This repository has been archived by the owner on May 16, 2023. It is now read-only.

[metricbeat] Adding clusterRole permissions for leader election #1422

Merged: 20 commits, Mar 3, 2022


framsouza
Contributor

This PR adds permissions for metricbeat to use leader election (auto discovery)

Fix #1415

@framsouza framsouza requested a review from jmlrt October 18, 2021 15:58
@framsouza framsouza self-assigned this Oct 18, 2021
@framsouza
Contributor Author

jenkins test this please

jmlrt
jmlrt previously approved these changes Nov 10, 2021
Member

@jmlrt jmlrt left a comment

LGTM⛴

Do you know if we may need this new rule for some other charts?

Member

@jmlrt jmlrt left a comment

Looking at https://github.com/elastic/beats/blob/ac8275f72e55b699fb5ae41c68774280d7188bd3/deploy/kubernetes/metricbeat/metricbeat-role.yaml#L46-L59, we may need to add this to a simple role instead of a cluster role.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: metricbeat
  # should be the namespace where metricbeat is running
  namespace: kube-system
  labels:
    k8s-app: metricbeat
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs: ["get", "create", "update"]

Seems related to elastic/beats#24958
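
As an added example (not part of the PR or the chart's code), the check below makes the point of the review comment above concrete: it reports whether lease access for leader election comes from a namespaced Role or a ClusterRole, and which verbs go beyond the `get`, `create`, `update` of the quoted upstream Role. The manifests are constructed samples, and `example-cluster-role`, `audit_lease_rules` and `_covers` are hypothetical names.

```python
import json

# Verbs granted on leases by the upstream metricbeat Role quoted above.
NEEDED_VERBS = {"get", "create", "update"}

# Constructed sample manifests (JSON form of Role/ClusterRole objects).
# "example-cluster-role" is a hypothetical name, not taken from the chart.
SAMPLE = json.loads("""
[
 {"kind": "Role",
  "metadata": {"name": "metricbeat", "namespace": "kube-system"},
  "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
             "verbs": ["get", "create", "update"]}]},
 {"kind": "ClusterRole",
  "metadata": {"name": "example-cluster-role"},
  "rules": [{"apiGroups": [""], "resources": ["namespaces", "nodes", "pods"],
             "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
             "verbs": ["create", "get", "list", "update"]}]}
]
""")


def _covers(values, wanted):
    """True if an RBAC list names `wanted` explicitly or via the '*' wildcard."""
    return wanted in values or "*" in values


def audit_lease_rules(manifests):
    """Return one finding per RBAC rule that grants access to leases."""
    findings = []
    for obj in manifests:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        for rule in obj.get("rules") or []:
            if not (_covers(rule.get("apiGroups", []), "coordination.k8s.io")
                    and _covers(rule.get("resources", []), "leases")):
                continue
            findings.append({
                "name": obj["metadata"]["name"],
                # A ClusterRole bound by a ClusterRoleBinding applies in every
                # namespace; a Role is confined to its own namespace.
                "scope": "cluster" if obj["kind"] == "ClusterRole"
                         else obj["metadata"].get("namespace", "(unset)"),
                "extra_verbs": sorted(set(rule.get("verbs", [])) - NEEDED_VERBS),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_lease_rules(SAMPLE):
        print(finding)
```
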

@jmlrt
Member

jmlrt commented Nov 10, 2021

LGTM⛴

Do you know if we may need this new rule for some other charts?

We may also add it to Filebeat chart => https://github.com/elastic/beats/blob/ac8275f72e55b699fb5ae41c68774280d7188bd3/deploy/kubernetes/filebeat/filebeat-role.yaml#L22-L35

@framsouza
Contributor Author

@jmlrt Just added a single role for filebeat and metricbeat, can you please have a look at it?

Comment on lines +262 to +265
- apiGroups: ["coordination.k8s.io"]
resources:
- leases
verbs: ["create", "get", "list", "update"]
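
Review bot: The `verbs` line of this rule grants `list` on `leases`, which the upstream metricbeat Role quoted earlier in this conversation does not include (it has only `get`, `create`, `update`). Drop `list` unless leader election is shown to need it, or add a comment next to the rule saying why it is required, so the service account keeps the narrowest set of lease permissions.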
Member

I think this should also be added to

clusterRoleRules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - nodes
      - pods
    verbs:
      - get
      - list
      - watch

@jmlrt jmlrt added the enhancement New feature or request label Mar 3, 2022
@jmlrt jmlrt merged commit 7fbeaa7 into elastic:main Mar 3, 2022
jmlrt added a commit to jmlrt/helm-charts that referenced this pull request Mar 3, 2022
…ic#1422)

* Adding support to Ingress networking.k8s.io/v1

* Adjusting ES service name

* Removing ingress typo & adjusting python test

* Adjusting python tests to use the new ingress version

* fixing conflict

* Adding support to kubernetes ingress v1 & ClassName

* Adding reformatted files

* fixing conflict

* Adding ClassName & Pathtype on ingress settings

* Performing syntax adjustments and removing comments

* clusterRole permissions for leader election in k8s 1.19+

* Adding fb & mb role

Co-authored-by: jmlrt <8582351+jmlrt@users.noreply.github.com>
jmlrt added a commit that referenced this pull request Mar 4, 2022
#1600)

Co-authored-by: framsouza <francismara.souza@elastic.co>
jmlrt added a commit to jmlrt/helm-charts that referenced this pull request Mar 4, 2022
jmlrt added a commit that referenced this pull request Mar 7, 2022
jmlrt added a commit to jmlrt/helm-charts that referenced this pull request Mar 7, 2022
jmlrt added a commit that referenced this pull request Mar 8, 2022
@jmlrt jmlrt mentioned this pull request Mar 8, 2022
@jmlrt jmlrt added v7.17.1 and removed v7.17.0 labels Mar 8, 2022
@jmlrt jmlrt mentioned this pull request Mar 8, 2022
jmlrt added a commit to jmlrt/helm-charts that referenced this pull request Mar 8, 2022
* 7.17.1 as default version.

| PR                                                        | Author                                       | Title                                                                   |
|-----------------------------------------------------------|----------------------------------------------|-------------------------------------------------------------------------|
| [elastic#1604](elastic#1604) | [@jmlrt](https://github.com/jmlrt)           | [meta] update docker images                                             |
| [elastic#1603](elastic#1603) | [@jmlrt](https://github.com/jmlrt)           | [metricbeat] add missing rolebinding and cluster role rules             |
| [elastic#1602](elastic#1602) | [@jmlrt](https://github.com/jmlrt)           | [filebeat] add missing rolebinding and cluster role rules               |
| [elastic#1593](elastic#1593) | [@jmlrt](https://github.com/jmlrt)           | [meta] add support for k8s 1.22                                         |
| [elastic#1582](elastic#1582) | [@jmlrt](https://github.com/jmlrt)           | [kibana] fix extra values default values                                |
| [elastic#1581](elastic#1581) | [@jmlrt](https://github.com/jmlrt)           | [logstash] fix ServiceAccount inconsistencies                           |
| [elastic#1580](elastic#1580) | [@jmlrt](https://github.com/jmlrt)           | [elasticsearch] fix ServiceAccount inconsistencies                      |
| [elastic#1570](elastic#1570) | [@jmlrt](https://github.com/jmlrt)           | [logstash] add externalTrafficPolicy support                            |
| [elastic#1569](elastic#1569) | [@jmlrt](https://github.com/jmlrt)           | [logstash] add flexible ingress                                         |
| [elastic#1563](elastic#1563) | [@jmlrt](https://github.com/jmlrt)           | [meta] bump Helm version to 3.8.0                                       |
| [elastic#1538](elastic#1538) | [@chetanv-oi](https://github.com/chetanv-oi) | [elasticsearch] move the yaml separator inside the condition            |
| [elastic#1530](elastic#1530) | [@jmlrt](https://github.com/jmlrt)           | [kibana] use bash for readiness script                                  |
| [elastic#1527](elastic#1527) | [@ebuildy](https://github.com/ebuildy)       | [apm-server] add pod labels                                             |
| [elastic#1524](elastic#1524) | [@beatkind](https://github.com/beatkind)     | [metricbeat] bump kube-state-metrics to version 4.7.0                   |
| [elastic#1521](elastic#1521) | [@ebuildy](https://github.com/ebuildy)       | [apm-server] fix podLabels                                              |
| [elastic#1494](elastic#1494) | [@ebuildy](https://github.com/ebuildy)       | [elasticsearch] add keystore container securityContext                  |
| [elastic#1450](elastic#1450) | [@dmarcs](https://github.com/dmarcs)         | [logstash] allow array values for extra                                 |
| [elastic#1422](elastic#1422) | [@framsouza](https://github.com/framsouza)   | [metricbeat] adding clusterRole permissions for leader election         |
| [elastic#1420](elastic#1420) | [@framsouza](https://github.com/framsouza)   | [elasticsearch] [logstash] add support to PodDisruptionBudget policy/v1 |
| [elastic#1417](elastic#1417) | [@framsouza](https://github.com/framsouza)   | [kibana] add annotations at deployment level                            |
jmlrt added a commit that referenced this pull request Mar 8, 2022
* 7.17.1 release changelog

* 7.17.1 as default version.

* add breaking changes + update all toc instructions

* fix breaking change error
@jmlrt jmlrt mentioned this pull request Apr 21, 2022
This was referenced Sep 14, 2022
galina-tochilkin pushed a commit to mtp-devops/3d-party-helm that referenced this pull request Dec 20, 2022
Successfully merging this pull request may close these issues.

[metricbeat] Missing clusterRole permissions for leader election in k8s 1.19+