Provides access to the Kubernetes Secrets API.
The provider needs a
kubeconfig file to establish connection to the Kubernetes API.
It can automatically reach the API if it’s run in an InCluster environment (Elastic Agent runs as pod).
providers.kubernetes_secrets: #kube_config: /Users/elastic-agent/.kube/config
Reference the Kubernetes Secrets variable as
default is the namespace of the Secret,
somesecret is the name of the Secret and
value the field
of the Secret to access.
If you run agent on Kubernetes, the proper rule in the
ClusterRole is required to provide access to the Elastic Agent pod in the Secrets API:
- apiGroups: [""] resources: - secrets verbs: ["get"]
The above rule will give permission to Elastic Agent pod to access Kubernetes Secrets API.
Anyone who has access to the Elastic Agent pod (
kubectl exec for example) will also have
access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to.
This option should be carefully considered.