-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
elastic-agent manifests: add comments; add cloudnative team as a codeowner for the k8s manifests #708
elastic-agent manifests: add comments; add cloudnative team as a codeowner for the k8s manifests #708
Changes from 8 commits
4789e0b
d941ec7
bbc5d39
df21c4c
2e15372
4e32b60
1b78786
d9c4344
677d5dd
abec343
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,4 @@ | ||
# Team responsable for Fleet Server | ||
# Team responsible for Fleet Server | ||
* @elastic/elastic-agent-control-plane | ||
|
||
/deploy/kubernetes @elastic/obs-cloudnative-monitoring | ||
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,34 +14,41 @@ spec: | |
labels: | ||
app: elastic-agent | ||
spec: | ||
# Tolerations are needed to run Elastic Agent on Kubernetes master nodes. | ||
# Agents running on master nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes | ||
tolerations: | ||
- key: node-role.kubernetes.io/master | ||
effect: NoSchedule | ||
serviceAccountName: elastic-agent | ||
hostNetwork: true | ||
# 'hostPID: true' enables the Elastic Security integration to observe all process exec events on the host. | ||
# Sharing the host process ID namespace gives visibility of all processes running on the same host. | ||
# This enables the Elastic Security integration to observe all process exec events on the host. | ||
hostPID: true | ||
dnsPolicy: ClusterFirstWithHostNet | ||
containers: | ||
- name: elastic-agent | ||
image: docker.elastic.co/beats/elastic-agent:8.3.0 | ||
env: | ||
# Set to 1 for enrollment into Fleet server. If not set, Elastic Agent is run in standalone mode | ||
- name: FLEET_ENROLL | ||
value: "1" | ||
# Set to true in case of insecure or unverified HTTP | ||
# Set to true to communicate with Fleet with either insecure HTTP or unverified HTTPS | ||
- name: FLEET_INSECURE | ||
value: "true" | ||
# The ip:port pair of fleet server | ||
# Fleet Server URL to enroll the Elastic Agent into | ||
# FLEET_URL can be found in Kibana, go to Management > Fleet > Settings | ||
- name: FLEET_URL | ||
value: "https://fleet-server:8220" | ||
# If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed | ||
# If FLEET_ENROLLMENT_TOKEN is empty then KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed | ||
# More detail on enrollment tokens - https://www.elastic.co/guide/en/fleet/current/fleet-enrollment-tokens.html | ||
- name: FLEET_ENROLLMENT_TOKEN | ||
value: "" | ||
- name: KIBANA_HOST | ||
value: "http://kibana:5601" | ||
# The basic authentication username used to connect to Kibana and retrieve a service_token to enable Fleet | ||
- name: KIBANA_FLEET_USERNAME | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we need a link to direct users where to find those values? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If you mean the service_token to enable Fleet, agent gets them automatically from Kibana when connected There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In managed yes. Maybe was not the best place to put the comment. But you get my point, that all of this values are somewhere in the portal and user needs point of reference. If makes sense. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've added info for FLEET_URL and enrollment token - d9c4344. Regarding KIBANA_*: it depends on the setup - elastic cloud or self-managed and I couldn't find a generic documentation |
||
value: "elastic" | ||
# The basic authentication password used to connect to Kibana and retrieve a service_token to enable Fleet | ||
- name: KIBANA_FLEET_PASSWORD | ||
value: "changeme" | ||
- name: NODE_NAME | ||
|
@@ -104,21 +111,28 @@ spec: | |
- name: varlog | ||
hostPath: | ||
path: /var/log | ||
# Needed for cloudbeat | ||
- name: etc-kubernetes | ||
hostPath: | ||
path: /etc/kubernetes | ||
# Needed for cloudbeat | ||
- name: var-lib | ||
hostPath: | ||
path: /var/lib | ||
# Needed for cloudbeat | ||
- name: passwd | ||
hostPath: | ||
path: /etc/passwd | ||
# Needed for cloudbeat | ||
- name: group | ||
hostPath: | ||
path: /etc/group | ||
# Needed for cloudbeat | ||
- name: etcsysmd | ||
hostPath: | ||
path: /etc/systemd | ||
# Mount /etc/machine-id from the host to determine host ID | ||
# Needed for Elastic Security integration | ||
- name: etc-mid | ||
hostPath: | ||
path: /etc/machine-id | ||
|
@@ -180,6 +194,7 @@ rules: | |
- pods | ||
- services | ||
- configmaps | ||
# Needed for cloudbeat | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Either keep Needed or Required to have all lines aligned There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. done df21c4c |
||
- serviceaccounts | ||
- persistentvolumes | ||
- persistentvolumeclaims | ||
|
@@ -211,18 +226,20 @@ rules: | |
- jobs | ||
- cronjobs | ||
verbs: [ "get", "list", "watch" ] | ||
# required for apiserver | ||
# Needed for apiserver | ||
- nonResourceURLs: | ||
- "/metrics" | ||
verbs: | ||
- get | ||
# Needed for cloudbeat | ||
- apiGroups: ["rbac.authorization.k8s.io"] | ||
resources: | ||
- clusterrolebindings | ||
- clusterroles | ||
- rolebindings | ||
- roles | ||
verbs: ["get", "list", "watch"] | ||
# Needed for cloudbeat | ||
- apiGroups: ["policy"] | ||
resources: | ||
- podsecuritypolicies | ||
|
@@ -232,7 +249,7 @@ apiVersion: rbac.authorization.k8s.io/v1 | |
kind: Role | ||
metadata: | ||
name: elastic-agent | ||
# should be the namespace where elastic-agent is running | ||
# Should be the namespace where elastic-agent is running | ||
namespace: kube-system | ||
labels: | ||
k8s-app: elastic-agent | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@elastic/elastic-agent-control-plane I am getting error:
who could help me to get write access to this repo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@andresrc this is the one talking about. Is there any docs mentioning the process to change this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gizas @tetianakravchenko All employees are have write access to this repository, but probably in order to add the group to
CODEOWNERS
the group itself need to be explicitly added. I have just done that. Please let me know if it works.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it works, now getting:
This CODEOWNERS file is valid.