CrowdStrike / falcon-operator

https://artifacthub.io/packages/olm/falcon-operator/falcon-operator
Apache License 2.0
49 stars 37 forks

bug: "invalid memory address" for FalconImageAnalyzer resource #575

Open comptonad opened 2 months ago

comptonad commented 2 months ago

I created the following FalconImageAnalyzer resource:

apiVersion: falcon.crowdstrike.com/v1alpha1
kind: FalconImageAnalyzer
metadata:
  name: falcon-image-analyzer
spec:
  installNamespace: falcon-image-analyzer
  image: <our-registry>/crowdstrike/falcon-imageanalyzer:1.0.13
  imageAnalyzerConfig:
    clusterName: <our-cluster-name>
    imagePullPolicy: IfNotPresent
    imagePullSecrets:
      - name: <our-secret-name>

And now the falcon-operator is in a CrashLoopBackOff with the following error:

2024-08-07T17:19:48Z    INFO    Observed a panic in reconciler: runtime error: invalid memory address or nil pointer dereference    {"controller": "falconimageanalyzer", "controllerGroup": "falcon.crowdstrike.com", "controllerKind": "FalconImageAnalyzer", "FalconImageAnalyzer": {"name":"falcon-image-analyzer"}, "namespace": "", "name": "falcon-image-analyzer", "reconcileID": "4708945a-7892-4e55-81b0-da27cb541104"}
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x26e11f5]

goroutine 346 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
    /opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:115 +0x1e5
panic({0x2b2ce00?, 0x5427a10?})
    /usr/lib/golang/src/runtime/panic.go:914 +0x21f
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).newConfigMap(0xc00009ac00?, {0x3540aa8, 0xc000a00120}, {0xc00007d360, 0x1c}, 0xc00002f080)
    /workspace/internal/controller/falcon_image_analyzer/configmap.go:76 +0xd5
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).reconcileGenericConfigMap(0xc00012d380, {0xc00007d360, 0x1c}, 0x30bab7c?, {0x3540aa8, 0xc000a00120}, {{{0x0, 0x0}, {0xc000443548, 0x15}}}, ...)
    /workspace/internal/controller/falcon_image_analyzer/configmap.go:33 +0x87
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).reconcileConfigMap(0xc00012d380, {0x3540aa8, 0xc000a00120}, {{{0x0?, 0x426a88?}, {0xc000443548?, 0x7b36f3?}}}, {{0x3544fa8, 0xc000a00150}, 0x0}, ...)
    /workspace/internal/controller/falcon_image_analyzer/configmap.go:29 +0x125
github.com/crowdstrike/falcon-operator/internal/controller/falcon_image_analyzer.(*FalconImageAnalyzerReconciler).Reconcile(0xc00012d380, {0x3540aa8?, 0xc000a00120}, {{{0x0?, 0x0?}, {0xc000443548?, 0x41edc5?}}})
    /workspace/internal/controller/falcon_image_analyzer/falconimage_controller.go:212 +0xddc
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x3540aa8?, {0x3540aa8?, 0xc000a00120?}, {{{0x0?, 0x2988c80?}, {0xc000443548?, 0x352e940?}}})
    /opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:118 +0xb7
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc000514c80, {0x3540ae0, 0xc0000d43c0}, {0x2c37f60?, 0xc0005489a0?})
    /opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:314 +0x368
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc000514c80, {0x3540ae0, 0xc0000d43c0})
    /opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265 +0x1c9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
    /opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226 +0x79
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 130
    /opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:222 +0x565

Looking at the line in the error above, the FalconImageAnalyzer controller is expecting the FalconAPI struct to exist, which it does not on the resource I created.

There seems to be a gap in the logic around the config map handling here, but I'm not confident enough in my understanding of what is supposed to happen here to create a PR with a fix.
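The crash path above is a reconciler dereferencing an optional pointer field before checking it. The following is an added example, not code from the falcon-operator repository: the struct shapes are cut-down stand-ins modeled on the CR in the report (the real operator types, field names and config map keys are assumptions here), and it contrasts the crashing pattern with a guarded version that returns a typed error the controller can report in a status condition or event instead of crash-looping the whole operator pod.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, cut-down shapes modeled on the FalconImageAnalyzer CR in the
// issue; they are not the operator's real Go types.
type FalconAPI struct {
	ClientID    string
	CloudRegion string
}

type ImageAnalyzerConfig struct {
	ClusterName string
}

type FalconImageAnalyzerSpec struct {
	InstallNamespace    string
	FalconAPI           *FalconAPI // optional in the CR, so it may be nil
	ImageAnalyzerConfig ImageAnalyzerConfig
}

// ErrMissingFalconAPI is returned instead of letting the reconciler dereference nil.
var ErrMissingFalconAPI = errors.New("spec.falcon_api is required for FalconImageAnalyzer")

// configMapDataUnsafe mirrors the crashing pattern: it trusts that FalconAPI is set.
// The map keys are illustrative, not the operator's real config map keys.
func configMapDataUnsafe(spec FalconImageAnalyzerSpec) map[string]string {
	return map[string]string{
		"cluster_name": spec.ImageAnalyzerConfig.ClusterName,
		"cloud_region": spec.FalconAPI.CloudRegion, // panics when FalconAPI == nil
	}
}

// configMapData validates the optional pointer first and returns a typed error,
// so the controller can surface a condition or event rather than crash-loop.
func configMapData(spec FalconImageAnalyzerSpec) (map[string]string, error) {
	if spec.FalconAPI == nil {
		return nil, ErrMissingFalconAPI
	}
	if spec.FalconAPI.ClientID == "" || spec.FalconAPI.CloudRegion == "" {
		return nil, fmt.Errorf("spec.falcon_api: client_id and cloud_region must both be set")
	}
	return map[string]string{
		"cluster_name": spec.ImageAnalyzerConfig.ClusterName,
		"cloud_region": spec.FalconAPI.CloudRegion,
	}, nil
}

// unsafePanics reports whether configMapDataUnsafe panics for the given spec;
// it exists to show the crash path without taking the whole process down.
func unsafePanics(spec FalconImageAnalyzerSpec) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_ = configMapDataUnsafe(spec)
	return false
}

func main() {
	// Same shape as the reporter's CR: no falcon_api block at all.
	spec := FalconImageAnalyzerSpec{
		InstallNamespace:    "falcon-image-analyzer",
		ImageAnalyzerConfig: ImageAnalyzerConfig{ClusterName: "example-cluster"},
	}
	fmt.Println("unsafe path panics:", unsafePanics(spec))
	if _, err := configMapData(spec); err != nil {
		fmt.Println("guarded path:", err)
	}
}
```

controller-runtime recovers reconciler panics only when RecoverPanic is enabled; otherwise, as in the log above, the process dies and every other controller in the operator goes down with it. Validating required fields up front (or rejecting the CR at admission time via the CRD schema) keeps a single malformed resource from disabling the whole operator.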

redhatrises commented 2 months ago

Hello,

Currently, having FalconAPI configured and set is required for IAR functionality.

comptonad commented 2 months ago

I've attempted to add FalconAPI, but I'm seeing 403s in the image analyzer pod logs. What permissions are needed in this case?

time="2024-08-07T20:33:23Z" level=error msg="error getting imageanalyzer config. will try again" mode=watcher error="received 403 from uri https://api.crowdstrike.com/image-assessment/runtime/entities/config/v1 - response = {\n \"meta\": {\n  \"query_time\": 1.28e-7,\n  \"powered_by\": \"crowdstrike-api-gateway\",\n  \"trace_id\": \"17b24113-f416-4eb3-99b8-1018bbc50fa5\"\n },\n \"errors\": [\n  {\n   \"code\": 403,\n   \"message\": \"access denied, authorization failed\"\n  }\n ]\n}"

I've followed the readme and, like the CRD readmes, it says I only need Falcon Images Download: Read and Sensor Download: Read, which to my understanding is just for pulling the Docker images if an image is not specified. And to note, the credentials I've provided work for the falcon-container-sensor-pull.sh script, so I know they are valid.

comptonad commented 2 months ago

Minor update with additional context: in the above example I had falcon_api.cloud_region set to us-1. When I try the value us-2 I get 401s:

time="2024-08-08T14:27:37Z" level=error msg="error getting imageanalyzer config. will try again" mode=watcher error="received 401 from uri https://api.us-2.crowdstrike.com/image-assessment/runtime/entities/config/v1 - response = {\n \"meta\": {\n  \"query_time\": 1.61e-7,\n  \"powered_by\": \"crowdstrike-api-gateway\",\n  \"trace_id\": \"becccaf4-8c36-4890-a20e-cd1b814e3cdc\"\n },\n \"errors\": [\n  {\n   \"code\": 401,\n   \"message\": \"access denied, invalid bearer token\"\n  }\n ]\n}"

And just for kicks I tried autodiscover (noted in some of the other resources) and I got this:
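The three errors in this thread are three different stages of the same client flow: a 403 is a valid token without the needed API scope, a 401 "invalid bearer token" is a token presented to a cloud that did not issue it (CrowdStrike API credentials are bound to the cloud they were created in, so a us-1 client ID and secret will not authenticate against api.us-2.crowdstrike.com), and `Post "/oauth2/token": unsupported protocol scheme ""` is Go's net/http refusing a request whose base URL was never resolved, which is what an unresolved autodiscover leaves behind. The following added example, not code from the image analyzer or the operator, resolves the token endpoint from the cloud region up front and reproduces the scheme error offline; us-1 and us-2 are the hosts visible in the logs above, the eu-1 and us-gov-1 entries are the documented regional endpoints and an assumption of this example, and the client-credentials request body is the standard OAuth2 form, not something the page shows.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Base API URL per CrowdStrike cloud. us-1 and us-2 match the hosts in the
// issue's logs; eu-1 and us-gov-1 are assumed from CrowdStrike's published
// regional endpoints and are not taken from this issue.
var cloudBaseURLs = map[string]string{
	"us-1":     "https://api.crowdstrike.com",
	"us-2":     "https://api.us-2.crowdstrike.com",
	"eu-1":     "https://api.eu-1.crowdstrike.com",
	"us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
}

var ErrUnknownRegion = errors.New("unknown or empty falcon_api.cloud_region")

// TokenURL resolves the OAuth2 token endpoint for a region and fails early on
// an empty or unknown region instead of building a scheme-less relative URL.
func TokenURL(region string) (string, error) {
	base, ok := cloudBaseURLs[strings.ToLower(strings.TrimSpace(region))]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrUnknownRegion, region)
	}
	return base + "/oauth2/token", nil
}

// RequestToken posts a client-credentials grant to baseURL + /oauth2/token.
// baseURL is used as-is so that an empty base (the failed-autodiscover case
// from the issue) can be reproduced offline: net/http rejects the relative
// URL before any socket is opened.
func RequestToken(ctx context.Context, baseURL, clientID, clientSecret string) error {
	form := url.Values{"client_id": {clientID}, "client_secret": {clientSecret}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		baseURL+"/oauth2/token", strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return err // e.g. Post "/oauth2/token": unsupported protocol scheme ""
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK, http.StatusCreated:
		return nil
	case http.StatusUnauthorized:
		return fmt.Errorf("401 from %s: credentials were not issued by this cloud", req.URL.Host)
	case http.StatusForbidden:
		return fmt.Errorf("403 from %s: token lacks the required API scope", req.URL.Host)
	default:
		return fmt.Errorf("token endpoint returned %d", resp.StatusCode)
	}
}

// IsSchemeError reports whether err is net/http's unsupported-scheme failure.
func IsSchemeError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "unsupported protocol scheme")
}

func main() {
	// Empty base URL: the same failure the autodiscover attempt logged.
	err := RequestToken(context.Background(), "", "client-id", "client-secret")
	fmt.Println("empty base:", err, "scheme error:", IsSchemeError(err))

	// Resolve the base from the configured region before building any request.
	for _, r := range []string{"us-1", "us-2", ""} {
		u, err := TokenURL(r)
		fmt.Printf("region %q -> %q err=%v\n", r, u, err)
	}
}
```

The practical check before filing an auth problem against the operator: confirm which cloud the API client was created in, set falcon_api.cloud_region to exactly that cloud, and verify the client's assigned scopes in the Falcon console; a 401 points at the wrong cloud, a 403 at a missing scope on an otherwise valid client.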

time="2024-08-08T14:25:58Z" level=error msg="error getting imageanalyzer config. will try again" error="unable to get JWT: unable to refresh JWT from crowdstrike: unable to complete request to crowdstrike Auth: Post \"/oauth2/token\": unsupported protocol scheme \"\"" mode=watcher