Kubernetes Secrets Provider

edit

Provides access to the Kubernetes Secrets API.

The provider needs a kubeconfig file to establish connection to the Kubernetes API. It can automatically reach the API if it’s run in an InCluster environment (Elastic Agent runs as pod).

providers.kubernetes_secrets:
  #kube_config: /Users/elastic-agent/.kube/config

Reference the Kubernetes Secrets variable as ${kubernetes_secrets.default.somesecret.value}, where default is the namespace of the Secret, somesecret is the name of the Secret and value the field of the Secret to access.

If you run agent on Kubernetes, the proper rule in the ClusterRole is required to provide access to the Elastic Agent pod in the Secrets API:

- apiGroups: [""]
  resources:
    - secrets
  verbs: ["get"]

The above rule will give permission to Elastic Agent pod to access Kubernetes Secrets API. Anyone who has access to the Elastic Agent pod (kubectl exec for example) will also have access to the Kubernetes Secrets API. This allows access to a specific secret, regardless of the namespace that it belongs to. This option should be carefully considered.