[Ingest Manager] Hosted Agents cannot be upgraded, unenrolled or reassigned to a different config

[ruflin]

Hosted Agent are agent managed outside of Fleet and Kibana, one of the use case is to spin up an Agent on Cloud and have it managed by the Fleet application.

AC

• Define hosted Agent Policy concept in Fleet.
  • Flag in policy?
  • Should not built only for cloud, an admin should be able to set theses restrictions.
  • We should have an API to configure it
  • Integration should be editable, we expect integration author to do the right thing and limit what can be edited.
• Research if we can ensure the right behavior of Hosted Agent policy and restrict the super user.
• Capabilities restrictions
  • [Fleet] Upgrade-related restrictions for agents in managed policies #90434 An Agent enrolled in a managed Agent policy cannot be upgraded.
  • [Fleet] Upgrade-related restrictions for agents in managed policies #90434 Agents in a managed policy aren't listed as upgrade available, even if the version is lower
  • An Agent enrolled in an Hosted Agent policy cannot be unenrolled.
  • [Fleet] Agents cannot enroll in managed policies #90435 No Agents can be enrolled into this policy by the user.
    • Need to figure out the workflow
    • Hide the enrollment key? will check agent policy same as other actions
    • [Fleet] Agents cannot enroll in managed policies #90435 ? The install & enroll commands should print an error to the console if the enroll command fails (due to being a managed policy or any other reason)
  • Agents cannot be moved into this policy.
  • Agents cannot be added to this policy from Fleet
  • An Agent enrolled in a managed Agent policy cannot be reassigned to a different configuration.
  • [Fleet] Cannot add / remove integrations from managed policy  #90445 Integrations cannot be added, unless with a force flag
  • [Fleet] Cannot add / remove integrations from managed policy  #90445 Integrations cannot be removed, unless with a force flag
  • [Fleet] Don't allow a managed policy to be deleted #90448 Managed policy cannot be deleted, unless with a force flag
• As a user I should be prevented to do these actions. They'll be hidden and/or show errors from API
• As an API user I should receive error messages. Except for those places where a force flag is mentioned
• [Fleet] [Managed Policies] Bulk actions changes #90437 Bulk API actions (/agents/bulk_{reassign,unenroll,upgrade}) will error if any item is invalid/forbidden
• If making a single "flag" is easier/faster let's do it.

implementation steps to understand the initial problem:

• Add managed true to the policy and see if we can block unenrolled.
• Implement an agent should not be able to be reassigned to a different configuration when enrolled into a managed policy.
• Initially we do not need to exposed to the managed to the user.

Out of scope

• Restriction on integration configuration.
• Restriction on input.
• Cloud specific error messaging.
• ECK/ESS specific error message.

Questions:

• What is the user experience when an agent is not upgradable.
• How the managed experience is handled in the UI?
  • How errors are reported, can we use something we already have?
  • How a user is expected to configure the Managed state of an Agent Policy? @mostlyjason

[elasticmachine]

Pinging @elastic/ingest-management (Team:Ingest Management)

[ph]

@ruflin Can you clarify, the enforce would be at the Agent policy not on the Agent itself?

[ruflin]

I expect this to be set during enrollment time on the Elastic Agent side. An Elastic Agent defines if it can accept a different policy or not, not the policy.

[ph]

@jfsiii Can you take a look at this and we can build the AC together?
@mostlyjason This is mostly to limit the actions that we have today, but some AC could be driven by product.

[mostlyjason]

When a user attempts to take an action, a generic error message could say something like:

This agent is hosted by Elastic Cloud and cannot be <removed/upgraded/reassigned> through Fleet.

I'm hoping Elastic Cloud is generic enough to include ESS/ECE/ECK? If not, what is a better term?

It'd be nicer if we had some metadata available in Fleet that allowed us to offer a more specific/helpful message based on which service is hosting the agent. Even better if we could link to the appropriate cloud console URL and deployment ID.

This agent is hosted by <Elastic Cloud/ECE/ECK>. Please <remove/upgrade/reassign> it through <the Elastic Cloud Console/Kubernetes>(link) instead.

What do we think is possible given our technical capabilities and timeline?

[mostlyjason]

Also, I just realized that Elastic Cloud is not the only use case for preventing changes. For example, users on self-managed Kubernetes clusters may want to put these restrictions in place too. To support this, we'd need to expose some kind of setting or metadata on the agent. Perhaps something like agent.metadata.orchestrated = true. Would this be a lot more work compared to hard coding a condition based on the agent policy being "Hosted agent"? The advantage is that it would be more flexible and extensible.

