[Fleet] Finalize generic support for agentless integration policies in Fleet policy editor #183863
Comments
kpollich
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
Yes, users today have multiple CSPM integrations installed (on multiple agent policies). I don't think we don't want to limit the number of integrations installed to begin with. |
|
Thanks, @olegsu - could we try to clarify the expected workflow then in the UI? Based on our conversations, I am understanding it as something like
Some questions I have for the expected state after this flow is completed:
|
|
@kpollich you're on point.
That's actually a product question @tinnytintin10
I think not.
I think yes. |
|
On serverless, we have a few users that already use agentless, which uses the method of a preconfigured agent policy behind the scenes. So on fleet, we should be able to distinguish between these two implementation details. This is still an open question, and it will be answered more effectively once we have a more detailed action plan and time estimations. |
|
@kpollich I am wondering if the create a Kibana Agentless service in the Fleet plugin to create Agentless-ElasticAgents plan item for ESS is mostly a duplicate of this issue. Assuming that we are doing what @kfirpeled mentioned and concentrating on ESS, the only difference for ESS would be that we are sending requests to the Agentless-API to create the new agentless-agent. |
|
I don't think this is a duplicate of that issue. This issue seeks to capture the flow in which an integration policy is created for an integration with Whether this logic is encapsulated in the agentless service you're proposing is perhaps a relevant implementation detail, but actually calling that logic from the UI remains the unit of work captured by this issue. See proposed workflow in this comment above: #183863 (comment) The way this works today, the UI makes several sequential API calls to the |
|
@kpollich please correct me if I am not summarizing our conversation correctly. @kpollich and I huddled to discuss if there could be a duplication of effort for this and what we needed to do for the Agentless API. We agreed that 1 through 8 of the sequence diagram below would likely have overlapping concerns, while 9 is unique for the Agentless API. We would likely need to move most or all of the Agentless Kibana logic from the CSPM plugin to the Fleet plugin to allow other integrations to use it. If this issue's solution is to create a new Agentless-agent for each agentless supported integration, the work effort to integrate the Agentless API (ESS) would be considerably smaller. We were unsure if there were CSPM plugin extension hooks for 10 through 16 and I am currently looking into that.
|
kpollich
changed the title
|
@seanrathier @kpollich The toggle will be for Agentless ESS correct? For Serverless, we have a pre-configured agentless policy once we migrate Agentless API to Serverless, then we can show the toggle. |
For Serverless, the toggle will still show, however, Agentless is selected by default and will only use the one pre-built Agentless policy. We need to give the user the option to use an Agent-based policy For ESS, everything is the same as above, except when Agentless is selected it always creates a new agentless policy. You cannot select an existing Agentless policy like in Serverless. |
|
@seanrathier Ahh okay thanks for clarifying. My concerns introducing toggle in Serverless
|
|
It is worth mentioning, that Agentless on Serverless will not be available before migrating it to use Agentless API and making all the flows similar to ESS. What I miss in the ticket's DOD is in edit mode, that it cannot be switched/toggled. So agentless remains agentless and agent based remains agent-based. @kpollich , tbh that value is part of the agent policy values. and not the integration. So if that is where this toggle will be visible, the edit mode should not concern us. Is that what you had in mind? |
If agent-based is selected, a new agent policy + integration policy will always be created. Should this be possible at all in the edit mode for an existing integration policy? e.g. if a user clicks "edit" for their Okta policy, which is running in agent-based mode, should they be able to toggle it to agentless mode and have a new agent policy created for them under the hood? |
|
@kpollich - this looks great, thank you and your team for pushing this effort! Given that agentless is going to be in beta for the first few releases we should make sure to:
We will be doing the same for the CSPM custom UI and have proposed a design for it - #188601. |
|
Both transitions are feasible. We haven't captured that work yet on the first stages of our implementation, we were thinking of blocking it for now so we could focus on the creation flow. It does add some complexity to edit an integration and switch to agentless. Under the hood we need to create a new agentless agent policy when doing so. As for the existing integration, should it be removed from the agent-based policy? should it be duplicated? I'm not quite sure.. |
Let's move forward with this approach. Editing an agentless integration shouldn't be possible, and a new integration policy will need to be created. I'll capture this in the requirements above. |
kpollich
changed the title
|
Updated the description + issue title to better reflect what we're doing here. cc @juliaElastic since you'll be picking this up next sprint as well. Let me know if you have any concerns about the larger list of requirements. |
|
@kpollich A few questions here:
|
|
@juliaElastic I'll answer some of these questions as I worked on the agentless area previously.
