Elastic
Required RBAC permissions
Installing and running ECK, as well as using ECK-managed resources requires the following Kubernetes permissions:
Installing CRDs ¶
This permission is required to install CRDs. CRDs (CustomResourceDefinitions) are the only non-namespaced resources required to be installed.
| Name | API group | Optional? | Usage |
|---|---|---|---|
CustomResourceDefinition |
apiextensions.k8s.io |
no | Extend Kubernetes APIs with Elastic Stack application resources. |
Installing the ECK operator ¶
These permissions are required to install the ECK operator in a Kubernetes cluster.
| Name | API group | Optional? | Usage |
|---|---|---|---|
StatefulSet or Deployment |
apps |
no | The ECK operator can be either deployed as a StatefulSet or as a Deployment. |
ServiceAccount |
core |
no | Service account that the operator Pods run as. |
Role or ClusterRole |
rbac.authorization.k8s.io |
no | Role bound to the operators Service account. Depending on the installation type (global/restricted) either a global (ClusterRole) or a namespaced (Role) resource is needed. |
RoleBinding or ClusterRoleBinding |
rbac.authorization.k8s.io |
no | Binding between the operators role and the operators service account. Depending on the installation type (global/restricted), either global (ClusterRoleBinding) or namespaced (RoleBinding) resource is needed. |
ConfigMap |
core |
yes | Configuration parameters of the Operator. They can be specified directly in the StatefulSet (or Deployment) resource instead. |
Namespace |
core |
yes | Namespace where the operator will run. It can be a pre-existing namespace as well. |
ValidatingWebhookConfiguration |
admissionregistration.k8s.io |
yes | Validating webhook installation. It provides fast feedback for the user directly as a APIServer response. A subset of these validations is also run by the operator itself, but the results are only available through operator logs and Kubernetes events. Check docs for more. |
Secret |
core |
yes | Secret containing the validating webhook’s endpoint CA certificate. |
Service |
core |
yes | Service for validating webhook endpoint. |
And all permissions that Running ECK operator section specifies.
Running ECK operator ¶
These permissions are needed by the Service Account that ECK operator runs as.
| Name | API group | Optional? | Usage |
|---|---|---|---|
Pod |
no | Assuring expected Pods presence during Elasticsearch reconciliation, safely deleting Pods during configuration changes and validating podTemplate by dry-run creation of Pods. |
|
Endpoint |
no | Checking availability of service endpoints. | |
Event |
no | Emitting events concerning reconciliation progress and issues. | |
PersistentVolumeClaim |
no | Expanding existing volumes. Check docs to learn more. | |
Secret |
no | Reading/writing configuration, passwords, certificates, and so on. | |
Service |
no | Creating Services fronting Elastic Stack applications. | |
ConfigMap |
no | Reading/writing configuration. | |
StatefulSet |
apps |
no | Deploying Elasticsearch |
Deployment |
apps |
no | Deploying Kibana, APM Server, EnterpriseSearch, Maps, Beats or Elastic Agent. |
DaemonSet |
apps |
no | Deploying Beats or Elastic Agent. |
PodDisruptionBudget |
policy |
no | Ensuring update safety for Elasticsearch. Check docs to learn more. |
StorageClass |
storage.k8s.io |
yes | Validating storage expansion support. Check docs to learn more. |
coreauthorization.k8s.io |
SubjectAccessReview |
yes | Controlling access between referenced resources. Check docs to learn more. |
And all permissions that the Using ECK-managed resources chapter specifies.
Using ECK-managed resources ¶
These permissions are needed to manage each Elastic Stack application. For example, to create, update and delete Elasticsearch clusters the permissions for the respective verbs must be held by the user that performs the operation.
| Name | API group | Optional? |
|---|---|---|
Elasticsearch<br>Elasticsearch/status<br>Elasticsearch/finalizers |
elasticsearch.k8s.elastic.co |
no |
Kibana<br>Kibana/status<br>Kibana/finalizers |
kibana.k8s.elastic.co |
no |
APMServer<br>APMServer/status<br>APMServer/finalizers |
apm.k8s.elastic.co |
no |
EnterpriseSearch<br>EnterpriseSearch/status<br>EnterpriseSearch/finalizers |
enterprisesearch.k8s.elastic.co |
no |
Beat<br>Beat/status<br>Beat/finalizers |
beat.k8s.elastic.co |
no |
Agent<br>Agent/status<br>Agent/finalizers |
agent.k8s.elastic.co |
no |
ElasticMapsServer<br>ElasticMapsServer/status<br>ElasticMapsServer/finalizers |
maps.k8s.elastic.co |
no |
Logstash<br>Logstash/status<br>Logstash/finalizers |
logstashes.k8s.elastic.co |
no |