/crowdstrike/gofalcon/falcon" - "golang.org/x/mod/semver" -) - -const ( - MinimumUnifiedSensorVersion = "7.31.0" ) func (reg *FalconRegistry) LastNodeTag(ctx context.Context, versionRequested *string) (string, error) { @@ -52,7 +47,3 @@ func UnifiedImageURINode(falconCloud falcon.CloudType) string { func CrowdstrikeRepoOverride(falconCloud falcon.CloudType, repoOverride string) string { return fmt.Sprintf("%s/%s", registryFQDN(falconCloud), repoOverride) } - -func IsMinimumUnifiedSensorVersion(version string) bool { - return semver.Compare("v"+version, "v"+MinimumUnifiedSensorVersion) >= 0 -}