Deploying ECK on OpenShift

This page shows how to run ECK on OpenShift.

Only Elasticsearch and Kibana are compatible with the restricted Security Context Constraint. To run the APM Server on OpenShift you must allow the Pod to run with the anyuid SCC, as described in Deploy an APM Server instance with a route.

Before you begin

  1. To run the instructions on this page, you must be a system:admin user or a user with the privileges to create Projects, CRDs, and RBAC resources at the cluster level.
  2. Set virtual memory settings on the Kubernetes nodes.

    Before deploying an Elasticsearch cluster with ECK, make sure that the Kubernetes nodes in your cluster have the correct vm.max_map_count sysctl setting applied. By default, Pods created by ECK are likely to run with the restricted Security Context Constraint (SCC), which denies the privileged access required to change this setting on the underlying Kubernetes nodes.

    Alternatively, you can opt for setting node.store.allow_mmap: false at the Elasticsearch node configuration level, but note that this has performance implications and is not recommended for production workloads.

    For more information, see: Virtual memory.
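Because the restricted SCC prevents the Elasticsearch Pod from raising vm.max_map_count itself, it is worth verifying the node setting before the first cluster is created rather than discovering a failed bootstrap check afterwards. The following script is an added example, not part of the ECK documentation: it assumes you can open a debug Pod on each node (oc debug node/<name>, which needs cluster-admin) and that the node filesystem is mounted under /host in that Pod. The threshold 262144 is the value Elasticsearch's bootstrap check requires.

```shell
#!/bin/sh
# Added example: report every node whose vm.max_map_count is below the
# value Elasticsearch's bootstrap check requires.

MIN_MAX_MAP_COUNT=262144   # minimum required by Elasticsearch (assumption: unchanged default)

# check_node_values: read "<node> <value>" lines on stdin and print one verdict
# per node. Returns 0 when every node meets the minimum, 1 otherwise.
check_node_values() {
  bad=0
  while read -r node value; do
    [ -z "$node" ] && continue
    case "$value" in
      ''|*[!0-9]*)
        # Empty or non-numeric: the debug Pod probably failed on that node.
        echo "WARN $node: unreadable value '$value'"
        bad=1
        continue ;;
    esac
    if [ "$value" -lt "$MIN_MAX_MAP_COUNT" ]; then
      echo "FAIL $node: vm.max_map_count=$value (< $MIN_MAX_MAP_COUNT)"
      bad=1
    else
      echo "OK   $node: vm.max_map_count=$value"
    fi
  done
  return $bad
}

# collect_node_values: query each node through a debug Pod and print
# "<node> <value>" lines for check_node_values. Informational messages from
# oc debug go to stderr and are discarded.
collect_node_values() {
  for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    value=$(oc debug "node/$node" -- chroot /host sysctl -n vm.max_map_count 2>/dev/null)
    echo "$node $value"
  done
}

# Run against the live cluster only when the oc client is available.
if command -v oc >/dev/null 2>&1; then
  collect_node_values | check_node_values
fi
```

The check is split into a collector and a validator so the validator can be exercised on captured output (for example, a saved "node value" list) without cluster access; a non-zero exit makes it usable as a gate in a pre-deployment pipeline.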

Deploy the operator

  1. Apply the all-in-one template, as described in the quickstart.

    oc apply -f https://download.elastic.co/downloads/eck/1.0.1/all-in-one.yaml
  2. [Optional] If the Software Defined Network is configured with the ovs-multitenant plug-in, you must allow the elastic-system namespace to access other Pods and Services in the cluster:

    oc adm pod-network make-projects-global elastic-system
  3. Create a namespace to hold the Elastic resources (Elasticsearch, Kibana):

    oc new-project elastic # creates the elastic project

    By default, the operator watches and creates resources in the default namespace only. Patch the operator so that it manages resources in another namespace:

    kubectl patch statefulset/elastic-operator \
      -n elastic-system \
      --type='json' \
      --patch '[{"op":"add","path":"/spec/template/spec/containers/0/env/-","value": {"name": "NAMESPACE", "value": "elastic"}}]'

    Replace elastic in the examples above with the name of the namespace in which you want to deploy your resources.

  4. [Optional] Allow another user or a group of users to manage the Elastic resources:

    oc adm policy add-role-to-user elastic-operator developer -n elastic

    In the example above the user developer is allowed to manage Elastic resources in the namespace elastic.

Deploy an Elasticsearch instance with a route

Use the following code to create an Elasticsearch cluster elasticsearch-sample and a "passthrough" route to access it:

cat <<EOF | oc apply -n elastic -f -
# This sample sets up an Elasticsearch cluster with an OpenShift route
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.17.0
  nodeSets:
  - name: default
    count: 1
    config:
      node.roles: ["master", "data", "ingest"] # the legacy node.master/node.data/node.ingest settings were removed in Elasticsearch 8.0
      node.store.allow_mmap: false
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: elasticsearch-sample
spec:
  #host: elasticsearch.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
  tls:
    termination: passthrough # Elasticsearch is the TLS endpoint
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: elasticsearch-sample-es-http
EOF

Deploy a Kibana instance with a route

Use the following code to create a Kibana instance and a "passthrough" route to access it:

cat <<EOF | oc apply -n elastic -f -
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.17.0
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  podTemplate:
    spec:
      containers:
      - name: kibana
        resources:
          limits:
            memory: 1Gi
            cpu: 1
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: kibana-sample
spec:
  #host: kibana.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
  tls:
    termination: passthrough # Kibana is the TLS endpoint
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: kibana-sample-kb-http
EOF

Use the following command to get the hosts of each Route:

oc get route -n elastic

Deploy an APM Server instance with a route

It is currently not possible to run the APM Server with the restricted SCC. A possible workaround is to allow the Pod to run with its default uid 1000 by assigning its service account to the anyuid SCC:

  1. Create a service account to run the APM Server

    oc create serviceaccount apm-server -n elastic
  2. Add the APM service account to the anyuid SCC

    oc adm policy add-scc-to-user anyuid -z apm-server -n elastic
    scc "anyuid" added to: ["system:serviceaccount:elastic:apm-server"]
  3. Deploy an APM Server and a route with the following manifest

    cat <<EOF | oc apply -n elastic -f -
    apiVersion: apm.k8s.elastic.co/v1
    kind: ApmServer
    metadata:
      name: apm-server-sample
    spec:
      version: 8.17.0
      count: 1
      elasticsearchRef:
        name: "elasticsearch-sample"
      podTemplate:
        spec:
          serviceAccountName: apm-server
    ---
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: apm-server-sample
    spec:
      #host: apm-server.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
      tls:
        termination: passthrough # the APM Server is the TLS endpoint
        insecureEdgeTerminationPolicy: Redirect
      to:
        kind: Service
        name: apm-server-sample-apm-http
    EOF

    To check that the Pod of the APM Server is using the correct SCC, use the following command:

    oc get pod -o go-template='{{range .items}}{{$scc := index .metadata.annotations "openshift.io/scc"}}{{.metadata.name}}{{" scc:"}}{{range .spec.containers}}{{$scc}}{{" "}}{{"\n"}}{{end}}{{end}}'
    apm-server-sample-apm-server-86bfc5c95c-96lbx scc:anyuid
    elasticsearch-sample-es-5tsqghmm79 scc:restricted
    elasticsearch-sample-es-6qk52mz5jk scc:restricted
    elasticsearch-sample-es-dg4vvpm2mr scc:restricted
    kibana-sample-kb-97c6b6b8d-lqfd2 scc:restricted

Elasticsearch plugins

Note that Elasticsearch plugins cannot be installed at runtime in most OpenShift environments, because the plugin installer must run as root while the SCC prevents Elasticsearch from running as root. To add plugins to Elasticsearch, build a custom image as described in Creating custom images.