
elastic-agent manifests: add comments; add cloudnative team as a codeowner for the k8s manifests #708

Merged (10 commits), Jul 25, 2022
4 changes: 3 additions & 1 deletion .github/CODEOWNERS
@@ -1,2 +1,4 @@
# Team responsable for Fleet Server
# Team responsible for Fleet Server
* @elastic/elastic-agent-control-plane

/deploy/kubernetes @elastic/obs-cloudnative-monitoring
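Review bot: with `/deploy/kubernetes @elastic/obs-cloudnative-monitoring` as the last matching pattern, that path becomes owned only by the cloudnative team; CODEOWNERS applies the last matching line, so the `*` rule for @elastic/elastic-agent-control-plane no longer covers those manifests. If both teams are meant to review changes under deploy/kubernetes, list both on the line, for example `/deploy/kubernetes @elastic/obs-cloudnative-monitoring @elastic/elastic-agent-control-plane`. The spelling fix in the header comment (responsible) is correct.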
Contributor Author:

@elastic/elastic-agent-control-plane I am getting an error:

Unknown owner on line 4: make sure the team @elastic/obs-cloudnative-monitoring exists and has write access to the repository 

Who could help me get write access to this repo?

Contributor:

@andresrc this is the one I was talking about. Are there any docs mentioning the process to change this?

Contributor:

@gizas @tetianakravchenko All employees have write access to this repository, but probably in order to add the group to CODEOWNERS the group itself needs to be explicitly added. I have just done that. Please let me know if it works.

Contributor Author:

Yes, it works; now getting: This CODEOWNERS file is valid.

28 changes: 22 additions & 6 deletions deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
Expand Up @@ -14,34 +14,40 @@ spec:
labels:
app: elastic-agent
spec:
# To run Elastic Agent on master nodes
# Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
serviceAccountName: elastic-agent
hostNetwork: true
# 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host.
# Sharing the host process ID namespace gives visibility of all processes running on the same host.
# This enables the Elastic Security integration to observe all process exec events on the host.
hostPID: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: elastic-agent
image: docker.elastic.co/beats/elastic-agent:8.3.0
env:
# Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode
- name: FLEET_ENROLL
value: "1"
# Set to true in case of insecure or unverified HTTP
# Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS
- name: FLEET_INSECURE
value: "true"
# The ip:port pair of fleet server
# URL to enroll the Fleet Server into
- name: FLEET_URL
value: "https://fleet-server:8220"
# If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
# The token to use for Fleet enrollment
Contributor:

Don't think that line 41 is needed

Contributor Author:

done df21c4c

Contributor:

Sorry to jump a bit late here, but why is this not needed? I think we need one sentence of what this token is. @gizas ?

Contributor:

Sorry, it seems I missed that yesterday. I think we can add this link for the token

Contributor @MichaelKatsoulis, Jul 22, 2022:

Why not something like this ?
"# Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens)"

Contributor:

@tetianakravchenko can you add this back before merging and in elastic/kibana#136394 (comment) as well?

Contributor Author:

# If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
- name: FLEET_ENROLLMENT_TOKEN
value: ""
- name: KIBANA_HOST
value: "http://kibana:5601"
# The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet
- name: KIBANA_FLEET_USERNAME
Contributor:

Do we need a link to direct users where to find those values?
After all, this is what the comment is for, if one doesn't know where to search.

Contributor:

If you mean the service_token to enable Fleet, the agent gets them automatically from Kibana when connected

Contributor:

In managed, yes. Maybe this was not the best place to put the comment.

But you get my point: all of these values are somewhere in the portal and the user needs a point of reference. If it makes sense.

Contributor Author @tetianakravchenko, Jul 14, 2022:

I've added info for FLEET_URL and the enrollment token in d9c4344. Regarding KIBANA_*: it depends on the setup (Elastic Cloud or self-managed) and I couldn't find generic documentation

value: "elastic"
# The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet
- name: KIBANA_FLEET_PASSWORD
value: "changeme"
- name: NODE_NAME
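Review bot: the comments on `FLEET_INSECURE` and `KIBANA_FLEET_PASSWORD` should say that the shipped values are placeholders for a development setup: this hunk leaves `FLEET_INSECURE` at "true" and `KIBANA_FLEET_PASSWORD` at "changeme" in clear text in the DaemonSet. Suggest wording such as `# Set to true only when Fleet Server has no trusted certificate; leave unset in production` for the first, and for the Kibana credentials and the enrollment token a note that they should be supplied from a Secret via `valueFrom.secretKeyRef` rather than committed in the manifest. The rewritten `hostPID: true` comment is good: it now states what sharing the host PID namespace exposes, which is what a reviewer of this DaemonSet needs to see.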
Expand Down Expand Up @@ -104,21 +110,28 @@ spec:
- name: varlog
hostPath:
path: /var/log
# Needed for cloudbeat
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
# Needed for cloudbeat
- name: var-lib
hostPath:
path: /var/lib
# Needed for cloudbeat
- name: passwd
hostPath:
path: /etc/passwd
# Needed for cloudbeat
- name: group
hostPath:
path: /etc/group
# Needed for cloudbeat
- name: etcsysmd
hostPath:
path: /etc/systemd
# Mount /etc/machine-id from the host to determine host ID
# Needed for Elastic Security integration
- name: etc-mid
hostPath:
path: /etc/machine-id
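Review bot: `# Needed for cloudbeat` is repeated on five hostPath volumes (/etc/kubernetes, /var/lib, /etc/passwd, /etc/group, /etc/systemd) without saying what cloudbeat reads from them, and these mounts expose sensitive host files to the pod (control plane and kubelet configuration under /etc/kubernetes, kubelet and container runtime state under /var/lib). One comment above the group stating the purpose, plus a note that the matching volumeMounts should be readOnly, would let whoever reviews the host exposure decide whether each mount is justified. The /etc/machine-id pair of comments is the model to follow: it says both why the mount exists and which integration uses it.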
Expand Down Expand Up @@ -180,6 +193,7 @@ rules:
- pods
- services
- configmaps
# Needed for cloudbeat
Contributor:

Either keep Needed or Required to have all lines aligned

Contributor Author:

done df21c4c

- serviceaccounts
- persistentvolumes
- persistentvolumeclaims
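Review bot: `# Needed for cloudbeat` sits between `- configmaps` and `- serviceaccounts` inside one `resources:` list, so it is ambiguous whether it covers only serviceaccounts or also the persistentvolumes and persistentvolumeclaims entries below it. Make the scope explicit, for example `# serviceaccounts, persistentvolumes and persistentvolumeclaims are needed for cloudbeat`, or move the cloudbeat resources into their own rule so the comment can sit above the rule as it does in the later hunks.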
Expand Down Expand Up @@ -211,18 +225,20 @@ rules:
- jobs
- cronjobs
verbs: [ "get", "list", "watch" ]
# required for apiserver
# Required for apiserver
- nonResourceURLs:
- "/metrics"
verbs:
- get
# Needed for cloudbeat
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
- clusterrolebindings
- clusterroles
- rolebindings
- roles
verbs: ["get", "list", "watch"]
# Needed for cloudbeat
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
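Review bot: the capitalisation change on `# Required for apiserver` leaves it as the only rule comment using "Required" while the two rules directly below use "Needed for cloudbeat"; the review comment on the earlier hunk asked for one wording, so align this line too. Separately, the `policy` rule grants get/list/watch on `podsecuritypolicies`, a deprecated API; a short comment saying it is only relevant on clusters that still serve PodSecurityPolicy would help whoever prunes this ClusterRole later.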
Expand All @@ -232,7 +248,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: elastic-agent
# should be the namespace where elastic-agent is running
# Should be the namespace where elastic-agent is running
namespace: kube-system
labels:
k8s-app: elastic-agent
Expand Up @@ -14,34 +14,40 @@ spec:
labels:
app: elastic-agent
spec:
# To run Elastic Agent on master nodes
# Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
serviceAccountName: elastic-agent
hostNetwork: true
# 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host.
# Sharing the host process ID namespace gives visibility of all processes running on the same host.
# This enables the Elastic Security integration to observe all process exec events on the host.
hostPID: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: elastic-agent
image: docker.elastic.co/beats/elastic-agent:%VERSION%
env:
# Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode
- name: FLEET_ENROLL
value: "1"
# Set to true in case of insecure or unverified HTTP
# Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS
- name: FLEET_INSECURE
value: "true"
# The ip:port pair of fleet server
# URL to enroll the Fleet Server into
- name: FLEET_URL
value: "https://fleet-server:8220"
# If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
# The token to use for Fleet enrollment
# If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
- name: FLEET_ENROLLMENT_TOKEN
value: ""
- name: KIBANA_HOST
value: "http://kibana:5601"
# The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet
- name: KIBANA_FLEET_USERNAME
value: "elastic"
# The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet
- name: KIBANA_FLEET_PASSWORD
value: "changeme"
- name: NODE_NAME
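Review bot: the `%VERSION%` image tag shows this is the template from which elastic-agent-managed-kubernetes.yaml is rendered, so the agreed wording changes from the review thread (the Fleet enrollment tokens link proposed for the token comment) need to land here as well, or the next render will drop them from the generated file. Two further wording points in this hunk: `# URL to enroll the Fleet Server into` reads as if the Fleet Server itself is being enrolled, where `# URL of the Fleet Server to enroll into` is what `FLEET_URL` means; and `# The token to use for Fleet enrollment` followed by `# If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed` is two comments on one variable, so merge them into a single sentence.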
Expand Down Expand Up @@ -104,21 +110,28 @@ spec:
- name: varlog
hostPath:
path: /var/log
# Needed for cloudbeat
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
# Needed for cloudbeat
- name: var-lib
hostPath:
path: /var/lib
# Needed for cloudbeat
- name: passwd
hostPath:
path: /etc/passwd
# Needed for cloudbeat
- name: group
hostPath:
path: /etc/group
# Needed for cloudbeat
- name: etcsysmd
hostPath:
path: /etc/systemd
# Mount /etc/machine-id from the host to determine host ID
# Needed for Elastic Security integration
- name: etc-mid
hostPath:
path: /etc/machine-id