Support running Agent as a non-root #6700
Conversation
…rmissions. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
…naging hostpath permissions. Adding e2e test for running Agent+Fleet as non-root with Daemonset. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.7.0,s=7.17.8
Use tweakConfigLiterals to properly adjust output map. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
Check type assertions properly. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
Almost LGTM. Overall it feels complicated and hacky (especially runningAsRoot) but I'm not sure there is a good alternative.
…t's only functional from 2.10.0+. Remove is_default and is_default_fleet_server from fleet-kubernetes-integration-noroot.yaml as they're deprecated. Reword the sentence about certificate_authorities.ssl in xpack.fleet.outputs within the Kibana resource. Modify the note about the daemonset needing to run as root. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
I don't disagree here. This has been a complicated issue since its inception. We initially tried to "just make it work" within the ECK controller, but thought that the permissions needed were a bit too much from a security standpoint, so decided to try and document how this could be done. Unfortunately this was the only solution found when working with the Fleet team. Honestly I'm not sure at this point if leaving the root requirement in place is a simpler solution than documenting the complexities of this non-root solution, but I'd love others' input into this question.
buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.9.0,s=7.17.8 Testing a final time after removing
buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.9.0,s=7.17.8 Hopefully last one after reverting the addition of a
Somehow the last change to remove the ES output isn't being propagated agent => metricbeat.
Something to do with this:
I'll investigate, resolve and update.
buildkite test this -f p=gke,t=TestFleetKubernetesNonRootIntegrationRecipe -m s=8.9.0,s=7.17.8
LGTM just a few more nits.
Remove bold font. Use full wording for SCC. Sets up, not maintains. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
LGTM
Hello Elastic team,
Relates #6599

This adds documentation to allow a user to run a DaemonSet to automatically adjust Agent hostPath permissions and allow the user to not run the Agent as runAsUser: 0. This also only updates the CA store in Agent if version is < 7.14.0, which also removes the need to run Agent+Fleet as root, which was verified locally. The minimum version of Agent+Fleet we allow is 7.14.0.

Changes

TODO

update-ca-trust requirement for running with Fleet.
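A sketch of the "DaemonSet that fixes hostPath permissions" approach the description refers to, added here as an illustrative example rather than the recipe this PR adds to ECK; the namespace, image, hostPath, UID and GID are assumptions. The point from a least-privilege standpoint is that only a small, auditable init container ever runs as root, while the Agent Pod itself can keep a non-zero runAsUser.

```yaml
# Illustrative example, not the ECK recipe from this PR.
# Names, image, hostPath, UID and GID below are assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: agent-hostpath-permissions   # assumed name
  namespace: default                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: agent-hostpath-permissions
  template:
    metadata:
      labels:
        app: agent-hostpath-permissions
    spec:
      # Only this init container runs as root, and only to set ownership
      # of the directory the Agent will later mount as a non-root user.
      initContainers:
      - name: fix-permissions
        image: busybox:1.36           # assumed image
        securityContext:
          runAsUser: 0
        command: ["sh", "-c"]
        args:
          - |
            set -eu
            # 1000:1000 is the assumed non-root UID:GID of the Agent container.
            mkdir -p /agent-data
            chown -R 1000:1000 /agent-data
            chmod 0750 /agent-data
        volumeMounts:
        - name: agent-data
          mountPath: /agent-data
      # The long-running container does nothing and is itself non-root,
      # so no root process stays resident on the node after the chown.
      containers:
      - name: pause
        image: registry.k8s.io/pause:3.9
        securityContext:
          runAsNonRoot: true
          runAsUser: 65535
      volumes:
      - name: agent-data
        hostPath:
          path: /var/lib/elastic-agent   # assumed Agent hostPath
          type: DirectoryOrCreate        # refuse to mount a file or symlink here
```

Pin the hostPath type and path tightly: a chown -R on an overly broad hostPath is exactly the kind of host-level side effect that makes the reviewer's "hacky" concern above worth taking seriously.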