elastic · ChrsMark · Apr 23, 2020 · Apr 21, 2020 · Apr 22, 2020 · Apr 22, 2020
diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml
@@ -79,10 +79,11 @@ data:
       hosts: ["https://${NODE_NAME}:10250"]
       bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
       ssl.verification_mode: "none"
-      # If using Red Hat OpenShift remove ssl.verification_mode entry and
-      # uncomment these settings:
+      # If there is a CA bundle that contains the issuer of the certificate used in the Kubelet API,
+      # remove ssl.verification_mode entry and use the CA, for instance:
       #ssl.certificate_authorities:
         #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    # Currently `proxy` metricset is not supported on Openshift, comment out section
     - module: kubernetes
       metricsets:
         - proxy

diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml
@@ -79,10 +79,11 @@ data:
       hosts: ["https://${NODE_NAME}:10250"]
       bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
       ssl.verification_mode: "none"
-      # If using Red Hat OpenShift remove ssl.verification_mode entry and
-      # uncomment these settings:
+      # If there is a CA bundle that contains the issuer of the certificate used in the Kubelet API,
+      # remove ssl.verification_mode entry and use the CA, for instance:
       #ssl.certificate_authorities:
         #- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+    # Currently `proxy` metricset is not supported on Openshift, comment out section
     - module: kubernetes
       metricsets:
         - proxy

diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc
@@ -85,6 +85,15 @@ spec:
 If you are using Red Hat OpenShift, you need to specify additional settings in
 the manifest file and enable the container to run as privileged.
 
+. Modify the `DaemonSet` container spec in the manifest file:
++
+[source,yaml]
+-----
+  securityContext:
+    runAsUser: 0
+    privileged: true
+-----
 # If using Red Hat OpenShift uncomment this: 
 # If using Red Hat OpenShift uncomment this: 
+
 . In the manifest file, edit the `metricbeat-daemonset-modules` ConfigMap, and
 specify the following settings under `kubernetes.yml` in the `data` section:
 +
@@ -103,7 +112,26 @@ specify the following settings under `kubernetes.yml` in the `data` section:
       hosts: ["https://${NODE_NAME}:10250"]
       bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
       ssl.certificate_authorities:
-        - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+        - /path/to/kubelet-service-ca.crt
+-----
+NOTE: `kubelet-service-ca.crt` can be any CA bundle that contains the issuer of the certificate used in the Kubelet API.
+According to each specific installation of Openshift this can be found either in `secrets` or in `configmaps`.
+In some installations it can be available as part of the service account secret, in
+`/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`.
+In case of using Openshift installer[https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md]
+for GCP then the following `configmap` can be mounted in Metricbeat Pod and use `ca-bundle.crt`
+in `ssl.certificate_authorities`:
++
+[source,shell]
+-----
+Name:         kubelet-serving-ca
+Namespace:    openshift-kube-apiserver
+Labels:       <none>
+Annotations:  <none>
+
+Data
+====
+ca-bundle.crt:
 -----
 
 . Under the `metricbeat` ClusterRole, add the following resources: