# Source: eck-operator/templates/operator-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: elastic-system labels: name: elastic-system --- # Source: eck-operator/templates/service-account.yaml apiVersion: v1 kind: ServiceAccount metadata: name: elastic-operator namespace: elastic-system labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" --- # Source: eck-operator/templates/webhook.yaml apiVersion: v1 kind: Secret metadata: name: elastic-webhook-server-cert namespace: elastic-system labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" --- # Source: eck-operator/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: elastic-operator namespace: elastic-system labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" data: eck.yaml: |- log-verbosity: 0 metrics-port: 0 container-registry: docker.elastic.co max-concurrent-reconciles: 3 ca-cert-validity: 8760h ca-cert-rotate-before: 24h cert-validity: 8760h cert-rotate-before: 24h set-default-security-context: true kube-client-timeout: 60s elasticsearch-client-timeout: 180s disable-telemetry: false validate-storage-class: true enable-webhook: true webhook-name: elastic-webhook.k8s.elastic.co --- # Source: eck-operator/templates/cluster-roles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: elastic-operator labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" rules: - apiGroups: - "authorization.k8s.io" resources: - subjectaccessreviews verbs: - create - apiGroups: - "" resources: - pods - endpoints - events - persistentvolumeclaims - secrets - services - configmaps - serviceaccounts verbs: - get - list - watch - create - update - patch - delete - apiGroups: - apps resources: - deployments - statefulsets - daemonsets verbs: - get - list - watch - create - update - patch - delete - apiGroups: - policy resources: - poddisruptionbudgets verbs: - get - list - watch - create - update - patch - delete - apiGroups: - elasticsearch.k8s.elastic.co resources: - elasticsearches - elasticsearches/status - elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP - enterpriselicenses - enterpriselicenses/status verbs: - get - list - watch - create - update - patch - delete - apiGroups: - kibana.k8s.elastic.co resources: - kibanas - kibanas/status - kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP verbs: - get - list - watch - create - update - patch - delete - apiGroups: - apm.k8s.elastic.co resources: - apmservers - apmservers/status - apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP verbs: - get - list - watch - create - update - patch - delete - apiGroups: - enterprisesearch.k8s.elastic.co resources: - enterprisesearches - enterprisesearches/status - enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP verbs: - get - list - watch - create - update - patch - delete - apiGroups: - beat.k8s.elastic.co resources: - beats - beats/status - beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP verbs: - get - list - watch - create - update - patch - delete - apiGroups: - agent.k8s.elastic.co resources: - agents - agents/status - agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP verbs: - get - list - watch - create - update - patch - delete - apiGroups: - maps.k8s.elastic.co resources: - elasticmapsservers - elasticmapsservers/status - elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP verbs: - get - list - watch - create - update - patch - delete - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations verbs: - get - list - watch - create - update - patch - delete --- # Source: eck-operator/templates/cluster-roles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: "elastic-operator-view" labels: rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" rules: - apiGroups: ["elasticsearch.k8s.elastic.co"] resources: ["elasticsearches"] verbs: ["get", "list", "watch"] - apiGroups: ["apm.k8s.elastic.co"] resources: ["apmservers"] verbs: ["get", "list", "watch"] - apiGroups: ["kibana.k8s.elastic.co"] resources: ["kibanas"] verbs: ["get", "list", "watch"] - apiGroups: ["enterprisesearch.k8s.elastic.co"] resources: ["enterprisesearches"] verbs: ["get", "list", "watch"] - apiGroups: ["beat.k8s.elastic.co"] resources: ["beats"] verbs: ["get", "list", "watch"] - apiGroups: ["agent.k8s.elastic.co"] resources: ["agents"] verbs: ["get", "list", "watch"] - apiGroups: ["maps.k8s.elastic.co"] resources: ["elasticmapsservers"] verbs: ["get", "list", "watch"] --- # Source: eck-operator/templates/cluster-roles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: "elastic-operator-edit" labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" rules: - apiGroups: ["elasticsearch.k8s.elastic.co"] resources: ["elasticsearches"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["apm.k8s.elastic.co"] resources: ["apmservers"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["kibana.k8s.elastic.co"] resources: ["kibanas"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["enterprisesearch.k8s.elastic.co"] resources: ["enterprisesearches"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["beat.k8s.elastic.co"] resources: ["beats"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["agent.k8s.elastic.co"] resources: ["agents"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["maps.k8s.elastic.co"] resources: ["elasticmapsservers"] verbs: ["create", "delete", "deletecollection", "patch", "update"] --- # Source: eck-operator/templates/role-bindings.