Fleet Server In Elastic Error : elastic-agent-cluster-leader is forbidden

Question

We are setting up a fleet server in Kubernetes. It has been given a CA and states its running but we cannot shell into it, and the logs are nothing but the following:

E0817 09:12:10.074969 927 leaderelection.go:330] error retrieving resource lock default/elastic-agent-cluster-leader: leases.coordination.k8s.io "elastic-agent-cluster-leader" is forbidden: User "system:serviceaccount:default:elastic-agent" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "default"

I can find very little information on this ever happening let alone a resolution. Any information pointing to a possible resolution would be massively helpful!

Answer 1

You need to make sure that you have applied the ServiceAccount, ClusterRoles and ClusterRoleBindings from the setup files.

An example of these can be found in the quickstart documentation.

https://www.elastic.co/guide/en/cloud-on-k8s/2.2/k8s-elastic-agent-fleet-quickstart.html

Service Account

kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: default

Cluster Role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - pods
  - nodes
  - namespaces
  verbs:
  - get
  - watch
  - list
- apiGroups: ["coordination.k8s.io"]
  resources:
  - leases
  verbs:
  - get
  - create
  - update

Cluster Role Binding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent
subjects:
- kind: ServiceAccount
  name: elastic-agent
  namespace: default
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io