
Allow flexible configuration of container affinity #200

Closed
wants to merge 2 commits into from

Conversation


@617m4rc 617m4rc commented Jun 1, 2023

Allow more flexible configuration of the container affinity. This change allows for better support of mixed scenarios where the regular worker nodes are protected by the node sensor and only certain containers should be protected by the container sensor, e.g. when using AWS Fargate, Azure Container Instances, Google Cloud Run. Resolves #134

@redhatrises (Contributor)

Hello,

Thanks for opening this, but unfortunately, this PR doesn't work as described or intended, since it only sets the affinity for the webhook injector service and not the actual sidecar-injected sensor. The container sensor uses a mutating webhook which is cluster-wide, so setting the affinity for the injection service won't actually tell the sensor to only inject into pods on, say, Fargate-only nodes. This means that in mixed clusters the sensor will be injected into all pods.

Setting sensor.falcon-system.crowdstrike.com/injection to disabled in each namespace/pod or disabling injection by default and setting sensor.falcon-system.crowdstrike.com/injection to enabled in each namespace/pod is the way to do it which is pretty standard/common for kubernetes deployments.

@617m4rc 617m4rc closed this Jun 21, 2023
@bellaned

> Hello,
>
> Thanks for opening this, but unfortunately, this PR doesn't work as described or intended since it only sets the affinity for the webhook injector service and not the actual sidecar injected sensor. The container sensor uses a mutating webhook which is cluster-wide so setting the affinity for the injection service won't actually tell the sensor to only inject into pods on say fargate-only nodes. This means that in mixed clusters the sensor will be injected into all pods.
>
> Setting sensor.falcon-system.crowdstrike.com/injection to disabled in each namespace/pod or disabling injection by default and setting sensor.falcon-system.crowdstrike.com/injection to enabled in each namespace/pod is the way to do it which is pretty standard/common for kubernetes deployments.

Hi,

Is it actually possible to run the falcon helm chart with:

```yaml
node:
  enabled: true
container:
  enabled: true
```

Because in our setup we have an issue with using both node sensors and container sensors (using Argo for the deployment).
And when I reached out to Falcon support, they told me that this is not possible, i.e. to have both sensors run simultaneously.

Thanks in advance!

@617m4rc 617m4rc deleted the feature/container-affinity branch June 22, 2023 11:36
@redhatrises (Contributor)

@bellaned

Yes. However, this would only be for a mixed cluster like EKS with Fargate nodes, in which case you would need to disable the sidecar injection in each namespace or pod not running on Fargate nodes. What is not supported is running the sidecar in pods that run on nodes that also have the node sensor installed.
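The two maintainer replies above describe the same mixed-cluster rule from both directions: use the sensor.falcon-system.crowdstrike.com/injection label (opt-out per namespace/pod with injection enabled by default, or opt-in with injection disabled by default), and never end up with the sidecar on a node that also runs the node sensor. The script below is an added audit example, not code from the falcon-helm project or from anyone in this thread. It assumes, since the page does not say so, that a pod-level label overrides a namespace-level one, that EKS Fargate nodes carry the label eks.amazonaws.com/compute-type=fargate, and that the node sensor DaemonSet covers every non-Fargate node; the cluster inventory is constructed inline and resembles what `kubectl get ... -o json` would give you.

```python
"""Audit sidecar-injection state in a mixed EKS/Fargate cluster.

Flags the two outcomes the maintainer warns about:
  * a pod that will receive the container-sensor sidecar while running on a
    node that also has the node sensor (unsupported combination);
  * a Fargate pod that will receive no sidecar and therefore no sensor at all.

Assumptions (not confirmed by the thread): pod label beats namespace label,
Fargate nodes are identified by the EKS compute-type label, and the node
sensor runs on every non-Fargate node.
"""
from dataclasses import dataclass, field

INJECTION_LABEL = "sensor.falcon-system.crowdstrike.com/injection"  # from the thread
FARGATE_LABEL = "eks.amazonaws.com/compute-type"                    # assumption: EKS marker
FARGATE_VALUE = "fargate"


@dataclass
class Pod:
    name: str
    namespace: str
    node: str
    labels: dict = field(default_factory=dict)


def injection_enabled(default_enabled, ns_labels, pod_labels):
    """Resolve the effective injection setting.

    Assumed precedence: pod label > namespace label > chart default.
    Any value other than "enabled"/"disabled" is ignored at that level.
    """
    for labels in (pod_labels, ns_labels):
        value = labels.get(INJECTION_LABEL)
        if value == "enabled":
            return True
        if value == "disabled":
            return False
    return default_enabled


def audit(default_enabled, namespaces, nodes, pods):
    """Return (pod_ref, problem) for every pod whose sidecar state conflicts
    with the node it is scheduled on."""
    findings = []
    for pod in pods:
        injected = injection_enabled(
            default_enabled, namespaces.get(pod.namespace, {}), pod.labels
        )
        on_fargate = nodes.get(pod.node, {}).get(FARGATE_LABEL) == FARGATE_VALUE
        ref = f"{pod.namespace}/{pod.name}"
        if injected and not on_fargate:
            findings.append((ref, "sidecar and node sensor on the same node (unsupported)"))
        elif on_fargate and not injected:
            findings.append((ref, "Fargate pod without any sensor"))
    return findings


def sample_cluster():
    """Constructed inventory: one Fargate node, one EC2 worker, three namespaces."""
    fargate = "fargate-ip-10-0-1-5.ec2.internal"
    ec2 = "ip-10-0-2-7.ec2.internal"
    namespaces = {
        "fargate-apps": {INJECTION_LABEL: "enabled"},   # namespace opt-in
        "backend": {INJECTION_LABEL: "disabled"},       # namespace opt-out
        "default": {},                                  # falls back to chart default
    }
    nodes = {fargate: {FARGATE_LABEL: FARGATE_VALUE}, ec2: {}}
    pods = [
        Pod("api", "fargate-apps", fargate),
        Pod("worker", "backend", ec2),
        Pod("legacy", "default", ec2),                                   # inherits default
        Pod("batch", "default", fargate, {INJECTION_LABEL: "enabled"}),  # pod-level opt-in
        Pod("optout", "fargate-apps", fargate, {INJECTION_LABEL: "disabled"}),  # pod beats ns
    ]
    return namespaces, nodes, pods


def compare_defaults():
    """Run the audit under both chart defaults the maintainer mentions."""
    namespaces, nodes, pods = sample_cluster()
    return {
        True: audit(True, namespaces, nodes, pods),    # injection on by default, opt-out
        False: audit(False, namespaces, nodes, pods),  # injection off by default, opt-in
    }


if __name__ == "__main__":
    for default, findings in compare_defaults().items():
        print(f"injection enabled by default = {default}")
        for ref, problem in findings:
            print(f"  {ref}: {problem}")
```

With injection enabled by default the unlabelled `default/legacy` pod on the EC2 worker is flagged as the unsupported double-sensor case; switching the chart to opt-in clears that finding, but the pod-level opt-out in `fargate-apps` is reported under both defaults because that Fargate pod ends up with no sensor either way.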

Successfully merging this pull request may close these issues.

Feature: Add option to limit the Container Sensor to Fargate Pods