Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Elastic Agent Kubernetes Integration missing default permissions #8168

Open
kaykhan opened this issue Oct 31, 2024 · 0 comments
Open

Elastic Agent Kubernetes Integration missing default permissions #8168

kaykhan opened this issue Oct 31, 2024 · 0 comments
Labels
triage

Comments

@kaykhan
Copy link

kaykhan commented Oct 31, 2024

We are using ECK with Elastic Agents Managed by Fleet and have installed the Kubernetes Integration.

We have noticed a number of errors relating to permissions;

The first two i believe can be resolved by updating the cluster role: https://github.com/elastic/cloud-on-k8s/blob/main/deploy/eck-stack/charts/eck-agent/values.yaml#L127-L183

{"log.level":"error","@timestamp":"2024-10-31T10:18:59.704Z","message":"E1031 10:18:59.703948 1125 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.DaemonSet: failed to list *v1.DaemonSet: daemonsets.apps is forbidden: User "system:serviceaccount:elastic-system:elastic-agent" cannot list resource "daemonsets" in API group "apps" at the cluster scope","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"kubernetes/metrics-default","type":"kubernetes/metrics"},"log":{"source":"kubernetes/metrics-default"},"ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2024-10-31T09:26:58.580Z","message":"E1031 09:26:58.580250 1036 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.PersistentVolume: failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:elastic-system:elastic-agent" cannot list resource "persistentvolumes" in API group "" at the cluster scope","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"kubernetes/metrics-default","type":"kubernetes/metrics"},"log":{"source":"kubernetes/metrics-default"},"ecs.version":"1.6.0"}

We are unsure why we are receiving the below 401 errors.

{"log.level":"error","@timestamp":"2024-10-31T09:30:20.489Z","message":"add_cloud_metadata: received error failed with http status code 401","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"add_cloud_metadata","log.origin":{"file.line":190,"file.name":"add_cloud_metadata/providers.go","function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata"},"ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2024-10-31T09:30:15.788Z","message":"add_cloud_metadata: received error failed with http status code 401","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":190,"file.name":"add_cloud_metadata/providers.go","function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"add_cloud_metadata","ecs.version":"1.6.0"}
@botelastic botelastic bot added the triage label Oct 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kaykhan