Update kubernetes templates for elastic-agent

x-pack/platform/plugins/shared/fleet/server/services/elastic_agent_manifest.ts

@@ -31,7 +31,14 @@ spec:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
       serviceAccountName: elastic-agent
+      # The following setting is needed for Universal Profiling to observe all processes on the host
+      # and produce userspace frames.
+      # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+      # hostPID: true
       hostNetwork: true
+      # The following setting is needed for Universal Profiling to allow to set procMount to "Unmasked".
+      # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+      # hostUsers: false
       dnsPolicy: ClusterFirstWithHostNet
       # Uncomment if using hints feature
       #initContainers:
@@ -42,7 +49,7 @@ spec:
       #      - -c
       #      - >-
       #        mkdir -p /etc/elastic-agent/inputs.d &&
-      #        curl -sL https://github.com/elastic/elastic-agent/archive/9.0.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.0/deploy/kubernetes/elastic-agent-standalone/templates.d"
+      #        curl -sL https://github.com/elastic/elastic-agent/archive/9.4.tar.gz | tar xz -C /etc/elastic-agent/inputs.d --strip=5 "elastic-agent-9.4/deploy/kubernetes/elastic-agent-standalone/templates.d"
       #    volumeMounts:
       #      - name: external-inputs
       #        mountPath: /etc/elastic-agent/inputs.d
@@ -60,6 +67,9 @@ spec:
             # The basic authentication password used to connect to Elasticsearch
             - name: ES_PASSWORD
               value: "changeme"
+            # The fingerprint of a root CA certificate used to sign
+            # Elasticsearch's TLS certificate
+            - name: CA_TRUSTED
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
@@ -74,6 +84,14 @@ spec:
               value: "false"
           securityContext:
             runAsUser: 0
+            # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
+            # If you are using this integration, please uncomment these lines before applying.
+            #capabilities:
+            #  add:
+            #    - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
+            #    - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
+            #    - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
+            ########################################################################################
             # The following capabilities are needed for Universal Profiling.
             # More fine graded capabilities are only available for newer Linux kernels.
             # If you are using the Universal Profiling integration, please uncomment these lines before applying.
@@ -84,7 +102,7 @@ spec:
             #    - SYS_ADMIN
           resources:
             limits:
-              memory: 1Gi
+              memory: 1200Mi
             requests:
               cpu: 100m
               memory: 500Mi
@@ -144,8 +162,8 @@ spec:
         - name: var-lib
           hostPath:
             path: /var/lib
-        # Needed for Universal Profiling
-        # If you are not using this integration, then these volumes and the corresponding
+        # Needed for 'Defend for containers' integration (cloud-defend) and Universal Profiling
+        # If you are not using one of these integrations, then these volumes and the corresponding
         # mounts can be removed.
         - name: sys-kernel-debug
           hostPath:
@@ -337,7 +355,14 @@ spec:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
       serviceAccountName: elastic-agent
+      # The following setting is needed for Universal Profiling to observe all processes on the host
+      # and produce userspace frames.
+      # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+      # hostPID: true
       hostNetwork: true
+      # The following setting is needed for Universal Profiling to allow to set procMount to "Unmasked".
+      # If you are using the Universal Profiling integration, please uncomment the following line before applying.
+      # hostUsers: false
       dnsPolicy: ClusterFirstWithHostNet
       containers:
         - name: elastic-agent
@@ -379,6 +404,14 @@ spec:
               value: "false"
           securityContext:
             runAsUser: 0
+            # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
+            # If you are using this integration, please uncomment these lines before applying.
+            #capabilities:
+            #  add:
+            #    - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
+            #    - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
+            #    - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
+            ########################################################################################
             # The following capabilities are needed for Universal Profiling.
             # More fine graded capabilities are only available for newer Linux kernels.
             # If you are using the Universal Profiling integration, please uncomment these lines before applying.
@@ -389,7 +422,7 @@ spec:
             #    - SYS_ADMIN
           resources:
             limits:
-              memory: 1Gi
+              memory: 1200Mi
             requests:
               cpu: 100m
               memory: 500Mi
@@ -447,8 +480,8 @@ spec:
           hostPath:
             path: /etc/machine-id
             type: File
-        # Needed for Universal Profiling
-        # If you are not using this integration, then these volumes and the corresponding
+        # Needed for 'Defend for containers' integration (cloud-defend) and Universal Profiling
+        # If you are not using one of these integrations, then these volumes and the corresponding
         # mounts can be removed.
         - name: sys-kernel-debug
           hostPath: