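# Standalone Elastic Agent deployment for Kubernetes: agent configuration
# (ConfigMap), the per-node agent (DaemonSet) and the RBAC objects bound to the
# `elastic-agent` ServiceAccount in kube-system.
#
# NOTE(review), embedded agent.yml below:
#   - `ssl.verification_mode: none` turns off certificate validation for the
#     Elasticsearch output, so the agent will hand ES_USERNAME/ES_PASSWORD and
#     all events to whatever endpoint answers on that host name. Prefer
#     trusting the cluster CA (`ssl.certificate_authorities`) and leaving
#     verification at its default.
#   - The commented `inputs:` section is the hints-based container-log input;
#     in this manifest the DaemonSet supplies it as a file mounted at
#     /etc/elastic-agent/inputs.d/container_logs.yml instead.
apiVersion: v1
kind: ConfigMap
metadata:
  name: agent-node-datastreams
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
data:
  agent.yml: |-
    id: 8d2c1d00-1984-11ee-b0e7-bfc367df2ac6
    outputs:
      default:
        type: elasticsearch
        hosts:
          - 'https://elasticsearch:9200'
        ssl.verification_mode: none
        allow_older_versions: true
        username: '${ES_USERNAME}'
        password: '${ES_PASSWORD}'
    providers.kubernetes:
      node: ${NODE_NAME}
      scope: node
      hints:
        enabled: true
        default_container_logs: false
    # inputs:
    #   - name: hints-filestream-container-logs
    #     id: hints-filestream-container-logs-${kubernetes.hints.container_id}
    #     type: filestream
    #     use_output: default
    #     streams:
    #       - condition: ${kubernetes.hints.container_logs.enabled} == true
    #         data_stream:
    #           dataset: kubernetes.container_logs
    #           type: logs
    #         parsers:
    #           - container:
    #               format: auto
    #               stream: ${kubernetes.hints.container_logs.stream|'all'}
    #         paths:
    #           - /var/log/containers/*${kubernetes.hints.container_id}.log
    #         prospector:
    #           scanner:
    #             symlinks: true
    #     data_stream.namespace: default
    agent:
      download:
        sourceURI: 'https://artifacts.elastic.co/downloads/'
      monitoring:
        namespace: default
        use_output: default
        enabled: true
        logs: true
        metrics: true
    #logging.level: debug
---
# For more information refer to https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-standalone.html
#
# NOTE(review): this pod runs as root (runAsUser: 0) on the host network and
# mounts /proc, /etc, /var/lib, /var/log and /sys/kernel/debug from the node.
# Treat it as node-privileged: anyone who can change this DaemonSet, its image
# or its input files effectively controls every node it is scheduled on. Drop
# the integration-specific mounts called out below when the integration is
# not in use.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    app: elastic-agent
spec:
  selector:
    matchLabels:
      app: elastic-agent
  template:
    metadata:
      labels:
        app: elastic-agent
    spec:
      # Tolerations are needed to run Elastic Agent on Kubernetes control-plane nodes.
      # Agents running on control-plane nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: elastic-agent
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      # Uncomment if using hints feature
      # NOTE(review): if enabled, this fetches input templates from the moving
      # `main` branch with no version pin or checksum; pin the archive to the
      # release matching the agent version and verify it before unpacking.
      # The quoted path at the end of the wget line is cut off in this copy of
      # the manifest and must be restored from the upstream file first.
      # initContainers:
      #   - name: k8s-templates-downloader
      #     image: busybox:1.28
      #     command: ['sh']
      #     args:
      #       - -c
      #       - >-
      #         mkdir -p /etc/elastic-agent/inputs.d &&
      #         wget -O - https://github.com/elastic/elastic-agent/archive/main.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-main/deploy/kubernetes/elastic-agent-standalone/templ
      #     volumeMounts:
      #       - name: external-inputs
      #         mountPath: /etc/elastic-agent/inputs.d
      containers:
        - name: elastic-agent
          #image: docker.elastic.co/beats/elastic-agent:8.10.0-SNAPSHOT-debug
          # NOTE(review): mutable `latest` tag combined with
          # `imagePullPolicy: Never` runs whichever image of this name is
          # already present on each node, with no registry or digest check.
          # Looks like a local development setup; on a shared cluster reference
          # the image by digest from a trusted registry.
          image: custom-agent-image:latest
          imagePullPolicy: Never
          args: ["-c", "/etc/elastic-agent/agent.yml", "-e"]
          env:
            # The basic authentication username used to connect to Elasticsearch
            # This user needs the privileges required to publish events to Elasticsearch.
            # NOTE(review): `elastic` is the built-in superuser; a dedicated
            # user or API key limited to publishing events is the least-privilege choice.
            - name: ES_USERNAME
              value: "elastic"
            # The basic authentication password used to connect to Elasticsearch
            # NOTE(review): plaintext credential in the manifest; it is readable
            # by anyone who can view this DaemonSet or its pods and ends up in
            # version control. Prefer a Secret reference (placeholder names):
            #   valueFrom:
            #     secretKeyRef:
            #       name: <elasticsearch-credentials-secret>
            #       key: <password-key>
            - name: ES_PASSWORD
              value: "changeme"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: STATE_PATH
              value: "/etc/elastic-agent"
          securityContext:
            runAsUser: 0
            # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
            # If you are using this integration, please uncomment these lines before applying.
            #capabilities:
            #  add:
            #    - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
            #    - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
            #    - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
          resources:
            limits:
              memory: 700Mi
            requests:
              cpu: 100m
              memory: 400Mi
          volumeMounts:
            - name: datastreams
              mountPath: /etc/elastic-agent/agent.yml
              readOnly: true
              subPath: agent.yml
            # Hints feature: container-log input definition taken from a file
            # on the node (active in this manifest). Mounted read-only because
            # the agent only reads it and the container runs as root.
            - name: external-inputs
              mountPath: /etc/elastic-agent/inputs.d/container_logs.yml
              readOnly: true
            - name: proc
              mountPath: /hostfs/proc
              readOnly: true
            - name: cgroup
              mountPath: /hostfs/sys/fs/cgroup
              readOnly: true
            - name: varlibdockercontainers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: varlog
              mountPath: /var/log
              readOnly: true
            - name: etc-full
              mountPath: /hostfs/etc
              readOnly: true
            - name: var-lib
              mountPath: /hostfs/var/lib
              readOnly: true
            # NOTE(review): the only host mount left writable; remove it together
            # with its volume when 'Defend for containers' is not used.
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
      volumes:
        - name: datastreams
          configMap:
            # Octal file mode (rw-r-----) for the projected agent.yml.
            defaultMode: 0640
            name: agent-node-datastreams
        # Hints feature: input file read from the node's filesystem (active in
        # this manifest).
        # NOTE(review): whoever can write this path on a node decides which
        # inputs the root agent loads; keep the file root-owned and not
        # writable by other users. No hostPath `type` is set, so the kubelet
        # does not check that the path exists or is a regular file.
        - name: external-inputs
          hostPath:
            path: /var/log/test/container_logs.yml
        - name: proc
          hostPath:
            path: /proc
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: varlog
          hostPath:
            path: /var/log
        # The following volumes are needed for Cloud Security Posture integration (cloudbeat)
        # If you are not using this integration, then these volumes and the corresponding
        # mounts can be removed.
        - name: etc-full
          hostPath:
            path: /etc
        - name: var-lib
          hostPath:
            path: /var/lib
        # Needed for 'Defend for containers' integration (cloud-defend)
        # If you are not using this integration, then these volumes and the corresponding
        # mounts can be removed.
        - name: sys-kernel-debug
          hostPath:
            path: /sys/kernel/debug
---
# Binds the cluster-wide read permissions (ClusterRole elastic-agent) to the
# agent's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io
---
# Binds the namespaced lease permissions (Role elastic-agent) to the agent's
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kube-system
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: kube-system
roleRef:
  kind: Role
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io
---
# Binds read access to the kubeadm-config ConfigMap (Role
# elastic-agent-kubeadm-config) to the agent's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elastic-agent-kubeadm-config
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: kube-system
roleRef:
  kind: Role
  name: elastic-agent-kubeadm-config
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide, read-only permissions for the agent. All rules are limited to
# get/list/watch (or get only).
# NOTE(review): the first rule includes `configmaps` in every namespace, and
# ConfigMaps often carry sensitive settings; the cloudbeat-only entries
# (serviceaccounts, persistent volumes, RBAC objects, podsecuritypolicies) can
# be dropped when that integration is not deployed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
  labels:
    k8s-app: elastic-agent
rules:
  - apiGroups: [""]
    resources:
      - nodes
      - namespaces
      - events
      - pods
      - services
      - configmaps
      # Needed for cloudbeat
      - serviceaccounts
      - persistentvolumes
      - persistentvolumeclaims
    verbs: ["get", "list", "watch"]
  # Enable this rule only if planning to use kubernetes_secrets provider
  #- apiGroups: [""]
  #  resources:
  #    - secrets
  #  verbs: ["get"]
  - apiGroups: ["extensions"]
    resources:
      - replicasets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - statefulsets
      - deployments
      - replicasets
      - daemonsets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch"]
  - apiGroups:
      - ""
    resources:
      - nodes/stats
    verbs:
      - get
  # Needed for apiserver
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  # Needed for cloudbeat
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
    verbs: ["get", "list", "watch"]
  # Needed for cloudbeat
  - apiGroups: ["policy"]
    resources:
      - podsecuritypolicies
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["get", "list", "watch"]
---
# Namespaced permissions on coordination.k8s.io leases (get/create/update).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent
  # Should be the namespace where elastic-agent is running
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs: ["get", "create", "update"]
---
# Read access to a single named ConfigMap (kubeadm-config) in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent-kubeadm-config
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
rules:
  - apiGroups: [""]
    resources:
      - configmaps
    resourceNames:
      - kubeadm-config
    verbs: ["get"]
---
# Identity the agent pods run as; all bindings above reference it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
---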