fix: Override default tolerations for daemonset with empty list

api/falcon/v1alpha1/falconnodesensor_types.go

@@ -44,7 +44,7 @@ type FalconNodeSensorConfig struct {
 	// Specifies tolerations for custom taints. Defaults to allowing scheduling on all nodes.
 	// +kubebuilder:default:={{key: "node-role.kubernetes.io/master", operator: "Exists", effect: "NoSchedule"}, {key: "node-role.kubernetes.io/control-plane", operator: "Exists", effect: "NoSchedule"}, {key: "node-role.kubernetes.io/infra", operator: "Exists", effect: "NoSchedule"}}
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=4
-	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+	Tolerations *[]corev1.Toleration `json:"tolerations,omitempty"`
 
 	// Specifies node affinity for scheduling the DaemonSet. Defaults to allowing scheduling on all nodes.
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=5
@@ -214,3 +214,27 @@ type FalconNodeSensorList struct {
 func init() {
 	SchemeBuilder.Register(&FalconNodeSensor{}, &FalconNodeSensorList{})
 }
+
+func (sensor FalconNodeSensor) GetTolerations() *[]corev1.Toleration {
+	if sensor.Spec.Node.Tolerations == nil {
+		return &[]corev1.Toleration{
+			{
+				Key:      "node-role.kubernetes.io/master",
+				Operator: "Exists",
+				Effect:   "NoSchedule",
+			},
+			{
+				Key:      "node-role.kubernetes.io/control-plane",
+				Operator: "Exists",
+				Effect:   "NoSchedule",
+			},
+			{
+				Key:      "node-role.kubernetes.io/infra",
+				Operator: "Exists",
+				Effect:   "NoSchedule",
+			},
+		}
+	}
+
+	return sensor.Spec.Node.Tolerations
+}

api/falcon/v1alpha1/zz_generated.deepcopy.go

@@ -1057,9 +1057,13 @@ func (in *FalconNodeSensorConfig) DeepCopyInto(out *FalconNodeSensorConfig) {
 	*out = *in
 	if in.Tolerations != nil {
 		in, out := &in.Tolerations, &out.Tolerations
-		*out = make([]corev1.Toleration, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
+		*out = new([]corev1.Toleration)
+		if **in != nil {
+			in, out := *in, *out
+			*out = make([]corev1.Toleration, len(*in))
+			for i := range *in {
+				(*in)[i].DeepCopyInto(&(*out)[i])
+			}
 		}
 	}
 	in.NodeAffinity.DeepCopyInto(&out.NodeAffinity)

internal/controller/assets/daemonset.go

@@ -213,7 +213,7 @@ func Daemonset(dsName, image, serviceAccount string, node *falconv1alpha1.Falcon
 					// NodeSelector is set to linux until windows containers are supported for the Falcon sensor
 					NodeSelector:                  common.NodeSelector,
 					Affinity:                      nodeAffinity(node),
-					Tolerations:                   node.Spec.Node.Tolerations,
+					Tolerations:                   *node.GetTolerations(),
 					HostPID:                       hostpid,
 					HostIPC:                       hostipc,
 					HostNetwork:                   hostnetwork,
@@ -304,7 +304,7 @@ func RemoveNodeDirDaemonset(dsName, image, serviceAccount string, node *falconv1
 					// NodeSelector is set to linux until windows containers are supported for the Falcon sensor
 					NodeSelector:                  common.NodeSelector,
 					Affinity:                      nodeAffinity(node),
-					Tolerations:                   node.Spec.Node.Tolerations,
+					Tolerations:                   *node.GetTolerations(),
 					HostPID:                       hostpid,
 					TerminationGracePeriodSeconds: getTermGracePeriod(node),
 					ImagePullSecrets:              pullSecrets(node),

internal/controller/assets/daemonset_test.go

@@ -188,6 +188,7 @@ func TestDaemonset(t *testing.T) {
 	falconNode.Name = "test"
 	image := "testImage"
 	dsName := "test-DaemonSet"
+	falconNode.Spec.Node.Tolerations = falconNode.GetTolerations()
 
