Fleet-managed Elastic Agents must connect to Fleet Server to receive their configurations. You can deploy Fleet Server instances using ECKs Agent CRD with the appropriate configuration, as shown in Fleet mode and Fleet Server.
To know more about Fleet architecture and related components, check the Fleet documentation.
To run both Fleet Server and Elastic Agent in Fleet-managed mode, set the
mode configuration element to
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: elastic-agent-sample spec: mode: fleet
To run Fleet Server, set the
fleetServerEnabled configuration element to
true, as shown in this example:
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: fleet-server-sample spec: mode: fleet fleetServerEnabled: true
You can leave the default value
false for any other case.
To have Fleet running properly, the following settings must be correctly set in the Kibana configuration:
apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: kibana-sample spec: config: xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch-sample-es-http.default.svc:9200"] xpack.fleet.agents.fleet_server.hosts: ["https://fleet-server-sample-agent-http.default.svc:8220"] xpack.fleet.packages: - name: system version: latest - name: elastic_agent version: latest - name: fleet_server version: latest xpack.fleet.agentPolicies: - name: Fleet Server on ECK policy id: eck-fleet-server namespace: default monitoring_enabled: - logs - metrics unenroll_timeout: 900 package_policies: - name: fleet_server-1 id: fleet_server-1 package: name: fleet_server - name: Elastic Agent on ECK policy id: eck-agent namespace: default monitoring_enabled: - logs - metrics unenroll_timeout: 900 is_default: true package_policies: - name: system-1 id: system-1 package: name: system
xpack.fleet.agents.elasticsearch.hostsmust point to the Elasticsearch cluster that Elastic Agents should send data to. For ECK-managed Elasticsearch clusters, ECK creates a Service accessible through
ES_RESOURCE_NAMEis the name of Elasticsearch resource and
ES_RESOURCE_NAMESPACEis the namespace it was deployed in.
xpack.fleet.agents.fleet_server.hostsmust point to Fleet Server that Elastic Agents should connect to. For ECK-managed Fleet Server instances, ECK creates a Service accessible through
FS_RESOURCE_NAMEis the name of Elastic Agent resource with Fleet Server enabled and
FS_RESOURCE_NAMESPACEis the namespace it was deployed in.
xpack.fleet.packagesare required packages to enable Fleet Server and Elastic Agents to enroll.
xpack.fleet.agentPoliciespolicies are needed for Fleet Server and Elastic Agents to enroll to, check https://www.elastic.co/guide/en/fleet/current/agent-policy.html for more information.
Both Fleet Server and Elastic Agent in Fleet mode can be automatically set up with Fleet by ECK. The ECK operator can set up Fleet in Kibana (which otherwise requires manual steps) and enroll Fleet Server in the default Fleet Server policy. Elastic Agent can be automatically enrolled in the default Elastic Agent policy. To allow ECK to set this up, provide a reference to a ECK-managed Kibana through the
kibanaRef configuration element.
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: fleet-server-sample spec: kibanaRef: name: kibana
ECK can also facilitate the connection between Elastic Agents and a ECK-managed Fleet Server. To allow ECK to set this up, provide a reference to Fleet Server through the
fleetServerRef configuration element.
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: elastic-agent-sample spec: fleetServerRef: name: fleet-server-sample
elasticsearchRefs element in your Fleet Server to point to the Elasticsearch cluster that will manage Fleet. Leave
elasticsearchRefs empty or unset it for any Elastic Agent running in Fleet mode as the Elasticsearch cluster to target will come from Kibana’s
xpack.fleet.agents.elasticsearch.hosts configuration element.
Currently, Elastic Agent in Fleet mode supports only a single output, so only a single Elasticsearch cluster can be referenced.
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: fleet-server-sample spec: elasticsearchRefs: - name: elasticsearch-sample
By default, every reference targets all instances in your Elasticsearch, Kibana and Fleet Server deployments, respectively. If you want to direct traffic to specific instances, refer to Traffic Splitting for more information and examples.
In contrast to Elastic Agents in standalone mode, the configuration is managed through Fleet, and it cannot be defined through
You can upgrade the Elastic Agent version or change settings by editing the YAML specification file. ECK applies the changes by performing a rolling restart of the Agent’s Pods. Depending on the settings that you used, ECK will set up Fleet in Kibana, enrolls the agent in Fleet, or restarts Elastic Agent on certificate rollover.
Depending on the use case, Elastic Agent may need to be deployed as a Deployment or a DaemonSet. To choose how to deploy your Elastic Agents, provide a
podTemplate element under the
deployment or the
daemonSet element in the specification. If you choose the
deployment option, you can additionally specify the strategy used to replace old Pods with new ones.
Similarly, you can set the update strategy when deploying as a DaemonSet. This allows you to control the rollout speed for new configuration by modifying the
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: elastic-agent-sample spec: version: 8.10.2 daemonSet: strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 3 ...
Refer to Set compute resources for Beats and Elastic Agent for more information on how to use the Pod template to adjust the resources given to Elastic Agent.
Some Elastic Agent features, such as the Kubernetes integration, require that Agent Pods interact with Kubernetes APIs. This functionality requires specific permissions. Standard Kubernetes RBAC rules apply. For example, to allow API interactions:
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: elastic-agent-sample spec: version: 8.10.2 elasticsearchRefs: - name: elasticsearch-sample daemonSet: podTemplate: spec: automountServiceAccountToken: true serviceAccountName: elastic-agent ... --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: elastic-agent rules: - apiGroups: [""] # "" indicates the core API group resources: - namespaces - pods - nodes - nodes/metrics - nodes/proxy - nodes/stats - events verbs: - get - watch - list - nonResourceURLs: - /metrics verbs: - get - watch - list --- apiVersion: v1 kind: ServiceAccount metadata: name: elastic-agent namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: elastic-agent subjects: - kind: ServiceAccount name: elastic-agent namespace: default roleRef: kind: ClusterRole name: elastic-agent apiGroup: rbac.authorization.k8s.io
To deploy Elastic Agent in clusters with the Pod Security Policy admission controller enabled, or in OpenShift clusters, you might need to grant additional permissions to the Service Account used by the Elastic Agent Pods. Those Service Accounts must be bound to a Role or ClusterRole that has
use permission for the required Pod Security Policy or Security Context Constraints. Different Elastic Agent integrations might require different settings set in their PSP/SCC.
By default, ECK creates a Service for Fleet Server that Elastic Agents can connect through. You can customize it using the
http configuration element. Check more information on how to make changes to the Service and customize the TLS configuration.
ECK uses the default policy to enroll Elastic Agents in Fleet and the default Fleet Server policy to enroll Fleet Server. A different policy can be chosen by using the
policyID attribute in the Elastic Agent resource:
apiVersion: agent.k8s.elastic.co/v1alpha1 kind: Agent metadata: name: fleet-server-sample spec: policyID: my-custom-policy ...
Please note that the environment variables related to policy selection mentioned in the Elastic Agent docs like
FLEET_SERVER_POLICY_ID will be managed by the ECK operator.