# For more information https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-standalone.html
#
# Standalone Elastic Agent policy mounted into every node's agent pod.
# Everything under `agent.yml` is the agent's own configuration, not Kubernetes
# configuration: `${VAR}` references are resolved by the agent at runtime from
# the container environment and from the kubernetes provider.
apiVersion: v1
kind: ConfigMap
metadata:
  name: agent-node-datastreams
  namespace: kube-system
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
data:
  agent.yml: |-
    outputs:
      default:
        type: elasticsearch
        hosts:
          - >-
            ${ES_HOST}
        # Credentials come from the environment. Keep literal values out of this
        # ConfigMap: it is readable by any principal with `get` on configmaps in
        # kube-system, which includes this agent's own ClusterRole.
        api_key: ${API_KEY}
        # SHA-256 fingerprint of the CA that issued the Elasticsearch certificate.
        # NOTE(review): the DaemonSet in this file does not define a CA_TRUSTED env
        # var - confirm it is supplied. If it resolves empty, the server certificate
        # is presumably validated against the default trust store only, not pinned.
        ssl.ca_trusted_fingerprint: ${CA_TRUSTED}
        # Uncomment username/password and remove api_key if you want to use alternative authentication method
        # username: ${ES_USERNAME}
        # password: ${ES_PASSWORD}
    agent:
      monitoring:
        enabled: true
        use_output: default
        logs: true
        metrics: true
    providers.kubernetes:
      node: ${NODE_NAME}
      scope: node
      #Uncomment to enable hints' support - https://www.elastic.co/guide/en/fleet/current/hints-annotations-autodiscovery.html
      #hints.enabled: true
      #hints.default_container_logs: true
    inputs:
      # Cluster-scoped metrics. Only the agent holding the leader-election lease
      # (granted by the `leases` Role in this file) runs this input, so cluster
      # level data is collected exactly once rather than once per node.
      - id: kubernetes-cluster-metrics
        condition: ${kubernetes_leaderelection.leader} == true
        type: kubernetes/metrics
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.apiserver
              type: metrics
            metricsets:
              - apiserver
            # Authenticates with the mounted ServiceAccount token AND verifies the
            # API server against the in-cluster CA. This is the pattern the
            # kubelet/control-plane streams further down should converge to.
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.KUBERNETES_SERVICE_HOST}:${env.KUBERNETES_SERVICE_PORT}'
            period: 30s
            ssl.certificate_authorities:
              - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          - data_stream:
              dataset: kubernetes.event
              type: metrics
            metricsets:
              - event
            period: 10s
            add_metadata: true
          - data_stream:
              dataset: kubernetes.state_container
              type: metrics
            metricsets:
              - state_container
            add_metadata: true
            # As configured here, kube-state-metrics is scraped over plain HTTP with
            # no authentication. If it is fronted by an authenticating/TLS proxy,
            # switch to the Openshift block below (applies to all state_* streams).
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_cronjob
              type: metrics
            metricsets:
              - state_cronjob
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_daemonset
              type: metrics
            metricsets:
              - state_daemonset
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_deployment
              type: metrics
            metricsets:
              - state_deployment
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_job
              type: metrics
            metricsets:
              - state_job
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_namespace
              type: metrics
            metricsets:
              - state_namespace
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_node
              type: metrics
            metricsets:
              - state_node
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_persistentvolume
              type: metrics
            metricsets:
              - state_persistentvolume
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_persistentvolumeclaim
              type: metrics
            metricsets:
              - state_persistentvolumeclaim
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_pod
              type: metrics
            metricsets:
              - state_pod
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            #<processors_placeholder>
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_replicaset
              type: metrics
            metricsets:
              - state_replicaset
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_resourcequota
              type: metrics
            metricsets:
              - state_resourcequota
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_service
              type: metrics
            metricsets:
              - state_service
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_statefulset
              type: metrics
            metricsets:
              - state_statefulset
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
          - data_stream:
              dataset: kubernetes.state_storageclass
              type: metrics
            metricsets:
              - state_storageclass
            add_metadata: true
            hosts:
              - 'kube-state-metrics:8080'
            period: 10s
            # Openshift:
            # if kube-state-metrics sits behind a tool such as kube-rbac-proxy that performs
            # RBAC authorization and/or TLS termination, use the configuration below instead:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
      # Host auth/syslog files, read through the read-only /var/log hostPath mount.
      - id: system-logs
        type: logfile
        use_output: default
        meta:
          package:
            name: system
            version: 1.20.4
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: system.auth
              type: logs
            paths:
              - /var/log/auth.log*
              - /var/log/secure*
            exclude_files:
              - .gz$
            multiline:
              pattern: ^\s
              match: after
            processors:
              - add_locale: null
            ignore_older: 72h
          - data_stream:
              dataset: system.syslog
              type: logs
            paths:
              - /var/log/messages*
              - /var/log/syslog*
            exclude_files:
              - .gz$
            multiline:
              pattern: ^\s
              match: after
            processors:
              - add_locale: null
            ignore_older: 72h
      # Inert on Linux nodes: every stream is gated on host.platform == windows.
      - id: windows-event-log
        type: winlog
        use_output: default
        meta:
          package:
            name: system
            version: 1.20.4
        data_stream:
          namespace: default
        streams:
          - data_stream:
              type: logs
              dataset: system.application
            condition: '${host.platform} == ''windows'''
            ignore_older: 72h
          - data_stream:
              type: logs
              dataset: system.security
            condition: '${host.platform} == ''windows'''
            ignore_older: 72h
          - data_stream:
              type: logs
              dataset: system.system
            condition: '${host.platform} == ''windows'''
            ignore_older: 72h
      # Input ID allowing Elastic Agent to track the state of this input. Must be unique.
      - id: container-log-${kubernetes.pod.name}-${kubernetes.container.id}
        type: filestream
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          # Stream ID for this data stream allowing Filebeat to track the state of the ingested files. Must be unique.
          # Each filestream data stream creates a separate instance of the Filebeat filestream input.
          - id: container-log-${kubernetes.pod.name}-${kubernetes.container.id}
            data_stream:
              dataset: kubernetes.container_logs
              type: logs
            # Symlink following is on presumably because the files under
            # /var/log/containers are links into the runtime's log directories
            # (hence the /var/lib/docker/containers hostPath mount in the DaemonSet).
            prospector.scanner.symlinks: true
            parsers:
              - container: ~
              # - ndjson:
              #     target: json
              # - multiline:
              #     type: pattern
              #     pattern: '^\['
              #     negate: true
              #     match: after
            paths:
              - /var/log/containers/*${kubernetes.container.id}.log
      - id: audit-log
        type: filestream
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.audit_logs
              type: logs
            exclude_files:
              - .gz$
            parsers:
              - ndjson:
                  add_error_key: true
                  target: kubernetes_audit
            # Audit events are shipped verbatim. If the cluster's audit policy records
            # Secret/ConfigMap operations at Request or RequestResponse level, their
            # bodies end up in Elasticsearch - review the audit policy, or add a
            # drop/redaction processor here, before enabling this on production clusters.
            paths:
              - /var/log/kubernetes/kube-apiserver-audit.log
              # The default path of audit logs on Openshift:
              # - /var/log/kube-apiserver/audit.log
            processors:
              - rename:
                  fields:
                    - from: kubernetes_audit
                      to: kubernetes.audit
              # Dotted annotation keys (e.g. authorization.k8s.io/decision) would be
              # expanded into nested objects; the script rewrites dots to underscores
              # so each annotation stays a single leaf field.
              # NOTE(review): audit["annotations"] throws if the event has no
              # kubernetes.audit object - confirm such events cannot reach this processor.
              - script:
                  id: dedot_annotations
                  lang: javascript
                  source: |
                    function process(event) {
                      var audit = event.Get("kubernetes.audit");
                      for (var annotation in audit["annotations"]) {
                        var annotation_dedoted = annotation.replace(/\./g,'_')
                        event.Rename("kubernetes.audit.annotations."+annotation, "kubernetes.audit.annotations."+annotation_dedoted)
                      }
                      return event;
                    } function test() {
                      var event = process(new Event({ "kubernetes": { "audit": { "annotations": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:kube-scheduler\" of ClusterRole \"system:kube-scheduler\" to User \"system:kube-scheduler\"" } } } }));
                      if (event.Get("kubernetes.audit.annotations.authorization_k8s_io/decision") !== "allow") {
                        throw "expected kubernetes.audit.annotations.authorization_k8s_io/decision === allow";
                      }
                    }
      # Node/host metrics read from the host filesystem mounted under /hostfs.
      - id: system-metrics
        type: system/metrics
        use_output: default
        meta:
          package:
            name: system
            version: 1.20.4
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: system.cpu
              type: metrics
            period: 10s
            cpu.metrics:
              - percentages
              - normalized_percentages
            metricsets:
              - cpu
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.diskio
              type: metrics
            period: 10s
            diskio.include_devices: null
            metricsets:
              - diskio
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.filesystem
              type: metrics
            period: 1m
            metricsets:
              - filesystem
            system.hostfs: '/hostfs'
            processors:
              # Skip pseudo filesystems and the agent's own host mounts.
              - drop_event.when.regexp:
                  system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
          - data_stream:
              dataset: system.fsstat
              type: metrics
            period: 1m
            metricsets:
              - fsstat
            system.hostfs: '/hostfs'
            processors:
              - drop_event.when.regexp:
                  system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)
          - data_stream:
              dataset: system.load
              type: metrics
            condition: '${host.platform} != ''windows'''
            period: 10s
            metricsets:
              - load
          - data_stream:
              dataset: system.memory
              type: metrics
            period: 10s
            metricsets:
              - memory
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.network
              type: metrics
            period: 10s
            network.interfaces: null
            metricsets:
              - network
          - data_stream:
              dataset: system.process
              type: metrics
            period: 10s
            # Matches every process on the host (via /hostfs/proc) and caches its
            # command line. Command lines may carry secrets passed as arguments;
            # narrow `processes` or strip the command-line field downstream if that
            # matters in your environment.
            processes:
              - .*
            process.include_top_n.by_cpu: 5
            process.include_top_n.by_memory: 5
            process.cmdline.cache.enabled: true
            process.cgroups.enabled: false
            process.include_cpu_ticks: false
            metricsets:
              - process
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.process_summary
              type: metrics
            period: 10s
            metricsets:
              - process_summary
            system.hostfs: '/hostfs'
          - data_stream:
              dataset: system.socket_summary
              type: metrics
            period: 10s
            metricsets:
              - socket_summary
            system.hostfs: '/hostfs'
          - data_stream:
              type: metrics
              dataset: system.uptime
            metricsets:
              - uptime
            period: 10s
      # Per-node Kubernetes metrics from the local kubelet, kube-proxy and (on
      # control-plane nodes) the controller manager and scheduler.
      - id: kubernetes-node-metrics
        type: kubernetes/metrics
        use_output: default
        meta:
          package:
            name: kubernetes
            version: 1.52.0
        data_stream:
          namespace: default
        streams:
          - data_stream:
              dataset: kubernetes.controllermanager
              type: metrics
            metricsets:
              - controllermanager
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${kubernetes.pod.ip}:10257'
            period: 10s
            # Server certificate verification is disabled: the ServiceAccount bearer
            # token above is handed to whatever answers on this address. Tolerable
            # only while the component's serving certificate is self-signed; where a
            # cluster CA issues it, replace this with ssl.certificate_authorities.
            ssl.verification_mode: none
            condition: ${kubernetes.labels.component} == 'kube-controller-manager'
            # On Openshift condition should be adjusted:
            # condition: ${kubernetes.labels.app} == 'kube-controller-manager'
          - data_stream:
              dataset: kubernetes.scheduler
              type: metrics
            metricsets:
              - scheduler
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${kubernetes.pod.ip}:10259'
            period: 10s
            # No server verification; same caveat as the controllermanager stream.
            ssl.verification_mode: none
            condition: ${kubernetes.labels.component} == 'kube-scheduler'
            # On Openshift condition should be adjusted:
            # condition: ${kubernetes.labels.app} == 'openshift-kube-scheduler'
          - data_stream:
              dataset: kubernetes.proxy
              type: metrics
            metricsets:
              - proxy
            # Plain HTTP on the host network namespace (the DaemonSet sets hostNetwork).
            hosts:
              - 'localhost:10249'
              # On Openshift port should be adjusted:
              # - 'localhost:29101'
            period: 10s
          - data_stream:
              dataset: kubernetes.container
              type: metrics
            metricsets:
              - container
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            # Kubelet serving certificate is not verified; the SA token is sent to
            # whatever answers on NODE_NAME:10250. Prefer the CA-based variant below
            # wherever kubelet certificates are CA-issued.
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.node
              type: metrics
            metricsets:
              - node
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            # Kubelet serving certificate is not verified (see kubernetes.container).
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.pod
              type: metrics
            metricsets:
              - pod
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            # Kubelet serving certificate is not verified (see kubernetes.container).
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.system
              type: metrics
            metricsets:
              - system
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            # Kubelet serving certificate is not verified (see kubernetes.container).
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
          - data_stream:
              dataset: kubernetes.volume
              type: metrics
            metricsets:
              - volume
            add_metadata: true
            bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            hosts:
              - 'https://${env.NODE_NAME}:10250'
            period: 10s
            # Kubelet serving certificate is not verified (see kubernetes.container).
            ssl.verification_mode: none
            # On Openshift ssl configuration must be replaced:
            # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
            # ssl.certificate_authorities:
            #   - /path/to/ca-bundle.crt
      # Add extra input blocks here, based on conditions
      # so as to automatically identify targeted Pods and start monitoring them
      # using a predefined integration. For instance:
      #- id: redis-metrics
      #  type: redis/metrics
      #  use_output: default
      #  meta:
      #    package:
      #      name: redis
      #      version: 0.3.6
      #  data_stream:
      #    namespace: default
      #  streams:
      #    - data_stream:
      #        dataset: redis.info
      #        type: metrics
      #      metricsets:
      #        - info
      #      hosts:
      #        - '${kubernetes.pod.ip}:6379'
      #      idle_timeout: 20s
      #      maxconn: 10
      #      network: tcp
      #      period: 10s
      #      condition: ${kubernetes.labels.app} == 'redis'
---
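# For more information refer https://www.elastic.co/guide/en/fleet/current/running-on-kubernetes-standalone.html
#
# Per-node Elastic Agent. Posture to be aware of before applying:
#   - runs as root (runAsUser: 0) on the host network;
#   - read-only hostPath mounts of /proc, /sys/fs/cgroup, /var/log,
#     /var/lib/docker/containers, /etc and /var/lib - the last two expose
#     kubelet credentials and container-runtime state to anything that gains
#     code execution inside this container;
#   - /sys/kernel/debug is mounted read-write;
#   - its ServiceAccount carries the cluster-wide read rules defined later in this file.
# Remove the mounts and RBAC rules belonging to integrations you do not use.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent-standalone
  namespace: kube-system
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: elastic-agent-standalone
  template:
    metadata:
      labels:
        app.kubernetes.io/name: elastic-agent-standalone
    spec:
      # Tolerations are needed to run Elastic Agent on Kubernetes control-plane nodes.
      # Agents running on control-plane nodes collect metrics from the control plane components (scheduler, controller manager) of Kubernetes
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: elastic-agent-standalone
      # Host networking so that 'localhost:10249' (kube-proxy) and NODE_NAME:10250
      # (kubelet) in agent.yml are reached through the node's own network stack.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      # Uncomment if using hints feature
      # NOTE(review): this fetches an unpinned tarball from GitHub at pod start, with
      # no integrity check, and extracts it into the agent's input directory. Prefer
      # shipping templates.d in the image or a ConfigMap, or at minimum verify a
      # known checksum before extracting.
      #initContainers:
      #  - name: k8s-templates-downloader
      #    image: docker.elastic.co/elastic-agent/elastic-agent:9.1.0
      #    command: ['bash']
      #    args:
      #      - -c
      #      - >-
      #        mkdir -p /etc/elastic-agent/inputs.d &&
      #        curl -sL https://github.com/elastic/elastic-agent/archive/9.1.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.1/deploy/kubernetes/elastic-agent-standalone/templates.d"
      #    volumeMounts:
      #      - name: external-inputs
      #        mountPath: /etc/elastic-agent/inputs.d
      containers:
        - name: elastic-agent-standalone
          # Pinned to a release tag. For a reproducible supply chain pin by digest
          # (image@sha256:...) so the tag cannot be re-pointed underneath you.
          image: docker.elastic.co/elastic-agent/elastic-agent:9.1.0
          args: ["-c", "/etc/elastic-agent/agent.yml", "-e"]
          env:
            # The API Key with access privilleges to connect to Elasticsearch. https://www.elastic.co/guide/en/fleet/current/grant-access-to-elasticsearch.html#create-api-key-standalone-agent
            # Do not commit a real key here: plain `value` entries are visible to
            # anyone who can read the DaemonSet or pod spec. Reference a Secret
            # instead, e.g.
            #   valueFrom:
            #     secretKeyRef:
            #       name: <your-elasticsearch-credentials-secret>
            #       key: api_key
            - name: API_KEY
              value: ""
            # The basic authentication username used to connect to Elasticsearch. Alternative to API_KEY access.
            # This user needs the privileges required to publish events to Elasticsearch.
            # 'elastic'/'changeme' are placeholders for the built-in superuser; never
            # ship them to a real cluster, and use a dedicated publish-only user.
            - name: ES_USERNAME
              value: "elastic"
            # The basic authentication password used to connect to Elasticsearch.
            # Source from a Secret (secretKeyRef) rather than a literal, as for API_KEY.
            - name: ES_PASSWORD
              value: "changeme"
            # The Elasticsearch host to communicate with
            - name: ES_HOST
              value: ""
            # SHA-256 fingerprint of the CA that issued the Elasticsearch certificate,
            # consumed by ssl.ca_trusted_fingerprint in agent.yml. It was referenced
            # there but not defined here; defined explicitly so the variable always
            # resolves. Empty presumably means no pinning (default trust store) -
            # set it to pin the output to your CA.
            - name: CA_TRUSTED
              value: ""
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # The following ELASTIC_NETINFO:false variable will disable the netinfo.enabled option of add-host-metadata processor. This will remove fields host.ip and host.mac.
            # For more info: https://www.elastic.co/guide/en/beats/metricbeat/current/add-host-metadata.html
            - name: ELASTIC_NETINFO
              value: "false"
          # Root is required to read the host mounts below. No added capabilities
          # and no privileged mode unless Universal Profiling is enabled.
          securityContext:
            runAsUser: 0
            # The following capabilities are needed for Universal Profiling.
            # More fine graded capabilities are only available for newer Linux kernels.
            # If you are using the Universal Profiling integration, please uncomment these lines before applying.
            #procMount: "Unmasked"
            #privileged: true
            #capabilities:
            #  add:
            #    - SYS_ADMIN
          resources:
            limits:
              memory: 1Gi
            requests:
              cpu: 100m
              memory: 500Mi
          volumeMounts:
            - name: datastreams
              mountPath: /etc/elastic-agent/agent.yml
              readOnly: true
              subPath: agent.yml
            - name: proc
              mountPath: /hostfs/proc
              readOnly: true
            - name: cgroup
              mountPath: /hostfs/sys/fs/cgroup
              readOnly: true
            - name: varlibdockercontainers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: varlog
              mountPath: /var/log
              readOnly: true
            # /etc and /var/lib: only needed for Cloud Security Posture (cloudbeat);
            # read-only, but still expose host credentials - drop if unused.
            - name: etc-full
              mountPath: /hostfs/etc
              readOnly: true
            - name: var-lib
              mountPath: /hostfs/var/lib
              readOnly: true
            # Read-write (needed by Universal Profiling); drop if profiling is unused.
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug
            - name: elastic-agent-state
              mountPath: /usr/share/elastic-agent/state
            # Uncomment if using hints feature
            # - name: external-inputs
            #   mountPath: /usr/share/elastic-agent/state/inputs.d
      volumes:
        - name: datastreams
          configMap:
            # World-readable inside the pod; fine as long as agent.yml holds only
            # ${VAR} references and no literal credentials.
            defaultMode: 0644
            name: agent-node-datastreams
        - name: proc
          hostPath:
            path: /proc
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: varlog
          hostPath:
            path: /var/log
        # The following volumes are needed for Cloud Security Posture integration (cloudbeat)
        # If you are not using this integration, then these volumes and the corresponding
        # mounts can be removed.
        - name: etc-full
          hostPath:
            path: /etc
        - name: var-lib
          hostPath:
            path: /var/lib
        # Needed for Universal Profiling
        # If you are not using this integration, then these volumes and the corresponding
        # mounts can be removed.
        - name: sys-kernel-debug
          hostPath:
            path: /sys/kernel/debug
        # Mount /var/lib/elastic-agent-standalone/kube-system/state to store elastic-agent state
        # Update 'kube-system' with the namespace of your agent installation
        - name: elastic-agent-state
          hostPath:
            path: /var/lib/elastic-agent-standalone/kube-system/state
            type: DirectoryOrCreate
        # Uncomment if using hints feature
        # - name: external-inputs
        #   emptyDir: {}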
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent-standalone
# Attaches the cluster-wide read rules of ClusterRole/elastic-agent-standalone
# to the agent's ServiceAccount in kube-system.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elastic-agent-standalone
subjects:
  - kind: ServiceAccount
    name: elastic-agent-standalone
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elastic-agent-standalone
  namespace: kube-system
# Namespace-scoped binding for the leader-election lease Role; only valid in the
# namespace the agent runs in.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: elastic-agent-standalone
subjects:
  - kind: ServiceAccount
    name: elastic-agent-standalone
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elastic-agent-standalone-kubeadm-config
  namespace: kube-system
# Binds the single-ConfigMap read Role (kubeadm-config) to the agent's ServiceAccount.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: elastic-agent-standalone-kubeadm-config
subjects:
  - kind: ServiceAccount
    name: elastic-agent-standalone
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
# Cluster-wide, read-only permissions for the agent. Everything here is
# get/list/watch; the only write permission the agent gets is the namespaced
# `leases` Role further down. Trim rules for integrations you do not run.
metadata:
  name: elastic-agent-standalone
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
rules:
  - apiGroups: [""]
    resources:
      - nodes
      - namespaces
      - events
      - pods
      - services
      # Cluster-wide ConfigMap read. ConfigMaps frequently hold application
      # configuration that is sensitive even when it is not a Secret; confirm which
      # input needs this (kubeadm-config already has its own scoped Role below).
      - configmaps
      # Needed for cloudbeat
      - serviceaccounts
      - persistentvolumes
      - persistentvolumeclaims
    verbs: ["get", "list", "watch"]
  # Enable this rule only if planing to use kubernetes_secrets provider
  # If enabled, scope it with `resourceNames` to the specific Secrets the policy
  # references; a bare `get` on secrets is cluster-wide secret read.
  #- apiGroups: [""]
  #  resources:
  #    - secrets
  #  verbs: ["get"]
  # Legacy group: extensions/replicasets was removed in Kubernetes 1.16. Harmless
  # on newer clusters (RBAC does not validate resource existence).
  - apiGroups: ["extensions"]
    resources:
      - replicasets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - statefulsets
      - deployments
      - replicasets
      - daemonsets
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch"]
  # kubelet stats via the API server proxy path.
  - apiGroups:
      - ""
    resources:
      - nodes/stats
    verbs:
      - get
  # Needed for apiserver
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  # Needed for cloudbeat
  # Read access to all RBAC objects lets the agent (and anyone holding its token)
  # map the cluster's entire authorization model.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
    verbs: ["get", "list", "watch"]
  # Needed for cloudbeat
  # PodSecurityPolicy was removed in Kubernetes 1.25; this rule is inert there.
  - apiGroups: ["policy"]
    resources:
      - podsecuritypolicies
    verbs: ["get", "list", "watch"]
  - apiGroups: [ "storage.k8s.io" ]
    resources:
      - storageclasses
    verbs: [ "get", "list", "watch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent-standalone
  # Should be the namespace where elastic-agent is running
  namespace: kube-system
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
# The agent's only write permission: the coordination lease used for leader
# election (`${kubernetes_leaderelection.leader}` in agent.yml). Namespaced, so
# it cannot touch leases elsewhere (e.g. kube-controller-manager's own lease in
# kube-system is still reachable - keep the agent in a dedicated namespace if
# that matters to you).
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent-standalone-kubeadm-config
  namespace: kube-system
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
# Least-privilege pattern worth copying: `get` on exactly one named ConfigMap
# rather than on the whole resource.
rules:
  - apiGroups: [""]
    resources:
      - configmaps
    resourceNames:
      - kubeadm-config
    verbs: ["get"]
---
# Identity the DaemonSet runs as; its token is what every bearer_token_file in
# agent.yml presents to the API server and kubelets.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: elastic-agent-standalone
  name: elastic-agent-standalone
  namespace: kube-system
---