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: elastic-operator labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: elastic-operator subjects: - kind: ServiceAccount name: elastic-operator namespace: elastic-system --- # Source: eck-operator/templates/webhook.yaml apiVersion: v1 kind: Service metadata: name: elastic-webhook-server namespace: elastic-system labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" spec: ports: - name: https port: 443 targetPort: 9443 selector: control-plane: elastic-operator --- # Source: eck-operator/templates/statefulset.yaml apiVersion: apps/v1 kind: StatefulSet metadata: name: elastic-operator namespace: elastic-system labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" spec: selector: matchLabels: control-plane: elastic-operator serviceName: elastic-operator replicas: 1 template: metadata: annotations: # Rename the fields "error" to "error.message" and "source" to "event.source" # This is to avoid a conflict with the ECS "error" and "source" documents. "co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]" "checksum/config": 032e84bdd1e85533291d73835756b3ef2b86d606c6281a446ad3703106703562 labels: control-plane: elastic-operator spec: terminationGracePeriodSeconds: 10 serviceAccountName: elastic-operator securityContext: runAsNonRoot: true containers: - image: "docker.elastic.co/eck/eck-operator:1.8.0" imagePullPolicy: IfNotPresent name: manager args: - "manager" - "--config=/conf/eck.yaml" - "--distribution-channel=all-in-one" env: - name: OPERATOR_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: WEBHOOK_SECRET value: elastic-webhook-server-cert resources: limits: cpu: 1 memory: 512Mi requests: cpu: 100m memory: 150Mi ports: - containerPort: 9443 name: https-webhook protocol: TCP volumeMounts: - mountPath: "/conf" name: conf readOnly: true - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true volumes: - name: conf configMap: name: elastic-operator - name: cert secret: defaultMode: 420 secretName: elastic-webhook-server-cert --- # Source: eck-operator/templates/webhook.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: elastic-webhook.k8s.elastic.co labels: control-plane: elastic-operator app.kubernetes.io/version: "1.8.0" webhooks: - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-agent-k8s-elastic-co-v1alpha1-agent failurePolicy: Ignore name: elastic-agent-validation-v1alpha1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - agent.k8s.elastic.co apiVersions: - v1alpha1 operations: - CREATE - UPDATE resources: - agents - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-apm-k8s-elastic-co-v1-apmserver failurePolicy: Ignore name: elastic-apm-validation-v1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - apm.k8s.elastic.co apiVersions: - v1 operations: - CREATE - UPDATE resources: - apmservers - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-apm-k8s-elastic-co-v1beta1-apmserver failurePolicy: Ignore name: elastic-apm-validation-v1beta1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - apm.k8s.elastic.co apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - apmservers - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-beat-k8s-elastic-co-v1beta1-beat failurePolicy: Ignore name: elastic-beat-validation-v1beta1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - beat.k8s.elastic.co apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - beats - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-enterprisesearch-k8s-elastic-co-v1-enterprisesearch failurePolicy: Ignore name: elastic-ent-validation-v1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - enterprisesearch.k8s.elastic.co apiVersions: - v1 operations: - CREATE - UPDATE resources: - enterprisesearches - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-enterprisesearch-k8s-elastic-co-v1beta1-enterprisesearch failurePolicy: Ignore name: elastic-ent-validation-v1beta1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - enterprisesearch.k8s.elastic.co apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - enterprisesearches - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch failurePolicy: Ignore name: elastic-es-validation-v1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - elasticsearch.k8s.elastic.co apiVersions: - v1 operations: - CREATE - UPDATE resources: - elasticsearches - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch failurePolicy: Ignore name: elastic-es-validation-v1beta1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - elasticsearch.k8s.elastic.co apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - elasticsearches - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-kibana-k8s-elastic-co-v1-kibana failurePolicy: Ignore name: elastic-kb-validation-v1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - kibana.k8s.elastic.co apiVersions: - v1 operations: - CREATE - UPDATE resources: - kibanas - clientConfig: caBundle: Cg== service: name: elastic-webhook-server namespace: elastic-system path: /validate-kibana-k8s-elastic-co-v1beta1-kibana failurePolicy: Ignore name: elastic-kb-validation-v1beta1.k8s.elastic.co matchPolicy: Exact admissionReviewVersions: [v1beta1] sideEffects: "None" rules: - apiGroups: - kibana.k8s.elastic.co apiVersions: - v1beta1 operations: - CREATE - UPDATE resources: - kibanas