

Overview


Kublr runs a regular open source Elastic stack as part of the platform for log collection and management.


By default Elasticsearch is configured with a Basic license and SearchGuard plugin for security and access control.


You can also enable a number of additional features in the Elastic stack that are available with either a Basic or a commercial license.


Enable XPack and XPack Features


XPack is enabled by adding the spec.features.logging.values.elasticsearch.xpackEnabled: true property to the Kublr cluster specification.


Additional XPack features that may be enabled separately include Machine Learning, Monitoring, Watchers, and Security.

XPack features may be enabled individually via the following settings in the cluster specification.


For these features to work, either a trial license should be enabled in Elasticsearch, or a commercial license applied.


Important Notes:

  1. These instructions are for Kublr 1.20.2 and higher;
    see the section at the end of this article for enabling XPack and XPack features in pre-1.20.2 Kublr versions.
  2. For some XPack features to work, either a trial license should be enabled in Elasticsearch, or a commercial license applied. See the Elastic stack XPack documentation for more information.
  3. Re-configuring the Elastic stack requires restarting the Elastic stack nodes and may cause downtime and/or degraded performance.
  4. XPack Security CANNOT be enabled when SearchGuard is active.
  5. XPack Security is NOT supported for the Kublr Control Plane.
  6. SearchGuard SHOULD NOT be disabled for the Kublr Control Plane.


spec:
  features:
    logging:
      values:
        elasticsearch:
          enabled: true
          xpackEnabled: true
          cluster:
            env:
              XPACK_ML_ENABLED: true
              XPACK_MONITORING_ENABLED: true
              XPACK_WATCHER_ENABLED: true
              # Note that XPack Security and SearchGuard should not be enabled at the same time
              # XPACK_SECURITY_ENABLED: true


Disable SearchGuard


Important Note: disabling SearchGuard is not recommended and is not necessary in most situations.

In most cases SearchGuard should not be disabled on production systems.


The SearchGuard plugin provides Elastic stack security and space/cluster based access control in Kublr deployments.


The SearchGuard plugin can be disabled by setting the spec.features.logging.values.searchguard.enabled: false property in the Kublr cluster spec.


While disabling SearchGuard is possible, it is not recommended for the Kublr Control Plane. Without the SearchGuard plugin, all clusters' logs will be equally accessible to all users.


The XPack Security feature may be enabled instead, but index access management will still have to be manual.


Kublr can only automatically manage access to indices collected from different clusters using SearchGuard.


spec:
  features:
    logging:
      values:
        searchguard:
          enabled: false
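
The combinations ruled out in the Important Notes (items 4 to 6) and in this section can be checked before a spec is applied. The following is an added example, not Kublr code: it lints an already-parsed cluster spec, and the function name lint_logging_spec, the is_control_plane argument, the finding labels, and the assumption that XPack Security is off unless XPACK_SECURITY_ENABLED is set are all hypothetical.

```python
# Added example (not Kublr code): lint the logging section of a parsed cluster spec.

def _get(node, path, default=None):
    """Walk a dotted path through nested dicts, returning default if absent."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def _on(value):
    # Accept YAML booleans as well as "true"/"false" strings in env values.
    return str(value).strip().lower() == "true"

def lint_logging_spec(spec, is_control_plane=False):
    """Return finding labels (hypothetical names) for combinations the page warns about."""
    values = _get(spec, "spec.features.logging.values", {}) or {}
    # SearchGuard is active by default per the page.
    sg_on = _on(_get(values, "searchguard.enabled", True))
    # Assumption: XPack Security is off unless the env variable is set.
    xsec_on = _on(_get(values, "elasticsearch.cluster.env.XPACK_SECURITY_ENABLED", False))
    findings = []
    if sg_on and xsec_on:
        findings.append("XPACK_SECURITY_WITH_SEARCHGUARD")        # note 4
    if is_control_plane and xsec_on:
        findings.append("XPACK_SECURITY_ON_CONTROL_PLANE")        # note 5
    if is_control_plane and not sg_on:
        findings.append("SEARCHGUARD_DISABLED_ON_CONTROL_PLANE")  # note 6
    if not sg_on and not xsec_on:
        # Neither plugin is active: all cluster logs are open to all users.
        findings.append("NO_ACCESS_CONTROL_PLUGIN")
    return findings

# Constructed sample: the XPack spec above with XPACK_SECURITY_ENABLED uncommented.
BOTH_ON = {"spec": {"features": {"logging": {"values": {"elasticsearch": {
    "enabled": True, "xpackEnabled": True,
    "cluster": {"env": {"XPACK_ML_ENABLED": True, "XPACK_SECURITY_ENABLED": True}}}}}}}}
# Constructed sample: SearchGuard disabled and nothing enabled in its place.
SG_OFF = {"spec": {"features": {"logging": {"values": {"searchguard": {"enabled": False}}}}}}

if __name__ == "__main__":
    print(lint_logging_spec(BOTH_ON))
    print(lint_logging_spec(SG_OFF, is_control_plane=True))
```

The function takes the spec as a nested dict, so the YAML has to be loaded by the caller first.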


XPack and SearchGuard in Kublr versions before 1.20.2


In pre-1.20.2 Kublr versions, more customization was required to enable and disable SearchGuard and XPack.


XPack enable switch


In previous versions of Kublr, the xpackIncluded property in the cluster section was used instead of the xpackEnabled property in the elasticsearch section:


spec:
  features:
    logging:
      values:
        elasticsearch:
          enabled: true
          cluster:
            xpackIncluded: true


Docker images


Running with different combinations of the XPack and SearchGuard plugins requires using different images for the ES stack.

As image selection was not yet automated in pre-1.20.2 Kublr versions, the following additional properties should be specified for non-default XPack and SearchGuard combinations:


Both SearchGuard and XPack enabled


spec:
  features:
    logging:
      values:
        # searchguard - yes, xpack - yes
        searchguard:
          elasticsearch:
            image:
              name: kublr/elasticsearch-sg
          kibana:
            image:
              name: kublr/kibana-sg


XPack is enabled and SearchGuard is disabled


spec:
  features:
    logging:
      values:
        # searchguard - no, xpack - yes
        elasticsearch:
          image:
            name: elasticsearch/elasticsearch
        kibana:
          image:
            name: kibana/kibana
        logstash:
          image:
            name: logstash/logstash


Additional SearchGuard Permissions


When both SearchGuard and XPack are enabled, and the XPack Watchers or Monitoring features are enabled, it may be necessary to add the following role mappings to sg_role_mappings.yml as described in the Kublr SearchGuard Roles Customization document.


SGS_XP_ALERTING:
  backend_roles:
    - "admin"
SGS_XP_MONITORING:
  backend_roles:
    - "admin"