TABLE OF CONTENTS
- Enable XPack and XPack Features
- Disable SearchGuard
- XPack and SearchGuard in Kublr versions before 1.20.2
Kublr runs a regular open source Elastic stack as part of the platform for log collection and management.
By default, Elasticsearch is configured with a Basic license and the SearchGuard plugin for security and access control.
You can also enable a number of additional Elastic stack features that are available with either the Basic license or a commercial license.
Enable XPack and XPack Features
XPack is enabled by adding the spec.features.logging.values.elasticsearch.xpackEnabled: true property to the Kublr cluster specification.
Additional XPack features that may be enabled separately include Machine Learning, Monitoring, Watchers, and Security.
XPack features may be enabled individually via the following settings in the cluster specification.
For these features to work, either a trial license should be enabled in Elasticsearch, or a commercial license applied.
- These instructions are for Kublr 1.20.2 and higher; see the section at the end of this article for enabling XPack and XPack features in pre-1.20.2 Kublr versions.
- For some XPack features to work, either a trial license should be enabled in Elasticsearch, or a commercial license applied. See the Elastic stack XPack documentation for more information.
- Re-configuring the Elastic stack requires restarting the Elastic stack nodes and may cause downtime and/or degraded performance.
- XPack Security CANNOT be enabled when SearchGuard is active.
- XPack Security is NOT supported for the Kublr Control Plane.
- SearchGuard SHOULD NOT be disabled for the Kublr Control Plane.
```yaml
spec:
  features:
    logging:
      values:
        elasticsearch:
          enabled: true
          xpackEnabled: true
          cluster:
            env:
              XPACK_ML_ENABLED: true
              XPACK_MONITORING_ENABLED: true
              XPACK_WATCHER_ENABLED: true
              # Note that XPack Security and SearchGuard should not be enabled at the same time
              # XPACK_SECURITY_ENABLED: true
```
Disable SearchGuard
Important Note: disabling SearchGuard is not recommended and is not necessary in most situations.
In most cases SearchGuard should not be disabled on production systems.
The SearchGuard plugin provides Elastic stack security and space/cluster based access control in Kublr deployments.
The SearchGuard plugin can be disabled by setting the spec.features.logging.values.searchguard.enabled: false property in the Kublr cluster spec.
While disabling SearchGuard is possible, it is not recommended for the Kublr Control Plane. Without the SearchGuard plugin, all clusters' logs will be equally accessible to all users.
The XPack Security feature may be enabled instead, but index access management will still have to be manual.
Kublr can only automatically manage access to indices collected from different clusters using SearchGuard.
```yaml
spec:
  features:
    logging:
      values:
        searchguard:
          enabled: false
```
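The restrictions listed in the two sections above can be checked before a specification is applied. The following Python function is an added example, not Kublr tooling: it takes the cluster spec already parsed into a dict and reports conflicting XPack and SearchGuard settings. The control_plane flag, the assumed defaults, and the rule that XPACK_* variables need xpackEnabled: true are assumptions of this example.

```python
# Added example, not Kublr code. Input is the cluster spec already parsed into
# a dict (for example by a YAML loader). Assumed defaults: SearchGuard enabled,
# XPack and every XPACK_* variable disabled.
FEATURE_VARS = ("XPACK_ML_ENABLED", "XPACK_MONITORING_ENABLED",
                "XPACK_WATCHER_ENABLED", "XPACK_SECURITY_ENABLED")

def _dig(node, *keys):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in keys:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def _on(value, default=False):
    """Treat YAML true and quoted "true" alike; None means 'not set'."""
    return default if value is None else str(value).strip().lower() == "true"

def lint_logging_spec(spec, control_plane=False):
    """Return (severity, message) findings; control_plane is a caller-set flag."""
    values = _dig(spec, "spec", "features", "logging", "values") or {}
    env = _dig(values, "elasticsearch", "cluster", "env") or {}
    searchguard = _on(_dig(values, "searchguard", "enabled"), default=True)
    xpack = _on(_dig(values, "elasticsearch", "xpackEnabled"))
    xpack_security = _on(env.get("XPACK_SECURITY_ENABLED"))
    findings = []
    if xpack_security and searchguard:
        findings.append(("error", "XPack Security enabled while SearchGuard is active"))
    if control_plane and xpack_security:
        findings.append(("error", "XPack Security is not supported for the Control Plane"))
    if control_plane and not searchguard:
        findings.append(("error", "SearchGuard should not be disabled for the Control Plane"))
    set_vars = [name for name in FEATURE_VARS if _on(env.get(name))]
    if set_vars and not xpack:  # assumption: features need xpackEnabled: true
        findings.append(("warning", "xpackEnabled is not true but set: " + ", ".join(set_vars)))
    if not searchguard and not xpack_security:
        findings.append(("warning", "no access control: all cluster logs readable by all users"))
    elif not searchguard:
        findings.append(("warning", "XPack Security: index access must be managed manually"))
    return findings

# Constructed sample: SearchGuard left at its default, XPack Security switched on.
SAMPLE = {"spec": {"features": {"logging": {"values": {"elasticsearch": {
    "enabled": True, "xpackEnabled": True,
    "cluster": {"env": {"XPACK_WATCHER_ENABLED": True,
                        "XPACK_SECURITY_ENABLED": True}}}}}}}}

if __name__ == "__main__":
    for severity, message in lint_logging_spec(SAMPLE):
        print(f"{severity}: {message}")
```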
XPack and SearchGuard in Kublr versions before 1.20.2
In pre-1.20.2 Kublr versions, more customization was required to enable and disable SearchGuard and XPack.
XPack enable switch
In previous versions of Kublr, the xpackIncluded property in the cluster section was used instead of the xpackEnabled property in the elasticsearch section:
```yaml
spec:
  features:
    logging:
      values:
        elasticsearch:
          enabled: true
          cluster:
            xpackIncluded: true
```
Running with different combinations of the XPack and SearchGuard plugins requires using different images for the ES stack.
As image selection was not yet automated in pre-1.20.2 Kublr versions, the following additional properties should be specified for non-default XPack and SearchGuard combinations:
Both SearchGuard and XPack enabled
```yaml
spec:
  features:
    logging:
      values:
        # searchguard - yes, xpack - yes
        searchguard:
          elasticsearch:
            image:
              name: kublr/elasticsearch-sg
          kibana:
            image:
              name: kublr/kibana-sg
```
XPack is enabled and SearchGuard is disabled
```yaml
spec:
  features:
    logging:
      values:
        # searchguard - no, xpack - yes
        elasticsearch:
          image:
            name: elasticsearch/elasticsearch
        kibana:
          image:
            name: kibana/kibana
        logstash:
          image:
            name: logstash/logstash
```
Additional SearchGuard Permissions
When both SearchGuard and XPack are enabled, and the XPack Watchers or Monitoring features are enabled, it may be necessary to add the following role mappings to sg_role_mappings.yml as described in the Kublr SearchGuard Roles Customization document.
```yaml
SGS_XP_ALERTING:
  backend_roles:
    - "admin"
SGS_XP_MONITORING:
  backend_roles:
    - "admin"
```