2.8.0 release highlights

edit

This release includes a hardened default security context for Elasticsearch containers. It is highly recommended to test against a staging environment before deploying to production.

New and notable

edit

New and notable changes in version 2.8.0 of Elastic Cloud on Kubernetes. Check Elastic Cloud on Kubernetes version 2.8.0 for the full list of changes.

Logstash support

edit

ECK 2.8.0 includes a technical preview for Logstash support, introducing a new Custom Resource Definition (CRD) and controller to easily deploy and orchestrate Logstash on Kubernetes. The technical preview includes support for defining pipelines (with dynamic individual pipeline reload), integrating with Elasticsearch instances, and stack monitoring configuration from within the CRD.

Refer to the Quickstart for more information.

Hardened Security Context for Elasticsearch container

edit

The default SecurityContext of the Elasticsearch containers has been hardened, it includes the following specification by default:

securityContext:
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true

For Elasticsearch versions above 8.0.0 the container’s SecurityContext also include the following capabilities settings:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: true

Starting with Elasticsearch 8.8.0, runAsNonRoot is also set to true:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true

Using custom certificates on the transport layer

edit

It is now possible to fully delegate the generation of the transport certificates used by the Elasticsearch nodes. Refer to Issue node transport certificates with third-party tools for more information about the requirements as well as some examples using the cert-manager csi-driver and trust-manager projects.

Provided base_path setting in snapshot repositories configuration is always applied

edit

Before ECK 2.8.0 the base_path setting was overridden by the operator in order to avoid conflicts. The value provided for this setting is now always used when provided. Refer to Specifics for snapshot repositories for more details.