-
Notifications
You must be signed in to change notification settings - Fork 719
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Daemonset to manage Agent hostpath Permissions (#6700)
* Adding documentation for Agent + Fleet without root with Daemonset managing hostpath permissions. * Adding e2e test for running Agent+Fleet as non-root with Daemonset. * Only add CA to pod's OS keystore if running agent as root. --- Signed-off-by: Michael Montgomery <mmontg1@gmail.com> Co-authored-by: Michael Morello <michael.morello@gmail.com> Co-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
- Loading branch information
Showing
10 changed files
with
681 additions
and
58 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
295 changes: 295 additions & 0 deletions
295
config/recipes/elastic-agent/fleet-kubernetes-integration-noroot.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,295 @@ | ||
--- | ||
apiVersion: apps/v1 | ||
kind: DaemonSet | ||
metadata: | ||
name: manage-agent-hostpath-permissions | ||
spec: | ||
selector: | ||
matchLabels: | ||
name: manage-agent-hostpath-permissions | ||
template: | ||
metadata: | ||
labels: | ||
name: manage-agent-hostpath-permissions | ||
spec: | ||
# This is only required when running in an SELinux-enabled/OpenShift environment. | ||
# Ensure this user has been added to the privileged scc in the correct namespace. | ||
# oc adm policy add-scc-to-user privileged -z elastic-agent -n elastic-apps | ||
# serviceAccountName: elastic-agent | ||
volumes: | ||
- hostPath: | ||
path: /var/lib/elastic-agent | ||
type: DirectoryOrCreate | ||
name: "agent-data" | ||
initContainers: | ||
- name: manage-agent-hostpath-permissions | ||
# UBI is only required when needing the `chcon` binary when running | ||
# in an SELinux-enabled/OpenShift environment. If that | ||
# is not required then the following smaller image can be used instead: | ||
# image: registry.access.redhat.com/ubi8/ubi-minimal:latest | ||
image: docker.io/bash:5.2.15 | ||
resources: | ||
limits: | ||
cpu: 100m | ||
memory: 32Mi | ||
securityContext: | ||
# privileged is only required when running in an SELinux-enabled/OpenShift environment. | ||
# privileged: true | ||
runAsUser: 0 | ||
volumeMounts: | ||
- mountPath: /var/lib/elastic-agent | ||
name: agent-data | ||
command: | ||
- 'bash' | ||
- '-e' | ||
- '-c' | ||
- |- | ||
# Adjust this be /var/lib/elastic-agent/YOUR-NAMESPACE/YOUR-AGENT-NAME/state | ||
# Multiple directories are supported for the fleet-server + agent use case. | ||
dirs=( | ||
"/var/lib/elastic-agent/default/elastic-agent/state" | ||
"/var/lib/elastic-agent/default/fleet-server/state" | ||
) | ||
for dir in ${dirs[@]}; do | ||
mkdir -p "${dir}" | ||
# chcon is only required when running an SELinux-enabled/OpenShift environment. | ||
# chcon -Rt svirt_sandbox_file_t "${dir}" | ||
chmod g+rw "${dir}" | ||
chgrp 1000 "${dir}" | ||
if [ -n "$(ls -A ${dir} 2>/dev/null)" ] | ||
then | ||
chgrp 1000 "${dir}"/* | ||
chmod g+rw "${dir}"/* | ||
fi | ||
done | ||
containers: | ||
- name: pause | ||
image: gcr.io/google-containers/pause-amd64:3.1 | ||
--- | ||
apiVersion: kibana.k8s.elastic.co/v1 | ||
kind: Kibana | ||
metadata: | ||
name: kibana | ||
spec: | ||
version: 8.7.0 | ||
count: 1 | ||
elasticsearchRef: | ||
name: elasticsearch | ||
config: | ||
xpack.fleet.agents.fleet_server.hosts: ["https://fleet-server-agent-http.default.svc:8220"] | ||
xpack.fleet.outputs: | ||
- id: eck-fleet-agent-output-elasticsearch | ||
is_default: true | ||
name: eck-elasticsearch | ||
type: elasticsearch | ||
hosts: ["https://elasticsearch-es-http.default.svc:9200"] | ||
ssl: | ||
certificate_authorities: ["/mnt/elastic-internal/elasticsearch-association/default/elasticsearch/certs/ca.crt"] | ||
xpack.fleet.packages: | ||
- name: system | ||
version: latest | ||
- name: elastic_agent | ||
version: latest | ||
