- Elastic Cloud on Kubernetes:
- Overview
- Quickstart
- Operating ECK
- Orchestrating Elastic Stack applications
- Run Elasticsearch on ECK
- Node configuration
- Volume claim templates
- Storage recommendations
- Transport settings
- Virtual memory
- Settings managed by ECK
- Secure settings
- Custom configuration files and plugins
- Init containers for plugin downloads
- Update strategy
- Pod disruption budget
- Nodes orchestration
- Advanced Elasticsearch node scheduling
- Create automated snapshots
- Remote clusters
- Readiness probe
- Pod PreStop hook
- Elasticsearch autoscaling
- JVM heap dumps
- Security Context
- Run Kibana on ECK
- Run APM Server on ECK
- Run standalone Elastic Agent on ECK
- Run Fleet-managed Elastic Agent on ECK
- Run Elastic Maps Server on ECK
- Run Enterprise Search on ECK
- Run Beats on ECK
- Run Logstash on ECK
- Elastic Stack Helm Chart
- Recipes
- Secure the Elastic Stack
- Access Elastic Stack services
- Customize Pods
- Manage compute resources
- Autoscaling stateless applications
- Elastic Stack configuration policies
- Upgrade the Elastic Stack version
- Connect to external Elastic resources
- Run Elasticsearch on ECK
- Advanced topics
- Troubleshooting ECK
- Reference
- API Reference
- agent.k8s.elastic.co/v1alpha1
- apm.k8s.elastic.co/v1
- apm.k8s.elastic.co/v1beta1
- autoscaling.k8s.elastic.co/v1alpha1
- beat.k8s.elastic.co/v1beta1
- common.k8s.elastic.co/v1
- common.k8s.elastic.co/v1alpha1
- common.k8s.elastic.co/v1beta1
- elasticsearch.k8s.elastic.co/v1
- elasticsearch.k8s.elastic.co/v1beta1
- enterprisesearch.k8s.elastic.co/v1
- enterprisesearch.k8s.elastic.co/v1beta1
- kibana.k8s.elastic.co/v1
- kibana.k8s.elastic.co/v1beta1
- logstash.k8s.elastic.co/v1alpha1
- maps.k8s.elastic.co/v1alpha1
- stackconfigpolicy.k8s.elastic.co/v1alpha1
- Glossary
- Third-party dependencies
- API Reference
- Release highlights
- 2.16.1 release highlights
- 2.16.0 release highlights
- 2.15.0 release highlights
- 2.14.0 release highlights
- 2.13.0 release highlights
- 2.12.1 release highlights
- 2.12.0 release highlights
- 2.11.1 release highlights
- 2.11.0 release highlights
- 2.10.0 release highlights
- 2.9.0 release highlights
- 2.8.0 release highlights
- 2.7.0 release highlights
- 2.6.2 release highlights
- 2.6.1 release highlights
- 2.6.0 release highlights
- 2.5.0 release highlights
- 2.4.0 release highlights
- 2.3.0 release highlights
- 2.2.0 release highlights
- 2.1.0 release highlights
- 2.0.0 release highlights
- 1.9.1 release highlights
- 1.9.0 release highlights
- 1.8.0 release highlights
- 1.7.1 release highlights
- 1.7.0 release highlights
- 1.6.0 release highlights
- 1.5.0 release highlights
- 1.4.1 release highlights
- 1.4.0 release highlights
- 1.3.2 release highlights
- 1.3.1 release highlights
- 1.3.0 release highlights
- 1.2.2 release highlights
- 1.2.1 release highlights
- 1.2.0 release highlights
- 1.1.2 release highlights
- 1.1.1 release highlights
- 1.1.0 release highlights
- 1.0.1 release highlights
- 1.0.0 release highlights
- 1.0.0-beta1 release highlights
- Release notes
- Elastic Cloud on Kubernetes version 2.16.1
- Elastic Cloud on Kubernetes version 2.16.0
- Elastic Cloud on Kubernetes version 2.15.0
- Elastic Cloud on Kubernetes version 2.14.0
- Elastic Cloud on Kubernetes version 2.13.0
- Elastic Cloud on Kubernetes version 2.12.1
- Elastic Cloud on Kubernetes version 2.12.0
- Elastic Cloud on Kubernetes version 2.11.1
- Elastic Cloud on Kubernetes version 2.11.0
- Elastic Cloud on Kubernetes version 2.10.0
- Elastic Cloud on Kubernetes version 2.9.0
- Elastic Cloud on Kubernetes version 2.8.0
- Elastic Cloud on Kubernetes version 2.7.0
- Elastic Cloud on Kubernetes version 2.6.2
- Elastic Cloud on Kubernetes version 2.6.1
- Elastic Cloud on Kubernetes version 2.6.0
- Elastic Cloud on Kubernetes version 2.5.0
- Elastic Cloud on Kubernetes version 2.4.0
- Elastic Cloud on Kubernetes version 2.3.0
- Elastic Cloud on Kubernetes version 2.2.0
- Elastic Cloud on Kubernetes version 2.1.0
- Elastic Cloud on Kubernetes version 2.0.0
- Elastic Cloud on Kubernetes version 1.9.1
- Elastic Cloud on Kubernetes version 1.9.0
- Elastic Cloud on Kubernetes version 1.8.0
- Elastic Cloud on Kubernetes version 1.7.1
- Elastic Cloud on Kubernetes version 1.7.0
- Elastic Cloud on Kubernetes version 1.6.0
- Elastic Cloud on Kubernetes version 1.5.0
- Elastic Cloud on Kubernetes version 1.4.1
- Elastic Cloud on Kubernetes version 1.4.0
- Elastic Cloud on Kubernetes version 1.3.2
- Elastic Cloud on Kubernetes version 1.3.1
- Elastic Cloud on Kubernetes version 1.3.0
- Elastic Cloud on Kubernetes version 1.2.2
- Elastic Cloud on Kubernetes version 1.2.1
- Elastic Cloud on Kubernetes version 1.2.0
- Elastic Cloud on Kubernetes version 1.1.2
- Elastic Cloud on Kubernetes version 1.1.1
- Elastic Cloud on Kubernetes version 1.1.0
- Elastic Cloud on Kubernetes version 1.0.1
- Elastic Cloud on Kubernetes version 1.0.0
- Elastic Cloud on Kubernetes version 1.0.0-beta1
Security Context
editSecurity Context
editIn Kubernetes, a securityContext
defines privilege and access control settings for a Pod or Container. You can set up it through the podTemplate
section of an Elastic resource specification.
Default Elasticsearch security context
editAs of version 8.8.0, the Elasticsearch container and ECK managed sidecars and init containers are running with the following security context:
Running older versions of Elasticsearch as non-root
editwhen running on Red Hat OpenShift a random user ID is automatically assigned and the following instructions do not apply.
In versions of Elasticsearch before 8.0.0, the Elastisearch container is run as root and its entrypoint is responsible to run the Elasticsearch process with the elasticsearch
user (defined with ID 1000). In the background, ECK uses an initContainer
to make sure that the data volume is writable for the elasticsearch
user.
To run the Elastisearch container as a non-root user, you need to configure the Elasticsearch manifest with an appropriate security context to make the data volume writable to the elasticsearch
user by specifying the right group ID through the fsGroup
.
Kubernetes recursively changes ownership and permissions for the contents of each volume to match the fsGroup
specified in a Pod’s securityContext when that volume is mounted and makes all processes of the containers part of the supplementary group ID.
For example, if you force the Pod to run as user 1234
, you need to set fsGroup
accordingly to 1234
:
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now