Should the operator create enrolment tokens instead of configuring Agents to talk to Kibana #5779
We got some feedback from the Fleet team that enrolment tokens are indeed the preferred way. I think we should strive to refactor our Agent support accordingly before we remove the "experimental" flag.
We could
Questions
The current implementation of Elastic Agent with the ECK operator configures Agents to enrol themselves in Fleet by providing them with connection information to talk to Kibana themselves:
https://www.elastic.co/guide/en/fleet/master/running-on-kubernetes-managed-by-fleet.html#_settings
That is not ideal as individual Agents have access to the Kibana API with more privileges than strictly necessary or more privileges than they would have if they were configured directly with an enrolment API key instead.
The question is whether we should change the implementation so that:
The Fleet API is not stable/internal but documented here:
https://raw.githubusercontent.com/elastic/kibana/master/x-pack/plugins/fleet/common/openapi/bundled.json