- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Manage Elastic Agent integrations
- Add an Elastic Agent integration to a policy
- View Elastic Agent integration policies
- Edit or delete an Elastic Agent integration policy
- Install and uninstall Elastic Agent integration assets
- View Elastic Agent integration assets
- Upgrade an Elastic Agent integration
- Uninstall an Elastic Agent integration
- Air-gapped environments
- Install Elastic Agents
- Centrally manage Elastic Agents in Fleet
- Elastic Agent standalone configuration
- Elastic Agent command reference
- Troubleshoot
- Release notes
Kubernetes Secrets Provider
editKubernetes Secrets Provider
editProvides access to the Kubernetes Secrets API.
The provider needs a kubeconfig file to establish connection to the Kubernetes API.
It can automatically reach the API if it’s run in an inCluster environment (Elastic Agent runs as pod).
providers.kubernetes_secrets: #kube_config: /Users/elastic-agent/.kube/config
Reference the Kubernetes Secrets variable as ${kubernetes_secrets.default.somesecret.value},
where default is the namespace of the Secret, somesecret is the name of the Secret and value the field
of the Secret to access.
If you run agent on Kubernetes, the proper rule in the ClusterRole is required to provide access to the Elastic Agent pod in the Secrets API:
- apiGroups: [""] resources: - secrets verbs: ["get"]
The above rule will give permission to Elastic Agent pod to access Kubernetes Secrets API.
Anyone who has access to the Elastic Agent pod (kubectl exec for example) will also have
access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to.
This option should be carefully considered.