- name: fleet_server | ||
version: latest | ||
- name: kubernetes | ||
version: latest | ||
xpack.fleet.agentPolicies: | ||
- name: Fleet Server on ECK policy | ||
id: eck-fleet-server | ||
namespace: default | ||
monitoring_enabled: | ||
- logs | ||
- metrics | ||
unenroll_timeout: 900 | ||
package_policies: | ||
- name: fleet_server-1 | ||
id: fleet_server-1 | ||
package: | ||
name: fleet_server | ||
- name: Elastic Agent on ECK policy | ||
id: eck-agent | ||
namespace: default | ||
monitoring_enabled: | ||
- logs | ||
- metrics | ||
unenroll_timeout: 900 | ||
package_policies: | ||
- package: | ||
name: system | ||
name: system-1 | ||
- package: | ||
name: kubernetes | ||
name: kubernetes-1 | ||
--- | ||
apiVersion: elasticsearch.k8s.elastic.co/v1 | ||
kind: Elasticsearch | ||
metadata: | ||
name: elasticsearch | ||
spec: | ||
version: 8.7.0 | ||
nodeSets: | ||
- name: default | ||
count: 3 | ||
config: | ||
node.store.allow_mmap: false | ||
--- | ||
apiVersion: agent.k8s.elastic.co/v1alpha1 | ||
kind: Agent | ||
metadata: | ||
name: fleet-server | ||
spec: | ||
version: 8.7.0 | ||
kibanaRef: | ||
name: kibana | ||
elasticsearchRefs: | ||
- name: elasticsearch | ||
mode: fleet | ||
fleetServerEnabled: true | ||
policyID: eck-fleet-server | ||
deployment: | ||
replicas: 1 | ||
podTemplate: | ||
spec: | ||
serviceAccountName: fleet-server | ||
automountServiceAccountToken: true | ||
--- | ||
apiVersion: agent.k8s.elastic.co/v1alpha1 | ||
kind: Agent | ||
metadata: | ||
name: elastic-agent | ||
spec: | ||
version: 8.7.0 | ||
kibanaRef: | ||
name: kibana | ||
fleetServerRef: | ||
name: fleet-server | ||
mode: fleet | ||
policyID: eck-agent | ||
daemonSet: | ||
podTemplate: | ||
spec: | ||
hostNetwork: true | ||
dnsPolicy: ClusterFirstWithHostNet | ||
serviceAccountName: elastic-agent | ||
automountServiceAccountToken: true | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: fleet-server | ||
rules: | ||
- apiGroups: [""] | ||
resources: | ||
- pods | ||
- namespaces | ||
- nodes | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
- apiGroups: ["coordination.k8s.io"] | ||
resources: | ||
- leases | ||
verbs: | ||
- get | ||
- create | ||
- update | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: fleet-server | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: fleet-server | ||
subjects: | ||
- kind: ServiceAccount | ||
name: fleet-server | ||
namespace: e2e-mercury | ||
roleRef: | ||
kind: ClusterRole | ||
name: fleet-server | ||
apiGroup: rbac.authorization.k8s.io | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: elastic-agent | ||
rules: | ||
- apiGroups: [""] | ||
resources: | ||
- pods | ||
- nodes | ||
- namespaces | ||
- events | ||
- services | ||
- configmaps | ||
verbs: | ||
- get | ||
- watch | ||
- list | ||
- apiGroups: ["coordination.k8s.io"] | ||
resources: | ||
- leases | ||
verbs: | ||
- get | ||
- create | ||
- update | ||
- nonResourceURLs: | ||
- "/metrics" | ||
verbs: | ||
- get | ||
- apiGroups: ["extensions"] | ||
resources: | ||
- replicasets | ||
verbs: | ||
- "get" | ||
- "list" | ||
- "watch" | ||
- apiGroups: | ||
- "apps" | ||
resources: | ||
- statefulsets | ||
- deployments | ||
- replicasets | ||
verbs: | ||
- "get" | ||
- "list" | ||
- "watch" | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- nodes/stats | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- "batch" | ||
resources: | ||
- jobs | ||
verbs: | ||
- "get" | ||
- "list" | ||
- "watch" | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: elastic-agent | ||
namespace: default | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: elastic-agent | ||
subjects: | ||
- kind: ServiceAccount | ||
name: elastic-agent | ||
namespace: default | ||
roleRef: | ||
kind: ClusterRole | ||
name: elastic-agent | ||
apiGroup: rbac.authorization.k8s.io | ||
... |
Oops, something went wrong.