2.8.0 release highlightsedit
This release includes a hardened default security context for Elasticsearch containers. It is highly recommended to test against a staging environment before deploying to production.
New and notableedit
New and notable changes in version 2.8.0 of Elastic Cloud on Kubernetes. Check Elastic Cloud on Kubernetes version 2.8.0 for the full list of changes.
Logstash supportedit
ECK 2.8.0 includes a technical preview for Logstash support, introducing a new Custom Resource Definition (CRD) and controller to easily deploy and orchestrate Logstash on Kubernetes. The technical preview includes support for defining pipelines (with dynamic individual pipeline reload), integrating with Elasticsearch instances, and stack monitoring configuration from within the CRD.
Refer to the Quickstart for more information.
Hardened Security Context for Elasticsearch containeredit
The default SecurityContext of the Elasticsearch containers has been hardened, it includes the following specification by default:
securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true
For Elasticsearch versions above 8.0.0 the container’s SecurityContext also include the following capabilities settings:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
Starting with Elasticsearch 8.8.0, runAsNonRoot is also set to true:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
Using custom certificates on the transport layeredit
It is now possible to fully delegate the generation of the transport certificates used by the Elasticsearch nodes. Refer to Issue node transport certificates with third-party tools for more information about the requirements as well as some examples using the cert-manager csi-driver and trust-manager projects.
Provided base_path setting in snapshot repositories configuration is always appliededit
Before ECK 2.8.0 the base_path setting was overridden by the operator in order to avoid conflicts. The value provided for this setting is now always used when provided. Refer to Specifics for snapshot repositories for more details.