Elastic Cloud on Kubernetes managed credentials
ECK
When deploying an Elastic Stack application, the operator generates a set of credentials essential for the operation of that application. For example, these generated credentials include the default elastic user for Elasticsearch and the security token for APM Server.
To list all auto-generated credentials in a namespace, run the following command:
kubectl get secret -l eck.k8s.elastic.co/credentials=true
When the Elasticsearch resource is created, a default user named elastic is created automatically, and is assigned the superuser role.
Its password can be retrieved in a Kubernetes secret, whose name is based on the Elasticsearch resource name: <elasticsearch-name>-es-elastic-user.
For example, the password of the elastic user for an Elasticsearch cluster named quickstart can be retrieved with:
kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}'
If your prefer to manage all users via SSO, for example using SAML Authentication or OpenID Connect, you can disable the default elastic superuser by setting the auth.disableElasticUser field in the Elasticsearch resource to true:
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: elasticsearch-sample
spec:
version: 9.1.2
auth:
disableElasticUser: true
nodeSets:
- name: default
count: 1
You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the elastic user from the quickstart example, use the following command:
kubectl delete secret quickstart-es-elastic-user
If you are using the elastic user credentials in your own applications, they will fail to connect to Elasticsearch and Kibana after you run this command. It is not recommended to use elastic user credentials for production use cases. Always create your own users with restricted roles to access Elasticsearch.
To regenerate all auto-generated credentials in a namespace, run the following command:
kubectl delete secret -l eck.k8s.elastic.co/credentials=true
This command regenerates auto-generated credentials of all Elastic Stack applications in the namespace.
Elastic Cloud on Kubernetes provides functionality to facilitate custom user creation through various authentication realms. You can create users using the native realm, file realm, or external authentication methods.
ECK supports creating users through Kubernetes secrets referenced in the Elasticsearch resource. These secrets can contain either file realm content or standard authentication credentials with a username and password.
For more information, refer to File-based user authentication > Add users, and check the ECK examples.
You can create custom users in the Elasticsearch native realm using Elasticsearch user management APIs or Kibana.
Refer to Native user authentication for more details.
You can also configure external authentication realms such as LDAP, OpenID Connect, or SAML in your ECK deployments by providing the appropriate Elasticsearch or Kibana configuration settings and any required certificates or configuration files.
For more information, refer to External authentication.
ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in Kibana.
Refer to Managing custom roles for details and ECK based examples.