From eedce01997b3b38e45bbd0949c2bfe1b082ed4b7 Mon Sep 17 00:00:00 2001 From: Michael Katsoulis Date: Mon, 14 Oct 2024 10:04:38 +0300 Subject: [PATCH] [Kubernetes] Add kustomize template for hints auto discover (#5643) * Add template for hints * Create fragment * fixing comments for provider * removing container_logs * Remove root capabilities from init container * Update kustomize patches for hints * Update changelog fragment * Update configmap for standalone agent --------- Co-authored-by: Andrew Gizas --- ...790202-kustomize-templates-with-hints.yaml | 32 + deploy/kubernetes/Makefile | 10 + .../elastic-agent-kustomize/default/README.md | 2 +- .../elastic-agent-standalone-daemonset.yaml | 16 +- .../elastic-agent-standalone-daemonset.yaml | 16 +- .../elastic-agent-standalone-statefulset.yaml | 16 +- ...-agent-standalone-daemonset-configmap.yaml | 640 ++++++++++++++++++ .../kustomization.yaml | 40 ++ .../kustomization.yaml.original | 40 ++ .../elastic-agent-standalone-kubernetes.yaml | 16 +- .../elastic-agent-standalone-daemonset.yaml | 16 +- 11 files changed, 813 insertions(+), 31 deletions(-) create mode 100644 changelog/fragments/1727790202-kustomize-templates-with-hints.yaml create mode 100644 deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml create mode 100644 deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml create mode 100644 deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml.original diff --git a/changelog/fragments/1727790202-kustomize-templates-with-hints.yaml b/changelog/fragments/1727790202-kustomize-templates-with-hints.yaml new file mode 100644 index 00000000000..44ba5c3c81f --- /dev/null +++ b/changelog/fragments/1727790202-kustomize-templates-with-hints.yaml 
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Kustomize template to enables hints based autodiscovery by default when deploying standalone elastic-agent into a Kubernetes cluster. Remove root privileges of init container.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/5643
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234 
diff --git a/deploy/kubernetes/Makefile b/deploy/kubernetes/Makefile index bd67fa7b6b2..460395ee9ed 100644 --- a/deploy/kubernetes/Makefile +++ b/deploy/kubernetes/Makefile @@ -15,6 +15,7 @@ ELASTIC_AGENT_BRANCH=update-k8s-templates-$(shell date "+%Y%m%d%H%M%S") KUSTOMIZE=elastic-agent-kustomize KUSTOMIZE_DEFAULT=elastic-agent-kustomize/default KUSTOMIZE_KSM_AUTOSHARDING=elastic-agent-kustomize/ksm-autosharding +KUSTOMIZE_KSM_HINTS=elastic-agent-kustomize/ksm-hints # variable for processor for elastic-agent-standalone define ELASTIC_PROCESSOR @@ -117,6 +118,15 @@ $(ALL): @for f in $(shell ls $@/*.yaml | grep -v elastic-agent-standalone-daemonset-configmap); do \ cp -r $$f $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/base; \ done + + @echo "Generating $@ kustomize-ksm-hints files" + @for f in $(shell ls elastic-agent-standalone/*.yaml | grep elastic-agent-standalone-daemonset-configmap.yaml); do \ + cp -r $$f $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone; \ + done + sed -i.bak -e "s/#hints.enabled/hints.enabled/g" -e "s/#hints.default_container_logs/hints.default_container_logs/g" $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml + sed -i.bak -e "/- id: container-log/,/- \/var\/log\/containers/d" $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml + rm $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml.bak + sed -e "s/%VERSION%/${BEAT_VERSION}/g" -e "s/%BRANCH%/${BRANCH_VERSION}/g" $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/kustomization.yaml.original > $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/kustomization.yaml mkdir -p $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/extra/ sed -e "s/%VERSION%/${BEAT_VERSION}/g" -e "s/%BRANCH%/${BRANCH_VERSION}/g" -e "/name: elastic-agent-state/,+1 s/^/#/" -e "/path: \/var\/lib\/$@\/kube-system\/state/,+1 s/^/#/" $@/$@-daemonset.yaml > $(KUSTOMIZE_KSM_AUTOSHARDING)/$@/base/$@-daemonset.yaml 
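Review bot: The range address in the second `sed -i.bak`, `"/- id: container-log/,/- \/var\/log\/containers/d"`, deletes from the start pattern to end of file if the closing pattern ever stops matching, and the `s/#hints.enabled/hints.enabled/g` substitutions silently do nothing if the commented keys are reworded in the source ConfigMap, so a truncated or still-disabled hints ConfigMap would be regenerated with exit status 0. A post-condition after the `rm` would make the build fail loudly, e.g. `grep -q 'hints.enabled: true' $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml` and `grep -q 'id: kubernetes-node-metrics' $(KUSTOMIZE_KSM_HINTS)/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml` (the latter confirms the range deletion stopped where intended). The added lines also sit inside the `$(ALL)` recipe but hard-code `elastic-agent-standalone` rather than using `$@` like the neighbouring autosharding lines, so they presumably rerun identically for every target in `$(ALL)`; a dedicated target would keep it to one run. The `$(ALL)` recipe continues past the end of this hunk.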
diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/README.md b/deploy/kubernetes/elastic-agent-kustomize/default/README.md index 3bcab021ef0..7f9a04aa66e 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/default/README.md +++ b/deploy/kubernetes/elastic-agent-kustomize/default/README.md @@ -39,7 +39,7 @@ Users can use following commands: Managed Elastic Agent: ```bash -❯ kubectl https://github.com/elastic/elastic-agent/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-maanged\?ref\=main | sed -e "s/JUVOUk9MTE1FTlRfVE9LRU4l/base64_ENCODED_ENROLLMENT_TOKEN/g" -e "s/%FLEET_URL%/https:\/\/localhost:9200/g" | kubectl apply -f- +❯ kubectl kustomize https://github.com/elastic/elastic-agent/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-maanged\?ref\=main | sed -e "s/JUVOUk9MTE1FTlRfVE9LRU4l/base64_ENCODED_ENROLLMENT_TOKEN/g" -e "s/%FLEET_URL%/https:\/\/localhost:9200/g" | kubectl apply -f- ``` diff --git a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml index 4446a485d13..684fffa2ef0 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/default/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml 
@@ -33,13 +33,11 @@ spec: # args: # - -c # - >- - # mkdir -p /usr/share/elastic-agent/state/inputs.d && - # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" - # securityContext: - # runAsUser: 0 + # mkdir -p /etc/elastic-agent/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" # volumeMounts: - # - name: elastic-agent-state - # mountPath: /usr/share/elastic-agent/state + # - name: external-inputs + # mountPath: /etc/elastic-agent/inputs.d containers: - name: elastic-agent-standalone image: docker.elastic.co/beats/elastic-agent:9.0.0 @@ -113,6 +111,9 @@ spec: mountPath: /sys/kernel/debug - name: elastic-agent-state mountPath: /usr/share/elastic-agent/state + # Uncomment if using hints feature + # - name: external-inputs + # mountPath: /usr/share/elastic-agent/state/inputs.d volumes: - name: datastreams configMap: @@ -151,3 +152,6 @@ spec: hostPath: path: /var/lib/elastic-agent-standalone/kube-system/state type: DirectoryOrCreate + # Uncomment if using hints feature + # - name: external-inputs + # emptyDir: {} diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml index e834ffa8688..0573903543c 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/base/elastic-agent-standalone-daemonset.yaml 
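Review bot: The commented `external-inputs` mount at `/usr/share/elastic-agent/state/inputs.d` sits beneath the `elastic-agent-state` hostPath mount at `/usr/share/elastic-agent/state` (backed by `/var/lib/elastic-agent-standalone/kube-system/state` on the node), and nothing in the example says so; once uncommented, the emptyDir shadows whatever `inputs.d` the previous root-run init container left in that host directory, and the templates are fetched again on every pod start instead of persisting across restarts. A comment next to the mount would spare the next person the surprise, e.g. `# emptyDir mounted over the hostPath state dir: shadows any inputs.d persisted on the node from older templates; templates are re-downloaded on every pod start`. The same wording belongs next to the commented `external-inputs` volume at the bottom of the file, since that is where someone following "Uncomment if using hints feature" will look.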
@@ -33,13 +33,11 @@ spec: # args: # - -c # - >- - # mkdir -p /usr/share/elastic-agent/state/inputs.d && - # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" - # securityContext: - # runAsUser: 0 + # mkdir -p /etc/elastic-agent/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" # volumeMounts: -# # - name: elastic-agent-state -# # mountPath: /usr/share/elastic-agent/state + # - name: external-inputs + # mountPath: /etc/elastic-agent/inputs.d containers: - name: elastic-agent-standalone image: docker.elastic.co/beats/elastic-agent:9.0.0 @@ -113,6 +111,9 @@ spec: mountPath: /sys/kernel/debug # - name: elastic-agent-state # mountPath: /usr/share/elastic-agent/state + # Uncomment if using hints feature + # - name: external-inputs + # mountPath: /usr/share/elastic-agent/state/inputs.d volumes: - name: datastreams configMap: @@ -151,3 +152,6 @@ spec: # hostPath: # path: /var/lib/elastic-agent-standalone/kube-system/state # type: DirectoryOrCreate + # Uncomment if using hints feature + # - name: external-inputs + # emptyDir: {} diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml index 5fbdb9709ab..324ed435986 100644 --- a/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-autosharding/elastic-agent-standalone/extra/elastic-agent-standalone-statefulset.yaml 
@@ -33,13 +33,11 @@ spec: # args: # - -c # - >- - # mkdir -p /usr/share/elastic-agent/state/inputs.d && - # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" - # securityContext: - # runAsUser: 0 + # mkdir -p /etc/elastic-agent/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" # volumeMounts: -# # - name: elastic-agent-state -# # mountPath: /usr/share/elastic-agent/state + # - name: external-inputs + # mountPath: /etc/elastic-agent/inputs.d containers: - name: elastic-agent-standalone image: docker.elastic.co/beats/elastic-agent:9.0.0 @@ -113,6 +111,9 @@ spec: mountPath: /sys/kernel/debug # - name: elastic-agent-state # mountPath: /usr/share/elastic-agent/state + # Uncomment if using hints feature + # - name: external-inputs + # mountPath: /usr/share/elastic-agent/state/inputs.d volumes: - name: datastreams configMap: @@ -151,3 +152,6 @@ spec: # hostPath: # path: /var/lib/elastic-agent-standalone/kube-system/state # type: DirectoryOrCreate + # Uncomment if using hints feature + # - name: external-inputs + # emptyDir: {} diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml new file mode 100644 index 00000000000..46cc127268a --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/elastic-agent-standalone-daemonset-configmap.yaml 
@@ -0,0 +1,640 @@ +# For more information https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-standalone.html +apiVersion: v1 +kind: ConfigMap +metadata: + name: agent-node-datastreams + namespace: kube-system + labels: + app.kubernetes.io/name: elastic-agent-standalone +data: + agent.yml: |- + outputs: + default: + type: elasticsearch + hosts: + - >- + ${ES_HOST} + api_key: ${API_KEY} + ssl.ca_trusted_fingerprint: ${CA_TRUSTED} + # Uncomment username/password and remove api_key if you want to use alternative authentication method + # username: ${ES_USERNAME} + # password: ${ES_PASSWORD} + agent: + monitoring: + enabled: true + use_output: default + logs: true + metrics: true + providers.kubernetes: + node: ${NODE_NAME} + scope: node + #Uncomment to enable hints' support - https://www.elastic.co/guide/en/fleet/current/hints-annotations-autodiscovery.html + hints.enabled: true + hints.default_container_logs: true + inputs: + - id: kubernetes-cluster-metrics + condition: ${kubernetes_leaderelection.leader} == true + type: kubernetes/metrics + use_output: default + meta: + package: + name: kubernetes + version: 1.52.0 + data_stream: + namespace: default + streams: + - data_stream: + dataset: kubernetes.apiserver + type: metrics + metricsets: + - apiserver + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT}' + period: 30s + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + - data_stream: + dataset: kubernetes.event + type: metrics + metricsets: + - event + period: 10s + add_metadata: true + - data_stream: + dataset: kubernetes.state_container + type: metrics + metricsets: + - state_container + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # 
and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_cronjob + type: metrics + metricsets: + - state_cronjob + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_daemonset + type: metrics + metricsets: + - state_daemonset + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_deployment + type: metrics + metricsets: + - state_deployment + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: 
kubernetes.state_job + type: metrics + metricsets: + - state_job + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_namespace + type: metrics + metricsets: + - state_namespace + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_node + type: metrics + metricsets: + - state_node + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_persistentvolume + type: metrics + metricsets: + - state_persistentvolume + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC 
authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_persistentvolumeclaim + type: metrics + metricsets: + - state_persistentvolumeclaim + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_pod + type: metrics + metricsets: + - state_pod + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_replicaset + type: metrics + metricsets: + - state_replicaset + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - 
/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_resourcequota + type: metrics + metricsets: + - state_resourcequota + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_service + type: metrics + metricsets: + - state_service + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_statefulset + type: metrics + metricsets: + - state_statefulset + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - data_stream: + dataset: kubernetes.state_storageclass + type: metrics + metricsets: + - state_storageclass + add_metadata: true + hosts: + - 'kube-state-metrics:8080' + period: 10s + # Openshift: + # 
if to access 'kube-state-metrics' are used third party tools, like kube-rbac-proxy or similar, that perform RBAC authorization + # and/or tls termination, then configuration below should be considered: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + - id: system-logs + type: logfile + use_output: default + meta: + package: + name: system + version: 1.20.4 + data_stream: + namespace: default + streams: + - data_stream: + dataset: system.auth + type: logs + paths: + - /var/log/auth.log* + - /var/log/secure* + exclude_files: + - .gz$ + multiline: + pattern: ^\s + match: after + processors: + - add_locale: null + ignore_older: 72h + - data_stream: + dataset: system.syslog + type: logs + paths: + - /var/log/messages* + - /var/log/syslog* + exclude_files: + - .gz$ + multiline: + pattern: ^\s + match: after + processors: + - add_locale: null + ignore_older: 72h + - id: windows-event-log + type: winlog + use_output: default + meta: + package: + name: system + version: 1.20.4 + data_stream: + namespace: default + streams: + - data_stream: + type: logs + dataset: system.application + condition: '${host.platform} == ''windows''' + ignore_older: 72h + - data_stream: + type: logs + dataset: system.security + condition: '${host.platform} == ''windows''' + ignore_older: 72h + - data_stream: + type: logs + dataset: system.system + condition: '${host.platform} == ''windows''' + ignore_older: 72h + # Input ID allowing Elastic Agent to track the state of this input. Must be unique. 
+ - id: audit-log + type: filestream + use_output: default + meta: + package: + name: kubernetes + version: 1.52.0 + data_stream: + namespace: default + streams: + - data_stream: + dataset: kubernetes.audit_logs + type: logs + exclude_files: + - .gz$ + parsers: + - ndjson: + add_error_key: true + target: kubernetes_audit + paths: + - /var/log/kubernetes/kube-apiserver-audit.log + # The default path of audit logs on Openshift: + # - /var/log/kube-apiserver/audit.log + processors: + - rename: + fields: + - from: kubernetes_audit + to: kubernetes.audit + - script: + id: dedot_annotations + lang: javascript + source: | + function process(event) { + var audit = event.Get("kubernetes.audit"); + for (var annotation in audit["annotations"]) { + var annotation_dedoted = annotation.replace(/\./g,'_') + event.Rename("kubernetes.audit.annotations."+annotation, "kubernetes.audit.annotations."+annotation_dedoted) + } + return event; + } function test() { + var event = process(new Event({ "kubernetes": { "audit": { "annotations": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\"" } } } })); + if (event.Get("kubernetes.audit.annotations.authorization_k8s_io/decision") !== "allow") { + throw "expected kubernetes.audit.annotations.authorization_k8s_io/decision === allow"; + } + } + - id: system-metrics + type: system/metrics + use_output: default + meta: + package: + name: system + version: 1.20.4 + data_stream: + namespace: default + streams: + - data_stream: + dataset: system.cpu + type: metrics + period: 10s + cpu.metrics: + - percentages + - normalized_percentages + metricsets: + - cpu + - data_stream: + dataset: system.diskio + type: metrics + period: 10s + diskio.include_devices: null + metricsets: + - diskio + - data_stream: + dataset: system.filesystem + type: metrics + period: 1m + metricsets: + - filesystem + 
processors: + - drop_event.when.regexp: + system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) + - data_stream: + dataset: system.fsstat + type: metrics + period: 1m + metricsets: + - fsstat + processors: + - drop_event.when.regexp: + system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/) + - data_stream: + dataset: system.load + type: metrics + condition: '${host.platform} != ''windows''' + period: 10s + metricsets: + - load + - data_stream: + dataset: system.memory + type: metrics + period: 10s + metricsets: + - memory + - data_stream: + dataset: system.network + type: metrics + period: 10s + network.interfaces: null + metricsets: + - network + - data_stream: + dataset: system.process + type: metrics + period: 10s + processes: + - .* + process.include_top_n.by_cpu: 5 + process.include_top_n.by_memory: 5 + process.cmdline.cache.enabled: true + process.cgroups.enabled: false + process.include_cpu_ticks: false + metricsets: + - process + process.include_cpu_ticks: false + - data_stream: + dataset: system.process_summary + type: metrics + period: 10s + metricsets: + - process_summary + - data_stream: + dataset: system.socket_summary + type: metrics + period: 10s + metricsets: + - socket_summary + - data_stream: + type: metrics + dataset: system.uptime + metricsets: + - uptime + period: 10s + - id: kubernetes-node-metrics + type: kubernetes/metrics + use_output: default + meta: + package: + name: kubernetes + version: 1.52.0 + data_stream: + namespace: default + streams: + - data_stream: + dataset: kubernetes.controllermanager + type: metrics + metricsets: + - controllermanager + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${kubernetes.pod.ip}:10257' + period: 10s + ssl.verification_mode: none + condition: ${kubernetes.labels.component} == 'kube-controller-manager' + # On Openshift condition should be adjusted: + # condition: ${kubernetes.labels.app} == 
'kube-controller-manager' + - data_stream: + dataset: kubernetes.scheduler + type: metrics + metricsets: + - scheduler + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${kubernetes.pod.ip}:10259' + period: 10s + ssl.verification_mode: none + condition: ${kubernetes.labels.component} == 'kube-scheduler' + # On Openshift condition should be adjusted: + # condition: ${kubernetes.labels.app} == 'openshift-kube-scheduler' + - data_stream: + dataset: kubernetes.proxy + type: metrics + metricsets: + - proxy + hosts: + - 'localhost:10249' + # On Openshift port should be adjusted: + # - 'localhost:29101' + period: 10s + - data_stream: + dataset: kubernetes.container + type: metrics + metricsets: + - container + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + # On Openshift ssl configuration must be replaced: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /path/to/ca-bundle.crt + - data_stream: + dataset: kubernetes.node + type: metrics + metricsets: + - node + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + # On Openshift ssl configuration must be replaced: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /path/to/ca-bundle.crt + - data_stream: + dataset: kubernetes.pod + type: metrics + metricsets: + - pod + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + # On Openshift ssl configuration must be replaced: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # 
ssl.certificate_authorities: + # - /path/to/ca-bundle.crt + - data_stream: + dataset: kubernetes.system + type: metrics + metricsets: + - system + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + # On Openshift ssl configuration must be replaced: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /path/to/ca-bundle.crt + - data_stream: + dataset: kubernetes.volume + type: metrics + metricsets: + - volume + add_metadata: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + hosts: + - 'https://${env.NODE_NAME}:10250' + period: 10s + ssl.verification_mode: none + # On Openshift ssl configuration must be replaced: + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /path/to/ca-bundle.crt + # Add extra input blocks here, based on conditions + # so as to automatically identify targeted Pods and start monitoring them + # using a predefined integration. For instance: + #- id: redis-metrics + # type: redis/metrics + # use_output: default + # meta: + # package: + # name: redis + # version: 0.3.6 + # data_stream: + # namespace: default + # streams: + # - data_stream: + # dataset: redis.info + # type: metrics + # metricsets: + # - info + # hosts: + # - '${kubernetes.pod.ip}:6379' + # idle_timeout: 20s + # maxconn: 10 + # network: tcp + # period: 10s + # condition: ${kubernetes.labels.app} == 'redis' diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml b/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml new file mode 100644 index 00000000000..f479c3ff2bd --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml 
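Review bot: The comment `#Uncomment to enable hints' support - https://www.elastic.co/guide/en/fleet/current/hints-annotations-autodiscovery.html` above `hints.enabled: true` is stale in this file: the Makefile's sed uncomments the two keys but leaves the comment, so the generated template tells readers to uncomment lines that are already active. Reword it to state the actual posture and the trust boundary it opens, e.g. `# Hints-based autodiscovery is ON in this template: pod annotations (see the linked doc) can add inputs to this agent, so anyone able to annotate pods on the node can steer what it collects` — this matters because the agent runs as a DaemonSet with host mounts and the cluster-scoped RBAC of the base overlay. With `hints.default_container_logs: true` every container's logs on the node are collected by default, which is presumably why the Makefile strips the static `container-log` input; a one-line comment saying so would stop someone re-adding it and double-shipping logs. Separately, the kubelet, scheduler and controller-manager streams keep `ssl.verification_mode: none` alongside `bearer_token_file`, which sends the service-account token to an unverified TLS endpoint; this is inherited from the source ConfigMap, but a template that widens collection by default is a reasonable place to point readers at the commented `ssl.certificate_authorities` alternative already shown for OpenShift.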
@@ -0,0 +1,40 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../default/elastic-agent-standalone
+
+patches:
+- path: elastic-agent-standalone-daemonset-configmap.yaml
+- patch: |-
+ apiVersion: apps/v1
+ kind: DaemonSet
+ metadata:
+ name: elastic-agent-standalone
+ namespace: kube-system
+ labels:
+ app: elastic-agent-standalone
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: k8s-templates-downloader
+ image: docker.elastic.co/beats/elastic-agent:9.0.0
+ command: ['bash']
+ args:
+ - -c
+ - >-
+ mkdir -p /etc/elastic-agent/inputs.d &&
+ curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d"
+ volumeMounts:
+ - mountPath: /etc/elastic-agent/inputs.d
+ name: external-inputs
+ containers:
+ - name: elastic-agent-standalone
+ volumeMounts:
+ - name: external-inputs
+ mountPath: /usr/share/elastic-agent/state/inputs.d
+ volumes:
+ - name: external-inputs
+ emptyDir: {}
+ 
\ No newline at end of file
diff --git a/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml.original b/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml.original
new file mode 100644
index 00000000000..8d5ac86e75f
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-kustomize/ksm-hints/elastic-agent-standalone/kustomization.yaml.original
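Review bot: The `k8s-templates-downloader` init container in the embedded DaemonSet patch fetches `https://github.com/elastic/elastic-agent/archive/9.0.tar.gz` with `curl -sL` and pipes it straight into `tar`, so an HTTP error body (404, rate-limit page) is handed to tar instead of failing the request, and because the `bash -c` string sets no `pipefail`, a failed curl is hidden behind tar's exit status. Changing the invocation to `curl -fsSL ...` makes HTTP errors fail the init container, and prefixing the folded command with `set -o pipefail &&` surfaces a broken download instead of leaving inputs.d partially populated. Separately, a branch archive is a moving target with no integrity check, so the templates extracted into inputs.d can change between pod restarts with no change to this manifest; pinning to a tag or commit archive (or verifying a checksum of the downloaded file) would make the rollout reproducible. The same command appears in kustomization.yaml.original (with `%BRANCH%`) and in the commented-out examples this commit rewrites in elastic-agent-standalone-kubernetes.yaml and elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml.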
@@ -0,0 +1,40 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../default/elastic-agent-standalone
+
+patches:
+- path: elastic-agent-standalone-daemonset-configmap.yaml
+- patch: |-
+ apiVersion: apps/v1
+ kind: DaemonSet
+ metadata:
+ name: elastic-agent-standalone
+ namespace: kube-system
+ labels:
+ app: elastic-agent-standalone
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: k8s-templates-downloader
+ image: docker.elastic.co/beats/elastic-agent:%VERSION%
+ command: ['bash']
+ args:
+ - -c
+ - >-
+ mkdir -p /etc/elastic-agent/inputs.d &&
+ curl -sL https://github.com/elastic/elastic-agent/archive/%BRANCH%.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-%BRANCH%/deploy/kubernetes/elastic-agent-standalone/templates.d"
+ volumeMounts:
+ - mountPath: /etc/elastic-agent/inputs.d
+ name: external-inputs
+ containers:
+ - name: elastic-agent-standalone
+ volumeMounts:
+ - name: external-inputs
+ mountPath: /usr/share/elastic-agent/state/inputs.d
+ volumes:
+ - name: external-inputs
+ emptyDir: {}
+ 
\ No newline at end of file
diff --git a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml
index a4968599751..7c0a2fa2d21 100644
--- a/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml
+++ b/deploy/kubernetes/elastic-agent-standalone-kubernetes.yaml
@@ -702,13 +702,11 @@ spec: # args: # - -c # - >- - # mkdir -p /usr/share/elastic-agent/state/inputs.d && - # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" - # securityContext: - # runAsUser: 0 + # mkdir -p /etc/elastic-agent/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d" # volumeMounts: - # - name: elastic-agent-state - # mountPath: /usr/share/elastic-agent/state + # - name: external-inputs + # mountPath: /etc/elastic-agent/inputs.d containers: - name: elastic-agent-standalone image: docker.elastic.co/beats/elastic-agent:9.0.0 @@ -782,6 +780,9 @@ spec: mountPath: /sys/kernel/debug - name: elastic-agent-state mountPath: /usr/share/elastic-agent/state + # Uncomment if using hints feature + # - name: external-inputs + # mountPath: /usr/share/elastic-agent/state/inputs.d volumes: - name: datastreams configMap: @@ -820,6 +821,9 @@ spec: hostPath: path: /var/lib/elastic-agent-standalone/kube-system/state type: DirectoryOrCreate + # Uncomment if using hints feature + # - name: external-inputs + # emptyDir: {} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml index 2848b297399..2fe3237227d 100644 --- a/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml +++ b/deploy/kubernetes/elastic-agent-standalone/elastic-agent-standalone-daemonset.yaml 
@@ -33,13 +33,11 @@ spec: # args: # - -c # - >- - # mkdir -p /usr/share/elastic-agent/state/inputs.d && - # curl -sL https://github.com/elastic/elastic-agent/archive/%BRANCH%.tar.gz | tar xz -C /usr/share/elastic-agent/state/inputs.d --strip=5 "elastic-agent-%BRANCH%/deploy/kubernetes/elastic-agent-standalone/templates.d" - # securityContext: - # runAsUser: 0 + # mkdir -p /etc/elastic-agent/inputs.d && + # curl -sL https://github.com/elastic/elastic-agent/archive/%BRANCH%.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-%BRANCH%/deploy/kubernetes/elastic-agent-standalone/templates.d" # volumeMounts: - # - name: elastic-agent-state - # mountPath: /usr/share/elastic-agent/state + # - name: external-inputs + # mountPath: /etc/elastic-agent/inputs.d containers: - name: elastic-agent-standalone image: docker.elastic.co/beats/elastic-agent:%VERSION% @@ -113,6 +111,9 @@ spec: mountPath: /sys/kernel/debug - name: elastic-agent-state mountPath: /usr/share/elastic-agent/state + # Uncomment if using hints feature + # - name: external-inputs + # mountPath: /usr/share/elastic-agent/state/inputs.d volumes: - name: datastreams configMap: @@ -151,3 +152,6 @@ spec: hostPath: path: /var/lib/elastic-agent-standalone/kube-system/state type: DirectoryOrCreate + # Uncomment if using hints feature + # - name: external-inputs + # emptyDir: {}