diff --git a/deploy/helm/elastic-agent/examples/user-cluster-role/README.md b/deploy/helm/elastic-agent/examples/user-cluster-role/README.md
index 749c2b07096..c0ec7be31ef 100644
--- a/deploy/helm/elastic-agent/examples/user-cluster-role/README.md
+++ b/deploy/helm/elastic-agent/examples/user-cluster-role/README.md
@@ -1,6 +1,6 @@
-# Example: Kubernetes Integration with User-created service account
+# Example: Kubernetes Integration with User-created cluster role
-In this example we install the built-in `kubernetes` integration with the default built-in values, including the use of a user-created service account.
+In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml) including the use of a user-created cluster role. Note that the user is responsible for assigning the correct permissions to the cluster role.
 ## Prerequisites:
 1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
@@ -10,21 +10,28 @@ In this example we install the built-in `kubernetes` integration with the defaul
 --from-literal=url=...
 ```
-2. `kubernetes` integration assets installed through Kibana ([Kibana - Install and uninstall Elastic Agent integration assets](https://www.elastic.co/guide/en/fleet/current/install-uninstall-integration-assets.html))
+2. `nginx` integration assets are installed through Kibana
+
+3. Create a cluster role.
-3. A k8s service account
 ```console
- kubectl create serviceaccount user-sa
+ kubectl create clusterrole user-cr --verb=get,list,watch --resource=pods,namespaces,nodes,replicasets,jobs
 ```
 ## Run:
-```console
-helm install elastic-agent ../../ \
- -f ./agent-kubernetes-values.yaml \
- --set outputs.default.type=ESSecretAuthAPI \
- --set outputs.default.secretName=es-api-secret
-```
+1. Install Helm chart
+ ```console
+ helm install elastic-agent ../../ \
+ -f ./agent-nginx-values.yaml \
+ --set outputs.default.type=ESSecretAuthAPI \
+ --set outputs.default.secretName=es-api-secret
+ ```
+
+2. Install the nginx deployment
+ ```console
+ kubectl apply -f ./nginx.yaml
+ ```
 ## Validate:
-1. The Kibana `kubernetes`-related dashboards should start showing up the respective info.
+1. The Kibana `nginx`-related dashboards should start showing nginx related data.
diff --git a/deploy/helm/elastic-agent/examples/user-service-account/agent-nginx-values.yaml b/deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml
similarity index 100%
rename from deploy/helm/elastic-agent/examples/user-service-account/agent-nginx-values.yaml
rename to deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml
diff --git a/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml
index 30268b2dcee..db9fbf0ffab 100644
--- a/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml
+++ b/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml @@ -1,66 +1,9 @@ --- -# Source: elastic-agent/templates/agent/k8s/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: agent-clusterwide-example - namespace: "default" - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -stringData: - - agent.yml: |- - id: agent-clusterwide-example - outputs: - default: - hosts: - - http://elasticsearch:9200 - password: changeme - type: elasticsearch - username: elastic - secret_references: [] - agent: - monitoring: - enabled: true - logs: true - metrics: true - namespace: default - use_output: default - providers: - kubernetes: - node: ${NODE_NAME} - scope: cluster - kubernetes_leaderelection: - enabled: true - inputs: - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.apiserver - streams: - - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.apiserver - type: metrics - hosts: - - https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT} - id: kubernetes/metrics-kubernetes.apiserver - metricsets: - - apiserver - period: 30s - ssl.certificate_authorities: - - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - type: kubernetes/metrics - use_output: default ---- -# Source: elastic-agent/templates/agent/k8s/secret.yaml +# Source: elastic-agent/templates/agent/service-account.yaml apiVersion: v1 -kind: Secret +kind: ServiceAccount metadata: - name: agent-ksmsharded-example + name: agent-nginx-example namespace: "default" labels: helm.sh/chart: elastic-agent-0.0.1 
@@ -68,293 +11,12 @@ metadata: app.kubernetes.io/instance: example app.kubernetes.io/version: 9.0.0 app.kubernetes.io/managed-by: Helm -stringData: - - agent.yml: |- - id: agent-ksmsharded-example - outputs: - default: - hosts: - - http://elasticsearch:9200 - password: changeme - type: elasticsearch - username: elastic - secret_references: [] - agent: - monitoring: - enabled: true - logs: true - metrics: true - namespace: default - use_output: default - providers: - kubernetes: - enabled: false - kubernetes_leaderelection: - enabled: false - inputs: - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_container - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_container - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_container - metricsets: - - state_container - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_cronjob - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_cronjob - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_cronjob - metricsets: - - state_cronjob - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_daemonset - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_daemonset - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_daemonset - metricsets: - - state_daemonset - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_deployment - streams: - - add_metadata: 
true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_deployment - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_deployment - metricsets: - - state_deployment - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_job - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_job - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_job - metricsets: - - state_job - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_namespace - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_namespace - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_namespace - metricsets: - - state_namespace - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_node - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_node - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_node - metricsets: - - state_node - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_persistentvolumeclaim - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_persistentvolumeclaim - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_persistentvolumeclaim - 
metricsets: - - state_persistentvolumeclaim - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_persistentvolume - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_persistentvolume - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_persistentvolume - metricsets: - - state_persistentvolume - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_pod - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_pod - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_pod - metricsets: - - state_pod - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_replicaset - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_replicaset - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_replicaset - metricsets: - - state_replicaset - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_resourcequota - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_resourcequota - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_resourcequota - metricsets: - - state_resourcequota - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_service - 
streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_service - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_service - metricsets: - - state_service - period: 10s - use_output: default - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_statefulset - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_statefulset - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_statefulset - metricsets: - - state_statefulset - period: 10s - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.state_storageclass - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.state_storageclass - type: metrics - hosts: - - localhost:8080 - id: kubernetes/metrics-kubernetes.state_storageclass - metricsets: - - state_storageclass - period: 10s - type: kubernetes/metrics - use_output: default --- # Source: elastic-agent/templates/agent/k8s/secret.yaml apiVersion: v1 kind: Secret metadata: - name: agent-pernode-example + name: agent-nginx-example namespace: "default" labels: helm.sh/chart: elastic-agent-0.0.1 @@ -365,7 +27,7 @@ metadata: stringData: agent.yml: |- - id: agent-pernode-example + id: agent-nginx-example outputs: default: hosts: 
@@ -374,646 +36,42 @@ stringData: type: elasticsearch username: elastic secret_references: [] - agent: - monitoring: - enabled: true - logs: true - metrics: true - namespace: default - use_output: default providers: - kubernetes: - node: ${NODE_NAME} - scope: node kubernetes_leaderelection: enabled: false inputs: - data_stream: namespace: default - id: filestream-container-logs + id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f + meta: + package: + name: nginx + version: 1.19.1 + name: nginx-1 + package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f + preset: nginx + revision: 1 streams: - data_stream: - dataset: kubernetes.container_logs - type: logs - id: kubernetes-container-logs-${kubernetes.pod.name}-${kubernetes.container.id} - parsers: - - container: - format: auto - stream: all - paths: - - /var/log/containers/*${kubernetes.container.id}.log - processors: - - add_fields: - fields: - annotations.elastic_co/dataset: ${kubernetes.annotations.elastic.co/dataset|""} - annotations.elastic_co/namespace: ${kubernetes.annotations.elastic.co/namespace|""} - annotations.elastic_co/preserve_original_event: ${kubernetes.annotations.elastic.co/preserve_original_event|""} - target: kubernetes - - drop_fields: - fields: - - kubernetes.annotations.elastic_co/dataset - ignore_missing: true - when: - equals: - kubernetes.annotations.elastic_co/dataset: "" - - drop_fields: - fields: - - kubernetes.annotations.elastic_co/namespace - ignore_missing: true - when: - equals: - kubernetes.annotations.elastic_co/namespace: "" - - drop_fields: - fields: - - kubernetes.annotations.elastic_co/preserve_original_event - ignore_missing: true - when: - equals: - kubernetes.annotations.elastic_co/preserve_original_event: "" - - add_tags: - tags: - - preserve_original_event - when: - and: - - has_fields: - - kubernetes.annotations.elastic_co/preserve_original_event - - regexp: - kubernetes.annotations.elastic_co/preserve_original_event: ^(?i)true$ - prospector.scanner.symlinks: 
true - type: filestream - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.container - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.container - type: metrics - hosts: - - https://${env.NODE_NAME}:10250 - id: kubernetes/metrics-kubernetes.container - metricsets: - - container - period: 10s - ssl.verification_mode: none - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.node - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.node + dataset: nginx.stubstatus type: metrics hosts: - - https://${env.NODE_NAME}:10250 - id: kubernetes/metrics-kubernetes.node + - http://nginx.default.svc.cluster.local:80 + id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f metricsets: - - node + - stubstatus period: 10s - ssl.verification_mode: none - type: kubernetes/metrics + server_status_path: /nginx_status + tags: + - nginx-stubstatus + type: nginx/metrics use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.pod - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.pod - type: metrics - hosts: - - https://${env.NODE_NAME}:10250 - id: kubernetes/metrics-kubernetes.pod - metricsets: - - pod - period: 10s - ssl.verification_mode: none - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.system - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.system - type: metrics - hosts: - - https://${env.NODE_NAME}:10250 - id: kubernetes/metrics-kubernetes.system - metricsets: - - system - 
period: 10s - ssl.verification_mode: none - type: kubernetes/metrics - use_output: default - - data_stream: - namespace: default - id: kubernetes/metrics-kubernetes.volume - streams: - - add_metadata: true - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - data_stream: - dataset: kubernetes.volume - type: metrics - hosts: - - https://${env.NODE_NAME}:10250 - id: kubernetes/metrics-kubernetes.volume - metricsets: - - volume - period: 10s - ssl.verification_mode: none - type: kubernetes/metrics - use_output: default ---- -# Source: elastic-agent/templates/agent/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: agent-clusterWide-example-default - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [ "" ] # "" indicates the core API group - resources: - - nodes - - namespaces - - events - - pods - - services - - configmaps - - persistentvolumes - - persistentvolumeclaims - - persistentvolumeclaims/status - - nodes/metrics - - nodes/proxy - - nodes/stats - verbs: - - get - - watch - - list - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - watch - - list - - nonResourceURLs: - - /metrics - verbs: - - get - - watch - - list - - apiGroups: [ "coordination.k8s.io" ] - resources: - - leases - verbs: - - get - - create - - update - - nonResourceURLs: - - /healthz - - /healthz/* - - /livez - - /livez/* - - /metrics - - /metrics/slis - - /readyz - - /readyz/* - verbs: - - get - - apiGroups: [ "apps" ] - resources: - - replicasets - - deployments - - daemonsets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - 
list - - nonResourceURLs: - - /metrics - verbs: - - get - - watch - - list - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - watch ---- -# Source: elastic-agent/templates/agent/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: agent-ksmSharded-example-default - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [ "" ] # "" indicates the core API group - resources: - - nodes - - namespaces - - events - - pods - - services - - configmaps - - persistentvolumes - - persistentvolumeclaims - - persistentvolumeclaims/status - - nodes/metrics - - nodes/proxy - - nodes/stats - verbs: - - get - - watch - - list - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - watch - - list - - nonResourceURLs: - - /metrics - verbs: - - get - - watch - - list - - apiGroups: [ "coordination.k8s.io" ] - resources: - - leases - verbs: - - get - - create - - update - - nonResourceURLs: - - /healthz - - /healthz/* - - /livez - - /livez/* - - /metrics - - /metrics/slis - - /readyz - - /readyz/* - verbs: - - get - - apiGroups: [ "apps" ] - resources: - - replicasets - - deployments - - daemonsets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - - pods - - persistentvolumes - - persistentvolumeclaims - - persistentvolumeclaims/status - - nodes - - nodes/metrics - - nodes/proxy - - nodes/stats - - services - - events - - configmaps - - secrets - - nodes - - pods - - 
services - - serviceaccounts - - resourcequotas - - replicationcontrollers - - limitranges - - endpoints - verbs: - - get - - watch - - list - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - - volumeattachments - verbs: - - get - - watch - - list - - nonResourceURLs: - - /healthz - - /healthz/* - - /livez - - /livez/* - - /metrics - - /metrics/slis - - /readyz - - /readyz/* - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - - deployments - - daemonsets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch - - apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - - ingressclasses - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - update - - get - - list - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - get - - list - - watch ---- -# Source: elastic-agent/templates/agent/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: 
agent-perNode-example-default - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: [ "" ] # "" indicates the core API group - resources: - - nodes - - namespaces - - events - - pods - - services - - configmaps - - persistentvolumes - - persistentvolumeclaims - - persistentvolumeclaims/status - - nodes/metrics - - nodes/proxy - - nodes/stats - verbs: - - get - - watch - - list - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - watch - - list - - nonResourceURLs: - - /metrics - verbs: - - get - - watch - - list - - apiGroups: [ "coordination.k8s.io" ] - resources: - - leases - verbs: - - get - - create - - update - - nonResourceURLs: - - /healthz - - /healthz/* - - /livez - - /livez/* - - /metrics - - /metrics/slis - - /readyz - - /readyz/* - verbs: - - get - - apiGroups: [ "apps" ] - resources: - - replicasets - - deployments - - daemonsets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch ---- -# Source: elastic-agent/templates/agent/cluster-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: agent-clusterWide-example-default - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: user-sa-clusterWide - namespace: "default" -roleRef: - kind: ClusterRole - name: agent-clusterWide-example-default - apiGroup: rbac.authorization.k8s.io ---- -# Source: elastic-agent/templates/agent/cluster-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: agent-ksmSharded-example-default - labels: - 
helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -subjects: - - kind: ServiceAccount - name: user-sa-ksmSharded - namespace: "default" -roleRef: - kind: ClusterRole - name: agent-ksmSharded-example-default - apiGroup: rbac.authorization.k8s.io --- # Source: elastic-agent/templates/agent/cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: agent-perNode-example-default + name: agent-nginx-example-default labels: helm.sh/chart: elastic-agent-0.0.1 app.kubernetes.io/name: elastic-agent @@ -1022,18 +80,18 @@ metadata: app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: user-sa-perNode + name: agent-nginx-example namespace: "default" roleRef: kind: ClusterRole - name: agent-perNode-example-default + name: user-cr apiGroup: rbac.authorization.k8s.io --- -# Source: elastic-agent/templates/agent/k8s/daemonset.yaml +# Source: elastic-agent/templates/agent/k8s/deployment.yaml apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: - name: agent-pernode-example + name: agent-nginx-example namespace: "default" labels: helm.sh/chart: elastic-agent-0.0.1 
@@ -1044,293 +102,36 @@ metadata: spec: selector: matchLabels: - name: agent-pernode-example + name: agent-nginx-example template: metadata: labels: - name: agent-pernode-example + name: agent-nginx-example annotations: - checksum/config: 53aa4ccc3e8557125fecf738e70722e2aaa1199ee79a823f684a9d4a296af7b0 + checksum/config: 4b3a03273d11151ee0f8bbdc8e235f8b6d2b344e09dedc632ae6f7f9e8e0ef34 spec: dnsPolicy: ClusterFirstWithHostNet automountServiceAccountToken: true - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: user-sa-perNode + serviceAccountName: agent-nginx-example volumes: - - hostPath: - path: /proc - name: proc - - hostPath: - path: /sys/fs/cgroup - name: cgroup - - hostPath: - path: /var/lib/docker/containers - name: varlibdockercontainers - - hostPath: - path: /var/log - name: varlog - - hostPath: - path: /etc - name: etc-full - - hostPath: - path: /var/lib - name: var-lib - name: agent-data hostPath: - path: /etc/elastic-agent/default/agent-pernode-example/state + path: /etc/elastic-agent/default/agent-nginx-example/state type: DirectoryOrCreate - name: config secret: defaultMode: 0444 - secretName: agent-pernode-example + secretName: agent-nginx-example containers: - name: agent imagePullPolicy: IfNotPresent image: "docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT" args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] securityContext: - capabilities: - add: - - DAC_READ_SEARCH - - CHOWN - - SETPCAP - - SYS_PTRACE - drop: - - ALL - privileged: false - runAsGroup: 1000 - runAsUser: 1000 - resources: - limits: - memory: 1000Mi - requests: - cpu: 100m - memory: 400Mi - volumeMounts: - - mountPath: /hostfs/proc - name: proc - readOnly: true - - mountPath: /hostfs/sys/fs/cgroup - name: cgroup - readOnly: true - - mountPath: /var/lib/docker/containers - name: varlibdockercontainers - readOnly: true - - mountPath: /var/log - name: varlog - readOnly: true - - mountPath: /hostfs/etc - name: etc-full - readOnly: true - - mountPath: /hostfs/var/lib - 
name: var-lib - readOnly: true - - name: agent-data - mountPath: /usr/share/elastic-agent/state - - name: config - mountPath: /etc/elastic-agent/agent.yml - readOnly: true - subPath: agent.yml - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: STATE_PATH - value: "/usr/share/elastic-agent/state" - - name: ELASTIC_NETINFO - value: "false" ---- -# Source: elastic-agent/templates/agent/k8s/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: agent-clusterwide-example - namespace: "default" - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - name: agent-clusterwide-example - template: - metadata: - labels: - name: agent-clusterwide-example - annotations: - checksum/config: 73527b0aad319ef33239ef3c862820c5ee5cafb42e2ce164049646791b69ec68 - - spec: - dnsPolicy: ClusterFirstWithHostNet - automountServiceAccountToken: true - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: user-sa-clusterWide - volumes: - - emptyDir: {} - name: agent-data - - - name: config - secret: - defaultMode: 0444 - secretName: agent-clusterwide-example - containers: - - name: agent - imagePullPolicy: IfNotPresent - image: "docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT" - args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] - securityContext: - capabilities: - add: - - CHOWN - - SETPCAP - - DAC_READ_SEARCH - - SYS_PTRACE - drop: - - ALL - privileged: false - runAsGroup: 1000 - runAsUser: 1000 - resources: - limits: - memory: 800Mi - requests: - cpu: 100m - memory: 400Mi - volumeMounts: - - name: agent-data - mountPath: /usr/share/elastic-agent/state - - name: config - mountPath: /etc/elastic-agent/agent.yml - readOnly: true - subPath: agent.yml - env: - - name: NODE_NAME - 
valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: STATE_PATH - value: "/usr/share/elastic-agent/state" - - name: ELASTIC_NETINFO - value: "false" ---- -# Source: elastic-agent/templates/agent/k8s/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: agent-ksmsharded-example - namespace: "default" - labels: - helm.sh/chart: elastic-agent-0.0.1 - app.kubernetes.io/name: elastic-agent - app.kubernetes.io/instance: example - app.kubernetes.io/version: 9.0.0 - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - name: agent-ksmsharded-example - template: - metadata: - labels: - name: agent-ksmsharded-example - annotations: - checksum/config: 4ec2b2ef4d3c5c103e79e47a45d4b3b4f9f774e85293f9a5b2d56556025f1d2d - - spec: - dnsPolicy: ClusterFirstWithHostNet - automountServiceAccountToken: true - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: user-sa-ksmSharded - volumes: - - emptyDir: {} - name: agent-data - - - name: config - secret: - defaultMode: 0444 - secretName: agent-ksmsharded-example - containers: - - args: - - --pod=$(POD_NAME) - - --pod-namespace=$(POD_NAMESPACE) - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.12.0 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - name: kube-state-metrics - ports: - - containerPort: 8080 - name: http-metrics - - containerPort: 8081 - name: telemetry - readinessProbe: - httpGet: - path: / - port: 8081 - initialDelaySeconds: 5 - timeoutSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - - name: agent - 
imagePullPolicy: IfNotPresent - image: "docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT" - args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] - securityContext: - capabilities: - add: - - CHOWN - - SETPCAP - - DAC_READ_SEARCH - - SYS_PTRACE - drop: - - ALL - privileged: false - runAsGroup: 1000 - runAsUser: 1000 - resources: - limits: - memory: 800Mi - requests: - cpu: 100m - memory: 400Mi + runAsUser: 0 volumeMounts: - name: agent-data mountPath: /usr/share/elastic-agent/state
@@ -1349,5 +150,3 @@ spec: fieldPath: metadata.name - name: STATE_PATH value: "/usr/share/elastic-agent/state" - - name: ELASTIC_NETINFO - value: "false"
diff --git a/deploy/helm/elastic-agent/examples/user-service-account/README.md b/deploy/helm/elastic-agent/examples/user-service-account/README.md
index c0ec7be31ef..749c2b07096 100644
--- a/deploy/helm/elastic-agent/examples/user-service-account/README.md
+++ b/deploy/helm/elastic-agent/examples/user-service-account/README.md
@@ -1,6 +1,6 @@
-# Example: Kubernetes Integration with User-created cluster role
+# Example: Kubernetes Integration with User-created service account
-In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml) including the use of a user-created cluster role. Note that the user is responsible for assigning the correct permissions to the cluster role.
+In this example we install the built-in `kubernetes` integration with the default built-in values, including the use of a user-created service account.
 ## Prerequisites:
 1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)):
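Review bot: On the new side of the `@@ -1044,293 +102,36 @@` hunk the agent container's `securityContext:` keeps only the added `runAsUser: 0`; the `privileged: false`, `capabilities.drop: [ALL]`, `runAsUser: 1000`/`runAsGroup: 1000` and the `resources` requests/limits that the removed DaemonSet, Deployment and StatefulSet agent containers carried are not re-emitted, so the rendered nginx agent pod runs as root with the runtime's default capability set and no memory limit. The preset's only input scrapes `http://nginx.default.svc.cluster.local:80` over the network and the hostPath volume mounts are removed in the same hunk, so root does not look necessary; this is hedged because the preset itself lives in agent-nginx-values.yaml, which this commit only renames. Since this file is rendered `helm template` output, the fix belongs in that preset (restore the hardened securityContext and resources), after which re-rendering the example also refreshes the `checksum/config` annotation shown here. The Deployment object begins in the preceding `@@ -1022,18 +80,18 @@` hunk and its `env` list continues into the `@@ -1349,5 +150,3 @@` hunk that follows.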
@@ -10,28 +10,21 @@ In this example we define a `nginx` custom integration alongside a custom agent
 --from-literal=url=...
 ```
-2. `nginx` integration assets are installed through Kibana
-
-3. Create a cluster role.
+2. `kubernetes` integration assets installed through Kibana ([Kibana - Install and uninstall Elastic Agent integration assets](https://www.elastic.co/guide/en/fleet/current/install-uninstall-integration-assets.html))
+3. A k8s service account
 ```console
- kubectl create clusterrole user-cr --verb=get,list,watch --resource=pods,namespaces,nodes,replicasets,jobs
+ kubectl create serviceaccount user-sa
 ```
 ## Run:
-1. Install Helm chart
- ```console
- helm install elastic-agent ../../ \
- -f ./agent-nginx-values.yaml \
- --set outputs.default.type=ESSecretAuthAPI \
- --set outputs.default.secretName=es-api-secret
- ```
-
-2. Install the nginx deployment
- ```console
- kubectl apply -f ./nginx.yaml
- ```
+```console
+helm install elastic-agent ../../ \
+ -f ./agent-kubernetes-values.yaml \
+ --set outputs.default.type=ESSecretAuthAPI \
+ --set outputs.default.secretName=es-api-secret
+```
 ## Validate:
-1. The Kibana `nginx`-related dashboards should start showing nginx related data.
+1. The Kibana `kubernetes`-related dashboards should start showing up the respective info.
diff --git a/deploy/helm/elastic-agent/examples/user-cluster-role/agent-kubernetes-values.yaml b/deploy/helm/elastic-agent/examples/user-service-account/agent-kubernetes-values.yaml
similarity index 100%
rename from deploy/helm/elastic-agent/examples/user-cluster-role/agent-kubernetes-values.yaml
rename to deploy/helm/elastic-agent/examples/user-service-account/agent-kubernetes-values.yaml
diff --git a/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml
index db9fbf0ffab..30268b2dcee 100644
--- a/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml
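Review bot: Step 3's `kubectl create serviceaccount user-sa` creates a single account named `user-sa`, yet the rendered manifest committed alongside it schedules and binds three differently named subjects (`user-sa-clusterWide`, `user-sa-ksmSharded` and `user-sa-perNode` in the ClusterRoleBinding and `serviceAccountName` lines), so pods created by following this README would reference accounts that are never created, unless the renamed values file (contents not shown here) maps the names differently. The step should create all three, e.g. `3. One k8s service account per agent preset (the chart binds a ClusterRole to each):` followed by one `kubectl create serviceaccount` command for each of those names. Since the chart-rendered ClusterRole bound to `user-sa-ksmSharded` includes `secrets` get/list/watch cluster-wide, a sentence noting that the user-created accounts receive those chart-granted permissions would also help readers judge the scope of the example before applying it.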
+++ b/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml @@ -1,9 +1,66 @@ --- -# Source: elastic-agent/templates/agent/service-account.yaml +# Source: elastic-agent/templates/agent/k8s/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: agent-clusterwide-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +stringData: + + agent.yml: |- + id: agent-clusterwide-example + outputs: + default: + hosts: + - http://elasticsearch:9200 + password: changeme + type: elasticsearch + username: elastic + secret_references: [] + agent: + monitoring: + enabled: true + logs: true + metrics: true + namespace: default + use_output: default + providers: + kubernetes: + node: ${NODE_NAME} + scope: cluster + kubernetes_leaderelection: + enabled: true + inputs: + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.apiserver + streams: + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.apiserver + type: metrics + hosts: + - https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT} + id: kubernetes/metrics-kubernetes.apiserver + metricsets: + - apiserver + period: 30s + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + type: kubernetes/metrics + use_output: default +--- +# Source: elastic-agent/templates/agent/k8s/secret.yaml apiVersion: v1 -kind: ServiceAccount +kind: Secret metadata: - name: agent-nginx-example + name: agent-ksmsharded-example namespace: "default" labels: helm.sh/chart: elastic-agent-0.0.1 
@@ -11,12 +68,293 @@ metadata: app.kubernetes.io/instance: example app.kubernetes.io/version: 9.0.0 app.kubernetes.io/managed-by: Helm +stringData: + + agent.yml: |- + id: agent-ksmsharded-example + outputs: + default: + hosts: + - http://elasticsearch:9200 + password: changeme + type: elasticsearch + username: elastic + secret_references: [] + agent: + monitoring: + enabled: true + logs: true + metrics: true + namespace: default + use_output: default + providers: + kubernetes: + enabled: false + kubernetes_leaderelection: + enabled: false + inputs: + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_container + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_container + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_container + metricsets: + - state_container + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_cronjob + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_cronjob + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_cronjob + metricsets: + - state_cronjob + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_daemonset + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_daemonset + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_daemonset + metricsets: + - state_daemonset + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_deployment + streams: + - add_metadata: 
true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_deployment + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_deployment + metricsets: + - state_deployment + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_job + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_job + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_job + metricsets: + - state_job + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_namespace + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_namespace + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_namespace + metricsets: + - state_namespace + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_node + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_node + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_node + metricsets: + - state_node + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_persistentvolumeclaim + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_persistentvolumeclaim + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_persistentvolumeclaim + 
metricsets: + - state_persistentvolumeclaim + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_persistentvolume + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_persistentvolume + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_persistentvolume + metricsets: + - state_persistentvolume + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_pod + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_pod + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_pod + metricsets: + - state_pod + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_replicaset + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_replicaset + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_replicaset + metricsets: + - state_replicaset + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_resourcequota + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_resourcequota + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_resourcequota + metricsets: + - state_resourcequota + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_service + 
streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_service + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_service + metricsets: + - state_service + period: 10s + use_output: default + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_statefulset + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_statefulset + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_statefulset + metricsets: + - state_statefulset + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_storageclass + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_storageclass + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_storageclass + metricsets: + - state_storageclass + period: 10s + type: kubernetes/metrics + use_output: default --- # Source: elastic-agent/templates/agent/k8s/secret.yaml apiVersion: v1 kind: Secret metadata: - name: agent-nginx-example + name: agent-pernode-example namespace: "default" labels: helm.sh/chart: elastic-agent-0.0.1 @@ -27,7 +365,7 @@ metadata: stringData: agent.yml: |- - id: agent-nginx-example + id: agent-pernode-example outputs: default: hosts: 
@@ -36,42 +374,606 @@ stringData: type: elasticsearch username: elastic secret_references: [] + agent: + monitoring: + enabled: true + logs: true + metrics: true + namespace: default + use_output: default providers: + kubernetes: + node: ${NODE_NAME} + scope: node kubernetes_leaderelection: enabled: false inputs: - data_stream: namespace: default - id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f - meta: - package: - name: nginx - version: 1.19.1 - name: nginx-1 - package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f - preset: nginx - revision: 1 + id: filestream-container-logs streams: - data_stream: - dataset: nginx.stubstatus + dataset: kubernetes.container_logs + type: logs + id: kubernetes-container-logs-${kubernetes.pod.name}-${kubernetes.container.id} + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.container.id}.log + processors: + - add_fields: + fields: + annotations.elastic_co/dataset: ${kubernetes.annotations.elastic.co/dataset|""} + annotations.elastic_co/namespace: ${kubernetes.annotations.elastic.co/namespace|""} + annotations.elastic_co/preserve_original_event: ${kubernetes.annotations.elastic.co/preserve_original_event|""} + target: kubernetes + - drop_fields: + fields: + - kubernetes.annotations.elastic_co/dataset + ignore_missing: true + when: + equals: + kubernetes.annotations.elastic_co/dataset: "" + - drop_fields: + fields: + - kubernetes.annotations.elastic_co/namespace + ignore_missing: true + when: + equals: + kubernetes.annotations.elastic_co/namespace: "" + - drop_fields: + fields: + - kubernetes.annotations.elastic_co/preserve_original_event + ignore_missing: true + when: + equals: + kubernetes.annotations.elastic_co/preserve_original_event: "" + - add_tags: + tags: + - preserve_original_event + when: + and: + - has_fields: + - kubernetes.annotations.elastic_co/preserve_original_event + - regexp: + kubernetes.annotations.elastic_co/preserve_original_event: ^(?i)true$ + 
prospector.scanner.symlinks: true + type: filestream + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.container + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.container + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.container + metricsets: + - container + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.node + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.node type: metrics hosts: - - http://nginx.default.svc.cluster.local:80 - id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.node metricsets: - - stubstatus + - node period: 10s - server_status_path: /nginx_status - tags: - - nginx-stubstatus - type: nginx/metrics + ssl.verification_mode: none + type: kubernetes/metrics use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.pod + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.pod + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.pod + metricsets: + - pod + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.system + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.system + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.system + metricsets: + - system + 
period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.volume + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.volume + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.volume + metricsets: + - volume + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default +--- +# Source: elastic-agent/templates/agent/cluster-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-clusterWide-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [ "" ] # "" indicates the core API group + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: [ "coordination.k8s.io" ] + resources: + - leases + verbs: + - get + - create + - update + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: [ "apps" ] + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + verbs: + - get + - watch + - 
list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch +--- +# Source: elastic-agent/templates/agent/cluster-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-ksmSharded-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [ "" ] # "" indicates the core API group + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: [ "coordination.k8s.io" ] + resources: + - leases + verbs: + - get + - create + - update + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: [ "apps" ] + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + - pods + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes + - nodes/metrics + - nodes/proxy + - nodes/stats + - services + - events + - configmaps + - secrets + - nodes + - pods + - 
services + - serviceaccounts + - resourcequotas + - replicationcontrollers + - limitranges + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + - volumeattachments + verbs: + - get + - watch + - list + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - ingressclasses + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - get + - list + - watch +--- +# Source: elastic-agent/templates/agent/cluster-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 
agent-perNode-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [ "" ] # "" indicates the core API group + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: [ "coordination.k8s.io" ] + resources: + - leases + verbs: + - get + - create + - update + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: [ "apps" ] + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch --- # Source: elastic-agent/templates/agent/cluster-role-binding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: agent-nginx-example-default + name: agent-clusterWide-example-default labels: helm.sh/chart: elastic-agent-0.0.1 app.kubernetes.io/name: elastic-agent 
@@ -80,18 +982,58 @@ metadata: app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: agent-nginx-example + name: user-sa-clusterWide namespace: "default" roleRef: kind: ClusterRole - name: user-cr + name: agent-clusterWide-example-default apiGroup: rbac.authorization.k8s.io --- -# Source: elastic-agent/templates/agent/k8s/deployment.yaml +# Source: elastic-agent/templates/agent/cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-ksmSharded-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: user-sa-ksmSharded + namespace: "default" +roleRef: + kind: ClusterRole + name: agent-ksmSharded-example-default + apiGroup: rbac.authorization.k8s.io +--- +# Source: elastic-agent/templates/agent/cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-perNode-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: user-sa-perNode + namespace: "default" +roleRef: + kind: ClusterRole + name: agent-perNode-example-default + apiGroup: rbac.authorization.k8s.io +--- +# Source: elastic-agent/templates/agent/k8s/daemonset.yaml apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: - name: agent-nginx-example + name: agent-pernode-example namespace: "default" labels: helm.sh/chart: elastic-agent-0.0.1 
@@ -102,36 +1044,293 @@ metadata: spec: selector: matchLabels: - name: agent-nginx-example + name: agent-pernode-example template: metadata: labels: - name: agent-nginx-example + name: agent-pernode-example annotations: - checksum/config: 4b3a03273d11151ee0f8bbdc8e235f8b6d2b344e09dedc632ae6f7f9e8e0ef34 + checksum/config: 53aa4ccc3e8557125fecf738e70722e2aaa1199ee79a823f684a9d4a296af7b0 spec: dnsPolicy: ClusterFirstWithHostNet automountServiceAccountToken: true - serviceAccountName: agent-nginx-example + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: user-sa-perNode volumes: + - hostPath: + path: /proc + name: proc + - hostPath: + path: /sys/fs/cgroup + name: cgroup + - hostPath: + path: /var/lib/docker/containers + name: varlibdockercontainers + - hostPath: + path: /var/log + name: varlog + - hostPath: + path: /etc + name: etc-full + - hostPath: + path: /var/lib + name: var-lib - name: agent-data hostPath: - path: /etc/elastic-agent/default/agent-nginx-example/state + path: /etc/elastic-agent/default/agent-pernode-example/state type: DirectoryOrCreate - name: config secret: defaultMode: 0444 - secretName: agent-nginx-example + secretName: agent-pernode-example containers: - name: agent imagePullPolicy: IfNotPresent image: "docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT" args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] securityContext: - runAsUser: 0 + capabilities: + add: + - DAC_READ_SEARCH + - CHOWN + - SETPCAP + - SYS_PTRACE + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsUser: 1000 + resources: + limits: + memory: 1000Mi + requests: + cpu: 100m + memory: 400Mi + volumeMounts: + - mountPath: /hostfs/proc + name: proc + readOnly: true + - mountPath: /hostfs/sys/fs/cgroup + name: cgroup + readOnly: true + - mountPath: /var/lib/docker/containers + name: varlibdockercontainers + readOnly: true + - mountPath: /var/log + name: varlog + readOnly: true + - mountPath: /hostfs/etc + name: etc-full + readOnly: true + - mountPath: 
/hostfs/var/lib + name: var-lib + readOnly: true + - name: agent-data + mountPath: /usr/share/elastic-agent/state + - name: config + mountPath: /etc/elastic-agent/agent.yml + readOnly: true + subPath: agent.yml + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: STATE_PATH + value: "/usr/share/elastic-agent/state" + - name: ELASTIC_NETINFO + value: "false" +--- +# Source: elastic-agent/templates/agent/k8s/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent-clusterwide-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + name: agent-clusterwide-example + template: + metadata: + labels: + name: agent-clusterwide-example + annotations: + checksum/config: 73527b0aad319ef33239ef3c862820c5ee5cafb42e2ce164049646791b69ec68 + + spec: + dnsPolicy: ClusterFirstWithHostNet + automountServiceAccountToken: true + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: user-sa-clusterWide + volumes: + - emptyDir: {} + name: agent-data + + - name: config + secret: + defaultMode: 0444 + secretName: agent-clusterwide-example + containers: + - name: agent + imagePullPolicy: IfNotPresent + image: "docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT" + args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] + securityContext: + capabilities: + add: + - CHOWN + - SETPCAP + - DAC_READ_SEARCH + - SYS_PTRACE + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsUser: 1000 + resources: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 400Mi + volumeMounts: + - name: agent-data + mountPath: /usr/share/elastic-agent/state + - name: config + mountPath: /etc/elastic-agent/agent.yml + readOnly: true + subPath: agent.yml + env: + - 
name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: STATE_PATH + value: "/usr/share/elastic-agent/state" + - name: ELASTIC_NETINFO + value: "false" +--- +# Source: elastic-agent/templates/agent/k8s/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: agent-ksmsharded-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + name: agent-ksmsharded-example + template: + metadata: + labels: + name: agent-ksmsharded-example + annotations: + checksum/config: 4ec2b2ef4d3c5c103e79e47a45d4b3b4f9f774e85293f9a5b2d56556025f1d2d + + spec: + dnsPolicy: ClusterFirstWithHostNet + automountServiceAccountToken: true + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: user-sa-ksmSharded + volumes: + - emptyDir: {} + name: agent-data + + - name: config + secret: + defaultMode: 0444 + secretName: agent-ksmsharded-example + containers: + - args: + - --pod=$(POD_NAME) + - --pod-namespace=$(POD_NAMESPACE) + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.12.0 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + name: kube-state-metrics + ports: + - containerPort: 8080 + name: http-metrics + - containerPort: 8081 + name: telemetry + readinessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + - name: agent 
+ imagePullPolicy: IfNotPresent + image: "docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT" + args: ["-c", "/etc/elastic-agent/agent.yml", "-e"] + securityContext: + capabilities: + add: + - CHOWN + - SETPCAP + - DAC_READ_SEARCH + - SYS_PTRACE + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsUser: 1000 + resources: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 400Mi volumeMounts: - name: agent-data mountPath: /usr/share/elastic-agent/state
@@ -150,3 +1349,5 @@ spec:
 fieldPath: metadata.name
 - name: STATE_PATH
 value: "/usr/share/elastic-agent/state"
+ - name: ELASTIC_NETINFO
+ value: "false"