diff --git a/x-pack/platform/plugins/shared/fleet/server/services/elastic_agent_manifest.ts b/x-pack/platform/plugins/shared/fleet/server/services/elastic_agent_manifest.ts
index 58df3ea649ffb..8302afd1ac9e9 100644
--- a/x-pack/platform/plugins/shared/fleet/server/services/elastic_agent_manifest.ts
+++ b/x-pack/platform/plugins/shared/fleet/server/services/elastic_agent_manifest.ts
@@ -31,7 +31,14 @@ spec:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
 serviceAccountName: elastic-agent
+ # The following setting is needed for Universal Profiling to observe all processes on the host
+ # and produce userspace frames.
+ # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+ # hostPID: true
 hostNetwork: true
+ # The following setting is needed for Universal Profiling to allow to set procMount to "Unmasked".
+ # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+ # hostUsers: false
 dnsPolicy: ClusterFirstWithHostNet
 # Uncomment if using hints feature
 #initContainers:
@@ -42,7 +49,7 @@ spec:
 # - -c
 # - >-
 # mkdir -p /etc/elastic-agent/inputs.d &&
- # curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d"
+ # curl -sL https://github.com/elastic/elastic-agent/archive/9.4.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.4/deploy/kubernetes/elastic-agent-standalone/templates.d"
 # volumeMounts:
 # - name: external-inputs
 # mountPath: /etc/elastic-agent/inputs.d
@@ -60,6 +67,9 @@ spec:
 # The basic authentication password used to connect to Elasticsearch
 - name: ES_PASSWORD
 value: "changeme"
+ # The fingerprint of a root CA certificate used to sign
+ # Elasticsearch's TLS certificate
+ - name: CA_TRUSTED
 - name: NODE_NAME
 valueFrom:
 fieldRef:
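Review bot: In the `@@ -31,7 +31,14 @@` hunk the new comments tell the user to uncomment `hostUsers: false` in a pod spec that keeps `hostNetwork: true` and may also gain `hostPID: true`; Kubernetes does not allow a pod that runs in its own user namespace to share other host namespaces, so as far as I can tell the API server would reject the manifest once these lines are uncommented together. The comment should say which settings have to change together, and it should state the cost of the host PID namespace next to the line, e.g. `# hostPID: true exposes every process on the node to this root container; enable only for Universal Profiling`. The same text is added in the `@@ -337,7 +355,14 @@` hunk. The pod spec begins and ends outside both hunks.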
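Review bot: In the `@@ -60,6 +67,9 @@` hunk the new `- name: CA_TRUSTED` entry has neither `value` nor `valueFrom`, unlike `ES_PASSWORD` just above it, so the variable resolves to an empty string and the comment does not say what that means for verification of the Elasticsearch certificate. I would make the placeholder explicit with `value: ""` and extend the comment with the expected format and the behaviour when it is left empty, for example `# Hex-encoded SHA-256 fingerprint of the CA; when empty, no CA is pinned` if that matches what the agent does. The env list continues outside the hunk.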
@@ -74,6 +84,14 @@ spec:
 value: "false"
 securityContext:
 runAsUser: 0
+ # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
+ # If you are using this integration, please uncomment these lines before applying.
+ #capabilities:
+ # add:
+ # - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
+ # - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
+ # - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
+ ########################################################################################
 # The following capabilities are needed for Universal Profiling.
 # More fine graded capabilities are only available for newer Linux kernels.
 # If you are using the Universal Profiling integration, please uncomment these lines before applying.
@@ -84,7 +102,7 @@ spec:
 # - SYS_ADMIN
 resources:
 limits:
- memory: 1Gi
+ memory: 1200Mi
 requests:
 cpu: 100m
 memory: 500Mi
@@ -144,8 +162,8 @@ spec:
 - name: var-lib
 hostPath:
 path: /var/lib
- # Needed for Universal Profiling
- # If you are not using this integration, then these volumes and the corresponding
+ # Needed for 'Defend for containers' integration (cloud-defend) and Universal Profiling
+ # If you are not using one of these integrations, then these volumes and the corresponding
 # mounts can be removed.
 - name: sys-kernel-debug
 hostPath:
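Review bot: The commented `#capabilities:` block added in the `@@ -74,6 +84,14 @@` hunk sits directly above the Universal Profiling block, which appears to carry its own `capabilities:` key (its `# - SYS_ADMIN` entry is the first context line of the next hunk). A user who enables both integrations by uncommenting both blocks ends up with two `capabilities` keys under one `securityContext`; most YAML parsers keep only the last one, so the cloud-defend capabilities would be dropped without an error. I would add a line such as `# If both integrations are enabled, list all capabilities under a single capabilities.add` to the new comment. The same block is added in the `@@ -379,6 +404,14 @@` hunk, and the container spec starts and ends outside both.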
@@ -337,7 +355,14 @@ spec:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
 serviceAccountName: elastic-agent
+ # The following setting is needed for Universal Profiling to observe all processes on the host
+ # and produce userspace frames.
+ # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+ # hostPID: true
 hostNetwork: true
+ # The following setting is needed for Universal Profiling to allow to set procMount to "Unmasked".
+ # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+ # hostUsers: false
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: elastic-agent
@@ -379,6 +404,14 @@ spec:
 value: "false"
 securityContext:
 runAsUser: 0
+ # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
+ # If you are using this integration, please uncomment these lines before applying.
+ #capabilities:
+ # add:
+ # - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
+ # - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
+ # - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
+ ########################################################################################
 # The following capabilities are needed for Universal Profiling.
 # More fine graded capabilities are only available for newer Linux kernels.
 # If you are using the Universal Profiling integration, please uncomment these lines before applying.
@@ -389,7 +422,7 @@ spec:
 # - SYS_ADMIN
 resources:
 limits:
- memory: 1Gi
+ memory: 1200Mi
 requests:
 cpu: 100m
 memory: 500Mi
@@ -447,8 +480,8 @@ spec:
 hostPath:
 path: /etc/machine-id
 type: File
- # Needed for Universal Profiling
- # If you are not using this integration, then these volumes and the corresponding
+ # Needed for 'Defend for containers' integration (cloud-defend) and Universal Profiling
+ # If you are not using one of these integrations, then these volumes and the corresponding
 # mounts can be removed.
 - name: sys-kernel-debug
 hostPath: