Secure your environment
This documentation is still in development and may be changed or removed in a future release.
To make your environment production ready, set up secure communication between each of your Elastic resources, and keep credentials out of plain configuration by storing them in Kubernetes Secrets or the Logstash keystore.
Secure communication
Setting up TLS
Transport Layer Security (TLS) encrypts traffic between the Elastic Stack components running in Kubernetes and, with mutual verification, lets each side authenticate the other. The following example sets up mutual TLS between Filebeat and Logstash: Logstash is the server and presents server.crt, Filebeat is the client and presents client.crt, and each side validates the peer's certificate against ca.crt.
Create a Secret containing the CA certificate and the server and client certificates and keys. The server key must be in PKCS#8 format (server.pkcs8.key), which is the format the Logstash beats input expects:
    kubectl create secret generic logstash-beats-tls --from-file=ca.crt --from-file=client.crt --from-file=client.key --from-file=server.crt --from-file=server.pkcs8.key
On Logstash, configure the server certificate and key in the pipeline's beats input, and require a client certificate with ssl_verify_mode => "force_peer":
    input {
      beats {
        port => "5044"
        ssl => true
        # CA used to validate the client certificate presented by Filebeat
        ssl_certificate_authorities => ["/usr/share/logstash/config/ca.crt"]
        # Server certificate and PKCS#8 private key presented to Filebeat
        ssl_certificate => "/usr/share/logstash/config/server.crt"
        ssl_key => "/usr/share/logstash/config/server.pkcs8.key"
        # Reject any client that does not present a certificate signed by the CA above
        ssl_verify_mode => "force_peer"
      }
    }
Mount the files from the Secret you just created into the Logstash Deployment:
        volumeMounts:
          - name: logstash-beats-tls
            mountPath: /usr/share/logstash/config/ca.crt
            subPath: ca.crt
          - name: logstash-beats-tls
            mountPath: /usr/share/logstash/config/server.pkcs8.key
            subPath: server.pkcs8.key
          - name: logstash-beats-tls
            mountPath: /usr/share/logstash/config/server.crt
            subPath: server.crt
      volumes:
        - name: logstash-beats-tls
          secret:
            secretName: logstash-beats-tls
On Filebeat, configure the client certificate and key, and mount them from the same Secret:
    apiVersion: beat.k8s.elastic.co/v1beta1
    kind: Beat
    metadata:
      name: demo
    spec:
      type: filebeat
      config:
        output.logstash:
          ssl.certificate_authorities: ["/usr/share/filebeat/ca.crt"]
          ssl.certificate: "/usr/share/filebeat/client.crt"
          ssl.key: "/usr/share/filebeat/client.key"
          (...)
      deployment:
        podTemplate:
          spec:
            containers:
              - name: filebeat
                volumeMounts:
                  - name: logstash-beats-tls
                    mountPath: /usr/share/filebeat/ca.crt
                    subPath: ca.crt
                  - name: logstash-beats-tls
                    mountPath: /usr/share/filebeat/client.key
                    subPath: client.key
                  - name: logstash-beats-tls
                    mountPath: /usr/share/filebeat/client.crt
                    subPath: client.crt
            volumes:
              - name: logstash-beats-tls
                secret:
                  secretName: logstash-beats-tls
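The steps above assume you already have ca.crt, the server and client certificates, and a PKCS#8 server key. The script below is an added example, not part of the Elastic documentation: it generates a private CA, a server certificate for Logstash with its key converted to PKCS#8, and a client certificate for Filebeat, checks that both leaf certificates chain to the CA, and prints the kubectl command from the step above. The CA name, the CN values and the DNS SANs (logstash, logstash.default.svc) are assumptions; replace the SANs with the Service name Filebeat actually connects to.

```shell
#!/bin/sh
# Added example (not from the Elastic docs): build and check a small private PKI
# for the Filebeat -> Logstash mutual TLS setup before creating the
# logstash-beats-tls Secret. CN values and DNS SANs below are assumptions.
set -eu

# Issue a leaf certificate signed by the CA in DIR.
# Usage: issue DIR NAME SUBJECT EXTENSION_LINE...
issue() {
  dir=$1; name=$2; subj=$3; shift 3
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
  printf '%s\n' "$@" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Create ca.crt, server.crt/server.pkcs8.key and client.crt/client.key in DIR.
gen_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=logstash-beats-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server cert: the SANs must match the host Filebeat connects to (assumed names).
  issue "$dir" server "/CN=logstash" \
    "subjectAltName=DNS:logstash,DNS:logstash.default.svc" "extendedKeyUsage=serverAuth"
  # Client cert for Filebeat; force_peer on the Logstash side requires one.
  issue "$dir" client "/CN=filebeat" "extendedKeyUsage=clientAuth"
  # The Logstash beats input expects its private key in PKCS#8 format.
  openssl pkcs8 -topk8 -nocrypt -in "$dir/server.key" -out "$dir/server.pkcs8.key"
}

# Report the PEM container format of a private key file: pkcs8, pkcs1 or unknown.
key_format() {
  if grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
  elif grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
  else echo unknown; fi
}

# Succeed only if CERT chains to CAFILE (exit status is that of openssl verify).
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Both leaf certificates must validate against ca.crt or the handshake fails.
verify_chain() {
  verify_cert "$1/ca.crt" "$1/server.crt" && verify_cert "$1/ca.crt" "$1/client.crt"
}

# Print the kubectl command that turns DIR into the Secret used on this page
# (kubectl uses each file's basename as the Secret key).
secret_command() {
  echo "kubectl create secret generic logstash-beats-tls" \
    "--from-file=$1/ca.crt --from-file=$1/client.crt --from-file=$1/client.key" \
    "--from-file=$1/server.crt --from-file=$1/server.pkcs8.key"
}

main() {
  gen_pki "$1"
  verify_chain "$1" || { echo "chain verification failed" >&2; exit 1; }
  echo "server key format: $(key_format "$1/server.pkcs8.key")"
  secret_command "$1"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as sh make-beats-tls.sh ./beats-tls and then execute the printed kubectl command. Once Logstash is running, you can exercise the mutual handshake from a pod that has the client files with openssl s_client -connect <logstash-service>:5044 -CAfile ca.crt -cert client.crt -key client.key; because the input uses force_peer, the same command without -cert and -key is rejected by the server.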
Securing connection to Elasticsearch on ECK
Authentication
ECK creates a user for every Elastic resource. To access such a resource, for example Elasticsearch, Logstash needs that user's username and password.
ECK stores the credentials of the built-in elastic user in a Secret named <cluster-name>-es-elastic-user; the key under Data is the username. For a cluster named demo you can check it with:
    > kubectl describe secret demo-es-elastic-user
    Name:         demo-es-elastic-user
    Namespace:    default
    Labels:       common.k8s.elastic.co/type=elasticsearch
                  eck.k8s.elastic.co/credentials=true
                  eck.k8s.elastic.co/owner-kind=Elasticsearch
                  eck.k8s.elastic.co/owner-name=demo
                  eck.k8s.elastic.co/owner-namespace=default
                  elasticsearch.k8s.elastic.co/cluster-name=demo
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    elastic:  24 bytes
To get the password, reference the Secret with secretKeyRef and pass it to the container as an environment variable in the Deployment, so the password never appears in the pipeline configuration:
    spec:
      containers:
        - name: logstash
          env:
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-es-elastic-user
                  key: elastic
Using a self-signed certificate
If the Elasticsearch HTTP certificate is issued by a well-known CA, you can skip this section. Otherwise, mount the CA certificate from the demo-es-http-certs-public Secret that ECK creates for the cluster, and reference the mounted path (/usr/share/logstash/config/es_ca.crt below) in the CA setting of the Logstash elasticsearch output. Do not disable certificate verification instead: that leaves the connection open to interception.
        volumeMounts:
          - name: es-certs
            mountPath: /usr/share/logstash/config/es_ca.crt
            subPath: ca.crt
      volumes:
        - name: es-certs
          secret:
            secretName: demo-es-http-certs-public
Using secrets
This is for illustration purposes. In production, manage Kubernetes Secrets according to recognized good practices to protect sensitive information.
To store sensitive information such as a password, use a Kubernetes Secret and reference it as a container environment variable.
Encode the confidential data with Base64 (the -n keeps echo from appending a newline, which would become part of the password):
    echo -n "changeme" | base64
Base64 is an encoding, not encryption: anyone who can read the Secret object can recover the value, so restrict read access to Secrets with RBAC.
Create a Secret holding the encoded value:
    apiVersion: v1
    kind: Secret
    metadata:
      name: logstash-secret
    type: Opaque
    data:
      ES_PW: Y2hhbmdlbWU=
Reference the confidential data in the Deployment:
    spec:
      containers:
        - name: logstash
          env:
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: logstash-secret
                  key: ES_PW
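The manual Base64 step above is where mistakes creep in: an unintended trailing newline or a line-wrapped value produces a password that never matches. The script below is an added example, not part of the Elastic documentation: it builds the logstash-secret manifest from the section above with a portable, newline-safe encoding step, and reads the value back out to show that Base64 hides nothing from anyone who can read the object. The Secret name and key (logstash-secret, ES_PW) follow the page; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the Elastic docs): generate the logstash-secret manifest
# with a safe Base64 step, then decode it again to show Base64 is not encryption.
set -eu

# Base64-encode a string with no trailing newline and no line wrapping.
# (`echo` may append a newline and GNU `base64` wraps at 76 columns; either
# one silently corrupts a password.)
b64() {
  printf '%s' "$1" | openssl base64 -A
}

# Decode a Base64 value: exactly what anyone with `get secret` access can do.
b64_decode() {
  printf '%s' "$1" | openssl base64 -A -d
}

# Emit a Secret manifest for NAME with a single key KEY holding VALUE.
secret_manifest() {
  name=$1; key=$2; value=$3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$(b64 "$value")"
}

# Read KEY out of a manifest supplied on stdin and decode it.
secret_value() {
  key=$1
  sed -n "s/^  $key: //p" | { read -r enc; b64_decode "$enc"; }
}

# Demo with a constructed value (the page's changeme password).
if [ $# -gt 0 ]; then
  secret_manifest logstash-secret ES_PW "$1"
  printf 'decoded ES_PW: '
  secret_manifest logstash-secret ES_PW "$1" | secret_value ES_PW
  echo
fi
```

Run it as sh make-secret.sh changeme and pipe the manifest into kubectl apply -f -. If you would rather skip the encoding step entirely, Kubernetes also accepts a stringData field that takes the plain value and encodes it on the server side; the stored object is still only Base64, so the access-control caveat above applies either way.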
Using the Logstash keystore
Logstash can reference a key in its keystore in place of the confidential value when configuring sensitive settings, so the secret itself never appears in the pipeline configuration.
To create a Secret from an existing keystore file logstash.keystore (the --dry-run=client -o yaml flags print the manifest instead of creating the object; drop them to create it directly):
    kubectl create secret generic logstash-keystore --from-file=logstash.keystore --dry-run=client -o yaml
Mount the Secret into the Logstash config directory in the Deployment, and supply the keystore password through the LOGSTASH_KEYSTORE_PASS environment variable. Here it is read from the logstash-secret Secret, which must therefore also contain a LOGSTASH_KEYSTORE_PASS key:
    apiVersion: apps/v1
    kind: Deployment
    (...)
    spec:
      containers:
        - name: logstash
          env:
            - name: LOGSTASH_KEYSTORE_PASS
              valueFrom:
                secretKeyRef:
                  name: logstash-secret
                  key: LOGSTASH_KEYSTORE_PASS
          (...)
          volumeMounts:
            - name: logstash-keystore
              mountPath: /usr/share/logstash/config/logstash.keystore
              subPath: logstash.keystore
      volumes:
        - name: logstash-keystore
          secret:
            secretName: logstash-keystore