We are setting up a fleet server in Kubernetes. It has been given a CA and states it's running, but we cannot shell into it, and the logs are nothing but the following:
E0817 09:12:10.074969 927 leaderelection.go:330] error retrieving resource lock default/elastic-agent-cluster-leader: leases.coordination.k8s.io "elastic-agent-cluster-leader" is forbidden: User "system:serviceaccount:default:elastic-agent" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "default"
I can find very little information on this ever happening, let alone a resolution. Any information pointing to a possible resolution would be massively helpful!
CodePudding user response:
You need to make sure that you have applied the ServiceAccount, ClusterRoles and ClusterRoleBindings from the setup files.
An example of these can be found in the quickstart documentation.
https://www.elastic.co/guide/en/cloud-on-k8s/2.2/k8s-elastic-agent-fleet-quickstart.html
Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: default
Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
      - watch
      - list
  - apiGroups: ["coordination.k8s.io"]
    resources:
      - leases
    verbs:
      - get
      - create
      - update
Cluster Role Binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: default
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io
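
As an added example (not part of the answer above or of Elastic's setup files): a short Python check that parses the denied request out of the log line in the question and evaluates it against the ClusterRole and ClusterRoleBinding from the answer, transcribed by hand into Python data. The function names are hypothetical, and matching is simplified to exact names plus the `*` wildcard.

```python
import re

# Constructed sample: the "forbidden" message from the question's log line.
LOG_LINE = ('leases.coordination.k8s.io "elastic-agent-cluster-leader" is forbidden: '
            'User "system:serviceaccount:default:elastic-agent" cannot get resource '
            '"leases" in API group "coordination.k8s.io" in the namespace "default"')

# The answer's ClusterRole rules and ClusterRoleBinding, transcribed as Python data.
CLUSTER_ROLES = {"elastic-agent": [
    {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "create", "update"]},
]}
BINDINGS = [{"role": "elastic-agent",
             "subjects": [{"kind": "ServiceAccount", "name": "elastic-agent",
                           "namespace": "default"}]}]

FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')

def parse_forbidden(line):
    """Extract the denied request from an API server 'forbidden' message."""
    m = FORBIDDEN.search(line)
    return m.groupdict() if m else None

def rule_allows(rule, group, resource, verb):
    """RBAC match: each field must list the value or the '*' wildcard."""
    return all(v in rule[k] or "*" in rule[k] for k, v in
               (("apiGroups", group), ("resources", resource), ("verbs", verb)))

def is_allowed(req, roles, bindings):
    """True if any ClusterRole bound to the service account grants the request.
    A ClusterRoleBinding applies in every namespace, so that field is not checked."""
    for b in bindings:
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == req["sa"]
                    and s["namespace"] == req["ns"] for s in b["subjects"])
        if bound and any(rule_allows(r, req["group"], req["resource"], req["verb"])
                         for r in roles.get(b["role"], [])):
            return True
    return False

if __name__ == "__main__":
    req = parse_forbidden(LOG_LINE)
    print(req, "->", "allowed" if is_allowed(req, CLUSTER_ROLES, BINDINGS) else "denied")
```

Against a live cluster, `kubectl auth can-i get leases.coordination.k8s.io --as=system:serviceaccount:default:elastic-agent -n default` asks the API server the same question.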