AFAIK we don't have any. I generated a couple of packages locally with this flag to simulate this behavior. I added these packages it in this PR, but let me know if you cannot download them or if they don't work for you, I should still have them. The testing steps are in the PR description.
Yes that's the idea, there was a lot of discussion on this but basically we want to be able to show a "reduced" version of that UI for a generic agentless integration, as the current form is custom-built for CSPM and is closely tied to its inputs.
I think that the assumption has been since the beginning that an "agentless" policy will only allow a single integration policy. I don't know if we want to put in place any explicit guards to prevent additional integrations policies from installing, but the relation should be 1:1 Also, related to this item in the description:
I believe that this already happens, but we need to verify it. I'll leave the other answers to @kpollich as I'm not sure what was decided about those. |
|
Thanks, @criamico - your answers above look good.
The UI should be changed in both stateful and serverless. Users should be able to decide whether they want agentless or agent based deployment regardless of their environment.
Yes we should prevent toggling an existing policy between deployment modes.
We'll just use the usual Fleet API - this doesn't need to interact with the agentless API at all for now. @seanrathier if I understand correctly we might change this later such that saving a new agentless policy would create and deploy an agentless agent via the agentless API (a mouthful!) For now, so long as we are creating an integration policy with the proper variables set that belongs to a new agent policy with
Yes, Cristina is correct this should not be possible. The goal is to have a single integration policy on each agent policy with |
|
@kpollich I had a few more questions. While implementing this, I see there is a lot of behavior now added for CSPM integration: setting agentless mode as default, calling agentless API to create agentless agent when creating agentless policy, only allow agentless selector if env is serverless/cloud with agentless api set. Also currently agentless policies are created as managed policies, which helps to prevent adding more integration policies. However managed policies don't allow deleting integration policies, so I think we have to either remove the managed property from the created agentless agent policies or let these integration policies be deleted even if the agent policy is managed.
I'm not sure how this could work, the agentless/agent-based selector determines whether the created agent policy will have
I started implementing this, and realised if we disable the edit action, users won't be able to view the current config of the integration policy (only in Agent policy / View policy as yaml). Alternatively we could allow going to the Edit integration page, and only disable the submit button. |
@juliaElastic @kpollich, I'm chiming in here for your knowledge. Most of the work we have completed and planned for the Agentless API (ESS) has been in the Fleet plugin, we want to avoid "customizations" for CSPM and make agentless available to all integrations. We have not been making any changes in the CSPM plugin aside from the UI changes to |
|
Does that mean that the agentless API logic should be called for all integrations, not just CSPM? I can try to move out the setup technology selector out of the CSPM extension view to render with the generic logic, I added locally to the form like this, without the |
@juliaElastic, AFAIK, eventually all integrations that have the
We have a task in our plan to migrate Serverless to use the Agentless API solution which will create a new Agentless-agent, instead of using the hard-coded |
…on policy (#190391) ## Summary Related to #183863 Follow up from #189934 (comment) Since the edit integration was re-enabled for agentless integration policies, we have to make sure to hide the agent policy change option when editing an agentless policy. This pr addresses that. To verify: - add CSPM integration with agentless setup technology - edit the integration policy - verify that the agent policies can't be modified - upload another agentless package (instruction [here](#189612)) - add Agentless integration with setup technology agentless - edit the integration policly - verify that the agent policies can't be modified <img width="1526" alt="image" src="https://github.com/user-attachments/assets/557cc6d4-37e7-43f6-b52a-3d5f4c073e1c"> <img width="1524" alt="image" src="https://github.com/user-attachments/assets/e890efa8-4faf-4608-9228-32debadb895a"> ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Follow up on #180375
In #180375, Fleet added support for policy variables being shown/hidden based on the
deployment_modesvalue in an integrations and ensured that policies saved for agentless integration policies are always saved with the hardcoded agent policy with IDagentless.To finalize Fleet's generic support for integrations that opt into the agentless deployment mode, we need to do the following:
deployment_modes.agentless.enabled: trueis set on a given policy templatesupports_agentless: trueset.supports_agentless: trueis set, the policy editor default to the current agent-based option and the toggle is set toagent-basedagentlessoption is clearly marked as beta, and display a beta banner in the policy editor form itself to reiterate this when agentless mode is enabledOpen questions
The text was updated successfully, but these errors were encountered: