Elastic Agent Kubernetes Integration missing default permissions

[kaykhan]

We are using ECK with Elastic Agents Managed by Fleet and have installed the Kubernetes Integration.

We have noticed a number of errors relating to permissions;

The first two i believe can be resolved by updating the cluster role: https://github.com/elastic/cloud-on-k8s/blob/main/deploy/eck-stack/charts/eck-agent/values.yaml#L127-L183

{"log.level":"error","@timestamp":"2024-10-31T10:18:59.704Z","message":"E1031 10:18:59.703948 1125 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.DaemonSet: failed to list *v1.DaemonSet: daemonsets.apps is forbidden: User "system:serviceaccount:elastic-system:elastic-agent" cannot list resource "daemonsets" in API group "apps" at the cluster scope","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"kubernetes/metrics-default","type":"kubernetes/metrics"},"log":{"source":"kubernetes/metrics-default"},"ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2024-10-31T09:26:58.580Z","message":"E1031 09:26:58.580250 1036 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.PersistentVolume: failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:elastic-system:elastic-agent" cannot list resource "persistentvolumes" in API group "" at the cluster scope","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"kubernetes/metrics-default","type":"kubernetes/metrics"},"log":{"source":"kubernetes/metrics-default"},"ecs.version":"1.6.0"}

We are unsure why we are receiving the below 401 errors.

{"log.level":"error","@timestamp":"2024-10-31T09:30:20.489Z","message":"add_cloud_metadata: received error failed with http status code 401","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","ecs.version":"1.6.0","log.logger":"add_cloud_metadata","log.origin":{"file.line":190,"file.name":"add_cloud_metadata/providers.go","function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata"},"ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2024-10-31T09:30:15.788Z","message":"add_cloud_metadata: received error failed with http status code 401","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":190,"file.name":"add_cloud_metadata/providers.go","function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"add_cloud_metadata","ecs.version":"1.6.0"}

[kaykhan]

Running 8.15.2 and 2.15 eck found another perrmission mismatch

E1113 08:17:22.525476    1104 reflector.go:147] k8s.io/[email protected]/tools/cache/reflector.go:229: Failed to watch *v1.StorageClass: failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:elastic-system:elastic-agent" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope

W1113 08:17:22.525445    1104 reflector.go:539] k8s.io/[email protected]/tools/cache/reflector.go:229: failed to list *v1.StorageClass: storageclasses.storage.k8s.io is forbidden: User "system:serviceaccount:elastic-system:elastic-agent" cannot list resource "storageclasses" in API group "storage.k8s.io" at the cluster scope