elastic-agent manifests: add comments; add cloudnative team as a code…

…owner for the k8s manifests (#708) * managed elastic-agent: add comments; add cloudnative team as a codeowner for the k8s manifests Signed-off-by: Tetiana Kravchenko <[email protected]> * add comments to the standalone elastic-agent, similar to the documentation we have https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-standalone.html Signed-off-by: Tetiana Kravchenko <[email protected]> * Apply suggestions from code review Co-authored-by: Michael Katsoulis <[email protected]> Co-authored-by: Andrew Gizas <[email protected]> * remove comment for FLEET_ENROLLMENT_TOKEN; use Needed everywhere instead of Required Signed-off-by: Tetiana Kravchenko <[email protected]> * rephrase regarding accessing kube-state-metrics when used third party tools, like kube-rbac-proxy Signed-off-by: Tetiana Kravchenko <[email protected]> * run make check Signed-off-by: Tetiana Kravchenko <[email protected]> * keep manifests in sync to pass ci check Signed-off-by: Tetiana Kravchenko <[email protected]> * add info on where to find FLEET_URL and FLEET_ENROLLMENT_TOKEN Signed-off-by: Tetiana Kravchenko <[email protected]> * add links to elastic-agent documentation Signed-off-by: Tetiana Kravchenko <[email protected]> * update comment on FLEET_ENROLLMENT_TOKEN Signed-off-by: Tetiana Kravchenko <[email protected]> Co-authored-by: Michael Katsoulis <[email protected]> Co-authored-by: Andrew Gizas <[email protected]>
elastic · Jul 25, 2022 · 623fe82 · 623fe82
1 parent c05ce63
commit 623fe82
Show file tree

Hide file tree

Showing 8 changed files with 253 additions and 25 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,2 +1,4 @@
-# Team responsable for Fleet Server
+# Team responsible for Fleet Server
 * @elastic/elastic-agent-control-plane
+
+/deploy/kubernetes @elastic/obs-cloudnative-monitoring
diff --git a/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml b/deploy/kubernetes/elastic-agent-managed-kubernetes.yaml
@@ -1,3 +1,4 @@
+# For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -14,34 +15,41 @@ spec:
       labels:
         app: elastic-agent
     spec:
+      # Tolerations are needed to run Elastic Agent on Kubernetes master nodes.
+      # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes
       tolerations:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
       serviceAccountName: elastic-agent
       hostNetwork: true
+      # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host.
       # Sharing the host process ID namespace gives visibility of all processes running on the same host.
-      # This enables the Elastic Security integration to observe all process exec events on the host.
       hostPID: true
       dnsPolicy: ClusterFirstWithHostNet
       containers:
         - name: elastic-agent
           image: docker.elastic.co/beats/elastic-agent:8.3.0
           env:
+            # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode
             - name: FLEET_ENROLL
               value: "1"
-            # Set to true in case of insecure or unverified HTTP
+            # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS
             - name: FLEET_INSECURE
               value: "true"
-              # The ip:port pair of fleet server
+            # Fleet Server URL to enroll the Elastic Agent into
+            # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings
             - name: FLEET_URL
               value: "https://fleet-server:8220"
-              # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
+            # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens)
+            # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
             - name: FLEET_ENROLLMENT_TOKEN
               value: ""
             - name: KIBANA_HOST
               value: "http://kibana:5601"
+            # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet
             - name: KIBANA_FLEET_USERNAME
               value: "elastic"
+            # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet
             - name: KIBANA_FLEET_PASSWORD
               value: "changeme"
             - name: NODE_NAME
@@ -104,21 +112,28 @@ spec:
         - name: varlog
           hostPath:
             path: /var/log
+        # Needed for cloudbeat
         - name: etc-kubernetes
           hostPath:
             path: /etc/kubernetes
+        # Needed for cloudbeat
         - name: var-lib
           hostPath:
             path: /var/lib
+        # Needed for cloudbeat
         - name: passwd
           hostPath:
             path: /etc/passwd
+        # Needed for cloudbeat
         - name: group
           hostPath:
             path: /etc/group
+        # Needed for cloudbeat
         - name: etcsysmd
           hostPath:
             path: /etc/systemd
+        # Mount /etc/machine-id from the host to determine host ID
+        # Needed for Elastic Security integration
         - name: etc-mid
           hostPath:
             path: /etc/machine-id
@@ -180,6 +195,7 @@ rules:
       - pods
       - services
       - configmaps
+      # Needed for cloudbeat
       - serviceaccounts
       - persistentvolumes
       - persistentvolumeclaims
@@ -211,18 +227,20 @@ rules:
       - jobs
       - cronjobs
     verbs: [ "get", "list", "watch" ]
-  # required for apiserver
+  # Needed for apiserver
   - nonResourceURLs:
       - "/metrics"
     verbs:
       - get
+  # Needed for cloudbeat
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources:
       - clusterrolebindings
       - clusterroles
       - rolebindings
       - roles
     verbs: ["get", "list", "watch"]
+  # Needed for cloudbeat
   - apiGroups: ["policy"]
     resources:
       - podsecuritypolicies
@@ -232,7 +250,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: elastic-agent
-  # should be the namespace where elastic-agent is running
+  # Should be the namespace where elastic-agent is running
   namespace: kube-system
   labels:
     k8s-app: elastic-agent

diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml
@@ -1,3 +1,4 @@
+# For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-managed-by-fleet.html
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -14,34 +15,41 @@ spec:
       labels:
         app: elastic-agent
     spec:
+      # Tolerations are needed to run Elastic Agent on Kubernetes master nodes.
+      # Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes
       tolerations:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
       serviceAccountName: elastic-agent
       hostNetwork: true
+      # 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host.
       # Sharing the host process ID namespace gives visibility of all processes running on the same host.
-      # This enables the Elastic Security integration to observe all process exec events on the host.
       hostPID: true
       dnsPolicy: ClusterFirstWithHostNet
       containers:
         - name: elastic-agent
           image: docker.elastic.co/beats/elastic-agent:%VERSION%
           env:
+            # Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode
             - name: FLEET_ENROLL
               value: "1"
-            # Set to true in case of insecure or unverified HTTP
+            # Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS
             - name: FLEET_INSECURE
               value: "true"
-              # The ip:port pair of fleet server
+            # Fleet Server URL to enroll the Elastic Agent into
+            # FLEET_URL can be found in Kibana, go to Management > Fleet > Settings
             - name: FLEET_URL
               value: "https://fleet-server:8220"
-              # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
+            # Elasticsearch API key used to enroll Elastic Agents in Fleet (https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html#fleet-enrollment-tokens)
+            # If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
             - name: FLEET_ENROLLMENT_TOKEN
               value: ""
             - name: KIBANA_HOST
               value: "http://kibana:5601"
+            # The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet
             - name: KIBANA_FLEET_USERNAME
               value: "elastic"
+            # The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet
             - name: KIBANA_FLEET_PASSWORD
               value: "changeme"
             - name: NODE_NAME
@@ -104,21 +112,28 @@ spec:
         - name: varlog
           hostPath:
             path: /var/log
+        # Needed for cloudbeat
         - name: etc-kubernetes
           hostPath:
             path: /etc/kubernetes
+        # Needed for cloudbeat
         - name: var-lib
           hostPath:
             path: /var/lib
+        # Needed for cloudbeat
         - name: passwd
           hostPath:
             path: /etc/passwd
+        # Needed for cloudbeat
         - name: group
           hostPath:
             path: /etc/group
+        # Needed for cloudbeat
         - name: etcsysmd
           hostPath:
             path: /etc/systemd
+        # Mount /etc/machine-id from the host to determine host ID
+        # Needed for Elastic Security integration
         - name: etc-mid
           hostPath:
             path: /etc/machine-id

diff --git a/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml b/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-role.yaml
@@ -13,6 +13,7 @@ rules:
       - pods
       - services
       - configmaps
+      # Needed for cloudbeat
       - serviceaccounts
       - persistentvolumes
       - persistentvolumeclaims
@@ -44,18 +45,20 @@ rules:
       - jobs
       - cronjobs
     verbs: [ "get", "list", "watch" ]
-  # required for apiserver
+  # Needed for apiserver
   - nonResourceURLs:
       - "/metrics"
     verbs:
       - get
+  # Needed for cloudbeat
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources:
       - clusterrolebindings
       - clusterroles
       - rolebindings
       - roles
     verbs: ["get", "list", "watch"]
+  # Needed for cloudbeat
   - apiGroups: ["policy"]
     resources:
       - podsecuritypolicies
@@ -65,7 +68,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: elastic-agent
-  # should be the namespace where elastic-agent is running
+  # Should be the namespace where elastic-agent is running
   namespace: kube-system
   labels:
     k8s-app: elastic-agent