Deploy an APM Server instance with a route


It is currently not possible to run the APM Server with the restricted SCC. A possible workaround is to allow the Pod to run with the default uid 1000 by assigning it to the anyuid SCC:

  1. Create a service account to run the APM Server:

    oc create serviceaccount apm-server -n elastic

  2. Add the APM service account to the anyuid SCC:

    oc adm policy add-scc-to-user anyuid -z apm-server -n elastic
    scc "anyuid" added to: ["system:serviceaccount:elastic:apm-server"]

  3. Deploy an APM Server and a route with the following manifest:

    cat <<EOF | oc apply -n elastic -f -
    apiVersion: apm.k8s.elastic.co/v1
    kind: ApmServer
    metadata:
      name: apm-server-sample
    spec:
      version: 8.16.1
      count: 1
      elasticsearchRef:
        name: "elasticsearch-sample"
      podTemplate:
        spec:
          serviceAccountName: apm-server
    ---
    apiVersion: v1
    kind: Route
    metadata:
      name: apm-server-sample
    spec:
      #host: apm-server.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
      tls:
        termination: passthrough # the APM Server is the TLS endpoint
        insecureEdgeTerminationPolicy: Redirect
      to:
        kind: Service
        name: apm-server-sample-apm-http
    EOF

To check that the Pod of the APM Server is using the correct SCC, use the following command:

    oc get pod -o go-template='{{range .items}}{{$scc := index .metadata.annotations "openshift.io/scc"}}{{.metadata.name}}{{" scc:"}}{{range .spec.containers}}{{$scc}}{{" "}}{{"\n"}}{{end}}{{end}}'
    apm-server-sample-apm-server-86bfc5c95c-96lbx scc:anyuid
    elasticsearch-sample-es-5tsqghmm79 scc:restricted
    elasticsearch-sample-es-6qk52mz5jk scc:restricted
    elasticsearch-sample-es-dg4vvpm2mr scc:restricted
    kibana-sample-kb-97c6b6b8d-lqfd2 scc:restricted
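
The check above can be turned into a repeatable audit. The following is an added example, not part of the original page or of ECK: it reads the `<pod> scc:<name>` lines printed by that command and flags an APM Server Pod that is not under the expected SCC, or any other Pod admitted under an SCC other than the baseline. The function name `audit_scc`, its arguments and the finding labels are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit "<pod> scc:<name>" lines from the check command above.
# audit_scc, its arguments and the finding labels are names chosen here.

# Usage: audit_scc APM_POD_PREFIX WANTED_SCC [BASELINE_SCC] < check-output
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_scc() {
  awk -v prefix="$1" -v want="$2" -v base="${3:-restricted}" '
    # The template prints one line per container, so a multi-container Pod
    # yields extra lines without a "scc:" field. Skip those and blank lines.
    $2 !~ /^scc:/ { next }
    {
      pod = $1; scc = $2; sub(/^scc:/, "", scc)
      if (index(pod, prefix) == 1) {          # an APM Server Pod
        seen++
        if (scc != want) { print "UNEXPECTED " pod " runs under " scc; bad++ }
      } else if (scc != base) {               # relaxed SCC on another Pod
        print "RELAXED " pod " runs under " scc; bad++
      }
    }
    END {
      if (!seen) { print "MISSING no Pod named " prefix "*"; bad++ }
      exit (bad > 0)
    }'
}

# Constructed sample: lines copied from the output shown above.
sample_output() {
  cat <<'EOF'
apm-server-sample-apm-server-86bfc5c95c-96lbx scc:anyuid
elasticsearch-sample-es-5tsqghmm79 scc:restricted
kibana-sample-kb-97c6b6b8d-lqfd2 scc:restricted
EOF
}

if sample_output | audit_scc apm-server-sample-apm-server- anyuid; then
  echo "SCC assignment matches expectations"
fi
```

On a live cluster, pipe the output of the check command above into `audit_scc`; on clusters whose default SCC is `restricted-v2`, pass that name as the third argument.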