@@ -124,6 +124,100 @@ elastic-agent-fj2z9 1/1 Running 0 81m
elastic-agent-hs4pb 1/1 Running 0 81m
------------------------------------------------

[discrete]
== Red Hat OpenShift configuration

If you are using Red Hat OpenShift, you need to specify additional settings in
the manifest file and enable the container to run as privileged.

. In the manifest file, modify the `agent-node-datastreams` ConfigMap and adjust inputs:
+
--
* `kubernetes-cluster-metrics` input:
** If `https` is used to access `kube-state-metrics`, add the following settings to all `kubernetes.state_*` datasets:
+
[source,yaml]
------------------------------------------------
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
ssl.certificate_authorities:
- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
------------------------------------------------
* `kubernetes-node-metrics` input:
** Change the `kubernetes.controllermanager` datastream condition to:
+
[source,yaml]
------------------------------------------------
condition: ${kubernetes.labels.app} == 'kube-controller-manager'
------------------------------------------------
** Change the `kubernetes.scheduler` datastream condition to:
+
[source,yaml]
------------------------------------------------
condition: ${kubernetes.labels.app} == 'openshift-kube-scheduler'
------------------------------------------------
** The `kubernetes.proxy` datastream configuration should look like:
+
[source,yaml]
------------------------------------------------
- data_stream:
dataset: kubernetes.proxy
type: metrics
metricsets:
- proxy
hosts:
- 'localhost:29101'
period: 10s
------------------------------------------------
** Add the following settings to all datastreams that connect to `https://${env.NODE_NAME}:10250`:
+
[source,yaml]
------------------------------------------------
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
ssl.certificate_authorities:
- /path/to/ca-bundle.crt
------------------------------------------------
NOTE: `ca-bundle.crt` can be any CA bundle that contains the issuer of the certificate used in the Kubelet API.
According to each specific installation of Openshift this can be found either in `secrets` or in `configmaps`.
In some installations it can be available as part of the service account secret, in
`/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt`.
When using the https://github.com/openshift/installer/blob/master/docs/user/gcp/install.md[Openshift installer]
for GCP, mount the following `configmap` in the elastic-agent pod and use `ca-bundle.crt`
in `ssl.certificate_authorities`:
+
[source,shell]
-----
Name: kubelet-serving-ca
Namespace: openshift-kube-apiserver
Labels: <none>
Annotations: <none>

Data
====
ca-bundle.crt:
-----
--
. Grant the `elastic-agent` service account access to the privileged SCC:
+
[source,shell]
-----
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:elastic-agent
-----
+
This command enables the container to be privileged as an administrator for
OpenShift.

. If the namespace where elastic-agent is running has the `"openshift.io/node-selector"` annotation set, elastic-agent
might not run on all nodes. In this case consider overriding the node selector for the namespace to allow scheduling
on any node:
+
[source,shell]
----
oc patch namespace kube-system -p \
'{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
----
+
This command sets the node selector for the project to an empty string.

[discrete]
== Autodiscover targeted Pods
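
Review bot: The privileged SCC step (`oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:elastic-agent`) is explained only as "enables the container to be privileged as an administrator for OpenShift", which does not tell the reader what is being granted. Suggest stating that it lets pods running under the `elastic-agent` service account in `kube-system` be admitted under the `privileged` SCC, and, since the intro says the container must "run as privileged", adding the manifest change that goes with it, because no step in this section shows one. The node-selector step needs a similar caveat: `oc patch namespace kube-system` changes the annotation for the whole namespace, not just for elastic-agent, so the text should say that other workloads in `kube-system` are affected. Minor: the CA bundle example uses the placeholder `/path/to/ca-bundle.crt` and tells the reader to mount the `kubelet-serving-ca` configmap without showing the volume definition, and "Openshift" should be "OpenShift" for consistency with the heading.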

@@ -169,4 +263,4 @@ The size and the number of nodes in a Kubernetes cluster can be fairly large at
and in such cases the Pod that will be collecting cluster level metrics might face performance
issues due to resources limitations. In this case users might consider to avoid using the
leader election strategy and instead run a dedicated, standalone {agent} instance using
a Deployment in addition to the DaemonSet.
a Deployment in addition to the DaemonSet.
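
Review bot: The removed and added versions of the last line, `a Deployment in addition to the DaemonSet.`, read identically here, so this looks like a whitespace or end-of-file newline change unrelated to the OpenShift section. It is fine to keep, but mention it in the commit message so it is not mistaken for a content edit.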