- Elastic Cloud on Kubernetes:
- Overview
- Quickstart
- Operating ECK
- Orchestrating Elastic Stack applications
- Run Elasticsearch on ECK
- Node configuration
- Volume claim templates
- Storage recommendations
- Transport settings
- Virtual memory
- Settings managed by ECK
- Secure settings
- Custom configuration files and plugins
- Init containers for plugin downloads
- Update strategy
- Pod disruption budget
- Nodes orchestration
- Advanced Elasticsearch node scheduling
- Create automated snapshots
- Remote clusters
- Readiness probe
- Pod PreStop hook
- Elasticsearch autoscaling
- JVM heap dumps
- Security Context
- Run Kibana on ECK
- Run APM Server on ECK
- Run standalone Elastic Agent on ECK
- Run Fleet-managed Elastic Agent on ECK
- Run Elastic Maps Server on ECK
- Run Enterprise Search on ECK
- Run Beats on ECK
- Secure the Elastic Stack
- Access Elastic Stack services
- Customize Pods
- Manage compute resources
- Autoscaling stateless applications
- Upgrade the Elastic Stack version
- Run Elasticsearch on ECK
- Advanced topics
- Reference
- API Reference
- agent.k8s.elastic.co/v1alpha1
- apm.k8s.elastic.co/v1
- apm.k8s.elastic.co/v1beta1
- beat.k8s.elastic.co/v1beta1
- common.k8s.elastic.co/v1
- common.k8s.elastic.co/v1beta1
- elasticsearch.k8s.elastic.co/v1
- elasticsearch.k8s.elastic.co/v1beta1
- enterprisesearch.k8s.elastic.co/v1
- enterprisesearch.k8s.elastic.co/v1beta1
- kibana.k8s.elastic.co/v1
- kibana.k8s.elastic.co/v1beta1
- maps.k8s.elastic.co/v1alpha1
- Glossary
- Third-party dependencies
- API Reference
- Release highlights
- 2.0.0 release highlights
- 1.9.1 release highlights
- 1.9.0 release highlights
- 1.8.0 release highlights
- 1.7.1 release highlights
- 1.7.0 release highlights
- 1.6.0 release highlights
- 1.5.0 release highlights
- 1.4.1 release highlights
- 1.4.0 release highlights
- 1.3.2 release highlights
- 1.3.1 release highlights
- 1.3.0 release highlights
- 1.2.2 release highlights
- 1.2.1 release highlights
- 1.2.0 release highlights
- 1.1.2 release highlights
- 1.1.1 release highlights
- 1.1.0 release highlights
- 1.0.1 release highlights
- 1.0.0 release highlights
- 1.0.0-beta1 release highlights
- Release notes
- Elastic Cloud on Kubernetes version 2.0.0
- Elastic Cloud on Kubernetes version 1.9.1
- Elastic Cloud on Kubernetes version 1.9.0
- Elastic Cloud on Kubernetes version 1.8.0
- Elastic Cloud on Kubernetes version 1.7.1
- Elastic Cloud on Kubernetes version 1.7.0
- Elastic Cloud on Kubernetes version 1.6.0
- Elastic Cloud on Kubernetes version 1.5.0
- Elastic Cloud on Kubernetes version 1.4.1
- Elastic Cloud on Kubernetes version 1.4.0
- Elastic Cloud on Kubernetes version 1.3.2
- Elastic Cloud on Kubernetes version 1.3.1
- Elastic Cloud on Kubernetes version 1.3.0
- Elastic Cloud on Kubernetes version 1.2.2
- Elastic Cloud on Kubernetes version 1.2.1
- Elastic Cloud on Kubernetes version 1.2.0
- Elastic Cloud on Kubernetes version 1.1.2
- Elastic Cloud on Kubernetes version 1.1.1
- Elastic Cloud on Kubernetes version 1.1.0
- Elastic Cloud on Kubernetes version 1.0.1
- Elastic Cloud on Kubernetes version 1.0.0
- Elastic Cloud on Kubernetes version 1.0.0-beta1
Required RBAC permissions
editRequired RBAC permissions
editInstalling and running ECK, as well as using ECK-managed resources requires certain Kubernetes permissions. These permissions are listed below, with a reason why they are needed.
Installing CRDs
editThis permission is required to install CRDs. CRDs (CustomResourceDefinitions) are the only non-namespaced resources required to be installed.
Name | API group | Optional? | Usage |
---|---|---|---|
|
|
no |
Extend Kubernetes APIs with Elastic Stack application resources. |
Installing the ECK operator
editThese permissions are required to install the ECK operator in a Kubernetes cluster.
Name | API group | Optional? | Usage |
---|---|---|---|
|
|
no |
The ECK operator can be either deployed as a StatefulSet or as a Deployment. |
|
|
no |
Service account that the operator Pods run as. |
|
|
no |
Role bound to the operators Service account. Depending on the installation type (global/restricted) either a global (ClusterRole) or a namespaced (Role) resource is needed. |
|
|
no |
Binding between the operators role and the operators service account. Depending on the installation type (global/restricted), either global (ClusterRoleBinding) or namespaced (RoleBinding) resource is needed. |
|
|
yes |
Configuration parameters of the Operator. They can be specified directly in the StatefulSet (or Deployment) resource instead. |
|
|
yes |
Namespace where the operator will run. It can be a pre-existing namespace as well. |
|
|
yes |
Validating webhook installation. It provides fast feedback for the user directly as a APIServer response. A subset of these validations is also run by the operator itself, but the results are only available through operator logs and Kubernetes events. Check docs for more. |
|
|
yes |
Secret containing the validating webhook’s endpoint CA certificate. |
|
|
yes |
Service for validating webhook endpoint. |
And all permissions that Running ECK operator section specifies.
Running ECK operator
editThese permissions are needed by the Service Account that ECK operator runs as.
Name | API group | Optional? | Usage |
---|---|---|---|
|
no |
Assuring expected Pods presence during Elasticsearch reconciliation, safely deleting Pods during configuration changes and validating |
|
|
no |
Checking availability of service endpoints. |
|
|
no |
Emitting events concerning reconciliation progress and issues. |
|
|
no |
Expanding existing volumes. Check docs to learn more. |
|
|
no |
Reading/writing configuration, passwords, certificates, and so on. |
|
|
no |
Creating Services fronting Elastic Stack applications. |
|
|
no |
Reading/writing configuration. |
|
|
|
no |
Deploying Elasticsearch |
|
|
no |
Deploying Kibana, APM Server, EnterpriseSearch, Maps, Beats or Elastic Agent. |
|
|
no |
Deploying Beats or Elastic Agent. |
|
|
no |
Ensuring update safety for Elasticsearch. Check docs to learn more. |
|
|
yes |
Validating storage expansion support. Check docs to learn more. |
|
|
yes |
Controlling access between referenced resources. Check docs to learn more. |
And all permissions that the Using ECK-managed resources chapter specifies.
Using ECK-managed resources
editThese permissions are needed to manage each Elastic Stack application. For example, to create, update and delete Elasticsearch clusters the permissions for the respective verbs must be held by the user that performs the operation.
Name | API group | Optional? |
---|---|---|
|
|
no |
|
|
no |
|
|
no |
|
|
no |
|
|
no |
|
|
no |
|
|
no |
On this page