 	privileged := true
 	escalation := true
@@ -217,9 +218,25 @@ func TestDaemonset(t *testing.T) {
 				},
 				Spec: corev1.PodSpec{
 					// NodeSelector is set to linux until windows containers are supported for the Falcon sensor
-					NodeSelector:                  common.NodeSelector,
-					Affinity:                      nodeAffinity(&falconNode),
-					Tolerations:                   falconNode.Spec.Node.Tolerations,
+					NodeSelector: common.NodeSelector,
+					Affinity:     nodeAffinity(&falconNode),
+					Tolerations: []corev1.Toleration{
+						{
+							Key:      "node-role.kubernetes.io/master",
+							Operator: "Exists",
+							Effect:   "NoSchedule",
+						},
+						{
+							Key:      "node-role.kubernetes.io/control-plane",
+							Operator: "Exists",
+							Effect:   "NoSchedule",
+						},
+						{
+							Key:      "node-role.kubernetes.io/infra",
+							Operator: "Exists",
+							Effect:   "NoSchedule",
+						},
+					},
 					HostPID:                       hostpid,
 					HostIPC:                       hostipc,
 					HostNetwork:                   hostnetwork,
@@ -298,6 +315,7 @@ func TestRemoveNodeDirDaemonset(t *testing.T) {
 	falconNode.Name = "test"
 	image := "testImage"
 	dsName := "test-DaemonSet"
+	falconNode.Spec.Node.Tolerations = falconNode.GetTolerations()
 
 	privileged := true
 	nonPrivileged := false
@@ -324,9 +342,25 @@ func TestRemoveNodeDirDaemonset(t *testing.T) {
 				},
 				Spec: corev1.PodSpec{
 					// NodeSelector is set to linux until windows containers are supported for the Falcon sensor
-					NodeSelector:                  common.NodeSelector,
-					Affinity:                      nodeAffinity(&falconNode),
-					Tolerations:                   falconNode.Spec.Node.Tolerations,
+					NodeSelector: common.NodeSelector,
+					Affinity:     nodeAffinity(&falconNode),
+					Tolerations: []corev1.Toleration{
+						{
+							Key:      "node-role.kubernetes.io/master",
+							Operator: "Exists",
+							Effect:   "NoSchedule",
+						},
+						{
+							Key:      "node-role.kubernetes.io/control-plane",
+							Operator: "Exists",
+							Effect:   "NoSchedule",
+						},
+						{
+							Key:      "node-role.kubernetes.io/infra",
+							Operator: "Exists",
+							Effect:   "NoSchedule",
+						},
+					},
 					HostPID:                       hostpid,
 					TerminationGracePeriodSeconds: getTermGracePeriod(&falconNode),
 					ImagePullSecrets:              pullSecrets(&falconNode),

internal/controller/falcon_node/falconnodesensor_controller.go

@@ -638,13 +638,13 @@ func updateDaemonSetContainerProxy(ds *appsv1.DaemonSet, logger logr.Logger) boo
 // If an update is needed, this will update the tolerations from the given DaemonSet
 func (r *FalconNodeSensorReconciler) updateDaemonSetTolerations(ctx context.Context, ds *appsv1.DaemonSet, nodesensor *falconv1alpha1.FalconNodeSensor, logger logr.Logger) (bool, error) {
 	tolerations := &ds.Spec.Template.Spec.Tolerations
-	origTolerations := nodesensor.Spec.Node.Tolerations
-	tolerationsUpdate := !equality.Semantic.DeepEqual(*tolerations, origTolerations)
+	origTolerations := nodesensor.GetTolerations()
+	tolerationsUpdate := !equality.Semantic.DeepEqual(*tolerations, *origTolerations)
 	if tolerationsUpdate {
 		logger.Info("Updating FalconNodeSensor DaemonSet Tolerations")
-		mergedTolerations := k8s_utils.MergeTolerations(*tolerations, origTolerations)
+		mergedTolerations := k8s_utils.MergeTolerations(*tolerations, *origTolerations)
 		*tolerations = mergedTolerations
-		nodesensor.Spec.Node.Tolerations = mergedTolerations
+		nodesensor.Spec.Node.Tolerations = &mergedTolerations
 
 		if err := r.Update(ctx, nodesensor); err != nil {
 			logger.Error(err, "Failed to update FalconNodeSensor Tolerations")