New to KubeDB? Please start here.

X-Pack Configuration

X-Pack is an Elastic Stack extension that provides security along with other features. In KubeDB, X-Pack authentication can be used with elasticsearch 6.8 and 7.2+. In this guide, we will show, how to use xpack authentication or disable it.

Before You Begin

At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using kind.

Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps here.

To keep things isolated, this tutorial uses a separate namespace called demo throughout this tutorial.

$ kubectl create ns demo
namespace/demo created

$ kubectl get ns demo
NAME    STATUS  AGE
demo    Active  5s

Note: YAML files used in this tutorial are stored in docs/examples/elasticsearch folder in GitHub repository kubedb/docs.

X-Pack AuthPlugin

In 0.13.0 release, a new field is introduced to ElasticsearchVersions crd, named authPlugin. In prior this releases, authPlugin was part of Elasticsearch CRD spec, which is deprecated since 0.13.0-rc.1.

The spec.authPlugin is an required field in ElasticsearchVersion CRD, which specifies which plugin to use for authentication. Currently, this field accepts either X-Pack or SearchGuard.

To see, which authPlugin is used in the target ElasticsearchVersion, run the following command:

kubectl get elasticsearchversions 7.3.2 -o yaml
apiVersion: catalog.kubedb.com/v1alpha1
kind: ElasticsearchVersion
metadata:
  name: xpack-8.11.1
spec:
  authPlugin: X-Pack
  db:
    image: kubedb/elasticsearch:7.9.1-xpack
  distribution: ElasticStack
  exporter:
    image: kubedb/elasticsearch_exporter:1.1.0
  initContainer:
    image: kubedb/toybox:0.8.4
    yqImage: kubedb/elasticsearch-init:7.9.1-xpack-v1
  podSecurityPolicies:
    databasePolicyName: elasticsearch-db
  stash:
    addon:
      backupTask:
        name: elasticsearch-backup-7.3.2
      restoreTask:
        name: elasticsearch-restore-7.3.2
  version: 7.9.1

Changing authPlugin

To change authPlugin, it is recommended to create a new ElasticsearchVersion CRD. Then, use that elasticsearchVersion to install an Elasticsearch server with that authPlugin.

Deploy with X-Pack

To deploy with X-Pack, you need to use an ElasticsearchVersion where X-Pack is set to authPlugin.

Here, we are going to use ElasticsearchVersion 7.3.2, which is mentioned earlier in this guide.

Now, let’s create an Elasticsearch server using the following yaml.

apiVersion: kubedb.com/v1
kind: Elasticsearch
metadata:
  name: config-elasticsearch
  namespace: demo
spec:
  version: xpack-8.11.1
  storage:
    storageClassName: "standard"
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
$ kubectl create -f https://github.com/kubedb/docs/raw/v2025.1.9/docs/examples/elasticsearch/x-pack/config-elasticsearch.yaml
elasticsearch.kubedb.com/config-elasticsearch created

The deployed elasticsearch object specs, after the mutation is done by kubedb:

$ kubectl get elasticsearch -n demo config-elasticsearch -o yaml

apiVersion: kubedb.com/v1
kind: Elasticsearch
metadata:
  creationTimestamp: "2019-09-30T08:34:10Z"
  finalizers:
  - kubedb.com
  generation: 3
  name: config-elasticsearch
  namespace: demo
  resourceVersion: "60830"
  selfLink: /apis/kubedb.com/v1/namespaces/demo/elasticsearches/config-elasticsearch
  uid: 13263dfa-e35d-11e9-85c8-42010a8c002f
spec:
  authSecret:
    name: config-elasticsearch-auth
  podTemplate:
    controller: {}
    metadata: {}
    spec:
      resources: {}
      serviceAccountName: config-elasticsearch
  replicas: 1
  storage:
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
    storageClassName: standard
  storageType: Durable
  deletionPolicy: Halt
  version: xpack-8.11.1
status:
  observedGeneration: 1$4210395375389091791
  phase: Running

As we can see, KubeDB has created a secret named config-elasticsearch-auth, which contains password for built-in user elastic .

Manually Generated Password

If you want to provide your own password, you need to create a secret that contains two keys: ADMIN_USERNAME, ADMIN_PASSWORD.

