Prerequisites

To set up the network policies correctly you must know the operator Pod selector and the Kubernetes API server IP address. They may vary depending on your environment and how the operator has been installed.
Operator Pod selector

The operator Pod label depends on how the operator has been installed. Check the following table to know which label is used as the Pod selector in the network policies.

Installation method | Pod selector
---|---
YAML manifests | `control-plane: elastic-operator`
Helm Charts | `app.kubernetes.io/name: elastic-operator`

The examples in this section assume that the ECK operator has been installed using the Helm chart.
Kubernetes API server IP

Run `kubectl get endpoints kubernetes -n default` to obtain the API server IP address for your cluster.

The following examples assume that the Kubernetes API server IP address is 10.0.0.1.
Isolating the operator

The minimal set of permissions required is as follows:

Direction | Allowed traffic
---|---
Egress (outgoing) | UDP 53 (DNS); TCP 443 to the Kubernetes API server; TCP 9200 to Elasticsearch Pods in the managed tenant namespaces (team-a and team-b in this example)
Ingress (incoming) | TCP 9443 from the Kubernetes API server
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: elastic-operator
  namespace: elastic-system
spec:
  egress:
    - ports:
        - port: 53
          protocol: UDP
    - ports:
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.0.1/32
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchExpressions:
              - key: eck.k8s.elastic.co/tenant
                operator: In
                values:
                  - team-a
                  - team-b
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.1/32
      ports:
        - port: 9443
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: elastic-operator
```
Isolating Elasticsearch

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 9300 to Elasticsearch Pods in the same tenant namespace; UDP 53 (DNS)
Ingress (incoming) | TCP 9200 from the operator Pod and from any Pod in the tenant namespace (optionally also from the ingress controller); TCP 9300 from Elasticsearch Pods in the tenant namespace
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-elasticsearch
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9300
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/operator-name: elastic-operator
          podSelector:
            matchLabels:
              app.kubernetes.io/name: elastic-operator
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 9200
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
      ports:
        - port: 9300
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: elasticsearch
```
Isolating Kibana

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the tenant namespace; UDP 53 (DNS); optionally TCP 443 to reach the Elastic Package Registry when Agent is deployed
Ingress (incoming) | TCP 5601 from any Pod in the tenant namespace (optionally also from the ingress controller)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-kibana
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
              # [Optional] Restrict to a single Elasticsearch cluster named hulk.
              # elasticsearch.k8s.elastic.co/cluster-name: hulk
    - ports:
        - port: 53
          protocol: UDP
        # [Optional] If Agent is deployed, this is to allow Kibana to access the Elastic Package Registry (https://epr.elastic.co).
        # - port: 443
        #   protocol: TCP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 5601
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: kibana
```
Isolating APM Server

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the tenant namespace; TCP 5601 to Kibana Pods in the tenant namespace; UDP 53 (DNS)
Ingress (incoming) | TCP 8200 from any Pod in the tenant namespace (optionally also from the ingress controller)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-apm-server
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 5601
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: kibana
    - ports:
        - port: 53
          protocol: UDP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 8200
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: apm-server
```
Isolating Enterprise Search

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the tenant namespace; UDP 53 (DNS)
Ingress (incoming) | TCP 3002 from any Pod in the tenant namespace (optionally also from the ingress controller)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-enterprise-search
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 3002
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: enterprise-search
```
Isolating Beats

Some Beats may require additional access rules beyond those listed here. For example, Heartbeat requires a rule that allows access to the endpoint it is monitoring.

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the tenant namespace; TCP 5601 to Kibana Pods in the tenant namespace; UDP 53 (DNS)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-beats
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 5601
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: kibana
    - ports:
        - port: 53
          protocol: UDP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: beat
```
Isolating Elastic Agent and Fleet

Some Elastic Agent policies may require additional access rules beyond those listed here.

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 8220 to Agent (Fleet Server) Pods in the tenant namespace; TCP 5601 to Kibana Pods in the tenant namespace; TCP 9200 to Elasticsearch Pods in the tenant namespace; UDP 53 (DNS); TCP 443 to the Kubernetes API server
Ingress (incoming) | TCP 8220 from any Pod in the tenant namespace
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-agent
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 8220
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: agent
    - ports:
        - port: 5601
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: kibana
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
    - ports:
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.0.1/32
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
      ports:
        - port: 8220
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: agent
```
Isolating Logstash

Logstash may require additional access rules beyond those listed here, depending on plugin usage.

Direction | Allowed traffic
---|---
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the tenant namespace; UDP 53 (DNS)
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-logstash
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: logstash
```
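The manifests above only do their job when the egress side and the ingress side of a connection agree: Kibana may send to port 9200 only because the Elasticsearch policy also accepts it from the tenant namespace, and an egress-only policy such as `eck-beats` or `eck-logstash` still isolates its Pods for ingress, because Kubernetes implies `policyTypes: [Ingress]` whenever the field is omitted. The following is an added example, not ECK or Kubernetes code, that evaluates those rules offline: it models the `eck-elasticsearch`, `eck-kibana` and `eck-beats` policies as Python dicts mirroring the YAML, constructs a few Pods (the `debug-shell` Pod, the `team-b` Kibana and the `kube-dns` labels are assumptions), and decides whether a given connection passes both the source's egress and the destination's ingress checks.

```python
"""Constructed example (not ECK or Kubernetes code): a small evaluator for the
NetworkPolicy semantics that the manifests on this page rely on.  Policies are
Python dicts mirroring the page's YAML; a connection is allowed only if the source
Pod's egress policies AND the destination Pod's ingress policies both permit it."""
from dataclasses import dataclass

@dataclass
class Pod:
    namespace: str
    labels: dict     # labels on the Pod
    ns_labels: dict  # labels on the Pod's Namespace object (tenant selectors match these)

def selector_matches(selector, labels):
    """matchLabels plus matchExpressions with In (the forms used on this page); None matches all."""
    if selector is None:
        return True
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(labels.get(e["key"]) in e["values"]
               for e in selector.get("matchExpressions", []) if e["operator"] == "In")

def peer_matches(peer, pod, policy_ns):
    """A 'to'/'from' peer: podSelector alone is scoped to the policy's own namespace,
    namespaceSelector widens it; ipBlock peers describe non-Pod IPs and never match a Pod here."""
    if "ipBlock" in peer:
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], pod.ns_labels):
            return False
    elif pod.namespace != policy_ns:
        return False
    return selector_matches(peer.get("podSelector"), pod.labels)

def port_matches(ports, port, proto):
    if not ports:
        return True  # a rule without 'ports' covers every port and protocol
    return any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)

def policy_types(policy):
    """Default policyTypes: Ingress is always implied; Egress only when egress rules exist."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def direction_allowed(policies, pod, direction, other, port, proto):
    selected = [p for p in policies
                if p["metadata"]["namespace"] == pod.namespace
                and direction in policy_types(p)
                and selector_matches(p["spec"]["podSelector"], pod.labels)]
    if not selected:
        return True  # nothing selects this Pod in this direction: it is not isolated
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for p in selected:
        for rule in p["spec"].get(rules_key, []):
            peers = rule.get(peer_key)  # None means any peer (like the DNS rules above)
            if port_matches(rule.get("ports"), port, proto) and (
                    peers is None or any(peer_matches(x, other, pod.namespace) for x in peers)):
                return True
    return False

def connection_allowed(policies, src, dst, port, proto="TCP"):
    return (direction_allowed(policies, src, "Egress", dst, port, proto)
            and direction_allowed(policies, dst, "Ingress", src, port, proto))

# Constructed policies mirroring eck-elasticsearch, eck-kibana and eck-beats above
# (the operator ingress rule on Elasticsearch is omitted to keep this short).
TENANT = {"matchLabels": {"eck.k8s.elastic.co/tenant": "team-a"}}
ES, KB, BEAT = [{"matchLabels": {"common.k8s.elastic.co/type": t}}
                for t in ("elasticsearch", "kibana", "beat")]
TO_ES = [{"namespaceSelector": TENANT, "podSelector": ES}]
def port(n, proto="TCP"): return [{"port": n, "protocol": proto}]
def np(name, pod_selector, **spec):
    return {"metadata": {"name": name, "namespace": "team-a"},
            "spec": {"podSelector": pod_selector, **spec}}

POLICIES = [
    np("eck-elasticsearch", ES,
       egress=[{"ports": port(9300), "to": TO_ES}, {"ports": port(53, "UDP")}],
       ingress=[{"from": [{"namespaceSelector": TENANT}], "ports": port(9200)},
                {"from": TO_ES, "ports": port(9300)}]),
    np("eck-kibana", KB,
       egress=[{"ports": port(9200), "to": TO_ES}, {"ports": port(53, "UDP")}],
       ingress=[{"from": [{"namespaceSelector": TENANT}], "ports": port(5601)}]),
    np("eck-beats", BEAT,  # egress-only manifest: Ingress is still implied, so all ingress is denied
       egress=[{"ports": port(9200), "to": TO_ES}, {"ports": port(53, "UDP")}]),
]

TEAM_A = {"eck.k8s.elastic.co/tenant": "team-a"}  # constructed Pods follow
es_a = Pod("team-a", ES["matchLabels"], TEAM_A)
kb_a = Pod("team-a", KB["matchLabels"], TEAM_A)
beat_a = Pod("team-a", BEAT["matchLabels"], TEAM_A)
debug_a = Pod("team-a", {"app": "debug-shell"}, TEAM_A)  # assumed Pod that no policy selects
kb_b = Pod("team-b", KB["matchLabels"], {"eck.k8s.elastic.co/tenant": "team-b"})
dns = Pod("kube-system", {"k8s-app": "kube-dns"}, {})  # assumed DNS Pod, no policies in its namespace
if __name__ == "__main__":
    for src, dst, p, proto in [(kb_a, es_a, 9200, "TCP"), (kb_b, es_a, 9200, "TCP"),
                               (debug_a, beat_a, 5066, "TCP"), (kb_a, dns, 53, "TCP")]:
        print(src.namespace, src.labels, "->", dst.namespace, dst.labels, p, proto,
              "ALLOW" if connection_allowed(POLICIES, src, dst, p, proto) else "DENY")
```

Two results are worth noting when adapting the manifests: DNS is allowed only over UDP, so a resolver that falls back to TCP for large responses is blocked unless a `port: 53, protocol: TCP` entry is added, and the egress-only Beats policy denies every inbound connection to the Beat Pods, which is what you want unless a Beat (Heartbeat's HTTP endpoint, for instance) must be reachable.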