elastic-agent manifests: add comments; add cloudnative team as a codeowner for the k8s manifests #708
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,4 @@ | ||
| # Team responsible for Fleet Server | ||
| * @elastic/elastic-agent-control-plane | ||
|
|
||
| /deploy/kubernetes @elastic/obs-cloudnative-monitoring | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,34 +14,40 @@ spec: | |
| labels: | ||
| app: elastic-agent | ||
| spec: | ||
| # To run Elastic Agent on Kubernetes master nodes | ||
tetianakravchenko marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes | ||
| tolerations: | ||
| - key: node-role.kubernetes.io/master | ||
| effect: NoSchedule | ||
| serviceAccountName: elastic-agent | ||
| hostNetwork: true | ||
| # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. | ||
| # Sharing the host process ID namespace gives visibility of all processes running on the same host. | ||
| hostPID: true | ||
| dnsPolicy: ClusterFirstWithHostNet | ||
| containers: | ||
| - name: elastic-agent | ||
| image: docker.elastic.co/beats/elastic-agent:8.3.0 | ||
| env: | ||
| # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode | ||
| - name: FLEET_ENROLL | ||
| value: "1" | ||
| # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS | ||
| - name: FLEET_INSECURE | ||
| value: "true" | ||
| # URL to enroll the Fleet Server into | ||
tetianakravchenko marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| - name: FLEET_URL | ||
| value: "https://fleet-server:8220" | ||
| # The token to use for Fleet enrollment | ||
|
There was a problem hiding this comment. Dont think that line 41 is needed There was a problem hiding this comment. done df21c4c There was a problem hiding this comment. Sorry to jump a bit late here, but why is this not needed? I think we need one sentence of what this token is. @gizas ? There was a problem hiding this comment. Sorry seems missed that yesterday. I think we can add this link for the token There was a problem hiding this comment. Why not something like this ? There was a problem hiding this comment. @tetianakravchenko can you add this back before merging and in elastic/kibana#136394 (comment) as well? There was a problem hiding this comment. @MichaelKatsoulis done abec343 |
||
| # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed | ||
tetianakravchenko marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| - name: FLEET_ENROLLMENT_TOKEN | ||
| value: "" | ||
| - name: KIBANA_HOST | ||
| value: "http://kibana:5601" | ||
| # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet | ||
| - name: KIBANA_FLEET_USERNAME | ||
|
There was a problem hiding this comment. Do we need a link to direct users where to find those values? There was a problem hiding this comment. If you mean the service_token to enable Fleet, agent gets them automatically from Kibana when connected There was a problem hiding this comment. In managed yes. Maybe was not the best place to put the comment. But you get my point, that all of this values are somewhere in the portal and user needs point of reference. If makes sense. There was a problem hiding this comment. I've added info for FLEET_URL and enrollment token - d9c4344. Regarding KIBANA_*: it depends on the setup - elastic cloud or self-managed and I couldn't find a generic documentation |
||
| value: "elastic" | ||
| # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet | ||
| - name: KIBANA_FLEET_PASSWORD | ||
| value: "changeme" | ||
| - name: NODE_NAME | ||
|
|
@@ -104,21 +110,28 @@ spec: | |
| - name: varlog | ||
| hostPath: | ||
| path: /var/log | ||
| # Needed for cloudbeat | ||
| - name: etc-kubernetes | ||
| hostPath: | ||
| path: /etc/kubernetes | ||
| # Needed for cloudbeat | ||
| - name: var-lib | ||
| hostPath: | ||
| path: /var/lib | ||
| # Needed for cloudbeat | ||
| - name: passwd | ||
| hostPath: | ||
| path: /etc/passwd | ||
| # Needed for cloudbeat | ||
| - name: group | ||
| hostPath: | ||
| path: /etc/group | ||
| # Needed for cloudbeat | ||
| - name: etcsysmd | ||
| hostPath: | ||
| path: /etc/systemd | ||
| # Mount /etc/machine-id from the host to determine host ID | ||
| # Needed for Elastic Security integration | ||
| - name: etc-mid | ||
| hostPath: | ||
| path: /etc/machine-id | ||
|
|
@@ -180,6 +193,7 @@ rules: | |
| - pods | ||
| - services | ||
| - configmaps | ||
| # Needed for cloudbeat | ||
|
There was a problem hiding this comment. Either keep Needed or Required to have all lines aligned There was a problem hiding this comment. done df21c4c |
||
| - serviceaccounts | ||
| - persistentvolumes | ||
| - persistentvolumeclaims | ||
|
|
@@ -211,18 +225,20 @@ rules: | |
| - jobs | ||
| - cronjobs | ||
| verbs: [ "get", "list", "watch" ] | ||
| # Required for apiserver | ||
| - nonResourceURLs: | ||
| - "/metrics" | ||
| verbs: | ||
| - get | ||
| # Needed for cloudbeat | ||
| - apiGroups: ["rbac.authorization.k8s.io"] | ||
| resources: | ||
| - clusterrolebindings | ||
| - clusterroles | ||
| - rolebindings | ||
| - roles | ||
| verbs: ["get", "list", "watch"] | ||
| # Needed for cloudbeat | ||
| - apiGroups: ["policy"] | ||
| resources: | ||
| - podsecuritypolicies | ||
|
|
@@ -232,7 +248,7 @@ apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | ||
| metadata: | ||
| name: elastic-agent | ||
| # Should be the namespace where elastic-agent is running | ||
| namespace: kube-system | ||
| labels: | ||
| k8s-app: elastic-agent | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@elastic/elastic-agent-control-plane I am getting error:
who could help me to get write access to this repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@andresrc this is the one talking about. Is there any docs mentioning the process to change this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gizas @tetianakravchenko All employees are have write access to this repository, but probably in order to add the group to
CODEOWNERSthe group itself need to be explicitly added. I have just done that. Please let me know if it works.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it works, now getting:
This CODEOWNERS file is valid.