Deploying ECK on OpenShift

This page shows how to run ECK on OpenShift.

Only Elasticsearch and Kibana are compatible with the restricted Security Context Constraint. To run the APM Server on OpenShift you must allow the Pod to run with the anyuid SCC, as described in Deploy an APM Server instance with a route.
Before you begin

- To run the instructions on this page, you must be a system:admin user or a user with the privileges to create Projects, CRDs, and RBAC resources at the cluster level.

- Set virtual memory settings on the Kubernetes nodes. Before deploying an Elasticsearch cluster with ECK, make sure you correctly applied the vm.max_map_count setting on all the nodes of your cluster. Pods created by ECK are likely to run with the restricted Security Context Constraint (SCC): they run with a limited set of privileges and cannot change this setting on the nodes that host them. For more details, see the Elasticsearch documentation on Virtual memory.
Deploy the operator

- Apply the all-in-one template, as described in the quickstart.

oc apply -f https://download.elastic.co/downloads/eck/1.0.0-beta1/all-in-one.yaml

- [Optional] If the Software Defined Network is configured with the ovs-multitenant plug-in, you must allow the elastic-system namespace to access other Pods and Services in the cluster:

oc adm pod-network make-projects-global elastic-system

- Create a namespace to hold the Elastic resources (Elasticsearch, Kibana):

oc new-project elastic # creates the elastic project

By default the operator watches and creates resources in the default namespace. You need to patch the operator to manage resources in another namespace.

kubectl patch statefulset/elastic-operator \
  -n elastic-system \
  --type='json' \
  --patch '[{"op":"add","path":"/spec/template/spec/containers/0/env/-","value": {"name": "NAMESPACE", "value": "elastic"}}]'

Replace elastic in the examples above with the name of the namespace in which you want to deploy your resources.

- [Optional] Allow another user or a group of users to manage the Elastic resources:

oc adm policy add-role-to-user elastic-operator developer -n elastic

In the example above the user developer is allowed to manage Elastic resources in the namespace elastic.
Deploy an Elasticsearch instance with a route

Use the following code to create an Elasticsearch cluster elasticsearch-sample and a "passthrough" route to access it:

cat <<EOF | oc apply -n elastic -f -
# This sample sets up an Elasticsearch cluster with an OpenShift route
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.19.8
  nodeSets:
  - name: default
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: elasticsearch-sample
spec:
  #host: elasticsearch.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
  tls:
    termination: passthrough # Elasticsearch is the TLS endpoint
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: elasticsearch-sample-es-http
EOF
Deploy a Kibana instance with a route

Use the following code to create a Kibana instance and a "passthrough" route to access it:

cat <<EOF | oc apply -n elastic -f -
apiVersion: kibana.k8s.elastic.co/v1beta1
kind: Kibana
metadata:
  name: kibana-sample
spec:
  version: 8.19.8
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  podTemplate:
    spec:
      containers:
      - name: kibana
        resources:
          limits:
            memory: 1Gi
            cpu: 1
---
apiVersion: v1
kind: Route
metadata:
  name: kibana-sample
spec:
  #host: kibana.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
  tls:
    termination: passthrough # Kibana is the TLS endpoint
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: kibana-sample-kb-http
EOF

Use the following command to get the hosts of each Route:

oc get route -n elastic
Deploy an APM Server instance with a route

It is currently not possible to run the APM Server with the restricted SCC. A possible workaround is to allow the Pod to run with the default uid 1000 by assigning it to the anyuid SCC:

- Create a service account to run the APM Server:

oc create serviceaccount apm-server -n elastic

- Add the APM service account to the anyuid SCC:

oc adm policy add-scc-to-user anyuid -z apm-server -n elastic
scc "anyuid" added to: ["system:serviceaccount:elastic:apm-server"]

- Deploy an APM Server and a route with the following manifest:

cat <<EOF | oc apply -n elastic -f -
apiVersion: apm.k8s.elastic.co/v1beta1
kind: ApmServer
metadata:
  name: apm-server-sample
spec:
  version: 8.19.8
  count: 1
  elasticsearchRef:
    name: "elasticsearch-sample"
  podTemplate:
    spec:
      serviceAccountName: apm-server
---
apiVersion: v1
kind: Route
metadata:
  name: apm-server-sample
spec:
  #host: apm-server.example.com # override if you don't want to use the host that is automatically generated by OpenShift (<route-name>[-<namespace>].<suffix>)
  tls:
    termination: passthrough # the APM Server is the TLS endpoint
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: apm-server-sample-apm-http
EOF

To check that the Pod of the APM Server is using the correct SCC, use the following command:

oc get pod -o go-template='{{range .items}}{{$scc := index .metadata.annotations "openshift.io/scc"}}{{.metadata.name}}{{" scc:"}}{{range .spec.containers}}{{$scc}}{{" "}}{{"\n"}}{{end}}{{end}}'
apm-server-sample-apm-server-86bfc5c95c-96lbx scc:anyuid
elasticsearch-sample-es-5tsqghmm79 scc:restricted
elasticsearch-sample-es-6qk52mz5jk scc:restricted
elasticsearch-sample-es-dg4vvpm2mr scc:restricted
kibana-sample-kb-97c6b6b8d-lqfd2 scc:restricted
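The go-template above shows each Pod's SCC once; the check below turns it into a repeatable audit that flags any Pod in the namespace admitted by something other than the restricted SCC unless its service account is on an explicit allowlist (here only apm-server with anyuid). This is an added example, not part of the ECK documentation or project; it reads the same openshift.io/scc annotation the template does, and the Pod list is a constructed stand-in for `oc get pod -n elastic -o json` output, including one made-up drift case.

```python
import json

# Constructed sample of `oc get pod -o json` output (not real cluster data).
# Only the fields the audit reads are present: name, SCC annotation, service account.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "apm-server-sample-apm-server-86bfc5c95c-96lbx",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"serviceAccountName": "apm-server"}},
    {"metadata": {"name": "elasticsearch-sample-es-5tsqghmm79",
                  "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"serviceAccountName": "default"}},
    {"metadata": {"name": "kibana-sample-kb-97c6b6b8d-lqfd2",
                  "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"serviceAccountName": "default"}},
    # Constructed drift case: an Elasticsearch Pod that was admitted by anyuid
    # although only the APM Server service account was granted that SCC.
    {"metadata": {"name": "elasticsearch-sample-es-constructed0",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"serviceAccountName": "default"}},
]})

# Hypothetical allowlist: service accounts expected to run under a non-restricted SCC.
ALLOWED_SCC_BY_SA = {"apm-server": {"anyuid"}}


def pod_sccs(pod_list_json):
    """Map pod name -> (scc, service account) from `oc get pod -o json` output.

    A Pod without the annotation maps to scc=None; that is reported too, since it
    means the admission record is missing rather than that the Pod is restricted.
    """
    result = {}
    for item in json.loads(pod_list_json)["items"]:
        meta = item["metadata"]
        scc = meta.get("annotations", {}).get("openshift.io/scc")
        sa = item.get("spec", {}).get("serviceAccountName", "default")
        result[meta["name"]] = (scc, sa)
    return result


def scc_violations(pod_list_json, allowed=ALLOWED_SCC_BY_SA, baseline="restricted"):
    """Return [(pod, scc, sa)] for Pods not on the baseline SCC and not allowlisted."""
    return [(name, scc, sa)
            for name, (scc, sa) in pod_sccs(pod_list_json).items()
            if scc != baseline and not (scc and scc in allowed.get(sa, set()))]


if __name__ == "__main__":
    for name, scc, sa in scc_violations(SAMPLE_POD_LIST):
        print(f"{name}: scc={scc} serviceaccount={sa}")
```

To run it against a live cluster, pipe `oc get pod -n elastic -o json` into `scc_violations` instead of the constructed sample.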