Native vs DaemonSet Deployment for Integrations Defend, Kubernetes, KSPM

Hi everyone,

I have a question regarding deployment of the Agent in a Kubernetes environment.

I want to use the following Integrations for monitoring our clusters:

  • Elastic Defend for Cloud Workloads
  • Kubernetes
  • Kubernetes Security Posture Management

The Elastic Agent is deployed as a DaemonSet and both Kubernetes Integrations work fine. However, the Elastic Defend integration doesn't seem to work when deployed as a DaemonSet.

I assume that Elastic Defend requires the Agent to be deployed natively on the Cluster nodes (although I wasn't able to find any documentation stating this limitation).

Now I could install the Elastic Agent natively on the Kubernetes Nodes. But the defaults of the Kubernetes integrations use environment variables only available within containers. So apparently those are meant to run from within a container.

So what's the strategy to run both normal Kubernetes Integrations and Defend? Have Agents running within containers AND natively on the host? Seems wasteful to me.

My understanding is that Elastic Defend's yaml config is the Elastic Agent's config with Elastic Defend added to it.

Is it possible that running the Elastic Agent DaemonSet alongside the Elastic Defend DaemonSet is causing issues?

Our documentation regarding this is not great, gonna fix it.

Ah, I think I already see the problem.

I created the DaemonSet from the manifest provided on the fleet UI under "Add Agent" -> Kubernetes. The manifest from the UI differs from the one in the Documentation you provided.

The manifest I used seems to lack some volumeMounts that will probably be needed for Defend.

So maybe the manifest provided in the UI should include these mounts as well. At least some unmissable note would be nice to make clear that there are different manifests available.

I'll try the manifest from the docs and will let you know whether that fixed the issue.
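A quick way to confirm the gap described above (volumeMounts present in the docs manifest but absent from the Fleet UI one) before redeploying, as an added example that is not code from this thread or from Elastic: it takes two DaemonSet manifests already parsed to dicts (e.g. `json.load` of `kubectl get ds elastic-agent -o json`) and lists every mount the candidate lacks or wires differently. The volume names and host paths below are constructed placeholders, not the real mount lists.

```python
"""Diff the volumeMounts of two Elastic Agent DaemonSet manifests (added example, not
Elastic's code). Input is a manifest already parsed to a dict, e.g. json.load of
`kubectl get ds elastic-agent -o json`; the manifests below are constructed stand-ins."""
from typing import Dict, List, Tuple

def mount_table(manifest: dict) -> Dict[Tuple[str, str], Tuple[str, bool]]:
    """Map (container, mountPath) -> (volume source, readOnly) for one DaemonSet."""
    pod = manifest["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    table = {}
    for container in pod.get("containers", []):
        for mount in container.get("volumeMounts", []):
            vol = volumes.get(mount["name"], {})
            if "hostPath" in vol:  # host directory exposed into the agent container
                source = "hostPath:" + vol["hostPath"].get("path", "")
            else:  # configMap, secret, emptyDir, ... or a mount with no matching volume
                source = next((k for k in vol if k != "name"), "undefined-volume")
            table[(container["name"], mount["mountPath"])] = (source, bool(mount.get("readOnly", False)))
    return table

def missing_mounts(reference: dict, candidate: dict) -> List[str]:
    """Mounts present in `reference` that `candidate` lacks or wires differently."""
    ref, cand = mount_table(reference), mount_table(candidate)
    report = []
    for (container, path), (source, read_only) in sorted(ref.items()):
        if (container, path) not in cand:
            report.append(f"{container}: missing {path} <- {source}")
        elif cand[(container, path)] != (source, read_only):
            got_source, got_ro = cand[(container, path)]
            report.append(f"{container}: {path} differs ({got_source} readOnly={got_ro} "
                          f"vs {source} readOnly={read_only})")
    return report

def _daemonset(volumes: list, mounts: list) -> dict:
    """Minimal constructed DaemonSet with a single elastic-agent container."""
    return {"kind": "DaemonSet", "spec": {"template": {"spec": {"volumes": volumes,
            "containers": [{"name": "elastic-agent", "volumeMounts": mounts}]}}}}

# Constructed stand-ins (placeholder paths, not the real mount lists): the "docs" manifest
# has an extra read-only hostPath mount, and the "UI" one mounts vol-a read-write.
DOCS_MANIFEST = _daemonset(
    [{"name": "vol-a", "hostPath": {"path": "/example/host-dir-a"}},
     {"name": "vol-b", "hostPath": {"path": "/example/host-dir-b"}}],
    [{"name": "vol-a", "mountPath": "/hostfs/a", "readOnly": True},
     {"name": "vol-b", "mountPath": "/hostfs/b", "readOnly": True}])
UI_MANIFEST = _daemonset(
    [{"name": "vol-a", "hostPath": {"path": "/example/host-dir-a"}}],
    [{"name": "vol-a", "mountPath": "/hostfs/a"}])
```

Run `missing_mounts(docs, ui)` on the two real manifests to get the list of mounts to add to the UI-generated DaemonSet; an empty list means the two agree.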

Ok, that actually was the problem. Using the Defend yaml config you posted I can successfully deploy the Defend integration.

Thanks so far!

Unfortunately, many of the policies within the integration seem to fail and the output on the dashboard is therefore very limited. But that's a different problem to investigate.