Running Kibana on ECK

edit

The quickstart is a good starting point to quickly setup a Kibana instance with ECK. The following sections describe how to customize a Kibana deployment to suit your requirements.

Use an Elasticsearch cluster managed by ECK

edit

It is quite straightforward to connect a Kibana instance to an Elasticsearch cluster managed by ECK:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: quickstart
    namespace: default

namespace is optional if the Elasticsearch cluster is running in the same namespace as Kibana.

Any Kibana can reference (and thus access) any Elasticsearch instance as long as they both are in namespaces that are watched by the same ECK instance. ECK will copy the required Secret from Elasticsearch to Kibana namespace. If this behavior is not desired, more than one ECK instance can be deployed. Kibana won’t be able to automatically connect to Elasticsearch (through elasticsearchRef) in a namespace managed by a different ECK instance.

The Kibana configuration file is automatically setup by ECK to establish a secure connection to Elasticsearch.

Connect to an Elasticsearch cluster not managed by ECK

edit

It is also possible to configure Kibana to connect to an Elasticsearch cluster that is being managed by a different installation of ECK or running outside the Kubernetes cluster. In this case, you need to know the IP address or URL of the Elasticsearch cluster and a valid username and password pair to access the cluster.

Use the secure settings mechanism to securely store the credentials of the external Elasticsearch cluster:

kubectl create secret generic kibana-elasticsearch-credentials --from-literal=elasticsearch.password=$PASSWORD
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.16.1
  count: 1
  config:
    elasticsearch.hosts:
      - https://elasticsearch.example.com:9200
    elasticsearch.username: elastic
  secureSettings:
    - secretName: kibana-elasticsearch-credentials

If the external Elasticsearch cluster is using a self-signed certificate, create a Kubernetes secret containing the CA certificate and mount it to the Kibana container as follows:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.16.1
  count: 1
  config:
    elasticsearch.hosts:
      - https://elasticsearch-sample-es-http:9200
    elasticsearch.username: elastic
    elasticsearch.ssl.certificateAuthorities: /etc/certs/ca.crt
  secureSettings:
    - secretName: kibana-elasticsearch-credentials
  podTemplate:
    spec:
      volumes:
        - name: elasticsearch-certs
          secret:
            secretName: elasticsearch-certs-secret
      containers:
        - name: kibana
          volumeMounts:
            - name: elasticsearch-certs
              mountPath: /etc/certs
              readOnly: true

Advanced configuration

edit

If you already looked at the Elasticsearch on ECK documentation, then concepts and ideas described here might sound familiar to you. This is because the resource definitions in ECK share the same philosophy when it comes to:

  • Customizing the Pod configuration
  • Customizing the product configuration
  • Managing HTTP settings
  • Using secure settings

Pod Configuration

edit

You can define a pod template to customize the Kibana pod and override any configuration values.

The following example demonstrates how to create a Kibana deployment with custom node affinity and resource limits.

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  podTemplate:
    spec:
      containers:
      - name: kibana
        resources:
          requests:
            memory: 1Gi
            cpu: 0.5
          limits:
            memory: 2Gi
            cpu: 2
      nodeSelector:
        type: frontend

The name of the container in the pod template must be kibana.

See Set compute resources for Kibana and APM Server for more information.

Kibana Configuration

edit

You can add your own Kibana settings to the spec.config section.

The following example demonstrates how to set the elasticsearch.requestHeadersWhitelist configuration option:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  config:
     elasticsearch.requestHeadersWhitelist:
     - authorization

Scale out a Kibana deployment

edit

You may want to deploy more than one instance of Kibana. In this case all the instances must share the same encryption key.

This can be done by setting the xpack.security.encryptionKey property using a secure setting as described in the next section.

Note that while most reconfigurations of your Kibana instances will be carried out in rolling upgrade fashion, all version upgrades will cause Kibana downtime. This is due to the requirement to run only a single version of Kibana at any given time.

Secure Settings

edit

Similar to Elasticsearch, you can use Kubernetes secrets to manage secure settings for Kibana as well.

For example, you can define a custom encryption key for Kibana as follows:

  1. Create a secret containing the desired setting:

    kubectl create secret generic kibana-secret-settings \
     --from-literal=xpack.security.encryptionKey=94d2263b1ead716ae228277049f19975aff864fb4fcfe419c95123c1e90938cd
  2. Add a reference to the secret in the secureSettings section:

    apiVersion: kibana.k8s.elastic.co/v1
    kind: Kibana
    metadata:
      name: kibana-sample
    spec:
      version: 8.16.1
      count: 3
      elasticsearchRef:
        name: "elasticsearch-sample"
      secureSettings:
      - secretName: kibana-secret-settings

HTTP Configuration

edit

Load balancer settings and TLS SANs

edit

By default a ClusterIP service is created and associated with the Kibana deployment. You may want to expose Kibana externally with a load balancer. In which case you may also want to include a custom DNS name or IP in the self-generated certificate.

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  http:
    service:
      spec:
        type: LoadBalancer # default is ClusterIP
    tls:
      selfSignedCertificate:
        subjectAltNames:
        - ip: 1.2.3.4
        - dns: kibana.example.com

Provide your own certificate

edit

If you want to use your own certificate, the required configuration is identical to Elasticsearch. See: Custom HTTP certificate.

Disable TLS

edit

You can disable the generation of the self-signed certificate and hence disable TLS.

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  http:
    tls:
      selfSignedCertificate:
        disabled: true