[Change Proposal] Define requirements for agentless support #684
Comments
|
We need to provide integration developers with a way to explicitly "hide" sections of their integrations settings. for a pull integration as an example, when the integration is hosted by Elastic, integration developer may want to allow the user to change the polling interval. Certainly they would need the user to provide the credentials. However they may need to restrict changes to namespace or datastream. |
|
@eyalkraft @olegsu @tinnytintin10 I wanted to explore whether it would be prudent for the package to convey other information that we should cater for as part of this work. Right now it's pretty much just a boolean (managed or not). From CSPM perspective do you see a need to carry other information? for example details about the container sizing? etc |
|
Thanks @nimarezainia !
You're on-spot with your question - with our future plans for agentless + agent k8s runtime, I think it would be valuable for us to be able to configure per-integration package resource requirements (like container sizing), and possibly even things like persistent volumes for keeping state, horizontal scaling options, deployment method (for example, maybe CSPM can be a K8s Job that runs every x hours rather than a deployment). @andrewkroh @aleksmaus might have additional input. Some thoughts on the questions from @jsoriano:
I think it can't be on the package since for example within our single
Integrations that only work on agentless? We don't have any in mind right now but it's a good question. |
Making As far as I understand, some of the k8s runtime constraints such as minimum cpu/memory requirements would be specific to the actual beat containers, and might be tied to the beat specific build. Potentially there are three pieces of configuration that might need to come together:
Thoughts? |
|
Hi all, I've started catching up here and I want to add a bit of my thinking so far. So far it seems like we've identified a few requirements here
A few things I'd like to add:
Perhaps the "capabilities" implementation is a future thought, though - I think what's in front of us to build today is essentially a mapping of deployment modes to UIs. Imagine this as a "tabs" component where each tab's title is a deployment mode, and the tab's contents are the particular instructions for that deployment mode. Our current default/agent deployment mode uses a Fleet policy for deployment, agentless will use a "managed" policy, and a Helm chart or K8's native deployment mode will have different instructions. Let's build this mapping first and foremost, and think about more nuanced behaviors like capabilities once the mapping is fleshed out. One thing I'm not 100% sure on is whether agentless integrations can only be deployed in agentless environments. For example, if an environment does not support agentless, should agentless policy templates even show up? |
I think this is key. Some thoughts on how to model this: Today Fleet manages agent policies, which are sent directly to individual agents and describe 100% of the information needed to run the installed integrations. The agent is already installed and deployed, and we only need to configure the agent. With Agentless, instead of targeting individual agents we are now targeting the agent controller first. The controller needs additional information beyond just the agent policy for how to deploy an agent to run an integration. This is very similar to a Helm chart or Kubernetes YAML, where in addition to an agent policy we must tell the Kubernetes API how we would like it to run the agent. All this to say I don't think we should try to jam all of the agentless configuration into the existing agent policy. We should consider introducing something like a deployment policy, or deployment type, and have that be a separate piece of configuration that contains or is associated with an agent policy. The way the agent policy itself is generated may depend on the deployment type it is associated with. The agent can know and report which deployment policy it is running under to allow us determine capabilities as described by Kyle above. This would allow us to add additional deployment types in the future, with their own constraints and capabilities. |
|
I like the idea of creating a new Some quick scratchpad diagrams about how things are structured today, and what we could move to:
In this what we'd be building would be something like:
|
In the case of agentless, the deployment policy configuration itself would have to be made available to the agentless controller along with the agent policy. |
|
Small note about agentless-controller and it's role as we imagine it currently: agentless-controller is multi-tenanted, and takes care of spinning up single-tenanted elastic agents, enrolled to fleet, on the serverless platform (MKI). Our current plan for how deploy integrations/beats in separate containers/pods/deployments is to (roughly) follow the plan for agent k8s runtime, which for us basically says - the agent has k8s API access, and it creates deployments rather than executes binaries. To conclude, In this approach it's the agent that cares about the deployment-policy, not the agentless-controller. |
|
To protect the agent from running undesired integrations we use the capabilities feature and we define allowed inputs and outputs. Today its statically configured for all the agents. To properly support agentless integration this approach also needs to be revisited. |
|
Hello all, I'm revisiting our technical definition around agentless support in Fleet + Integrations, and I wanted to bump this issue with a few things I'm thinking of. For one: the deployment policy model is a good long term direction here, but I'm concerned about the level of effort required to enable it. I think modeling deployments mode as a distinct data model in Fleet is the right solution for the eventual state we're seeking here, but I think we should move forward with some more short term solutions that more immediately patch some holes in our current implementation of agentless support, namely supporting more than one integration. To this end, I am proposing we move forward on two things in the package spec:
e.g. format_version: "3.0.2"
name: nginx
title: My package
version: "1.0.0"
description: Lorem ipsum.
