This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Prerequisites
editPrerequisites
editTo set up the network policies correctly you must know the operator Pod selector and the Kubernetes API server IP. They may vary depending on your environment and how the operator has been installed.
Operator Pod selector
editThe operator Pod label depends on how the operator has been installed. Check the following table to know which label name is used in the network policies.
| Installation method | Pod selector |
|---|---|
YAML manifests |
|
Helm Charts |
|
The examples in this section assume that the ECK operator has been installed using the Helm chart.
Kubernetes API server IP
editRun kubectl get endpoints kubernetes -n default to obtain the API server IP address for your cluster.
The following examples assume that the Kubernetes API server IP address is 10.0.0.1.
Isolating the operator
editThe minimal set of permissions required are as follows:
Egress (outgoing) |
|
Ingress (incoming) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: elastic-operator
namespace: elastic-system
spec:
egress:
- ports:
- port: 53
protocol: UDP
- ports:
- port: 443
protocol: TCP
to:
- ipBlock:
cidr: 10.0.0.1/32
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchExpressions:
- key: eck.k8s.elastic.co/tenant
operator: In
values:
- team-a
- team-b
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
ingress:
- from:
- ipBlock:
cidr: 10.0.0.1/32
ports:
- port: 9443
protocol: TCP
podSelector:
matchLabels:
app.kubernetes.io/name: elastic-operator
Isolating Elasticsearch
editEgress (outgoing) |
|
Ingress (incoming) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-elasticsearch
namespace: team-a
spec:
egress:
- ports:
- port: 9300
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
- ports:
- port: 53
protocol: UDP
ingress:
- from:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/operator-name: elastic-operator
podSelector:
matchLabels:
app.kubernetes.io/name: elastic-operator
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
# [Optional] Allow ingress controller pods from the ingress-nginx namespace.
#- namespaceSelector:
# matchLabels:
# name: ingress-nginx
ports:
- port: 9200
protocol: TCP
- from:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
ports:
- port: 9300
protocol: TCP
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
Isolating Kibana
editEgress (outgoing) |
|
Ingress (incoming) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-kibana
namespace: team-a
spec:
egress:
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
# [Optional] Restrict to a single Elasticsearch cluster named hulk.
# elasticsearch.k8s.elastic.co/cluster-name=hulk
- ports:
- port: 53
protocol: UDP
# [Optional] If Agent is deployed, this is to allow Kibana to access the Elastic Package Registry (https://epr.elastic.co).
# - port: 443
# protocol: TCP
ingress:
- from:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
# [Optional] Allow ingress controller pods from the ingress-nginx namespace.
#- namespaceSelector:
# matchLabels:
# name: ingress-nginx
ports:
- port: 5601
protocol: TCP
podSelector:
matchLabels:
common.k8s.elastic.co/type: kibana
Isolating APM Server
editEgress (outgoing) |
|
Ingress (incoming) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-apm-server
namespace: team-a
spec:
egress:
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
- ports:
- port: 5601
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: kibana
- ports:
- port: 53
protocol: UDP
ingress:
- from:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
# [Optional] Allow ingress controller pods from the ingress-nginx namespace.
#- namespaceSelector:
# matchLabels:
# name: ingress-nginx
ports:
- port: 8200
protocol: TCP
podSelector:
matchLabels:
common.k8s.elastic.co/type: apm-server
Isolating Enterprise Search
editEgress (outgoing) |
|
Ingress (incoming) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-enterprise-search
namespace: team-a
spec:
egress:
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
- ports:
- port: 53
protocol: UDP
ingress:
- from:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
# [Optional] Allow ingress controller pods from the ingress-nginx namespace.
#- namespaceSelector:
# matchLabels:
# name: ingress-nginx
ports:
- port: 3002
protocol: TCP
podSelector:
matchLabels:
common.k8s.elastic.co/type: enterprise-search
Isolating Beats
editSome Beats may require additional access rules than what is listed here. For example, Heartbeat will require a rule to allow access to the endpoint it is monitoring.
Egress (outgoing) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-beats
namespace: team-a
spec:
egress:
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
- ports:
- port: 5601
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: kibana
- ports:
- port: 53
protocol: UDP
podSelector:
matchLabels:
common.k8s.elastic.co/type: beat
Isolating Elastic Agent and Fleet
editSome Elastic Agent policies may require additional access rules other than those listed here.
Egress (outgoing) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-agent
namespace: team-a
spec:
egress:
- ports:
- port: 8220
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: agent
- ports:
- port: 5601
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: kibana
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
- ports:
- port: 53
protocol: UDP
- ports:
- port: 443
protocol: TCP
to:
- ipBlock:
cidr: 10.0.0.1/32
ingress:
- from:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
ports:
- port: 8220
protocol: TCP
podSelector:
matchLabels:
common.k8s.elastic.co/type: agent
Isolating Logstash
editLogstash may require additional access rules than those listed here, depending on plugin usage.
Egress (outgoing) |
|
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: eck-logstash
namespace: team-a
spec:
egress:
- ports:
- port: 9200
protocol: TCP
to:
- namespaceSelector:
matchLabels:
eck.k8s.elastic.co/tenant: team-a
podSelector:
matchLabels:
common.k8s.elastic.co/type: elasticsearch
- ports:
- port: 53
protocol: UDP
podSelector:
matchLabels:
common.k8s.elastic.co/type: logstash