[Cloud Security] Allow force install package policy to agentless agent policy #173553
/ci
22f2e6f to 65930c8
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)
@@ -298,12 +299,15 @@ export function useOnSubmit({ | |||
} | |||
} | |||
|
|||
const agentPolicyIdToSave = createdPolicy?.id ?? packagePolicy.policy_id; | |||
const forceInstall = force || agentPolicyIdToSave === AGENTLESS_POLICY_ID; |
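Review bot: On the forceInstall line, force is implied by the comparison agentPolicyIdToSave === AGENTLESS_POLICY_ID alone, so any deployment where a policy carries that id gets a forced install without the caller asking for it. Consider gating the comparison on an explicit condition that agentless is actually enabled in this environment, and add a short comment stating which checks force is expected to bypass here, since the name forceInstall is also used for the unverified-package confirmation further down.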
maybe worth checking we are in serverless too
potentially there will be agentless on ESS, the work kicked off in parallel, but I agree that it makes sense to be on the safer side for now and check for serverless, or at least that it's not on-prem. will look into it
@nchaulet updated the pr including the check for serverless env and agentless FF being enabled
Pinging @elastic/fleet (Team:Fleet)
@@ -373,9 +377,11 @@ export function useOnSubmit({ | |||
} else { | |||
if (isVerificationError(error)) { | |||
setFormState('VALID'); // don't show the add agent modal | |||
const forceInstall = await confirmForceInstall(packagePolicy.package!); | |||
const forceInstallUnverifiedIntegration = await confirmForceInstall( | |||
packagePolicy.package! |
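Review bot: It is not visible from the isVerificationError branch whether a submit that already has forceInstall set to true (the agentless case from the earlier hunk) can still reach confirmForceInstall. If force on the request also suppresses the verification error, installs on the agentless policy would never show the confirmation for an unverified package; a test that submits an unverified package against the agentless policy would settle it either way.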
wouldn't it be safer to add the packagePolicy.package to the if statement instead of using non null assertion?
in this line only the variable name changed, the rest is the same as it was. As we are not the code owner, I wouldn't touch what is not broken :)
Code LGTM 🚀
💚 Build Succeeded
Summary
Right now every Security project in serverless is created with an Agentless policy (gated by the feature flag based on or org id) and in this policy is_managed set to false. We in Cloud Security want to make the policy managed.

This change is to allow us to do that and still be able to install integrations on the policy. In a nutshell, the logic is to force install integration if the agent policy id is agentless. If we are not missing something, it should be safe, as when managed, the agentless agent policy won't be available in the list of Existing Hosts and the only way to pick it for installation in the UI is to implement the same logic we implemented in CSP integration in

Part of: