From 67f89627685aa15847f695c326d513c6c968d487 Mon Sep 17 00:00:00 2001
From: MichaelKatsoulis
Date: Tue, 29 Jun 2021 15:19:59 +0300
Subject: [PATCH 1/4] Add manifest for agent automatic enrolment to fleet
Signed-off-by: MichaelKatsoulis
---
 .../kubernetes/elastic-agent-kubernetes.yaml | 204 ++++++++++++++++++
 1 file changed, 204 insertions(+)
 create mode 100644 deploy/kubernetes/elastic-agent-kubernetes.yaml
diff --git a/deploy/kubernetes/elastic-agent-kubernetes.yaml b/deploy/kubernetes/elastic-agent-kubernetes.yaml
new file mode 100644
index 00000000000..eb2f4b9dd45
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-kubernetes.yaml
@@ -0,0 +1,204 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: elastic-agent
+ namespace: kube-system
+ labels:
+ app: elastic-agent
+spec:
+ selector:
+ matchLabels:
+ app: elastic-agent
+ template:
+ metadata:
+ labels:
+ app: elastic-agent
+ spec:
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ serviceAccountName: elastic-agent
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: elastic-agent
+ image: docker.elastic.co/beats/elastic-agent:8.0.0
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ - name: FLEET_INSECURE
+ value: "1"
+ - name: FLEET_URL
+ value: "fleet_server_ip:port"
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: KIBANA_FLEET_USERNAME
+ value: "elastic"
+ - name: KIBANA_FLEET_PASSWORD
+ value: ""
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: proc
+ mountPath: /hostfs/proc
+ readOnly: true
+ - name: cgroup
+ mountPath: /hostfs/sys/fs/cgroup
+ readOnly: true
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ - name: varlog
+ mountPath: /var/log
+ readOnly: true
+ volumes:
+ - name: proc
+ hostPath:
+ path: /proc
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: varlog
+ hostPath:
+ path: /var/log
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: elastic-agent
+subjects:
+ - kind: ServiceAccount
+ name: elastic-agent
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: elastic-agent
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: kube-system
+ name: elastic-agent
+subjects:
+ - kind: ServiceAccount
+ name: elastic-agent
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: elastic-agent
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: elastic-agent-kubeadm-config
+ namespace: kube-system
+subjects:
+ - kind: ServiceAccount
+ name: elastic-agent
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: elastic-agent-kubeadm-config
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: elastic-agent
+ labels:
+ k8s-app: elastic-agent
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - events
+ - pods
+ - services
+ - configmaps
+ verbs: ["get", "list", "watch"]
+ # Enable this rule only if planing to use kubernetes_secrets provider
+ #- apiGroups: [""]
+ # resources:
+ # - secrets
+ # verbs: ["get"]
+ - apiGroups: ["extensions"]
+ resources:
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ - deployments
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/stats
+ verbs:
+ - get
+ # required for apiserver
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: elastic-agent
+ # should be the namespace where elastic-agent is running
+ namespace: kube-system
+ labels:
+ k8s-app: elastic-agent
+rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: elastic-agent-kubeadm-config
+ namespace: kube-system
+ labels:
+ k8s-app: elastic-agent
+rules:
+ - apiGroups: [""]
+ resources:
+ - configmaps
+ resourceNames:
+ - kubeadm-config
+ verbs: ["get"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: elastic-agent
+ namespace: kube-system
+ labels:
+ k8s-app: elastic-agent
+---
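Review bot: The DaemonSet env block carries the Kibana superuser login inline (`KIBANA_FLEET_USERNAME: "elastic"`, `KIBANA_FLEET_PASSWORD: ""`), so the moment a user fills the password in, it lives in the pod spec and is readable by anyone with `get pods` in kube-system and by whoever diffs this manifest in git. Pull it from a Secret instead, e.g. `valueFrom: { secretKeyRef: { name: elastic-agent-kibana, key: password } }`, and add `# create the Secret out-of-band; never commit the real password here` above the entry — the later "Review updates" patch in this series flips `FLEET_INSECURE` but leaves the credential handling as is. The same block also keeps `KIBANA_HOST: "http://kibana:5601"` as the default, which presumably carries those credentials in plaintext during enrolment; an `https://` placeholder would be the safer default. Given the pod runs as `runAsUser: 0` with `hostNetwork: true` and host `/proc`, `/var/log` and `/var/lib/docker/containers` mounted, a leaked superuser credential from this pod is a cluster-wide problem rather than a single-namespace one.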
From 4d526ecb3eaf86e49974472e05ca16e6020bc574 Mon Sep 17 00:00:00 2001
From: MichaelKatsoulis
Date: Tue, 29 Jun 2021 15:42:41 +0300
Subject: [PATCH 2/4] Add elastic-agent-managed dir with all manifests and update Makefile
Signed-off-by: MichaelKatsoulis
---
 deploy/kubernetes/Makefile | 2 +-
 ... => elastic-agent-managed-kubernetes.yaml} | 0
 .../elastic-agent-managed-daemonset.yaml | 80 +++++++++++++++++++
 .../elastic-agent-managed-role-binding.yaml | 40 ++++++++++
 .../elastic-agent-managed-role.yaml | 72 +++++++++++++++++
 ...elastic-agent-managed-service-account.yaml | 7 ++
 6 files changed, 200 insertions(+), 1 deletion(-)
 rename deploy/kubernetes/{elastic-agent-kubernetes.yaml => elastic-agent-managed-kubernetes.yaml} (100%)
 create mode 100644 deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
 create mode 100644 deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role-binding.yaml
 create mode 100644 deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
 create mode 100644 deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-service-account.yaml
diff --git a/deploy/kubernetes/Makefile b/deploy/kubernetes/Makefile
index 364b412b171..d33470966f7 100644
--- a/deploy/kubernetes/Makefile
+++ b/deploy/kubernetes/Makefile
@@ -1,4 +1,4 @@
-ALL=filebeat metricbeat auditbeat heartbeat elastic-agent-standalone
+ALL=filebeat metricbeat auditbeat heartbeat elastic-agent-standalone elastic-agent-managed
 BEAT_VERSION=$(shell head -n 1 ../../libbeat/docs/version.asciidoc | cut -c 17- )
 .PHONY: all $(ALL)
diff --git a/deploy/kubernetes/elastic-agent-kubernetes.yaml b/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
similarity index 100%
rename from deploy/kubernetes/elastic-agent-kubernetes.yaml
rename to deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
new file mode 100644
index 00000000000..bced76ac420
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: elastic-agent
+ namespace: kube-system
+ labels:
+ app: elastic-agent
+spec:
+ selector:
+ matchLabels:
+ app: elastic-agent
+ template:
+ metadata:
+ labels:
+ app: elastic-agent
+ spec:
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ serviceAccountName: elastic-agent
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: elastic-agent
+ image: docker.elastic.co/beats/elastic-agent:8.0.0
+ env:
+ - name: FLEET_ENROLL
+ value: "1"
+ - name: FLEET_INSECURE
+ value: "1"
+ - name: FLEET_URL
+ value: "fleet_server_ip:port"
+ - name: KIBANA_HOST
+ value: "http://kibana:5601"
+ - name: KIBANA_FLEET_USERNAME
+ value: "elastic"
+ - name: KIBANA_FLEET_PASSWORD
+ value: ""
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: proc
+ mountPath: /hostfs/proc
+ readOnly: true
+ - name: cgroup
+ mountPath: /hostfs/sys/fs/cgroup
+ readOnly: true
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ - name: varlog
+ mountPath: /var/log
+ readOnly: true
+ volumes:
+ - name: proc
+ hostPath:
+ path: /proc
+ - name: cgroup
+ hostPath:
+ path: /sys/fs/cgroup
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: varlog
+ hostPath:
+ path: /var/log
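Review bot: `KIBANA_FLEET_PASSWORD` is an inline `value: ""` placeholder for the `elastic` superuser, which invites the real password to be committed into this manifest and exposes it to anyone who can read pod specs in kube-system; reference a Secret instead, `valueFrom: { secretKeyRef: { name: elastic-agent-kibana, key: password } }`, and state in a comment that the Secret is created out-of-band. This copy is a byte-for-byte twin of the DaemonSet in `elastic-agent-managed-kubernetes.yaml`, so any hardening applied to one must be mirrored here; if the combined file is (or could be) generated from these per-resource files, a comment saying so at the top would stop the two from drifting. The defaults `FLEET_INSECURE: "1"` and `KIBANA_HOST: "http://kibana:5601"` ship an unverified/plaintext enrolment path for a pod that runs as root with `hostNetwork: true`; the later patch in this series turns `FLEET_INSECURE` off but leaves `KIBANA_HOST` on plain HTTP, which is worth fixing in the same pass.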
diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role-binding.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role-binding.yaml
new file mode 100644
index 00000000000..3dbc5a47fb6
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role-binding.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: elastic-agent
+subjects:
+ - kind: ServiceAccount
+ name: elastic-agent
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: elastic-agent
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: kube-system
+ name: elastic-agent
+subjects:
+ - kind: ServiceAccount
+ name: elastic-agent
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: elastic-agent
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: elastic-agent-kubeadm-config
+ namespace: kube-system
+subjects:
+ - kind: ServiceAccount
+ name: elastic-agent
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: elastic-agent-kubeadm-config
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
new file mode 100644
index 00000000000..71c26085c27
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
@@ -0,0 +1,72 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: elastic-agent
+ labels:
+ k8s-app: elastic-agent
+rules:
+ - apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - events
+ - pods
+ - services
+ - configmaps
+ verbs: ["get", "list", "watch"]
+ # Enable this rule only if planing to use kubernetes_secrets provider
+ #- apiGroups: [""]
+ # resources:
+ # - secrets
+ # verbs: ["get"]
+ - apiGroups: ["extensions"]
+ resources:
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources:
+ - statefulsets
+ - deployments
+ - replicasets
+ verbs: ["get", "list", "watch"]
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/stats
+ verbs:
+ - get
+ # required for apiserver
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: elastic-agent
+ # should be the namespace where elastic-agent is running
+ namespace: kube-system
+ labels:
+ k8s-app: elastic-agent
+rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: elastic-agent-kubeadm-config
+ namespace: kube-system
+ labels:
+ k8s-app: elastic-agent
+rules:
+ - apiGroups: [""]
+ resources:
+ - configmaps
+ resourceNames:
+ - kubeadm-config
+ verbs: ["get"]
diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-service-account.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-service-account.yaml
new file mode 100644
index 00000000000..43372b547d0
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: elastic-agent
+ namespace: kube-system
+ labels:
+ k8s-app: elastic-agent
From fefeb93bcadf4d454a9d6cce2e318e5fd6c383b2 Mon Sep 17 00:00:00 2001
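Review bot: The ClusterRole's first rule grants `configmaps` get/list/watch in every namespace, which makes the carefully scoped `elastic-agent-kubeadm-config` Role (namespaced, `resourceNames: [kubeadm-config]`) redundant for reads and hands a log/metrics collector cluster-wide access to ConfigMaps that, in many clusters, carry application configuration and occasionally credentials. If a specific provider needs the broad rule, document it the way the secrets rule is documented, e.g. `# configmaps cluster-wide: required by the kubernetes provider for <feature>; remove if unused`; otherwise drop `configmaps` from the ClusterRole and rely on the namespaced Role. The `apiGroups: ["extensions"]` / `replicasets` rule is dead on Kubernetes 1.16 and later (ReplicaSet was removed from the extensions group), so it can go or be marked `# legacy API group for clusters < 1.16`. Leaving the `secrets` rule commented out by default is the right call; consider tightening its wording to `# Enable only if using the kubernetes_secrets provider; this grants read of every Secret in the cluster` so the blast radius is explicit.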
From: MichaelKatsoulis
Date: Tue, 29 Jun 2021 16:59:26 +0300
Subject: [PATCH 3/4] Removing leading dashes
---
 deploy/kubernetes/elastic-agent-managed-kubernetes.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml b/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
index eb2f4b9dd45..4f6d930e8e9 100644
--- a/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
+++ b/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
From 08e9149454fccb1df8e4ab7a3c269e3774d31407 Mon Sep 17 00:00:00 2001
From: MichaelKatsoulis
Date: Thu, 1 Jul 2021 15:35:03 +0300
Subject: [PATCH 4/4] Review updates
---
 .../kubernetes/elastic-agent-managed-kubernetes.yaml | 10 ++++++++--
 .../elastic-agent-managed-daemonset.yaml | 6 ++++--
 .../elastic-agent-managed-role.yaml | 4 ++++
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml b/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
index 4f6d930e8e9..dc9fd86e6af 100644
--- a/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
+++ b/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
@@ -26,10 +26,12 @@ spec:
 env:
 - name: FLEET_ENROLL
 value: "1"
+ # Set to true in case of insecure or unverified HTTP
 - name: FLEET_INSECURE
- value: "1"
+ value: false
+ # The ip:port pair of fleet server
 - name: FLEET_URL
- value: "fleet_server_ip:port"
+ value: "https://fleet-server:8220"
 - name: KIBANA_HOST
 value: "http://kibana:5601"
 - name: KIBANA_FLEET_USERNAME
@@ -157,6 +159,10 @@ rules:
 - nodes/stats
 verbs:
 - get
+ - apiGroups: [ "batch" ]
+ resources:
+ - jobs
+ verbs: [ "get", "list", "watch" ]
 # required for apiserver
 - nonResourceURLs:
 - "/metrics"
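Review bot: In the `@@ -26,10 +26,12 @@` hunk, `value: false` for `FLEET_INSECURE` is an unquoted YAML boolean, but a container `env[].value` is a string in the Kubernetes API, so the API server will reject this manifest with a type-validation error (along the lines of "got boolean, expected string") and the DaemonSet will not be created at all — it has to be `value: "false"` (or `"0"`, matching the `"1"` used for `FLEET_ENROLL`). The new comment `# Set to true in case of insecure or unverified HTTP` then also mismatches and understates what the flag does; suggest `# Set to "true" only for test clusters: skips TLS verification of Fleet Server`. `FLEET_URL` now defaults to `https://fleet-server:8220`, but `KIBANA_HOST` two lines down is still `http://kibana:5601`, so the `elastic` credentials presumably still go over plaintext during enrolment unless that default is changed in the same pass. The same hunk is duplicated into `elastic-agent-managed-daemonset.yaml` in this patch, so the fix must land in both files.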
diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
index bced76ac420..0efd907a84d 100644
--- a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
+++ b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
@@ -26,10 +26,12 @@ spec:
 env:
 - name: FLEET_ENROLL
 value: "1"
+ # Set to true in case of insecure or unverified HTTP
 - name: FLEET_INSECURE
- value: "1"
+ value: false
+ # The ip:port pair of fleet server
 - name: FLEET_URL
- value: "fleet_server_ip:port"
+ value: "https://fleet-server:8220"
 - name: KIBANA_HOST
 value: "http://kibana:5601"
 - name: KIBANA_FLEET_USERNAME
diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
index 71c26085c27..37d159333cd 100644
--- a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
+++ b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
@@ -35,6 +35,10 @@ rules:
 - nodes/stats
 verbs:
 - get
+ - apiGroups: [ "batch" ]
+ resources:
+ - jobs
+ verbs: [ "get", "list", "watch" ]
 # required for apiserver
 - nonResourceURLs:
 - "/metrics"
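Review bot: `value: false` on the `FLEET_INSECURE` entry is a YAML boolean, and `EnvVar.value` is typed as a string in the Kubernetes API, so `kubectl apply` will refuse this DaemonSet with a validation error rather than deploy it with TLS verification enabled; quote it as `value: "false"` (or `"0"` to match the `"1"` style on `FLEET_ENROLL`). The comment `# The ip:port pair of fleet server` is now inaccurate for a value that is a full URL with scheme; `# Fleet Server URL (keep https:// so the enrolment token exchange is verified)` would describe what the new default actually is. `KIBANA_HOST` on the following lines stays `http://kibana:5601` while `FLEET_URL` moves to `https://`, leaving the `elastic` superuser credentials in this env block on a plaintext hop; an `https://` placeholder there would keep the defaults consistent. Since this file mirrors the DaemonSet in `elastic-agent-managed-kubernetes.yaml`, the identical fix is needed there too.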