redhatrises
commented
2 months ago Hello,
This is intentional as the operator is not meant to manage the CS UI or the CS plaform, and this functionality is really outside the scope of the operator itself. Operationally, using the lambda function is operationally a better approach.
amanfredi
By default, terminated hosts persist in the Crowdstrike UI for 45 days unless manually deregistered. This can cause extremely high numbers of hosts in environments that frequently scale up and down. It seems like the Falcon Operator would be well positioned to automatically hide these hosts upon termination. I thought this might be accomplished with a preStop hook on the falcon-node-sensor daemonset.
Crowdstrike provides a lambda function to do this in the following repo: https://github.com/CrowdStrike/cloud-scripts-hide-host/tree/main