You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Autodiscover is a feature available in a number of Beats that enables driving configuration from Pod configuration (via annotations) as new Pods are appearing instead of driving it from Beats configuration directly. We want to support autodiscover out-of-the-box in Beat CRD.
To perform a discovery, Beat pod needs to have clusterwide permissions to get, list and watch pods and namespaces.
Similarly to #3133, we can leave it up to the user to configure, do it as a part of the installation or do it in the controller.
So far we agreed to do it in the controller (behind a flag) but it does have downsides:
it requires the operator to have additional permissions (to create clusterroles/clusterrolebindings)
delete story is not great as all our CRs are namespaced and cluster-wide resource can't have namespaced owner. This means that if someone creates and deletes Beat CR they will be left with these autodiscover role and binding. If someone applies and deletes all-in-one.yaml and create Beat CR in between it will be also left behind. To do it properly we would need to make sure that no other Beat is using it, ie. list all Beats and check if they are using the default service account.
I think I'd be for putting it in the manifest generation code. But if we decide otherwise, it seems to make sense to align this decision with the decision for #3133.
The text was updated successfully, but these errors were encountered:
david-kow
changed the title
Improve removal of default autodiscoverClusterRole and ClusterRoleBinding
Improve setup of ClusterRole and ClusterRoleBinding for autodiscover
May 25, 2020
Autodiscover is a feature available in a number of Beats that enables driving configuration from Pod configuration (via annotations) as new Pods are appearing instead of driving it from Beats configuration directly. We want to support autodiscover out-of-the-box in Beat CRD.
To perform a discovery, Beat pod needs to have clusterwide permissions to get, list and watch pods and namespaces.
Similarly to #3133, we can leave it up to the user to configure, do it as a part of the installation or do it in the controller.
So far we agreed to do it in the controller (behind a flag) but it does have downsides:
I think I'd be for putting it in the manifest generation code. But if we decide otherwise, it seems to make sense to align this decision with the decision for #3133.
The text was updated successfully, but these errors were encountered: