From 5bee1483349de1074fe9a0492166c1cfc9a52404 Mon Sep 17 00:00:00 2001
From: chrismark
Date: Wed, 8 Jul 2020 12:03:58 +0300
Subject: [PATCH 1/6] Add k8s manifests
Signed-off-by: chrismark
---
deploy/kubernetes/elastic-agent.yaml | 147 ++++++++++++++++++
.../elastic-agent-daemonset.yaml | 44 ++++++
.../elastic-agent-deployment.yaml | 42 +++++
.../elastic-agent-role-binding.yaml | 12 ++
.../elastic-agent/elastic-agent-role.yaml | 36 +++++
.../elastic-agent-service-account.yaml | 7 +
6 files changed, 288 insertions(+)
create mode 100644 deploy/kubernetes/elastic-agent.yaml
create mode 100644 deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml
create mode 100644 deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml
create mode 100644 deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml
create mode 100644 deploy/kubernetes/elastic-agent/elastic-agent-role.yaml
create mode 100644 deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml
diff --git a/deploy/kubernetes/elastic-agent.yaml b/deploy/kubernetes/elastic-agent.yaml
new file mode 100644
index 00000000000..f20ca2796e9
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent.yaml
@@ -0,0 +1,147 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: agent-ingest-management-nodescope
+ namespace: kube-system
+ labels:
+ app: agent-ingest-management-nodescope
+ group: ingest-management
+spec:
+ selector:
+ matchLabels:
+ app: agent-ingest-management-nodescope
+ template:
+ metadata:
+ labels:
+ app: agent-ingest-management-nodescope
+ group: ingest-management
+ spec:
+ serviceAccountName: agent-ingest-management
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: agent-ingest-management-nodescope
+ image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ # Use enrollment key of node scope configuration to distinguish node scope datasets
+ - name: FLEET_ENROLLMENT_TOKEN
+ value:
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: agent-ingest-management-clusterscope
+ namespace: kube-system
+ labels:
+ app: agent-ingest-management-clusterscope
+ group: ingest-management
+spec:
+ selector:
+ matchLabels:
+ app: agent-ingest-management-clusterscope
+ template:
+ metadata:
+ labels:
+ app: agent-ingest-management-clusterscope
+ group: ingest-management
+ spec:
+ serviceAccountName: agent-ingest-management
+ containers:
+ - name: agent-ingest-management-clusterscope
+ image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ # Use enrollment key of cluster scope configuration to distinguish node scope datasets
+ - name: FLEET_ENROLLMENT_TOKEN
+ value:
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: agent-ingest-management
+subjects:
+ - kind: ServiceAccount
+ name: agent-ingest-management
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: agent-ingest-management
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: agent-ingest-management
+ labels:
+ k8s-app: agent-ingest-management
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - events
+ - pods
+ - secrets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources:
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ - deployments
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/stats
+ verbs:
+ - get
+ # required for apiserver
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: agent-ingest-management
+ namespace: kube-system
+ labels:
+ k8s-app: agent-ingest-management
+---
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml
new file mode 100644
index 00000000000..9dd5727d1f7
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml
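Review bot: The ClusterRole in deploy/kubernetes/elastic-agent.yaml lists `secrets` next to nodes, namespaces, events and pods with `get`, `list` and `watch`, and the ClusterRoleBinding applies it cluster-wide, so the `agent-ingest-management` service account can read every Secret in every namespace. The manifest does not show why a metrics agent needs Secret contents, so I would drop the `- secrets` entry, or, if one specific Secret is required, grant it through a namespaced Role restricted with `resourceNames`. Both the DaemonSet (which also sets `hostNetwork: true` and `runAsUser: 0`) and the Deployment run under this account, so a compromise of either pod inherits the grant. The same rule appears in deploy/kubernetes/elastic-agent/elastic-agent-role.yaml.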
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: agent-ingest-management-nodescope
+ namespace: kube-system
+ labels:
+ app: agent-ingest-management-nodescope
+ group: ingest-management
+spec:
+ selector:
+ matchLabels:
+ app: agent-ingest-management-nodescope
+ template:
+ metadata:
+ labels:
+ app: agent-ingest-management-nodescope
+ group: ingest-management
+ spec:
+ serviceAccountName: agent-ingest-management
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: agent-ingest-management-nodescope
+ image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ # Use enrollment key of node scope configuration to distinguish node scope datasets
+ - name: FLEET_ENROLLMENT_TOKEN
+ value:
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml
new file mode 100644
index 00000000000..a1f026442db
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml
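Review bot: `FLEET_ENROLLMENT_TOKEN` in elastic-agent-daemonset.yaml is a bare `value:` with nothing after it, which YAML reads as null, and the only way to fill it is to paste the enrollment token into the manifest, where it ends up in version control and in the stored pod spec. I would read it from a Secret instead, `valueFrom: {secretKeyRef: {name: SECRET_NAME, key: SECRET_KEY}}` (placeholder names), with a comment above it saying the Secret must exist before the DaemonSet is applied. The default `KIBANA_HOST` is `http://kibana:5601`, so the token presumably crosses the network unencrypted during enrollment; a comment recommending an `https://` endpoint would help. The Deployment manifest and the combined deploy/kubernetes/elastic-agent.yaml carry the same two entries, and the documentation added later in the series shows `KIBANA_PASSWORD` inline in the same way.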
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: agent-ingest-management-clusterscope
+ namespace: kube-system
+ labels:
+ app: agent-ingest-management-clusterscope
+ group: ingest-management
+spec:
+ selector:
+ matchLabels:
+ app: agent-ingest-management-clusterscope
+ template:
+ metadata:
+ labels:
+ app: agent-ingest-management-clusterscope
+ group: ingest-management
+ spec:
+ serviceAccountName: agent-ingest-management
+ containers:
+ - name: agent-ingest-management-clusterscope
+ image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ # Use enrollment key of cluster scope configuration to distinguish node scope datasets
+ - name: FLEET_ENROLLMENT_TOKEN
+ value:
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml
new file mode 100644
index 00000000000..bc451c6adf3
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: agent-ingest-management
+subjects:
+ - kind: ServiceAccount
+ name: agent-ingest-management
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: agent-ingest-management
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml
new file mode 100644
index 00000000000..66b1bdc0437
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml
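Review bot: The container `securityContext` in elastic-agent-deployment.yaml sets only `runAsUser: 0`, and this pod has no `hostNetwork` or host mounts, so the manifest does not make clear why the cluster-scope agent needs root. If the image requires uid 0, a comment saying so plus `allowPrivilegeEscalation: false` and, if the agent tolerates it, `capabilities: {drop: ["ALL"]}` would limit what root inside the container can do; otherwise a non-root uid is preferable. The image tag `8.0.0-SNAPSHOT` is also mutable, so the pod may run different bits after each pull, and pinning by digest is worth considering once a release exists. The same `securityContext` and tag appear in the DaemonSet manifest and in deploy/kubernetes/elastic-agent.yaml.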
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: agent-ingest-management
+ labels:
+ k8s-app: agent-ingest-management
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - events
+ - pods
+ - secrets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources:
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ - deployments
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/stats
+ verbs:
+ - get
+ # required for apiserver
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml
new file mode 100644
index 00000000000..107e4210814
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: agent-ingest-management
+ namespace: kube-system
+ labels:
+ k8s-app: agent-ingest-management
From 38114a5fd98b5300819037e2785a655e5f158f03 Mon Sep 17 00:00:00 2001
From: chrismark
Date: Wed, 8 Jul 2020 12:30:01 +0300
Subject: [PATCH 2/6] Add docs
Signed-off-by: chrismark
---
...ent.yaml => elastic-agent-kubernetes.yaml} | 0
.../docs/running-on-kubernetes.asciidoc | 109 ++++++++++++++++++
2 files changed, 109 insertions(+)
rename deploy/kubernetes/{elastic-agent.yaml => elastic-agent-kubernetes.yaml} (100%)
create mode 100644 x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc
diff --git a/deploy/kubernetes/elastic-agent.yaml b/deploy/kubernetes/elastic-agent-kubernetes.yaml
similarity index 100%
rename from deploy/kubernetes/elastic-agent.yaml
rename to deploy/kubernetes/elastic-agent-kubernetes.yaml
diff --git a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc
new file mode 100644
index 00000000000..75a0146180d
--- /dev/null
+++ b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc
@@ -0,0 +1,109 @@
+[[running-on-kubernetes]]
+[role="xpack"]
+=== Run {agent} on Kubernetes
+
+You can use {agent} https://www.docker.elastic.co/r/beats/elastic-agent[Docker images] on Kubernetes to
+retrieve cluster metrics.
+
+ifeval::["{release-state}"=="unreleased"]
+
+However, version {version} of {agent} has not yet been
+released, so no Docker image is currently available for this version.
+
+endif::[]
+
+
+[float]
+==== Kubernetes deploy manifests
+
+You deploy {agent} in two different ways at the same time:
+
+* As a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet]
+to ensure that there's a running instance on each node of the cluster. These
+instances are used to retrieve most metrics from the host, such as system
+metrics, Docker stats, and metrics from all the services running on top of
+Kubernetes.
+
+* As a single {agent} instance created using a https://kubernetes.io/docs/concepts/workloads/controllers/Deployment/[Deployment].
+This instance is used to retrieve metrics that are unique for the whole
+cluster, such as Kubernetes events or
+https://github.com/kubernetes/kube-state-metrics[kube-state-metrics].
+
+Everything is deployed under the `kube-system` namespace by default. To change
+the namespace, modify the manifest file.
+
+To download the manifest file, run:
+
+["source", "sh", subs="attributes"]
+------------------------------------------------
+curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/elastic-agent-kubernetes.yaml
+------------------------------------------------
+
+[float]
+==== Settings
+
+By default, {agent} is enrolled to an existing Kibana deployment,
+if present using the specified credentials. FLEET_ENROLLMENT_TOKEN parameter is used to connect Agent to the
+corresponding Ingest Management configuration. It is suggested to connect Daemonset Agents to a node configuration
+and Deployment Agent to a cluster scope configuration. Then Kubernetes package will be possible to enable cluster scope
+datasets using cluster scope configuration while node scope datasets will be enabled under node scope configuration.
+
+To specify different destination/credentials,
+change the following parameters in the manifest file:
+
+[source,yaml]
+------------------------------------------------
+- name: FLEET_ENROLLMENT_TOKEN
+ value: "abcdf_token"
+- name: KIBANA_HOST
+ value: "http://kibana:5601"
+- name: KIBANA_USERNAME
+ value: "elastic"
+- name: KIBANA_PASSWORD
+ value: "changeme"
+------------------------------------------------
+
+[float]
+===== Running {agent} on master nodes
+
+Kubernetes master nodes can use https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/[taints]
+to limit the workloads that can run on them. To run {agent} on master nodes you may need to
+update the Daemonset spec to include proper tolerations:
+
+[source,yaml]
+------------------------------------------------
+spec:
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+------------------------------------------------
+
+
+[float]
+==== Deploy
+
+If planing to deploy `state_*` datasets of Kubernetes package,
+https://github.com/kubernetes/kube-state-metrics#usage[kube-state-metrics] is needed to be already deployed
+in the cluster. If `kube-state-metrics` is not already running, deploy it now (see the
+https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment[Kubernetes
+deployment] docs).
+
+To deploy {} to Kubernetes, run:
+
+["source", "sh", subs="attributes"]
+------------------------------------------------
+kubectl create -f elastic-agent-kubernetes.yaml
+------------------------------------------------
+
+To check the status, run:
+
+["source", "sh", subs="attributes"]
+------------------------------------------------
+$ kubectl --namespace=kube-system get pods -l group=ingest-management
+
+NAME READY STATUS RESTARTS AGE
+agent-ingest-management-clusterscope-574dbfc48f-sfrdt 1/1 Running 3 8d
+agent-ingest-management-nodescope-jt9zj 1/1 Running 3 8d
+------------------------------------------------
+
+Agents should be enrolled to Fleet and user should be able to deploy Kubernetes package accordingly.
From 800d663b291926a536df37757ede10f98eb86cb7 Mon Sep 17 00:00:00 2001
From: chrismark
Date: Wed, 8 Jul 2020 12:37:20 +0300
Subject: [PATCH 3/6] fix
Signed-off-by: chrismark
---
x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc
index 75a0146180d..bea8349da4b 100644
--- a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc
+++ b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc
@@ -44,8 +44,8 @@ curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kuber By default, {agent} is enrolled to an existing Kibana deployment, if present using the specified credentials. FLEET_ENROLLMENT_TOKEN parameter is used to connect Agent to the -corresponding Ingest Management configuration. It is suggested to connect Daemonset Agents to a node configuration -and Deployment Agent to a cluster scope configuration. Then Kubernetes package will be possible to enable cluster scope +corresponding Ingest Management configuration. It is suggested to connect Daemonset Agents to a node scope configuration +and Deployment Agent to a cluster scope configuration. Then Kubernetes package will be deployed enabling cluster scope datasets using cluster scope configuration while node scope datasets will be enabled under node scope configuration. To specify different destination/credentials, From f96ed0b7fa8442c07711cfe76e109d716351981c Mon Sep 17 00:00:00 2001 From: chrismark Date: Thu, 23 Jul 2020 12:36:24 +0300 Subject: [PATCH 4/6] Fix start commands Signed-off-by: chrismark --- deploy/kubernetes/elastic-agent-kubernetes.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deploy/kubernetes/elastic-agent-kubernetes.yaml b/deploy/kubernetes/elastic-agent-kubernetes.yaml index f20ca2796e9..e2ecb564aa6 100644 --- a/deploy/kubernetes/elastic-agent-kubernetes.yaml +++ b/deploy/kubernetes/elastic-agent-kubernetes.yaml @@ -23,6 +23,10 @@ spec: containers: - name: agent-ingest-management-nodescope image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + command: ["/bin/sh", "-c"] + args: [ + "yes | ./elastic-agent enroll $KIBANA_HOST $FLEET_ENROLLMENT_TOKEN && ./elastic-agent run" + ] env: - name: FLEET_ENROLL value: "1" 
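Review bot: The `sh -c` string added under `command`/`args` in PATCH 4/6 expands `$KIBANA_HOST` and `$FLEET_ENROLLMENT_TOKEN` unquoted, so an empty token (the manifest's default `value:` is empty) or a value containing whitespace changes the argument list passed to `elastic-agent enroll`. `yes |` also answers every prompt affirmatively, which presumably includes any confirmation shown before enrolling against the plain `http://` host, and the token becomes visible in the process arguments. I would quote both expansions and `exec` the final step so the agent receives signals directly: `"yes | ./elastic-agent enroll \"$KIBANA_HOST\" \"$FLEET_ENROLLMENT_TOKEN\" && exec ./elastic-agent run"`. The second hunk (the clusterscope container) adds the identical lines, and PATCH 6/6 later removes both, so this applies only if the override is reintroduced.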
@@ -66,6 +70,10 @@ spec: containers: - name: agent-ingest-management-clusterscope image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + command: ["/bin/sh", "-c"] + args: [ + "yes | ./elastic-agent enroll $KIBANA_HOST $FLEET_ENROLLMENT_TOKEN && ./elastic-agent run" + ] env: - name: FLEET_ENROLL value: "1" From e08e319668d194fba3400cd431a25826bed6172e Mon Sep 17 00:00:00 2001 From: chrismark Date: Thu, 23 Jul 2020 12:43:02 +0300 Subject: [PATCH 5/6] minor fix Signed-off-by: chrismark --- x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc index bea8349da4b..19b4628fde9 100644 --- a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc +++ b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc @@ -88,7 +88,7 @@ in the cluster. If `kube-state-metrics` is not already running, deploy it now (s https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment[Kubernetes deployment] docs). -To deploy {} to Kubernetes, run: +To deploy to Kubernetes, run: ["source", "sh", subs="attributes"] ------------------------------------------------ From ab8780b426105d435c6e6131e3024e6b4d9d8781 Mon Sep 17 00:00:00 2001 From: chrismark Date: Thu, 23 Jul 2020 16:30:35 +0300 Subject: [PATCH 6/6] Move back to default startup command Signed-off-by: chrismark --- deploy/kubernetes/elastic-agent-kubernetes.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/deploy/kubernetes/elastic-agent-kubernetes.yaml b/deploy/kubernetes/elastic-agent-kubernetes.yaml index e2ecb564aa6..f20ca2796e9 100644 --- a/deploy/kubernetes/elastic-agent-kubernetes.yaml +++ b/deploy/kubernetes/elastic-agent-kubernetes.yaml 
@@ -23,10 +23,6 @@ spec: containers: - name: agent-ingest-management-nodescope image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT - command: ["/bin/sh", "-c"] - args: [ - "yes | ./elastic-agent enroll $KIBANA_HOST $FLEET_ENROLLMENT_TOKEN && ./elastic-agent run" - ] env: - name: FLEET_ENROLL value: "1" @@ -70,10 +66,6 @@ spec: containers: - name: agent-ingest-management-clusterscope image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT - command: ["/bin/sh", "-c"] - args: [ - "yes | ./elastic-agent enroll $KIBANA_HOST $FLEET_ENROLLMENT_TOKEN && ./elastic-agent run" - ] env: - name: FLEET_ENROLL value: "1"