If I understand the documentation correctly, when elasticsearchRefs.name: elasticsearch is specified, a user for Filebeat should be created and authorized automatically.
It works, but when I try to write to a new index that is not the default one, I get an error:
action [indices:admin/auto_create] is unauthorized for user [elk-stack-filebeat-beat-user] with effective roles
[beats_admin,eck_beat_es_filebeat_role_v77,ingest_admin,kibana_admin,remote_monitoring_agent]
on indices [k8s-infra], this action is granted by the index
privileges [auto_configure,create_index,manage,all]\"}, dropping event!
I use the eck-stack chart.
Here is my values.yaml:
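---
# Default values for eck-stack.
# This is a YAML-formatted file.

# If enabled, will use the eck-elasticsearch chart and deploy an Elasticsearch resource.
#
# NOTE(review): nesting restored from a paste that had lost its indentation;
# compare against the deployed values.yaml before reuse.
eck-elasticsearch:
  enabled: true
  # This is adjusting the full name of the elasticsearch resource so that both the eck-elasticsearch
  # and the eck-kibana chart work together by default in the eck-stack chart.
  fullnameOverride: elasticsearch
  nodeSets:
    - config:
        node.store.allow_mmap: false
      count: 3
      name: default
      podTemplate:
        spec:
          affinity:
            # Hard anti-affinity: no two pods of this cluster on the same node.
            podAntiAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                - labelSelector:
                    matchLabels:
                      elasticsearch.k8s.elastic.co/cluster-name: elasticsearch
                  topologyKey: "kubernetes.io/hostname"
          containers:
            - name: elasticsearch
              resources:
                limits:
                  memory: 2Gi
                requests:
                  memory: 2Gi
      volumeClaimTemplates:
        - metadata:
            # Do not change this name unless you set up a volume mount for the data path.
            name: elasticsearch-data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 10Gi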
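# If enabled, will use the eck-kibana chart and deploy a Kibana resource.
#
# NOTE(review): nesting restored from a paste that had lost its indentation;
# compare against the deployed values.yaml before reuse.
eck-kibana:
  enabled: true
  fullnameOverride: kibana
  spec:
    # This is also adjusting the kibana reference to the elasticsearch resource named previously so that
    # both the eck-elasticsearch and the eck-kibana chart work together by default in the eck-stack chart.
    elasticsearchRef:
      name: elasticsearch
    config:
      # Note that these are specific to the namespace into which this example is installed, and are
      # using `elastic-stack` as configured here and detailed in the README when installing:
      #
      # `helm install es-kb-quickstart elastic/eck-stack -n elastic-stack`
      #
      # If installed outside of the `elastic-stack` namespace, the following 2 lines need modification.
      #
      # NOTE(review): the two Fleet host URLs below embed the namespace `elk-stack`, not
      # `elastic-stack`; they must match the namespace this release is installed into.
      server.publicBaseUrl: "https://kibana.k8s.mydomain.dev/"
      xpack.fleet.agents.elasticsearch.hosts: [ "https://elasticsearch-es-http.elk-stack.svc:9200" ]
      xpack.fleet.agents.fleet_server.hosts: [ "https://fleet-server-agent-http.elk-stack.svc:8220" ]
      # NOTE(review): `latest` is not a pinned version, so the installed integration
      # versions can presumably change without any change to this file; pin explicit
      # versions where reproducible rollouts matter.
      xpack.fleet.packages:
        - name: system
          version: latest
        - name: elastic_agent
          version: latest
        - name: fleet_server
          version: latest
        - name: kubernetes
          version: latest
      xpack.fleet.agentPolicies:
        # This id is the value referenced by eck-fleet-server.spec.policyID.
        - name: Fleet Server on ECK policy
          id: fleet-server
          namespace: default
          monitoring_enabled:
            - logs
            - metrics
          package_policies:
            - name: fleet_server-1
              id: fleet_server-1
              package:
                name: fleet_server
        - name: Elastic Agent on ECK policy
          id: eck-agent
          namespace: default
          monitoring_enabled:
            - logs
            - metrics
          unenroll_timeout: 900
          package_policies:
            - package:
                name: system
              name: system-1
            - package:
                name: kubernetes
              name: kubernetes-1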
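# If enabled, will use the eck-agent chart and deploy an Elastic Agent instance.
#
# Disabled here, so no Elastic Agent resource is deployed by this release.
eck-agent:
  enabled: false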
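# If enabled, will use the eck-fleet-server chart and deploy a Fleet Server resource.
#
# NOTE(review): nesting restored from a paste that had lost its indentation;
# compare against the deployed values.yaml before reuse.
eck-fleet-server:
  enabled: true
  fullnameOverride: fleet-server
  spec:
    # This is also adjusting the kibana reference to the elasticsearch resource named previously so that
    # both the eck-elasticsearch and the eck-kibana chart work together by default in the eck-stack chart.
    elasticsearchRefs:
      - name: elasticsearch
    kibanaRef:
      name: kibana
    # Must match the `id` of an agent policy in the Kibana config (`fleet-server` in this file).
    policyID: fleet-server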
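# If enabled, will use the eck-beats chart and deploy a Beats resource.
#
# NOTE(review): nesting restored from a paste that had lost its indentation. The
# placement of the `setup.template` children, and of `type`/`daemonSet` under `spec`
# versus `clusterRole`/`serviceAccount`/`clusterRoleBinding` at chart level, is a
# best-effort reconstruction; compare against the deployed values.yaml.
eck-beats:
  enabled: true
  fullnameOverride: filebeat
  name: filebeat
  spec:
    # With elasticsearchRef set, ECK creates the Beat's Elasticsearch user and wires its
    # credentials into the output. The reported error shows that user's roles do not
    # grant indices:admin/auto_create on `k8s-infra`.
    # NOTE(review): hand-editing the operator-managed `*-beat-user` secret is presumably
    # reverted on reconcile; confirm before relying on it. The route described in the ECK
    # Beat docs (verify for your version) is to remove elasticsearchRef and configure
    # output.elasticsearch yourself, including hosts and CA trust, with a dedicated user
    # or API key. Scope its role to this index only (typically auto_configure +
    # create_doc on `k8s-infra`, not manage/all) and read the credential from a
    # Kubernetes Secret instead of writing it into values.yaml.
    elasticsearchRef:
      name: elasticsearch
    kibanaRef:
      name: kibana
    config:
      output.elasticsearch:
        # Non-default index name; this is the index named in the authorization error.
        index: k8s-infra
      setup:
        template:
          index: k8s-infra
          name: k8s-infra
          pattern: k8s-infra
          lifecycle:
            enabled: true
            data_retention: "90d"
          settings:
            index:
              number_of_replicas: 2
      filebeat:
        autodiscover:
          providers:
            - type: kubernetes
              node: ${NODE_NAME}
              hints:
                enabled: true
                default_config:
                  type: container
                  paths:
                    - /var/log/containers/*${data.kubernetes.container.id}.log
      processors:
        - add_cloud_metadata: {}
        - add_host_metadata: {}
    type: filebeat
    daemonSet:
      podTemplate:
        spec:
          automountServiceAccountToken: true
          serviceAccount: filebeat
          # NOTE(review): root, host networking and hostPath mounts together give this
          # pod a wide blast radius on every node; confirm hostNetwork is required.
          hostNetwork: true
          dnsPolicy: ClusterFirstWithHostNet
          terminationGracePeriodSeconds: 30
          containers:
            - name: filebeat
              resources:
                limits:
                  cpu: 1000m
                  memory: 300Mi
                requests:
                  cpu: 1000m
                  memory: 300Mi
              securityContext:
                runAsUser: 0
                # If using Red Hat OpenShift uncomment this:
                #privileged: true
              # NOTE(review): these host log directories are mounted read-write. If Filebeat
              # only reads from them, adding `readOnly: true` to each mount limits what a
              # compromised container can do to node logs.
              volumeMounts:
                - name: varlogcontainers
                  mountPath: /var/log/containers
                - name: varlogpods
                  mountPath: /var/log/pods
                - name: varlibdockercontainers
                  mountPath: /var/lib/docker/containers
              env:
                # Node name from the downward API; used by the autodiscover provider above.
                - name: NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
          volumes:
            - name: varlogcontainers
              hostPath:
                path: /var/log/containers
            - name: varlogpods
              hostPath:
                path: /var/log/pods
            - name: varlibdockercontainers
              hostPath:
                path: /var/lib/docker/containers
  clusterRole:
    # permissions needed for metricbeat
    # source: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kubernetes.html
    # NOTE(review): the comment above names metricbeat, but this role is bound to the
    # filebeat service account. The rules are read-only (get/watch/list) yet cluster-wide;
    # trim resources the filebeat config does not actually use.
    name: filebeat
    rules:
      - apiGroups: [ "" ]  # "" indicates the core API group
        resources:
          - namespaces
          - pods
          - nodes
        verbs:
          - get
          - watch
          - list
      - apiGroups: [ "apps" ]
        resources:
          - replicasets
        verbs:
          - get
          - list
          - watch
      - apiGroups: [ "batch" ]
        resources:
          - jobs
        verbs:
          - get
          - list
          - watch
  serviceAccount:
    name: filebeat
  clusterRoleBinding:
    name: filebeat
    subjects:
      - kind: ServiceAccount
        name: filebeat
    roleRef:
      kind: ClusterRole
      name: filebeat
      apiGroup: rbac.authorization.k8s.io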
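# If enabled, will use the eck-logstash chart and deploy a Logstash resource.
#
# Disabled here; fullnameOverride only takes effect if the chart is enabled.
eck-logstash:
  fullnameOverride: logstash
  enabled: false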
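# If enabled, will use the eck-apm-server chart and deploy a standalone APM Server resource.
#
# Disabled here, so no APM Server resource is deployed by this release.
eck-apm-server:
  enabled: false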
I can fix it by manually adding a role in Kibana with permission to create the new index and attaching it in the secret elk-stack-filebeat-beat-user, but that is only a workaround.