updating managed agent manifest needed resources for cloudbeat (#130886)

elastic · May 4, 2022 · a1f8cd4 · a1f8cd4
1 parent 13c928d
commit a1f8cd4
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 7 deletions.
diff --git a/x-pack/plugins/fleet/common/constants/epm.ts b/x-pack/plugins/fleet/common/constants/epm.ts
@@ -16,6 +16,7 @@ export const FLEET_ENDPOINT_PACKAGE = 'endpoint';
 export const FLEET_APM_PACKAGE = 'apm';
 export const FLEET_SYNTHETICS_PACKAGE = 'synthetics';
 export const FLEET_KUBERNETES_PACKAGE = 'kubernetes';
+export const FLEET_CLOUD_SECURITY_POSTURE_PACKAGE = 'cloud_security_posture';
 
 export const FLEET_ELASTIC_AGENT_DETAILS_DASHBOARD_ID =
   'elastic_agent-f47f18cc-9c7d-4278-b2ea-a6dee816d395';

diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/hooks.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/hooks.tsx
@@ -9,11 +9,13 @@ import { i18n } from '@kbn/i18n';
 
 import type { PackagePolicy, AgentPolicy } from '../../types';
 import { sendGetOneAgentPolicy, useStartServices } from '../../hooks';
-
-import { FLEET_KUBERNETES_PACKAGE } from '../../../common';
+import { FLEET_KUBERNETES_PACKAGE, FLEET_CLOUD_SECURITY_POSTURE_PACKAGE } from '../../../common';
 
 import type { K8sMode } from './types';
 
+// Packages that requires custom elastic-agent manifest
+const K8S_PACKAGES = new Set([FLEET_KUBERNETES_PACKAGE, FLEET_CLOUD_SECURITY_POSTURE_PACKAGE]);
+
 export function useAgentPolicyWithPackagePolicies(policyId?: string) {
   const [agentPolicyWithPackagePolicies, setAgentPolicy] = useState<AgentPolicy | null>(null);
   const core = useStartServices();
@@ -64,4 +66,4 @@ export function useIsK8sPolicy(agentPolicy?: AgentPolicy) {
   return { isK8s };
 }
 
-const isK8sPackage = (pkg: PackagePolicy) => pkg.package?.name === FLEET_KUBERNETES_PACKAGE;
+const isK8sPackage = (pkg: PackagePolicy) => K8S_PACKAGES.has(pkg.package?.name as string);
diff --git a/x-pack/plugins/fleet/server/services/elastic_agent_manifest.ts b/x-pack/plugins/fleet/server/services/elastic_agent_manifest.ts
@@ -5,8 +5,7 @@
  * 2.0.
  */
 
-export const elasticAgentStandaloneManifest = `
----
+export const elasticAgentStandaloneManifest = `---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -66,6 +65,11 @@ spec:
             - name: proc
               mountPath: /hostfs/proc
               readOnly: true
+            - name: etc-kubernetes
+              mountPath: /hostfs/etc/kubernetes
+            - name: var-lib
+              mountPath: /hostfs/var/lib
+              readOnly: true
             - name: cgroup
               mountPath: /hostfs/sys/fs/cgroup
               readOnly: true
@@ -75,6 +79,15 @@ spec:
             - name: varlog
               mountPath: /var/log
               readOnly: true
+            - name: passwd
+              mountPath: /hostfs/etc/passwd
+              readOnly: true
+            - name: group
+              mountPath: /hostfs/etc/group
+              readOnly: true
+            - name: systemd
+              mountPath: /hostfs/etc/systemd
+              readOnly: true
       volumes:
         - name: datastreams
           configMap:
@@ -83,6 +96,18 @@ spec:
         - name: proc
           hostPath:
             path: /proc
+        - name: etc-kubernetes
+          hostPath:
+            path: /etc/kubernetes
+        - name: var-lib
+          hostPath:
+            path: /var/lib
+        - name: passwd
+          hostPath:
+            path: /etc/passwd
+        - name: group
+          hostPath:
+            path: /etc/group
         - name: cgroup
           hostPath:
             path: /sys/fs/cgroup
@@ -92,6 +117,9 @@ spec:
         - name: varlog
           hostPath:
             path: /var/log
+        - name: systemd
+          hostPath:
+            path: /etc/systemd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -149,6 +177,7 @@ rules:
       - pods
       - services
       - configmaps
+      - serviceaccounts
     verbs: ["get", "list", "watch"]
   # Enable this rule only if planing to use kubernetes_secrets provider
   #- apiGroups: [""]
@@ -181,6 +210,23 @@ rules:
       - "/metrics"
     verbs:
       - get
+  # required for cloudbeat
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - clusterrolebindings
+      - clusterroles
+      - rolebindings
+      - roles
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - ingressclasses
+      - ingresses
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["policy"]
+    resources:
+      - podsecuritypolicies
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -222,7 +268,8 @@ metadata:
 ---
 `;
 
-export const elasticAgentManagedManifest = `apiVersion: apps/v1
+export const elasticAgentManagedManifest = `---
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: elastic-agent
@@ -285,6 +332,11 @@ spec:
             - name: proc
               mountPath: /hostfs/proc
               readOnly: true
+            - name: etc-kubernetes
+              mountPath: /hostfs/etc/kubernetes
+            - name: var-lib
+              mountPath: /hostfs/var/lib
+              readOnly: true
             - name: cgroup
               mountPath: /hostfs/sys/fs/cgroup
               readOnly: true
@@ -294,10 +346,31 @@ spec:
             - name: varlog
               mountPath: /var/log
               readOnly: true
+            - name: passwd
+              mountPath: /hostfs/etc/passwd
+              readOnly: true
+            - name: group
+              mountPath: /hostfs/etc/group
+              readOnly: true
+            - name: systemd
+              mountPath: /hostfs/etc/systemd
+              readOnly: true
       volumes:
         - name: proc
           hostPath:
             path: /proc
+        - name: etc-kubernetes
+          hostPath:
+            path: /etc/kubernetes
+        - name: var-lib
+          hostPath:
+            path: /var/lib
+        - name: passwd
+          hostPath:
+            path: /etc/passwd
+        - name: group
+          hostPath:
+            path: /etc/group
         - name: cgroup
           hostPath:
             path: /sys/fs/cgroup
@@ -307,6 +380,9 @@ spec:
         - name: varlog
           hostPath:
             path: /var/log
+        - name: systemd
+          hostPath:
+            path: /etc/systemd
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -364,6 +440,7 @@ rules:
       - pods
       - services
       - configmaps
+      - serviceaccounts
     verbs: ["get", "list", "watch"]
   # Enable this rule only if planing to use kubernetes_secrets provider
   #- apiGroups: [""]
@@ -396,6 +473,23 @@ rules:
       - "/metrics"
     verbs:
       - get
+  # required for cloudbeat
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - clusterrolebindings
+      - clusterroles
+      - rolebindings
+      - roles
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - ingressclasses
+      - ingresses
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["policy"]
+    resources:
+      - podsecuritypolicies
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -435,5 +529,4 @@ metadata:
   labels:
     k8s-app: elastic-agent
 ---
-
 `;