Also, we'd either need a more generic message or more information about the orchestration solution they are using. I'm leaning towards starting with the generic message to keep things simple, and we can enhance it later.

This agent cannot be <removed/upgraded/reassigned> in Fleet because it is managed by an external orchestration solution, such as Elastic Cloud, Kubernetes, etc. Please make changes using your orchestration solution.

[ruflin]

I consider this a generic feature which is a fully managed policy. So it should work the same on Cloud but also the user on prem could setup this up if he wants.

On top of that, we can build additional logic to improve error messaging for certain environments.

[ph]

I agree with both of you, I have added specific cloud message to be out of scope for first iteration is that correct?

@mostlyjason we will initially develop this feature hidden in the UI, but we should see how we expose that feature to the end user in the UI. I am also assuming that we can reuse the current existing error reporting to reported blocked operation in the UI.

[mostlyjason]

For an individual agent action an error message would work fine, but what about bulk actions? Rather than showing individual errors for each agent that fill up the screen, it'd be nice to have a single error. Perhaps something like this?

One or more agents could not be <unenerolled/reassigned/upgraded> in Fleet because they are managed by an external orchestration solution, such as Elastic Cloud, Kubernetes, etc. Please make changes using your orchestration solution.

@ph I think these error messages would be exposed to users in the Fleet UI, right?

We can do something more sophisticated like showing which agents are affected, or have a specific message for Elastic Cloud, but we can do those as enhancements later. They will require extra data and business logic.

[mostlyjason]

As for exposing this in the UI beyond the error messages such as in the agent policy settings, can we track that on a separate issue? That allows us to prioritize/implement it separately.

[ruflin]

@mostlyjason Not sure I follow. I assume the Elastic Agents which can't be unenrolled would not even show this option. They could not be checked even for bulk actions.

++ on moving these discussions to separate issue(s).

[mostlyjason]

@ph My understanding when you said "we will initially develop this feature hidden in the UI" that meant we aren't making any changes to the UI. We are just showing error messages returned from the API using our current error reporting UI. This seems like the the minimal requirement to protect the agents on Elastic Cloud and communicate to the user. Is that what you had in mind?

@ruflin Writing special functionality in the UI to disable check boxes and menu items would enhance the UX but I assume it'd require extra effort. I figure its better to save our limited capacity for higher priority features. We could file another issue to enhance the UX with these features. What do you think?

[jfsiii]

@ph & @ruflin I started a branch on Friday. I just put it as a draft PR #88688 to get CI. We'll talk more in that issue and this week, but it's there if you want to follow along

[mostlyjason]

I added a new requirement "No agents can be added to this policy from Fleet"

[mostlyjason]

@ph can you confirm that you agree with the initial scope "we aren't making any changes to the UI. We are just showing error messages returned from the API using our current error reporting UI. "

[ruflin]

@mostlyjason Not sure I agree. I would expect if for example an Agent cannot be upgraded, the upgrade action is hidden / greyed out.

[jfsiii]

@mostlyjason Can you expand on "No agents can be added to this policy from Fleet"? Is that different from "No Agents can be moved into this policy" a few points up in the list?

In #88688, any calls to /api/fleet/agents/{id}/reassign will fail if the current or new agent policy are managed, but an agent can be linked to a managed policy by

• POST /api/fleet/agents/enroll to a managed policy (like from ./elastic-agent install -f --enrollment-token=from_managed_policy)
• PUT /api/fleet/agent_policies/1234 { is_managed: true } to update the linked agent policy to managed

Is that in line with what you meant? Should I add or remove anything in that list?

[ph]

@mostlyjason before I commit to that, I want @jfsiii to comment on it, #76843 (comment) for the complexity, not I am not considering this "new UI" work, the widget is there.

[mostlyjason]

After thinking about this some more I could go either way, and considering effort is a good approach. I believe this is not enforced on the agent itself, but on the agent policy in Fleet so Fleet already knows what should be allowed or not. Greying out some menu items seems like less work. What would require more effort potentially are bulk actions. There we'd want to differentiate what subset of agents the action can be performed on, and which it cannot. This allows the user to select all agents on the agents page and upgrade them all in bulk, minus the small number of hosted agents. I imagine we'd want to update the bulk action confirmation dialog with this information.

If we decided not to implement the confirmation message, we could perform the action on all agents and I imagine we'd get an error message on the subset that are not allowed. I imagine this is also how the bulk action API would work.

