I have a question regarding deployment of the Agent in a Kubernetes environment.
I want to use the following Integrations for monitoring our clusters:
Elastic Defend for Cloud Workloads
Kubernetes
Kubernetes Security Posture Management
The Elastic Agent is deployed as a DaemonSet and both Kubernetes Integrations work fine. However, the Elastic Defend integration doesn't seem to work when deployed as a DaemonSet.
I assume that Elastic Defend requires the Agent to be deployed natively on the Cluster nodes (although I wasn't able to find any documentation stating this limitation).
Now I could install the Elastic Agent natively on the Kubernetes Nodes. But the defaults of the Kubernetes integrations use environment variables only available within containers. So apparently those are meant to run from within a container.
So what's the strategy to run both normal Kubernetes Integrations and Defend? Have Agents running within containers AND natively on the host? Seems wasteful to me.
I created the DaemonSet from the manifest provided on the fleet UI under "Add Agent" -> Kubernetes. The manifest from the UI differs from the one in the Documentation you provided.
The manifest I used seems to lack some volumeMounts that will probably be needed for Defend.
So maybe the manifest provided by the UI should include these mounts as well. At least some unmissable note would be nice to make clear that there are different manifests available.
I'll try the manifest from the docs and will let you know whether that fixed the issue.
Ok, that actually was the problem. Using the Defend yaml config you posted I can successfully deploy the Defend integration.
Thanks so far!
Unfortunately, many of the policies within the integration seem to fail and the output on the dashboard is therefore very limited. But that's a different problem to investigate.
This discussion highlights a beta functionality that was available when the thread began but is no longer supported as of version 8.10. Elastic Defend no longer supports deployment within an Elastic Agent DaemonSet in Kubernetes. Supported alternatives include installing the Agent with the Elastic Defend integration on the underlying Kubernetes host, or deploying Auditbeat as a DaemonSet for a visibility-only solution.