2.8.0 release highlights
edit2.8.0 release highlights
editThis release includes a hardened default security context for Elasticsearch containers. It is highly recommended to test against a staging environment before deploying to production.
New and notable
editNew and notable changes in version 2.8.0 of Elastic Cloud on Kubernetes. Check Elastic Cloud on Kubernetes version 2.8.0 for the full list of changes.
Logstash support
editECK 2.8.0 includes a technical preview for Logstash support, introducing a new Custom Resource Definition (CRD) and controller to easily deploy and orchestrate Logstash on Kubernetes. The technical preview includes support for defining pipelines (with dynamic individual pipeline reload), integrating with Elasticsearch instances, and stack monitoring configuration from within the CRD.
Refer to the Quickstart for more information.
Hardened Security Context for Elasticsearch container
editThe default SecurityContext
of the Elasticsearch containers has been hardened, it includes the following specification by default:
securityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true
For Elasticsearch versions above 8.0.0
the container’s SecurityContext
also include the following capabilities settings:
securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true
Starting with Elasticsearch 8.8.0
, runAsNonRoot
is also set to true
:
securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true
Using custom certificates on the transport layer
editIt is now possible to fully delegate the generation of the transport certificates used by the Elasticsearch nodes. Refer to Issue node transport certificates with third-party tools for more information about the requirements as well as some examples using the cert-manager csi-driver and trust-manager projects.
Provided base_path setting in snapshot repositories configuration is always applied
editBefore ECK 2.8.0 the base_path
setting was overridden by the operator in order to avoid conflicts. The value provided for this setting is now always used when provided. Refer to Specifics for snapshot repositories for more details.