type: integration
categories:
- web
conditions:
kibana:
version: "^8.12.0"
elastic:
subscription: basic
agentless: # <---
enabled: true
e.g. streams:
- input: logfile
vars:
- name: paths
type: text
title: Paths
multi: true
required: true
show_user: true
default:
- /var/log/my-package/*.log
- name: agentless_only
type: text
title: Agentless only variable
multi: false
required: false
show_user: true
hide_in_deployment_modes: # <---
- default
- name: hidden_in_agentless
type: text
title: Hidden in agentless variable
multi: false
required: false
show_user: true
hide_in_deployment_modes: # <---
- agentlessWith both of these changes, I'm thinking towards the future. I don't want to limit our technical options if we move towards the deployment policy model proposed above, so I'm proposing these as an extensible foundation. Curious to see if folks have some thoughts on the specifics here, I'm certainly open to suggestions or alternatives. |
|
++ @kpollich I think that soon enough we would want a standard way of providing our users with a clouformation/ARM template/gcloud shell way of installing/authenticating the integration with their cloud account, but as you propose this could be a later extension. |
|
@kpollich plan about having a general toggle, and another one per variable sounds good to me. Only thing I would recommend is to add the agentless enablement flag at the Maybe we could also consider to have a section about deployment modes, to follow the naming used in |
|
Thanks @kpollich |
|
I slightly prefer |
|
@kpollich is this one ready to be worked on now? I do see it is still under a |
|
Whoops yes this is ready to go. Changed the status. |
Closes #180375 ## Summary Expand support for Agentless in Fleet UI. Implemented on this PR: - Agent policies created with `supports_agentless` (added in #182709) are now marked as `is_managed` - Added support for `deployment_modes.agentless.enabled` and `hide_in_deployment_modes` introduced with elastic/package-spec#684: - `hide_in_deployment_modes` shows/hides variables in agentless/default UI - `deployment_modes.agentless.enabled: true` determines an integration as enabled for agentless ## Notes - In this PR, an integration enabled for serverless is still added to the default `agentless` policy. - Integrations enabled for agentless don't display any specific "agentless" form yet. That part is TBD ### Testing - Run local env for [agentless](https://docs.elastic.dev/security-solution/cloud-security/agentless) ### Verify that new settings are honoured in integration policy - Use the compiled package with new properties defined in elastic/package-spec#738 `agentless_test_package-1.0.1-rc1.zip` (Packages in this [comment](#183045 (comment))) - Upload it to Kibana: ```sh curl -k -XPOST -H 'content-type: application/zip' -H 'kbn-xsrf: true' https://localhost:5601/api/fleet/epm/packages -u elastic_serverless:changeme --data-binary @agentless_test_package-0.0.1.zip ``` - Check that the variable marked with `hide_in_deployment_modes: "agentless"` are not visible - Check that the agent policies selector is not visible  ### Verify that agent policies with `supports_agentless` are marked as managed - Create a new policy with `supports_agentless` ``` POST kbn:/api/fleet/agent_policies { "name": "Test - Agentless policy", "namespace": "default", "supports_agentless": true } ``` - Check that the created policy has `is_managed = true` - Try to change the value to false - an error is thrown ``` PUT kbn:/api/fleet/agent_policies/<policy_id> { "name": "Test - Agentless policy", "namespace": "default", "supports_agentless": false } ``` ### Checklist - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <[email protected]>
There are integrations that could be deployed on fully managed agents. These integrations are going to be called "agentless". We need to define the mechanisms required for packages that include such integrations.
The main proposal would be to have a
supports_agentlessflag that packages that support serverless should set totrue.There are some open questions:
Document to facilitate the discussion on what needs to be filtered and where in the Fleet/Integrations UI: https://docs.google.com/document/d/1ccAswS94hr6qNnzQ_HKsmygQch2wgSQYMkMoQHo21Ds/edit?usp=sharing
cc: @kpollich
Implementation
deployment_modesproperty to the policy template schema that contains an object withdefaultandagentlessproperties. Each property in this object should have a single nestedenabledboolean property for now, but should be extensible to support additional configuration in the future.defaultandagentlessstrings.Example policy template declaration:
Example variable declaration:
The text was updated successfully, but these errors were encountered: