[Fleet] Users should be able to switch Agents from privileged to unprivileged mode

[ycombinator]

Describe the feature:

Elastic Agents have the ability to run in either privileged mode, i.e. with a privileged user like root on Linux systems, or unprivileged mode, i.e. with an unprivileged user.

Moreover, Agents running in privileged mode have the ability to switch themselves to unprivileged mode. This ability is being exposed via the Agent CLI. We now wish to expose this same ability using the Fleet UI.

⚠️ Important note: users should only be switch Agents from privileged to unprivileged mode, not the other way around, using the Fleet UI.

Describe a specific use case for the feature:

Security: Allowing users to reduce the privileges required to run Elastic Agent.

Depends on elastic/elastic-agent#4973

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[amitkanfer]

why is this blocked?

[kpollich]

I think this should be unblocked now as elastic/elastic-agent#4621 has landed, correct? @ycombinator is there more work to do with exposing the mode-toggling via actions?

[ycombinator]

I think this should be unblocked now as elastic/elastic-agent#4621 has landed, correct? @ycombinator is there more work to do with exposing the mode-toggling via actions?

Chatted with @blakerouse about this. We will indeed need to first define a new action for switching privileged Agents to unprivileged and implement the necessary changes "bottom up" from Agent to Fleet UI. I can also see a couple of small non-happy-path cases we'd want to think about. To that end, I've created elastic/elastic-agent#4973 to capture the requirements and have suggested in that issue that we do some tech definition first.

So this issue here should remain blocked for now, on elastic/elastic-agent#4973.