Bumping to version 1.10.0

- Updated Makefile with version 1.10.0
- Generated manifests and bundle for quay.io/crowdstrike/falcon-operator:1.10.0
- Updated CHANGELOG.md with release notes

Author: Engineering Systems

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.10.0] - 2026-01-06
+
+### Changed
+
+- remove codeql workflow (#753)
+- fix(IAR): Ensure annotations added outside of the operator do not cause reconcile loops for service accounts (#749)
+- feat: Add unified sensor support for KAC and Lumos (#747)
+- feat: Add e2e tests for OLM (#745)
+- chore(lumos): Add injector container hardening (#742)
+- fix(FalconNodeSensor): Add check for incorrect sensor in init container (#738)
+- update docs with allowed secret name for GKE autopilot
+- feat(KAC): Add configMap monitoring (#739)
+- fix: Ensure daemonset pods are recreated when imagePullSecrets is updated (#729)
+- fix(falcon-kac): Ensure all containers are updated for in-place upgrades (#730)
+
 ## [1.9.0] - 2025-11-18
 
 ### Changed

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.9.0
+VERSION ?= 1.10.0
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

bundle/manifests/falcon-operator-admission-controller-role_rbac.authorization.k8s.io_v1_clusterrole.yaml

@@ -19,8 +19,10 @@ rules:
   - nodes
   - pods
   - replicationcontrollers
-  - secrets
   - services
+  - secrets
+  - configmaps
+  - serviceaccounts
   verbs:
   - get
   - list
@@ -49,6 +51,53 @@ rules:
   - admissionregistration.k8s.io
   resources:
   - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - roles
+  - clusterroles
+  - rolebindings
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  - httproutes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - virtualservices
   verbs:
   - get
   - list

bundle/manifests/falcon-operator.clusterserviceversion.yaml

@@ -148,7 +148,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Security,Monitoring
     containerImage: quay.io/crowdstrike/falcon-operator
-    createdAt: "2025-11-18T23:39:10Z"
+    createdAt: "2026-01-06T23:11:25Z"
     description: Falcon Operator installs CrowdStrike Falcon Sensors on the cluster
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
@@ -165,7 +165,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
     repository: https://github.com/CrowdStrike/falcon-operator
     support: Community Only
-  name: falcon-operator.v1.9.0
+  name: falcon-operator.v1.10.0
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -423,6 +423,10 @@ spec:
       - description: Specifies node affinity for scheduling the Admission Controller.
         displayName: Node Affinity
         path: admissionConfig.nodeAffinity
+      - description: Determines if the admission controller watches for configMap
+          events
+        displayName: Enable ConfigMap Event Watcher
+        path: admissionConfig.configMapWatcherEnabled
       - description: Namespace where Falcon Image Analyzer is installed. KAC needs
           to know this to discover and communicate with IAR.
         displayName: Falcon Image Analyzer Namespace
@@ -1482,6 +1486,10 @@ spec:
       - description: Specifies node affinity for scheduling the Admission Controller.
         displayName: Node Affinity
         path: falconAdmission.admissionConfig.nodeAffinity
+      - description: Determines if the admission controller watches for configMap
+          events
+        displayName: Enable ConfigMap Event Watcher
+        path: falconAdmission.admissionConfig.configMapWatcherEnabled
       - description: Namespace where Falcon Image Analyzer is installed. KAC needs
           to know this to discover and communicate with IAR.
         displayName: Falcon Image Analyzer Namespace
@@ -2086,6 +2094,14 @@ spec:
           - list
           - update
           - watch
+        - apiGroups:
+          - apiextensions.k8s.io
+          resources:
+          - customresourcedefinitions
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - apps
           resources:
@@ -2176,6 +2192,16 @@ spec:
           - get
           - patch
           - update
+        - apiGroups:
+          - gateway.networking.k8s.io
+          resources:
+          - gatewayclasses
+          - gateways
+          - httproutes
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - image.openshift.io
           resources:
@@ -2187,6 +2213,23 @@ spec:
           - list
           - update
           - watch
+        - apiGroups:
+          - networking.istio.io
+          resources:
+          - virtualservices
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - networking.k8s.io
+          resources:
+          - ingresses
+          - networkpolicies
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:
@@ -2287,7 +2330,7 @@ spec:
                       fieldPath: metadata.annotations['olm.targetNamespaces']
                 - name: OPERATOR_NAME
                   value: falcon-operator
-                image: quay.io/crowdstrike/falcon-operator:1.9.0
+                image: quay.io/crowdstrike/falcon-operator:1.10.0
                 livenessProbe:
                   httpGet:
                     path: /healthz
@@ -2386,4 +2429,4 @@ spec:
   provider:
     name: CrowdStrike
     url: https://crowdStrike.com
-  version: 1.9.0
+  version: 1.10.0

bundle/manifests/falcon.crowdstrike.com_falconadmissions.yaml

@@ -58,6 +58,11 @@ spec:
                     description: Determines if the admission controller webhook is
                       enabled
                     type: boolean
+                  configMapWatcherEnabled:
+                    default: true
+                    description: Determines if the admission controller watches for
+                      configMap events
+                    type: boolean
                   containerPort:
                     default: 4443
                     description: Port on which the Falcon Admission Controller container

bundle/manifests/falcon.crowdstrike.com_falcondeployments.yaml

@@ -111,6 +111,11 @@ spec:
                         description: Determines if the admission controller webhook
                           is enabled
                         type: boolean
+                      configMapWatcherEnabled:
+                        default: true
+                        description: Determines if the admission controller watches
+                          for configMap events
+                        type: boolean
                       containerPort:
                         default: 4443
                         description: Port on which the Falcon Admission Controller

config/manager/kustomization.yaml

@@ -15,4 +15,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/crowdstrike/falcon-operator
-  newTag: 1.9.0
+  newTag: 1.10.0

config/manifests/bases/falcon-operator.clusterserviceversion.yaml

@@ -279,6 +279,10 @@ spec:
       - description: Specifies node affinity for scheduling the Admission Controller.
         displayName: Node Affinity
         path: admissionConfig.nodeAffinity
+      - description: Determines if the admission controller watches for configMap
+          events
+        displayName: Enable ConfigMap Event Watcher
+        path: admissionConfig.configMapWatcherEnabled
       - description: Namespace where Falcon Image Analyzer is installed. KAC needs
           to know this to discover and communicate with IAR.
         displayName: Falcon Image Analyzer Namespace
@@ -1338,6 +1342,10 @@ spec:
       - description: Specifies node affinity for scheduling the Admission Controller.
         displayName: Node Affinity
         path: falconAdmission.admissionConfig.nodeAffinity
+      - description: Determines if the admission controller watches for configMap
+          events
+        displayName: Enable ConfigMap Event Watcher
+        path: falconAdmission.admissionConfig.configMapWatcherEnabled
       - description: Namespace where Falcon Image Analyzer is installed. KAC needs
           to know this to discover and communicate with IAR.
         displayName: Falcon Image Analyzer Namespace

deploy/falcon-operator.yaml

@@ -10067,7 +10067,7 @@ spec:
         - name: WATCH_NAMESPACE
         - name: OPERATOR_NAME
           value: falcon-operator
-        image: quay.io/crowdstrike/falcon-operator:1.9.0
+        image: quay.io/crowdstrike/falcon-operator:1.10.0
         livenessProbe:
           httpGet:
             path: /healthz