[mostlyjason]

So here is an easier idea for bulk actions: if any selected agent cannot be upgraded then block the entire bulk action, showing an error in the confirmation dialog and/or on execution. This could work because we have a filter for agents with an upgrade available #76842. If the user applies this filter, they can bulk upgrade the eligible agents. We'd probably want to double check that managed agents aren't listed as upgrade available, even if the version is lower.

[jfsiii]

if any selected agent cannot be upgraded then block the entire bulk action, showing an error in the confirmation dialog and/or on execution

@mostlyjason thanks for spelling this out. I'll update the PR to error if it the list includes a managed policy. It currently silently filters them before calling ES. I was hoping to return an array of success / failure results like the ES client does for other bulk operations, but since the logic is in Kibana and not ES, it's a little more complicated.

I think rejecting early is easiest and perhaps we can come back to allowing the actions on unmanaged policies to succeed while still returning details about why those on a managed policy failed.

[ruflin]

I added 3 checkmarks to the list above:

• Additional integrations can only be added with a force flag
• Integrations can only be removed with a force flag
• The managed policy can only be deleted with a force flag

[mostlyjason]

I added an item to the list above:

• The install & enroll commands should print an error to the console if the enroll command fails (due to being a managed policy or any other error)

[hbharding]

@ruflin should users be able to edit a hosted agent policy's settings such as:

• Name & description
• Default namespace
• Collect agent logs & metrics

Screenshot for Agent policy settings tab

[simitt]

IMO - the Name & Description should not be configurable; but the namespace and whether or not logs & metrics should be collected should be configurable.

[ruflin]

++ on @simitt comment.

[mostlyjason]

@hbharding can you file a separate issue for that? We could have a separate issue to discuss restrictions in integration policies.

[jfsiii]

@ruflin I know we cannot add integrations to, or remove them from, a hosted policy

#90445 Integrations cannot be added, unless with a force flag
#90445 Integrations cannot be removed, unless with a force flag

However, can the integrations that are associated with the hosted policy be updated?

For example, looking at this list of system integrations

Should we be able to click on one in a managed policy (Hosted policy in middle row)

and update the integration name, whether to collect logs, etc?

Another path to the same form is

The current behavior is to show an error about updating integrations of a managed policy

Should I update the API to allow this?

cc @hbharding @mostlyjason this is what we discussed Tuesday
fyi @simitt @ph

[ruflin]

In the case of the apm integration, users must be able to adjust the configs inside the integrations policy also in the managed case.

I wonder what we should do with the name and description. My initial instinct would be to not let users edit name / description as this should have been set on creation time.

[jfsiii]

In the case of the apm integration, users must be able to adjust the configs inside the integrations policy also in the managed case.

@ruflin there's no such exception now. Should this be added for 7.13? If so, let's sync ASAP since FF is ~5 work days away.

[simitt]

The apm integration won't be part of the 7.13 release;
but I am pretty certain that the fleet-server integration introduced config options (connection limits), that users should be able update, cc @scunningham @blakerouse

[ruflin]

@jfsiii Yes, would be great to have it. I don't it matters too much if name / description are editable or not but the configs itself should be.

[ruflin]

BTW this will likely partially overlap with #96319 where @Zacqary and @nchaulet work on.

[dikshachauhan-qasource]

Hi @EricDavisX ,

While converting all proposed scenarios in testcases, we have come up with below query.

Could you please confirm about what is expected from point ' Should not built only for cloud' mentioned in ticket summary AC.

 Define hosted Agent Policy concept in Fleet.
 Flag in policy?
 Should not built only for cloud, an admin should be able to set theses restrictions.

As we are unable to determine how its expected to behave in application.

Thanks
QAS

[dikshachauhan-qasource]

Hi @EricDavisX

We have created 13 testcases for above PR. testcases link is as follows for all linked tickets:

For #76843

• C76991
• C76992
• C76999
• C77000

For #90435

• C76997
• C76998

For #90434

• C76993
• C76994
• C76995

For #90437

• C76996

For #90445

• C77001
• C77002
• C77003

Please let us know if we have missed anything.

[EricDavisX]

@jfsiii and @hbharding would you want to take a look at the test cases created and see how they look?

[jfsiii]

@dikshachauhan-qasource re: #76843 (comment)

Should not built only for cloud, an admin should be able to set theses restrictions.

I believe this is tested & confirmed via the HTTP API for creating them:

curl \
  -X POST localhost:5601/api/fleet/agent_policies \
  -d'{ "name": "A hosted policy", "namespace": "default", "is_managed": true}' \
  -u elastic:changeme \
  -H 'Content-Type: application/json' \
  -H 'kbn-xsrf: true'

There's nothing cloud-specific about it and it's subject to the same "must be superuser" requirement as all Fleet APIs