Elastic Cloud on Kubernetes managed credentials

ECK

When deploying an Elastic Stack application, the operator generates a set of credentials essential for the operation of that application. For example, these generated credentials include the default elastic user for Elasticsearch and the security token for APM Server.

To list all auto-generated credentials in a namespace, run the following command:

kubectl get secret -l eck.k8s.elastic.co/credentials=true

When the Elasticsearch resource is created, a default user named elastic is created automatically, and is assigned the superuser role.

Its password is stored in a Kubernetes secret whose name is derived from the Elasticsearch resource name: <elasticsearch-name>-es-elastic-user.

For example, the password of the elastic user for an Elasticsearch cluster named quickstart can be retrieved with:

kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}'

If you prefer to manage all users via SSO, for example using SAML Authentication or OpenID Connect, you can disable the default elastic superuser by setting the auth.disableElasticUser field in the Elasticsearch resource to true:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.16.1
  auth:
    disableElasticUser: true
  nodeSets:
  - name: default
    count: 1

You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the elastic user from the quickstart example, use the following command:

kubectl delete secret quickstart-es-elastic-user

Warning: If you are using the elastic user credentials in your own applications, they will fail to connect to Elasticsearch and Kibana after you run this command. It is not recommended to use elastic user credentials for production use cases. Always create your own users with restricted roles to access Elasticsearch.
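A pre-rotation check for the warning above, as an added example that is not part of the ECK documentation or the operator's code: it scans the output of kubectl get pods -o json for pods that reference the secret through a volume, env, or envFrom, so you know which workloads will break before you delete it. The function name secret_consumers and the sample pods are constructed for illustration.

```python
import json
import subprocess
import sys

def secret_consumers(pod_list, secret_name):
    """Return sorted (pod, reference) pairs for pods that use secret_name."""
    hits = set()
    for pod in pod_list.get("items", []):
        name, spec = pod["metadata"]["name"], pod.get("spec", {})
        for vol in spec.get("volumes", []):
            if vol.get("secret", {}).get("secretName") == secret_name:
                hits.add((name, "volume " + vol["name"]))
            for src in vol.get("projected", {}).get("sources", []):
                if src.get("secret", {}).get("name") == secret_name:
                    hits.add((name, "projected volume " + vol["name"]))
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef", {})
                if ref.get("name") == secret_name:
                    hits.add((name, "env " + env["name"]))
            for src in c.get("envFrom", []):
                if src.get("secretRef", {}).get("name") == secret_name:
                    hits.add((name, "envFrom"))
    return sorted(hits)

# Constructed sample in the shape of `kubectl get pods -o json` (not real output).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "indexer-0"}, "spec": {"containers": [{"name": "app",
   "env": [{"name": "ES_PASSWORD", "valueFrom": {"secretKeyRef":
     {"name": "quickstart-es-elastic-user", "key": "elastic"}}}]}]}},
 {"metadata": {"name": "reporter-0"}, "spec": {
   "volumes": [{"name": "es-creds",
     "secret": {"secretName": "quickstart-es-elastic-user"}}],
   "containers": [{"name": "app"}]}},
 {"metadata": {"name": "web-0"}, "spec": {"containers": [{"name": "app",
   "env": [{"name": "MODE", "value": "prod"}]}]}}
]}
""")

if __name__ == "__main__":
    secret = sys.argv[1] if len(sys.argv) > 1 else "quickstart-es-elastic-user"
    try:  # live namespace if kubectl is usable, otherwise the constructed sample
        pods = json.loads(subprocess.run(["kubectl", "get", "pods", "-o", "json"],
                                         capture_output=True, check=True).stdout)
    except (OSError, subprocess.CalledProcessError):
        print("kubectl unavailable, using constructed sample", file=sys.stderr)
        pods = SAMPLE
    for pod, ref in secret_consumers(pods, secret):
        print(f"{pod}: {ref}")
```

Pods that read the secret through env or envFrom keep the old password until they are restarted. Clients that copied the password outside Kubernetes are not visible to this check.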

To regenerate all auto-generated credentials in a namespace, run the following command:

kubectl delete secret -l eck.k8s.elastic.co/credentials=true

Warning: This command regenerates auto-generated credentials of all Elastic Stack applications in the namespace.