$ export ADMIN_PASSWORD=admin-password
$ kubectl create secret generic -n demo config-elasticsearch-auth \
                --from-literal=ADMIN_USERNAME=elastic \
                --from-literal=ADMIN_PASSWORD=harderPASSWORD \
secret/config-elasticsearch-auth created

Use this Secret config-elasticsearch-auth in spec.authSecret field of your Elasticsearch object while creating the elasticsearch for the 1st time. Changing the password after creating, won’t work at this time.

Connect to Elasticsearch Database

KubeDB operator sets the status.phase to Running once the database is successfully created.

$ kubectl get es -n demo config-elasticsearch -o wide
NAME                   VERSION   STATUS    AGE
config-elasticsearch   7.3.2     Running   2m8s

To connect to the elasticsearch node, we are going to use port forward to the elasticsearch pod. Run following command on a separate terminal,

$ kubectl port-forward -n demo config-elasticsearch-0 9200
Forwarding from 127.0.0.1:9200 -> 9200
Forwarding from [::1]:9200 -> 9200

Connection information:

  • Address: localhost:9200

  • Username: Run following command to get username

    $ kubectl get secrets -n demo config-elasticsearch-auth -o jsonpath='{.data.\ADMIN_USERNAME}' | base64 -d
      elastic
    
  • Password: Run following command to get password

    $ kubectl get secrets -n demo config-elasticsearch-auth -o jsonpath='{.data.\ADMIN_PASSWORD}' | base64 -d
      ruobj2eo
    

Firstly, try to connect to this database without providing any authentication. You will face the following error:

$ curl "localhost:9200/_cluster/health?pretty"
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_cluster/health?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_cluster/health?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Now, provide the authentication,

$ curl --user elastic:ruobj2eo "localhost:9200/_cluster/health?pretty"
{
  "cluster_name" : "config-elasticsearch",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Additionally, to query the settings about xpack,

$ curl --user "elastic:ruobj2eo" "localhost:9200/_nodes/_all/settings?pretty"
{
  "_nodes": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "cluster_name": "config-elasticsearch",
  "nodes": {
    "LxLZBdU6SLemcv6mF1p2vw": {
      "name": "config-elasticsearch-0",
      "transport_address": "10.8.0.112:9300",
      "host": "10.8.0.112",
      "ip": "10.8.0.112",
      "version": "7.3.2",
      "build_flavor": "default",
      "build_type": "docker",
      "build_hash": "508c38a",
      "roles": [
        "master",
        "data",
        "ingest"
      ],
      "attributes": {
        "ml.machine_memory": "7841255424",
        "xpack.installed": "true",
        "ml.max_open_jobs": "20"
      },
      "settings": {
        "cluster": {
          "initial_master_nodes": "config-elasticsearch-0",
          "name": "config-elasticsearch"
        },
        "node": {
          "name": "config-elasticsearch-0",
          "attr": {
            "xpack": {
              "installed": "true"
            },
            "ml": {
              "machine_memory": "7841255424",
              "max_open_jobs": "20"
            }
          },
          "data": "true",
          "ingest": "true",
          "master": "true"
        },
        "path": {
          "logs": "/usr/share/elasticsearch/logs",
          "home": "/usr/share/elasticsearch"
        },
        "discovery": {
          "seed_hosts": "config-elasticsearch-master"
        },
        "client": {
          "type": "node"
        },
        "http": {
          "type": "security4",
          "type.default": "netty4"
        },
        "transport": {
          "type": "security4",
          "features": {
            "x-pack": "true"
          },
          "type.default": "netty4"
        },
        "xpack": {
          "security": {
            "http": {
              "ssl": {
                "enabled": "false"
              }
            },
            "enabled": "true",
            "transport": {
              "ssl": {
                "enabled": "true"
              }
            }
          }
        },
        "network": {
          "host": "0.0.0.0"
        }
      }
    }
  }
}

As you can see, xpack.security.enabled is set to true.

Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

kubectl patch -n demo es/config-elasticsearch -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge"
kubectl delete -n demo es/config-elasticsearch

kubectl delete ns demo

Next Steps

  • Learn how to use ssl enabled elasticsearch cluster with xpack.