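---
# Elastic Agent on Kubernetes: a DaemonSet that runs one agent pod per node,
# plus the ServiceAccount and RBAC objects that pod uses. All namespaced
# objects live in kube-system.
#
# NOTE(review): the enrollment settings in the DaemonSet (FLEET_INSECURE and
# the Kibana user/password) are inline literals. Treat them as placeholders
# and replace them before applying this to a shared or production cluster.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    app: elastic-agent
spec:
  selector:
    matchLabels:
      app: elastic-agent
  template:
    metadata:
      labels:
        app: elastic-agent
    spec:
      tolerations:
        # Tolerate both names of the control-plane taint: `control-plane` is
        # the current key, `master` the older one. Without the current key
        # the agent is not scheduled on control-plane nodes of newer
        # clusters, which leaves those nodes without log/metric collection.
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: elastic-agent
      # The pod shares the node's network namespace. Combined with
      # runAsUser: 0 and the hostPath mounts below, this is a privileged
      # footprint; keep write access to this DaemonSet tightly restricted.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: elastic-agent
          # Pinned by tag. NOTE(review): pinning by image digest as well
          # would guard against the tag being re-pointed.
          image: docker.elastic.co/beats/elastic-agent:7.15.2
          env:
            - name: FLEET_ENROLL
              value: "1"
            # Set to true only when Fleet Server is reached over plain HTTP
            # or presents a certificate the agent cannot verify.
            # NOTE(review): FLEET_URL below is https, so "true" here means
            # the server certificate is presumably not verified during
            # enrollment. Switch to "false" once Fleet Server has a
            # certificate the agent trusts.
            - name: FLEET_INSECURE
              value: "true"
            # URL (scheme, host and port) of Fleet Server
            - name: FLEET_URL
              value: "https://fleet-server:8220"
            # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME,
            # KIBANA_FLEET_PASSWORD are needed.
            # Env values are readable by anyone who can read this DaemonSet
            # or its pods; prefer supplying the token (and any password)
            # through valueFrom.secretKeyRef instead of an inline literal.
            - name: FLEET_ENROLLMENT_TOKEN
              value: ""
            # NOTE(review): http:// means the username and password below
            # cross the network unencrypted. Use https where Kibana serves
            # TLS.
            - name: KIBANA_HOST
              value: "http://kibana:5601"
            # NOTE(review): `elastic` is the stack's built-in superuser. An
            # enrollment token or a dedicated least-privilege user is
            # preferable to handing superuser credentials to every node.
            - name: KIBANA_FLEET_USERNAME
              value: "elastic"
            # Placeholder default password; must not be the real credential
            # on any reachable cluster.
            - name: KIBANA_FLEET_PASSWORD
              value: "changeme"
            # Downward API: node name and pod name of this agent instance
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          securityContext:
            # Runs as root inside the container.
            runAsUser: 0
          resources:
            limits:
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 200Mi
          # All host paths are mounted read-only.
          volumeMounts:
            - name: proc
              mountPath: /hostfs/proc
              readOnly: true
            - name: cgroup
              mountPath: /hostfs/sys/fs/cgroup
              readOnly: true
            - name: varlibdockercontainers
              mountPath: /var/lib/docker/containers
              readOnly: true
            - name: varlog
              mountPath: /var/log
              readOnly: true
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
        - name: varlog
          hostPath:
            path: /var/log
---
# Binds the cluster-wide read permissions (ClusterRole elastic-agent) to the
# agent's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io
---
# Binds the namespaced Role elastic-agent (leases) to the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kube-system
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: kube-system
roleRef:
  kind: Role
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io
---
# Binds the Role that can read the kubeadm-config ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elastic-agent-kubeadm-config
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: kube-system
roleRef:
  kind: Role
  name: elastic-agent-kubeadm-config
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide permissions of the agent. Every rule is read-only
# (get/list/watch or get).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
  labels:
    k8s-app: elastic-agent
rules:
  # Note: this includes read access to ConfigMaps in every namespace.
  - apiGroups:
      - ""
    resources:
      - nodes
      - namespaces
      - events
      - pods
      - services
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Enable this rule only if planning to use the kubernetes_secrets provider.
  # It would let the agent read Secrets in every namespace, so leave it
  # disabled unless that provider is actually in use.
  # - apiGroups:
  #     - ""
  #   resources:
  #     - secrets
  #   verbs:
  #     - get
  - apiGroups:
      - extensions
    resources:
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
      - deployments
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/stats
    verbs:
      - get
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
  # required for apiserver
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
---
# Namespaced permissions on Lease objects.
# NOTE(review): presumably used for leader election between agents; confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent
  # should be the namespace where elastic-agent is running
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - create
      - update
---
# Read access to a single ConfigMap: resourceNames limits the rule to
# kubeadm-config only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-agent-kubeadm-config
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - kubeadm-config
    verbs:
      - get
---
# Identity the DaemonSet pods run as; all bindings above refer to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    k8s-app: elastic-agent
---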