Deploying Open Distro for Elasticsearch on Kubernetes: A Practical Guide



This article provides a detailed guide on setting up Open Distro for Elasticsearch on Kubernetes for a production-level environment.

A notable company, SmartHome Solutions, focuses on developing innovative devices for home security. Known for their flagship product, the SmartHome Camera and Community Watch feed, SmartHome Solutions aims to enhance safety in neighborhoods across the globe. The company required a robust solution to store and query large volumes of security log data generated by their devices.

Our log aggregation and querying system had specific requirements. These included user authentication and Role-based Access Control (RBAC) to manage log access, alongside SAML support for seamless integration with our existing Single Sign-On (SSO) framework. Furthermore, we needed all communications within the platform to be encrypted during transit, as the logs could contain sensitive information. Finally, a monitoring system was essential for generating security alerts based on incoming log data.

Open Distro for Elasticsearch supports various authentication methods, including HTTP Basic and Kerberos ticket-based authentication. It also offers extensive RBAC features, allowing precise control over access to ingested log data, simplifying the security of our centralized logging platform.

Additionally, Open Distro for Elasticsearch includes SAML support for Kibana, the open-source frontend for Elasticsearch. This feature enables integration with multiple Identity Providers like AWS Single Sign-On or Okta. All communications to and from the platform utilize TLS encryption, satisfying our encryption requirements effectively.

Moreover, Open Distro for Elasticsearch provides alerting and monitoring capabilities to set up customized security alerts and track system health. This solution met many of our needs for SmartHome Solutions’ Security Observability infrastructure.

As part of our Security Operations, we utilized Amazon Elastic Container Service for Kubernetes (Amazon EKS) to deploy and manage our Kubernetes cluster, which supports our security tools.

Our team opted to deploy Open Distro for Elasticsearch within Kubernetes as a scalable solution. Given Kubernetes’ popularity as a container orchestration platform, it allows us to easily scale as our logging needs grow and reduces our dependency on a configuration management framework.

In this article, we will share valuable insights from our experience, hoping to assist others facing similar challenges.

Prerequisites

This guide specifically focuses on deployment within Amazon EKS, AWS’s managed Containers-as-a-Service offering.

Ensure that all necessary Kubernetes plugins are installed in the cluster, such as external-dns or KIAM. Access the cluster using the kubectl binary along with the appropriate kubeconfig credentials. Note that annotations for external-dns won’t function unless the external-dns service is deployed. You can implement it with a community-developed Helm chart. Similarly, pod IAM role annotations will not work unless KIAM is set up, which is also available via its community Helm chart.

TLS certificates must be bootstrapped and a Certificate Authority must be in place for issuing these certificates. For detailed guidance on generating SSL certificates, refer to our previous post on adding your own SSL certificates to Open Distro for Elasticsearch.

Project Plan

Based on our earlier experiences with deploying the community version of Elasticsearch on Kubernetes, we decided to adopt a similar approach for Open Distro for Elasticsearch.

We envisioned the following architecture:

  • We chose Amazon EKS for our managed Kubernetes cluster, considering the following factors:
      • SmartHome Solutions already operates a Kubernetes cluster in Amazon EKS, capable of dynamically scaling worker nodes for various security tools, which can also efficiently host the Open Distro for Elasticsearch cluster.
      • The cluster comprises eight m5.2xlarge instances as worker nodes, sufficiently robust to manage our Elasticsearch cluster.
      • Using Amazon EKS alleviated the burden of managing our own Kubernetes API server, simplifying patching and security tasks.
  • We initiated an eight-node test deployment, with plans to scale it for production use.
  • Additionally, we decided to utilize the official Docker images provided by the Open Distro team, which spared us the hassle of managing our own container images and registry.

Our planned Elasticsearch cluster architecture included three master nodes, two client/coordinating nodes, and three data nodes.

We defined the following Kubernetes resource types for the respective Elasticsearch node types:

  • Deployment for master nodes (stateless)
  • Deployment for client nodes (stateless)
  • StatefulSet for data nodes (stateful)

To manage our cluster’s Elasticsearch API, we employed an AWS Network Load Balancer (NLB), deployed via the Kubernetes Service resource type.

We also used Kubernetes taints together with the pod anti-affinity API spec to ensure that the Elasticsearch master, client, and data pods are spread across different EC2 worker nodes. Additionally, we used the tolerations API spec so that the master and client pods run only on EC2 worker nodes dedicated to them.
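As an added illustration of that scheduling policy (this is not a manifest from the Open Distro repository), the following trimmed Deployment for the master role combines a hard pod anti-affinity rule, a toleration for a node taint, and a matching nodeSelector. The taint key/value `role=es-master`, the node label, the namespace and ServiceAccount names, and the image tag are all assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: es-master
  namespace: elasticsearch   # assumed namespace name
spec:
  replicas: 3
  selector:
    matchLabels:
      app: es
      role: master
  template:
    metadata:
      labels:
        app: es
        role: master
    spec:
      serviceAccountName: elasticsearch   # assumed ServiceAccount name
      # Keep master pods on the dedicated nodes (assumed node label).
      nodeSelector:
        role: es-master
      # Tolerate the taint that keeps every other workload off those nodes
      # (assumed: kubectl taint nodes <node> role=es-master:NoSchedule).
      tolerations:
        - key: role
          operator: Equal
          value: es-master
          effect: NoSchedule
      affinity:
        podAntiAffinity:
          # Hard rule: never place two master pods on the same EC2 worker,
          # so losing one instance cannot remove more than one master vote.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  role: master
              topologyKey: kubernetes.io/hostname
      containers:
        - name: elasticsearch
          image: amazon/opendistro-for-elasticsearch:VERSION   # placeholder tag
          env:
            - name: node.master
              value: "true"
            - name: node.data
              value: "false"
          ports:
            - containerPort: 9300   # transport port used by the discovery Service
              name: transport
          securityContext:
            allowPrivilegeEscalation: false
```

Because the anti-affinity rule is hard and the nodeSelector restricts placement, at least three labelled and tainted worker nodes must exist or the third replica will stay Pending; `kubectl get pods -o wide` shows whether each master landed on a distinct node.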

Creating Initial Resources

Begin by cloning the Open Distro for Elasticsearch community repository, which contains Kubernetes manifests for a sample deployment. The files are named according to the resource types they create, with a digit indicating precedence during deployment.

Navigate to the open-distro-elasticsearch-kubernetes folder from the root of the repository:

$ cd open-distro-elasticsearch-kubernetes

Next, proceed to the elasticsearch subfolder:

$ cd elasticsearch

Now, create a Kubernetes namespace for the Elasticsearch cluster assets using the 10-es-namespace.yml file:

$ kubectl apply -f 10-es-namespace.yml

Next, create a discovery service with the Kubernetes Service resource type found in the 20-es-svc-discovery.yml file, which lets master nodes discover each other over the transport port 9300:

$ kubectl apply -f 20-es-svc-discovery.yml

Create a Kubernetes ServiceAccount, necessary for future StatefulSets, using the 20-es-service-account.yml file:

$ kubectl apply -f 20-es-service-account.yml

Now, create a Kubernetes StorageClass resource for Amazon EBS gp2 volumes (attached to the data nodes) using the 25-es-sc-gp2.yml file:

$ kubectl apply -f 25-es-sc-gp2.yml

Finally, create a Kubernetes ConfigMap resource type (necessary for bootstrapping relevant Elasticsearch configurations like elasticsearch.yml and logging.yml onto the containers during deployment) using the 30-es-configmap.yml file:

$ kubectl apply -f 30-es-configmap.yml

This ConfigMap includes two configuration files required by Open Distro for Elasticsearch.

