diff --git a/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml b/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml index 704efe84cb8..4a89c783f4b 100644 --- a/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml +++ b/deploy/helm/elastic-agent/examples/fleet-managed/fleet-values.yaml @@ -9,31 +9,35 @@ agent: mode: deployment securityContext: runAsUser: 0 - rules: - # minimum cluster role ruleset required by agent - - apiGroups: [ "" ] - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: [ "apps" ] - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - verbs: - - get - - list - - watch + serviceAccount: + create: true + clusterRole: + create: true + rules: + # minimum cluster role ruleset required by agent + - apiGroups: [ "" ] + resources: + - nodes + - namespaces + - pods + verbs: + - get + - watch + - list + - apiGroups: [ "apps" ] + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + verbs: + - get + - list + - watch providers: kubernetes_leaderelection: enabled: false diff --git a/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml b/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml index 7485bb21897..ef7158164c3 100644 --- a/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml +++ b/deploy/helm/elastic-agent/examples/nginx-custom-integration/agent-nginx-values.yaml 
@@ -36,31 +36,35 @@ agent: mode: deployment securityContext: runAsUser: 0 - rules: - # minimum cluster role ruleset required by agent - - apiGroups: [ "" ] - resources: - - nodes - - namespaces - - pods - verbs: - - get - - watch - - list - - apiGroups: [ "apps" ] - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: [ "batch" ] - resources: - - jobs - verbs: - - get - - list - - watch + serviceAccount: + create: true + clusterRole: + create: true + rules: + # minimum cluster role ruleset required by agent + - apiGroups: [ "" ] + resources: + - nodes + - namespaces + - pods + verbs: + - get + - watch + - list + - apiGroups: [ "apps" ] + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + verbs: + - get + - list + - watch providers: kubernetes_leaderelection: enabled: false diff --git a/deploy/helm/elastic-agent/examples/user-cluster-role/README.md b/deploy/helm/elastic-agent/examples/user-cluster-role/README.md new file mode 100644 index 00000000000..c0ec7be31ef --- /dev/null +++ b/deploy/helm/elastic-agent/examples/user-cluster-role/README.md 
@@ -0,0 +1,37 @@ +# Example: Kubernetes Integration with User-created cluster role + +In this example we define a `nginx` custom integration alongside a custom agent preset defined in [agent-nginx-values.yaml](agent-nginx-values.yaml) including the use of a user-created cluster role. Note that the user is responsible for assigning the correct permissions to the cluster role. + +## Prerequisites: +1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)): + ```console + kubectl create secret generic es-api-secret \ + --from-literal=api_key=... \ + --from-literal=url=... + ``` + +2. `nginx` integration assets are installed through Kibana + +3. Create a cluster role. + + ```console + kubectl create clusterrole user-cr --verb=get,list,watch --resource=pods,namespaces,nodes,replicasets,jobs + ``` + +## Run: +1. Install Helm chart + ```console + helm install elastic-agent ../../ \ + -f ./agent-nginx-values.yaml \ + --set outputs.default.type=ESSecretAuthAPI \ + --set outputs.default.secretName=es-api-secret + ``` + +2. Install the nginx deployment + ```console + kubectl apply -f ./nginx.yaml + ``` + +## Validate: + +1. The Kibana `nginx`-related dashboards should start showing nginx related data. diff --git a/deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml b/deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml new file mode 100644 index 00000000000..f127b3cdfd3 --- /dev/null +++ b/deploy/helm/elastic-agent/examples/user-cluster-role/agent-nginx-values.yaml 
@@ -0,0 +1,50 @@
+kubernetes:
+ enabled: false
+
+extraIntegrations:
+ nginx/metrics:
+ id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+ preset: nginx
+ name: nginx-1
+ revision: 1
+ type: nginx/metrics
+ use_output: default
+ meta:
+ package:
+ name: nginx
+ version: 1.19.1
+ data_stream:
+ namespace: default
+ package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f
+ streams:
+ - id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f
+ data_stream:
+ dataset: nginx.stubstatus
+ type: metrics
+ metricsets:
+ - stubstatus
+ hosts:
+ - 'http://nginx.default.svc.cluster.local:80'
+ tags:
+ - nginx-stubstatus
+ period: 10s
+ server_status_path: /nginx_status
+
+agent:
+ presets:
+ nginx:
+ annotations:
+ elastic-agent.k8s.elastic.co/preset: nginx
+ mode: deployment
+ securityContext:
+ runAsUser: 0
+ serviceAccount:
+ create: true
+ annotations:
+ elastic-agent.k8s.elastic.co/sa: nginx
+ clusterRole:
+ create: false
+ name: user-cr
+ providers:
+ kubernetes_leaderelection:
+ enabled: false
diff --git a/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml
new file mode 100644
index 00000000000..8deafc61478
--- /dev/null
+++ b/deploy/helm/elastic-agent/examples/user-cluster-role/rendered/manifest.yaml
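Review bot: `clusterRole.create: false` with `name: user-cr` is the whole point of this example, yet nothing in the file says what the chart still does with that name; the rendered manifest added in this commit shows the chart still emits a ClusterRoleBinding from the created service account to `user-cr`, and a missing or under-privileged `user-cr` is not caught at install time, only as API-server denials once the agent runs. A comment above `clusterRole:` such as `# create: false — the chart still binds the service account to this ClusterRole; it must already exist with the permissions the agent needs (see README)` would make that explicit. Separately, this new preset runs with `runAsUser: 0` while it only scrapes nginx over HTTP and has `kubernetes.enabled: false`; unless the hostPath state directory in the rendered Deployment requires root, a non-root user would be the safer default for a copy-paste example — worth confirming before this is published as a reference.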
@@ -0,0 +1,161 @@ +--- +# Source: elastic-agent/templates/agent/service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: agent-nginx-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm + annotations: + elastic-agent.k8s.elastic.co/preset: nginx + elastic-agent.k8s.elastic.co/sa: nginx +--- +# Source: elastic-agent/templates/agent/k8s/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: agent-nginx-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm + annotations: + elastic-agent.k8s.elastic.co/preset: nginx +stringData: + + agent.yml: |- + id: agent-nginx-example + outputs: + default: + hosts: + - http://elasticsearch:9200 + password: changeme + type: elasticsearch + username: elastic + secret_references: [] + inputs: + - data_stream: + namespace: default + id: nginx/metrics-nginx-69240207-6fcc-4d19-aee3-dbf716e3bb0f + meta: + package: + name: nginx + version: 1.19.1 + name: nginx-1 + package_policy_id: 69240207-6fcc-4d19-aee3-dbf716e3bb0f + preset: nginx + revision: 1 + streams: + - data_stream: + dataset: nginx.stubstatus + type: metrics + hosts: + - http://nginx.default.svc.cluster.local:80 + id: nginx/metrics-nginx.stubstatus-69240207-6fcc-4d19-aee3-dbf716e3bb0f + metricsets: + - stubstatus + period: 10s + server_status_path: /nginx_status + tags: + - nginx-stubstatus + type: nginx/metrics + use_output: default + providers: + kubernetes_leaderelection: + enabled: false + leader_lease: example-nginx +--- +# Source: elastic-agent/templates/agent/cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-nginx-example-default + 
labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm + annotations: + elastic-agent.k8s.elastic.co/preset: nginx +subjects: + - kind: ServiceAccount + name: agent-nginx-example + namespace: "default" +roleRef: + kind: ClusterRole + name: user-cr + apiGroup: rbac.authorization.k8s.io +--- +# Source: elastic-agent/templates/agent/k8s/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent-nginx-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + name: agent-nginx-example + template: + metadata: + labels: + name: agent-nginx-example + annotations: + checksum/config: 99eaac30ab163ab5f4cedbdbf3e6936d34c2b0e2c22dee59947487bab88fcc26 + elastic-agent.k8s.elastic.co/preset: nginx + spec: + automountServiceAccountToken: true + containers: + - args: + - -c + - /etc/elastic-agent/agent.yml + - -e + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: STATE_PATH + value: /usr/share/elastic-agent/state + image: docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT + imagePullPolicy: IfNotPresent + name: agent + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /usr/share/elastic-agent/state + name: agent-data + - mountPath: /etc/elastic-agent/agent.yml + name: config + readOnly: true + subPath: agent.yml + dnsPolicy: ClusterFirstWithHostNet + serviceAccountName: agent-nginx-example + volumes: + - hostPath: + path: /etc/elastic-agent/default/agent-nginx-example/state + type: DirectoryOrCreate + name: agent-data + - name: config + secret: + defaultMode: 292 + secretName: agent-nginx-example 
diff --git a/deploy/helm/elastic-agent/examples/user-service-account/README.md b/deploy/helm/elastic-agent/examples/user-service-account/README.md new file mode 100644 index 00000000000..749c2b07096 --- /dev/null +++ b/deploy/helm/elastic-agent/examples/user-service-account/README.md @@ -0,0 +1,30 @@ +# Example: Kubernetes Integration with User-created service account + +In this example we install the built-in `kubernetes` integration with the default built-in values, including the use of a user-created service account. + +## Prerequisites: +1. A k8s secret that contains the connection details to an Elasticsearch cluster such as the URL and the API key ([Kibana - Creating API Keys](https://www.elastic.co/guide/en/kibana/current/api-keys.html)): + ```console + kubectl create secret generic es-api-secret \ + --from-literal=api_key=... \ + --from-literal=url=... + ``` + +2. `kubernetes` integration assets installed through Kibana ([Kibana - Install and uninstall Elastic Agent integration assets](https://www.elastic.co/guide/en/fleet/current/install-uninstall-integration-assets.html)) + +3. A k8s service account + ```console + kubectl create serviceaccount user-sa + ``` + +## Run: +```console +helm install elastic-agent ../../ \ + -f ./agent-kubernetes-values.yaml \ + --set outputs.default.type=ESSecretAuthAPI \ + --set outputs.default.secretName=es-api-secret +``` + +## Validate: + +1. The Kibana `kubernetes`-related dashboards should start showing up the respective info. diff --git a/deploy/helm/elastic-agent/examples/user-service-account/agent-kubernetes-values.yaml b/deploy/helm/elastic-agent/examples/user-service-account/agent-kubernetes-values.yaml new file mode 100644 index 00000000000..2d3c71866f3 --- /dev/null +++ b/deploy/helm/elastic-agent/examples/user-service-account/agent-kubernetes-values.yaml 
@@ -0,0 +1,27 @@
+kubernetes:
+ enabled: true
+
+agent:
+ unprivileged: true
+ presets:
+ perNode:
+ serviceAccount:
+ create: false
+ name: user-sa-perNode
+ clusterRole:
+ annotations:
+ elastic-agent.k8s.elastic.co/cr: nginx
+ clusterWide:
+ serviceAccount:
+ create: false
+ name: user-sa-clusterWide
+ clusterRole:
+ annotations:
+ elastic-agent.k8s.elastic.co/cr: nginx
+ ksmSharded:
+ serviceAccount:
+ create: false
+ name: user-sa-ksmSharded
+ clusterRole:
+ annotations:
+ elastic-agent.k8s.elastic.co/cr: nginx
diff --git a/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml b/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml
new file mode 100644
index 00000000000..2c12cf1ed01
--- /dev/null
+++ b/deploy/helm/elastic-agent/examples/user-service-account/rendered/manifest.yaml
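Review bot: The service account names `user-sa-perNode`, `user-sa-clusterWide` and `user-sa-ksmSharded` contain uppercase letters, which Kubernetes rejects for ServiceAccount names (they must be lowercase RFC 1123 subdomains), so neither `kubectl create serviceaccount` for these names nor the rendered ClusterRoleBindings and pod specs that reference them will be accepted by the API server. The README added in the same commit also creates a single `user-sa`, so the documented prerequisite does not match the three names this file references. Use lowercase names and create all of them in the README's prerequisite step, e.g. `name: user-sa-pernode`, `name: user-sa-clusterwide`, `name: user-sa-ksmsharded`. The `elastic-agent.k8s.elastic.co/cr: nginx` annotation repeated under each preset's `clusterRole` looks carried over from the nginx example and is probably not what a kubernetes-integration example intends; it ends up on every rendered ClusterRole.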
@@ -0,0 +1,1364 @@ +--- +# Source: elastic-agent/templates/agent/k8s/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: agent-clusterwide-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +stringData: + + agent.yml: |- + id: agent-clusterwide-example + outputs: + default: + hosts: + - http://elasticsearch:9200 + password: changeme + type: elasticsearch + username: elastic + secret_references: [] + agent: + monitoring: + enabled: true + logs: true + metrics: true + namespace: default + use_output: default + inputs: + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.apiserver + streams: + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.apiserver + type: metrics + hosts: + - https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT} + id: kubernetes/metrics-kubernetes.apiserver + metricsets: + - apiserver + period: 30s + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + type: kubernetes/metrics + use_output: default + providers: + kubernetes: + node: ${NODE_NAME} + scope: cluster + kubernetes_leaderelection: + enabled: true + leader_lease: example-clusterwide +--- +# Source: elastic-agent/templates/agent/k8s/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: agent-ksmsharded-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +stringData: + + agent.yml: |- + id: agent-ksmsharded-example + outputs: + default: + hosts: + - http://elasticsearch:9200 + password: changeme + type: elasticsearch + username: elastic + secret_references: [] + agent: + monitoring: + enabled: true 
+ logs: true + metrics: true + namespace: default + use_output: default + inputs: + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_container + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_container + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_container + metricsets: + - state_container + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_cronjob + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_cronjob + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_cronjob + metricsets: + - state_cronjob + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_daemonset + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_daemonset + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_daemonset + metricsets: + - state_daemonset + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_deployment + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_deployment + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_deployment + metricsets: + - state_deployment + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_job + streams: + - add_metadata: true + bearer_token_file: 
/var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_job + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_job + metricsets: + - state_job + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_namespace + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_namespace + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_namespace + metricsets: + - state_namespace + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_node + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_node + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_node + metricsets: + - state_node + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_persistentvolumeclaim + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_persistentvolumeclaim + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_persistentvolumeclaim + metricsets: + - state_persistentvolumeclaim + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_persistentvolume + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_persistentvolume + type: metrics + hosts: + - localhost:8080 + id: 
kubernetes/metrics-kubernetes.state_persistentvolume + metricsets: + - state_persistentvolume + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_pod + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_pod + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_pod + metricsets: + - state_pod + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_replicaset + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_replicaset + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_replicaset + metricsets: + - state_replicaset + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_resourcequota + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_resourcequota + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_resourcequota + metricsets: + - state_resourcequota + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_service + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_service + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_service + metricsets: + - state_service + period: 10s + use_output: default + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: 
kubernetes/metrics-kubernetes.state_statefulset + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_statefulset + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_statefulset + metricsets: + - state_statefulset + period: 10s + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.state_storageclass + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.state_storageclass + type: metrics + hosts: + - localhost:8080 + id: kubernetes/metrics-kubernetes.state_storageclass + metricsets: + - state_storageclass + period: 10s + type: kubernetes/metrics + use_output: default + providers: + kubernetes: + enabled: false + kubernetes_leaderelection: + enabled: false + leader_lease: example-ksmsharded +--- +# Source: elastic-agent/templates/agent/k8s/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: agent-pernode-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +stringData: + + agent.yml: |- + id: agent-pernode-example + outputs: + default: + hosts: + - http://elasticsearch:9200 + password: changeme + type: elasticsearch + username: elastic + secret_references: [] + agent: + monitoring: + enabled: true + logs: true + metrics: true + namespace: default + use_output: default + inputs: + - data_stream: + namespace: default + id: filestream-container-logs + streams: + - data_stream: + dataset: kubernetes.container_logs + type: logs + id: kubernetes-container-logs-${kubernetes.pod.name}-${kubernetes.container.id} + parsers: + - container: + format: auto + stream: all + paths: + - 
/var/log/containers/*${kubernetes.container.id}.log + processors: + - add_fields: + fields: + annotations.elastic_co/dataset: ${kubernetes.annotations.elastic.co/dataset|""} + annotations.elastic_co/namespace: ${kubernetes.annotations.elastic.co/namespace|""} + annotations.elastic_co/preserve_original_event: ${kubernetes.annotations.elastic.co/preserve_original_event|""} + target: kubernetes + - drop_fields: + fields: + - kubernetes.annotations.elastic_co/dataset + ignore_missing: true + when: + equals: + kubernetes.annotations.elastic_co/dataset: "" + - drop_fields: + fields: + - kubernetes.annotations.elastic_co/namespace + ignore_missing: true + when: + equals: + kubernetes.annotations.elastic_co/namespace: "" + - drop_fields: + fields: + - kubernetes.annotations.elastic_co/preserve_original_event + ignore_missing: true + when: + equals: + kubernetes.annotations.elastic_co/preserve_original_event: "" + - add_tags: + tags: + - preserve_original_event + when: + and: + - has_fields: + - kubernetes.annotations.elastic_co/preserve_original_event + - regexp: + kubernetes.annotations.elastic_co/preserve_original_event: ^(?i)true$ + prospector.scanner.symlinks: true + type: filestream + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.container + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.container + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.container + metricsets: + - container + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.node + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.node + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: 
kubernetes/metrics-kubernetes.node + metricsets: + - node + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.pod + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.pod + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.pod + metricsets: + - pod + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.system + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.system + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.system + metricsets: + - system + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + - data_stream: + namespace: default + id: kubernetes/metrics-kubernetes.volume + streams: + - add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + data_stream: + dataset: kubernetes.volume + type: metrics + hosts: + - https://${env.NODE_NAME}:10250 + id: kubernetes/metrics-kubernetes.volume + metricsets: + - volume + period: 10s + ssl.verification_mode: none + type: kubernetes/metrics + use_output: default + providers: + kubernetes: + node: ${NODE_NAME} + scope: node + kubernetes_leaderelection: + enabled: false + leader_lease: example-pernode +--- +# Source: elastic-agent/templates/agent/cluster-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-clusterWide-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + 
app.kubernetes.io/managed-by: Helm + annotations: + elastic-agent.k8s.elastic.co/cr: nginx +rules: + - apiGroups: [ "" ] # "" indicates the core API group + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: [ "coordination.k8s.io" ] + resources: + - leases + verbs: + - get + - create + - update + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: [ "apps" ] + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch +--- +# Source: elastic-agent/templates/agent/cluster-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-ksmSharded-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm + annotations: + elastic-agent.k8s.elastic.co/cr: nginx +rules: + - apiGroups: [ "" ] # 
"" indicates the core API group + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - apiGroups: [ "coordination.k8s.io" ] + resources: + - leases + verbs: + - get + - create + - update + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: [ "apps" ] + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + - pods + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes + - nodes/metrics + - nodes/proxy + - nodes/stats + - services + - events + - configmaps + - secrets + - nodes + - pods + - services + - serviceaccounts + - resourcequotas + - replicationcontrollers + - limitranges + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - apiGroups: + - 
storage.k8s.io + resources: + - storageclasses + - volumeattachments + verbs: + - get + - watch + - list + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - ingressclasses + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - get + - list + - watch +--- +# Source: elastic-agent/templates/agent/cluster-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-perNode-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm + annotations: + elastic-agent.k8s.elastic.co/cr: nginx +rules: + - apiGroups: [ "" ] # "" indicates the core API group + resources: + - nodes + - namespaces + - events + - pods + - services + - configmaps + - persistentvolumes + - persistentvolumeclaims + - persistentvolumeclaims/status + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - get + - watch + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - watch + - list + - nonResourceURLs: + - /metrics + verbs: + - get + - watch + - list + - 
apiGroups: [ "coordination.k8s.io" ] + resources: + - leases + verbs: + - get + - create + - update + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - apiGroups: [ "apps" ] + resources: + - replicasets + - deployments + - daemonsets + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: [ "batch" ] + resources: + - jobs + - cronjobs + verbs: + - get + - list + - watch +--- +# Source: elastic-agent/templates/agent/cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-clusterWide-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: user-sa-clusterWide + namespace: "default" +roleRef: + kind: ClusterRole + name: agent-clusterWide-example-default + apiGroup: rbac.authorization.k8s.io +--- +# Source: elastic-agent/templates/agent/cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-ksmSharded-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: user-sa-ksmSharded + namespace: "default" +roleRef: + kind: ClusterRole + name: agent-ksmSharded-example-default + apiGroup: rbac.authorization.k8s.io +--- +# Source: elastic-agent/templates/agent/cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-perNode-example-default + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 
9.0.0 + app.kubernetes.io/managed-by: Helm +subjects: + - kind: ServiceAccount + name: user-sa-perNode + namespace: "default" +roleRef: + kind: ClusterRole + name: agent-perNode-example-default + apiGroup: rbac.authorization.k8s.io +--- +# Source: elastic-agent/templates/agent/k8s/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: agent-pernode-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + name: agent-pernode-example + template: + metadata: + labels: + name: agent-pernode-example + annotations: + checksum/config: 233affcd72143e637a130b5f099c30e194d90042eb00a26512f51c844c65a821 + spec: + automountServiceAccountToken: true + containers: + - args: + - -c + - /etc/elastic-agent/agent.yml + - -e + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: STATE_PATH + value: /usr/share/elastic-agent/state + - name: ELASTIC_NETINFO + value: "false" + image: docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT + imagePullPolicy: IfNotPresent + name: agent + resources: + limits: + memory: 1000Mi + requests: + cpu: 100m + memory: 400Mi + securityContext: + capabilities: + add: + - DAC_READ_SEARCH + - CHOWN + - SETPCAP + - SYS_PTRACE + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsUser: 1000 + volumeMounts: + - mountPath: /hostfs/proc + name: proc + readOnly: true + - mountPath: /hostfs/sys/fs/cgroup + name: cgroup + readOnly: true + - mountPath: /var/lib/docker/containers + name: varlibdockercontainers + readOnly: true + - mountPath: /var/log + name: varlog + readOnly: true + - mountPath: /hostfs/etc + name: etc-full + readOnly: true + - mountPath: /hostfs/var/lib + name: var-lib + readOnly: true + - mountPath: 
/usr/share/elastic-agent/state + name: agent-data + - mountPath: /etc/elastic-agent/agent.yml + name: config + readOnly: true + subPath: agent.yml + dnsPolicy: ClusterFirstWithHostNet + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: user-sa-perNode + volumes: + - hostPath: + path: /proc + name: proc + - hostPath: + path: /sys/fs/cgroup + name: cgroup + - hostPath: + path: /var/lib/docker/containers + name: varlibdockercontainers + - hostPath: + path: /var/log + name: varlog + - hostPath: + path: /etc + name: etc-full + - hostPath: + path: /var/lib + name: var-lib + - hostPath: + path: /etc/elastic-agent/default/agent-pernode-example/state + type: DirectoryOrCreate + name: agent-data + - name: config + secret: + defaultMode: 292 + secretName: agent-pernode-example +--- +# Source: elastic-agent/templates/agent/k8s/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent-clusterwide-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + name: agent-clusterwide-example + template: + metadata: + labels: + name: agent-clusterwide-example + annotations: + checksum/config: 97e62ed0d731dea2ecadf31b0a7b4160db1b8a253589b7324f3a381af2519591 + spec: + automountServiceAccountToken: true + containers: + - args: + - -c + - /etc/elastic-agent/agent.yml + - -e + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: STATE_PATH + value: /usr/share/elastic-agent/state + - name: ELASTIC_NETINFO + value: "false" + image: docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT + imagePullPolicy: IfNotPresent + name: agent + resources: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 400Mi + securityContext: + capabilities: + add: + - 
CHOWN + - SETPCAP + - DAC_READ_SEARCH + - SYS_PTRACE + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsUser: 1000 + volumeMounts: + - mountPath: /usr/share/elastic-agent/state + name: agent-data + - mountPath: /etc/elastic-agent/agent.yml + name: config + readOnly: true + subPath: agent.yml + dnsPolicy: ClusterFirstWithHostNet + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: user-sa-clusterWide + volumes: + - emptyDir: {} + name: agent-data + - name: config + secret: + defaultMode: 292 + secretName: agent-clusterwide-example +--- +# Source: elastic-agent/templates/agent/k8s/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: agent-ksmsharded-example + namespace: "default" + labels: + helm.sh/chart: elastic-agent-0.0.1 + app.kubernetes.io/name: elastic-agent + app.kubernetes.io/instance: example + app.kubernetes.io/version: 9.0.0 + app.kubernetes.io/managed-by: Helm +spec: + selector: + matchLabels: + name: agent-ksmsharded-example + template: + metadata: + labels: + name: agent-ksmsharded-example + annotations: + checksum/config: 3b64edf7317419b11b0aef4cd10cad04037b7bc0b6866da25871b47b41c04490 + spec: + automountServiceAccountToken: true + containers: + - args: + - --pod=$(POD_NAME) + - --pod-namespace=$(POD_NAMESPACE) + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.12.0 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + name: kube-state-metrics + ports: + - containerPort: 8080 + name: http-metrics + - containerPort: 8081 + name: telemetry + readinessProbe: + httpGet: + path: / + port: 8081 + initialDelaySeconds: 5 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 
+ seccompProfile: + type: RuntimeDefault + - args: + - -c + - /etc/elastic-agent/agent.yml + - -e + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: STATE_PATH + value: /usr/share/elastic-agent/state + - name: ELASTIC_NETINFO + value: "false" + image: docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT + imagePullPolicy: IfNotPresent + name: agent + resources: + limits: + memory: 800Mi + requests: + cpu: 100m + memory: 400Mi + securityContext: + capabilities: + add: + - CHOWN + - SETPCAP + - DAC_READ_SEARCH + - SYS_PTRACE + drop: + - ALL + privileged: false + runAsGroup: 1000 + runAsUser: 1000 + volumeMounts: + - mountPath: /usr/share/elastic-agent/state + name: agent-data + - mountPath: /etc/elastic-agent/agent.yml + name: config + readOnly: true + subPath: agent.yml + dnsPolicy: ClusterFirstWithHostNet + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: user-sa-ksmSharded + volumes: + - emptyDir: {} + name: agent-data + - name: config + secret: + defaultMode: 292 + secretName: agent-ksmsharded-example diff --git a/deploy/helm/elastic-agent/templates/agent/_helpers.tpl b/deploy/helm/elastic-agent/templates/agent/_helpers.tpl index e2eba441277..368a31c7e5a 100644 --- a/deploy/helm/elastic-agent/templates/agent/_helpers.tpl +++ b/deploy/helm/elastic-agent/templates/agent/_helpers.tpl 
@@ -284,10 +284,12 @@ app.kubernetes.io/version: {{ .Values.agent.version}}
 {{- $ := index . 0 -}}
 {{- $preset := index . 1 -}}
 {{- $templateName := index . 2 -}}
-{{- $presetRules := dig "rules" (list) $preset -}}
+{{- if eq ($preset).clusterRole.create true -}}
+{{- $presetClusterRoleRules := dig "rules" (list) ($preset).clusterRole -}}
 {{- $rulesToAdd := get (include $templateName $ | fromYaml) "rules" -}}
-{{- $presetRules = uniq (concat $presetRules $rulesToAdd) -}}
-{{- $_ := set $preset "rules" $presetRules -}}
+{{- $presetClusterRoleRules = uniq (concat $presetClusterRoleRules $rulesToAdd) -}}
+{{- $_ := set ($preset).clusterRole "rules" $presetClusterRoleRules -}}
+{{- end -}}
 {{- end -}}
 
 {{- define "elasticagent.preset.mutate.annotations" -}}
diff --git a/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml b/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml
index 3181f9d529f..2b6521a1765 100644
--- a/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/cluster-role-binding.yaml
@@ -1,6 +1,6 @@
 {{- include "elasticagent.init" $ -}}
 {{- range $presetName, $presetVal := $.Values.agent.presets -}}
-{{- $serviceAccountName := include "elasticagent.preset.fullname" (list $ $presetName) -}}
+{{- if or (eq $presetVal.clusterRole.create true) (eq $presetVal.serviceAccount.create true) -}}
 {{/* cluster role binding is not namespace bound so let's try to give it a unique enough name */}}
 {{- $clusterRoleName := printf "agent-%s-%s-%s" $presetName $.Release.Name $.Release.Namespace -}}
 apiVersion: rbac.authorization.k8s.io/v1
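Review bot: The rules merge is now skipped entirely when `clusterRole.create` is false, so a user-supplied ClusterRole must already contain every rule that `include $templateName` would have contributed, and nothing in the template says so. A comment above the new `if`, such as `{{/* integration rules are only merged into chart-managed cluster roles; with clusterRole.create=false the referenced role must already grant them */}}`, would make that contract explicit to whoever audits the rendered RBAC. Also, `($preset).clusterRole.create` is dereferenced unguarded, so a preset that omits the `clusterRole` map would, as far as I can tell, fail at render time with a nil-pointer evaluation error rather than a schema message; that is acceptable only if schema validation is enforced on every install path. The `define` that encloses this block starts outside the hunk.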
@@ -18,11 +18,20 @@ metadata:
 {{- end }}
 subjects:
 - kind: ServiceAccount
- name: {{ $serviceAccountName }}
+ {{- if eq $presetVal.serviceAccount.create true }}
+ name: {{ include "elasticagent.preset.fullname" (list $ $presetName) }}
+ {{- else }}
+ name: {{ $presetVal.serviceAccount.name }}
+ {{- end }}
 namespace: {{ $.Release.Namespace | quote }}
 roleRef:
 kind: ClusterRole
+ {{- if eq $presetVal.clusterRole.create true }}
 name: {{ $clusterRoleName }}
+ {{- else }}
+ name: {{ $presetVal.clusterRole.name }}
+ {{- end }}
 apiGroup: rbac.authorization.k8s.io
 ---
 {{- end }}
+{{- end }}
diff --git a/deploy/helm/elastic-agent/templates/agent/cluster-role.yaml b/deploy/helm/elastic-agent/templates/agent/cluster-role.yaml
index 5ee94e1cb63..187d96f79d6 100644
--- a/deploy/helm/elastic-agent/templates/agent/cluster-role.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/cluster-role.yaml
@@ -1,5 +1,6 @@
 {{- include "elasticagent.init" $ -}}
 {{- range $presetName, $presetVal := $.Values.agent.presets -}}
+{{- if eq $presetVal.clusterRole.create true -}}
 {{/* cluster role binding is not namespace bound so let's try to give it a unique enough name */}}
 {{- $clusterRoleName := printf "agent-%s-%s-%s" $presetName $.Release.Name $.Release.Namespace -}}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -11,7 +12,9 @@ metadata:
 {{- with ($presetVal).labels -}}
 {{ toYaml . | nindent 4 }}
 {{- end }}
- {{- with ($presetVal).annotations }}
+ {{- $presetValAnnotations := ($presetVal).annotations | default dict }}
+ {{- $clusterRoleAnnotations := ($presetVal).clusterRole.annotations | default dict }}
+ {{- with (merge dict $presetValAnnotations $clusterRoleAnnotations) }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
@@ -84,8 +87,9 @@ rules:
 - get
 - list
 - watch
- {{- with ($presetVal).rules }}
+ {{- with ($presetVal).clusterRole.rules }}
 {{- toYaml . | nindent 2 }}
 {{- end }}
 ---
 {{- end }}
+{{- end }}
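Review bot: With both `serviceAccount.create` and `clusterRole.create` false, the `if or` guard in the first hunk suppresses the ClusterRoleBinding altogether, so the user's ServiceAccount is never bound to the user's ClusterRole unless they do it themselves, while with only `clusterRole.create: false` the chart binds its own ServiceAccount to whatever role name the values supply. Neither combination is documented; a comment next to the guard, e.g. `{{/* no binding is rendered when both the service account and the cluster role are user-managed; the user is expected to bind them */}}`, would make the intent visible to whoever reviews rendered RBAC. The subject's namespace stays `$.Release.Namespace` even when the name comes from `serviceAccount.name`, which matches where the pods run but should be stated in the schema description of that field.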
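Review bot: In the annotations hunk of cluster-role.yaml, `merge dict $presetValAnnotations $clusterRoleAnnotations` lets the preset-level map win: sprig's `merge` keeps the value already present in the destination and earlier sources on a key collision, so a key set at both levels renders with the preset-wide value and the ClusterRole-specific one is silently dropped. If the more specific map is meant to override, swap the sources: `{{- with (merge dict $clusterRoleAnnotations $presetValAnnotations) }}`. The service-account.yaml hunk has the same ordering with `$serviceAccountAnnotations` and would need the same swap.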
diff --git a/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml b/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml
index 7272a9417ff..38dd07a7f54 100644
--- a/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/eck/_pod_template.yaml
@@ -13,12 +13,20 @@ template:
 {{- with ($presetVal).hostPID }}
 hostPID: {{ . }}
 {{- end }}
+ {{- if eq (dig "automountServiceAccountToken" true $presetVal) true }}
 automountServiceAccountToken: true
+ {{- else }}
+ automountServiceAccountToken: false
+ {{- end }}
 {{- with ($presetVal).nodeSelector }}
 nodeSelector:
 {{- . | toYaml | nindent 6 }}
 {{- end }}
+ {{- if eq ($presetVal).serviceAccount.create true }}
 serviceAccountName: {{ $agentName }}
+ {{- else }}
+ serviceAccountName: {{ ($presetVal).serviceAccount.name }}
+ {{- end }}
 {{- with ($presetVal).affinity }}
 affinity:
 {{- . | toYaml | nindent 6 }}
diff --git a/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml b/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml
index ade4aacf672..ea666ffd0c1 100644
--- a/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/k8s/_pod_template.yaml
@@ -13,12 +13,20 @@ template:
 {{- with ($presetVal).hostPID }}
 hostPID: {{ . }}
 {{- end }}
+ {{- if eq (dig "automountServiceAccountToken" true $presetVal) true }}
 automountServiceAccountToken: true
+ {{- else }}
+ automountServiceAccountToken: false
+ {{- end }}
 {{- with ($presetVal).nodeSelector }}
 nodeSelector:
 {{- . | toYaml | nindent 6 }}
 {{- end }}
+ {{- if eq ($presetVal).serviceAccount.create true }}
 serviceAccountName: {{ $agentName }}
+ {{- else }}
+ serviceAccountName: {{ ($presetVal).serviceAccount.name }}
+ {{- end }}
 {{- with ($presetVal).affinity }}
 affinity:
 {{- . | toYaml | nindent 6 }}
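Review bot: The `if`/`else` around `automountServiceAccountToken` in both the eck and k8s `_pod_template.yaml` hunks emits nothing but the boolean `dig` already returned, so it collapses to one line: `automountServiceAccountToken: {{ dig "automountServiceAccountToken" true $presetVal }}`. The `else` branch of the `serviceAccountName` block renders `($presetVal).serviceAccount.name` bare; if that value were empty the field renders as null and the pod would run under the namespace's `default` ServiceAccount, so the only thing preventing that is the `minLength: 1` rule in values.schema.json, which deserves a pointer here such as `{{/* serviceAccount.name is validated non-empty by values.schema.json when create is false */}}`. The enclosing pod template starts and ends outside the hunk.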
diff --git a/deploy/helm/elastic-agent/templates/agent/service-account.yaml b/deploy/helm/elastic-agent/templates/agent/service-account.yaml
index 832ceccb55c..890fa719446 100644
--- a/deploy/helm/elastic-agent/templates/agent/service-account.yaml
+++ b/deploy/helm/elastic-agent/templates/agent/service-account.yaml
@@ -1,5 +1,6 @@
 {{- include "elasticagent.init" $ -}}
 {{- range $presetName, $presetVal := $.Values.agent.presets -}}
+{{- if eq $presetVal.serviceAccount.create true -}}
 {{- $agentName := include "elasticagent.preset.fullname" (list $ $presetName) -}}
 apiVersion: v1
 kind: ServiceAccount
@@ -11,9 +12,12 @@ metadata:
 {{- with ($presetVal).labels -}}
 {{ toYaml . | nindent 4 }}
 {{- end }}
- {{- with ($presetVal).annotations }}
+ {{- $presetValAnnotations := ($presetVal).annotations | default dict }}
+ {{- $serviceAccountAnnotations := ($presetVal).serviceAccount.annotations | default dict }}
+ {{- with merge dict $presetValAnnotations $serviceAccountAnnotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 ---
 {{- end }}
+{{- end }}
diff --git a/deploy/helm/elastic-agent/values.schema.json b/deploy/helm/elastic-agent/values.schema.json
index 05fa9281af7..694b922ea52 100644
--- a/deploy/helm/elastic-agent/values.schema.json
+++ b/deploy/helm/elastic-agent/values.schema.json
@@ -1003,6 +1003,14 @@
 ]
 ]
 },
+ "automountServiceAccountToken": {
+ "type": "boolean",
+ "description": "Automount service account token for the deployment.",
+ "examples": [
+ true
+ ],
+ "default": true
+ },
 "hostNetwork": {
 "type": "boolean",
 "description": "Enable host networking for the deployment.",
@@ -1044,29 +1052,11 @@
 }
 ]
 },
- "rules": {
- "type": "array",
- "items": {
- "type": "object"
- },
- "description": "Rules for the deployment.",
- "examples": [
- [
- {
- "apiGroups": [
- ""
- ],
- "resources": [
- "pods"
- ],
- "verbs": [
- "get",
- "watch",
- "list"
- ]
- }
- ]
- ]
+ "serviceAccount": {
+ "$ref": "#/definitions/AgentPresetServiceAccount"
+ },
+ "clusterRole": {
+ "$ref": "#/definitions/AgentPresetClusterRole"
 },
 "nodeSelector": {
 "type": "object",
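Review bot: The preset-level `rules` property is removed with no replacement entry, so a values file that still carries `rules:` at preset level keeps validating unless `AgentPreset` sets `additionalProperties: false` (not visible in this hunk), and the extra RBAC it was meant to grant simply never renders — which surfaces only as permission errors from the agent at runtime. A rejecting placeholder makes the migration explicit at `helm install` time: `"rules": { "not": {}, "description": "Moved to clusterRole.rules." }`. The two new `$ref` entries could also carry a `description` pointing at the definitions, since this is the first place a reader of the preset schema meets them.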
@@ -1247,7 +1237,173 @@
 }
 },
 "required": [
- "mode"
+ "mode",
+ "serviceAccount",
+ "clusterRole"
+ ]
+ },
+ "AgentPresetClusterRole": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean",
+ "description": "Create the cluster role.",
+ "default": true
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the cluster role to use if create is set to false."
+ },
+ "annotations": {
+ "type": "object",
+ "description": "Annotations for the cluster role if create is set to true."
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ },
+ "description": "Rules for the cluster role to create if create is set to true.",
+ "examples": [
+ [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "resources": [
+ "pods"
+ ],
+ "verbs": [
+ "get",
+ "watch",
+ "list"
+ ]
+ }
+ ]
+ ]
+ }
+ },
+ "examples": [
+ {
+ "create": true,
+ "name": ""
+ }
+ ],
+ "required": [
+ "create"
+ ],
+ "allOf": [
+ {
+ "if": {
+ "properties": {
+ "create": {
+ "const": false
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "required": [
+ "create",
+ "name"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "create": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "name": {
+ "type": "string",
+ "maxLength": 0
+ }
+ },
+ "required": [
+ "create"
+ ]
+ }
+ }
+ ]
+ },
+ "AgentPresetServiceAccount": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean",
+ "description": "Create the service account.",
+ "default": true
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the service account to use if create is set to false."
+ },
+ "annotations": {
+ "type": "object",
+ "description": "Annotations for the service account if create is set to true."
+ }
+ },
+ "examples": [
+ {
+ "create": true,
+ "name": ""
+ }
+ ],
+ "required": [
+ "create"
+ ],
+ "allOf": [
+ {
+ "if": {
+ "properties": {
+ "create": {
+ "const": false
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "name": {
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "required": [
+ "create",
+ "name"
+ ]
+ }
+ },
+ {
+ "if": {
+ "properties": {
+ "create": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "name": {
+ "type": "string",
+ "maxLength": 0
+ }
+ },
+ "required": [
+ "create"
+ ]
+ }
+ }
 ]
 },
 "SystemLogsStreamVars": {
diff --git a/deploy/helm/elastic-agent/values.yaml b/deploy/helm/elastic-agent/values.yaml
index 2a97bd9595a..ba625c8c48e 100644
--- a/deploy/helm/elastic-agent/values.yaml
+++ b/deploy/helm/elastic-agent/values.yaml
@@ -385,7 +385,6 @@ agent:
 # extraContainers: []
 # resources: {}
 # securityContext: {}
- # rules: []
 # nodeSelector: {}
 # tolerations: []
 # topologySpreadConstraints: []
@@ -400,6 +399,10 @@ agent:
 # clusterWide preset is required by the built-in kubernetes integration
 clusterWide:
 mode: deployment
+ serviceAccount:
+ create: true
+ clusterRole:
+ create: true
 resources:
 limits:
 memory: 800Mi
@@ -431,6 +434,10 @@ agent:
 perNode:
 ## required by the built-in kubernetes integration
 mode: daemonset
+ serviceAccount:
+ create: true
+ clusterRole:
+ create: true
 resources:
 limits:
 memory: 1000Mi
@@ -456,6 +463,10 @@ agent:
 ksmSharded:
 ## required by the built-in kubernetes integration
 mode: statefulset
+ serviceAccount:
+ create: true
+ clusterRole:
+ create: true
 resources:
 limits:
 memory: 800Mi
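Review bot: `AgentPresetClusterRole.rules` validates each entry only as `"type": "object"`, so a typo such as `verb:` or `resource:` passes the schema and is only rejected by the API server at install time; `"items": { "type": "object", "required": ["verbs"] }` is a cheap first check that catches the most common slip. The `"default": true` on both `create` properties is annotation only — Helm's schema validation does not inject defaults into values — so a preset that omits `create` fails the `required` list rather than defaulting to true; that is consistent with the `eq ... true` tests in the templates but should be said in the description, e.g. `"description": "Create the cluster role. Must be set explicitly; the default is informational."`. The same applies to `AgentPresetServiceAccount`, which duplicates the whole `allOf` block and could share it via a `$ref`.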
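Review bot: The commented reference block in the first values.yaml hunk drops `# rules: []` but gains no example of the keys that replaced it, so `serviceAccount` and `clusterRole` — now listed as required for every preset in values.schema.json — are undocumented in values.yaml. Add commented entries to that block for `serviceAccount` (`create`, `name`, `annotations`) and `clusterRole` (`create`, `name`, `annotations`, `rules`), mirroring the schema definitions, where `# rules: []` used to sit. The three built-in presets set `create: true` for both without saying what `create: false` implies; a one-line remark that `create: false` requires `name` and that the referenced ClusterRole must already grant the rules the built-in kubernetes integration needs would save a support round-trip.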