Deploying Elasticsearch on K8s with X-Pack Security Authentication Enabled
Author: myluzh  Category: Kubernetes
0x00 Build an image that contains the certificate
Create a new custom image based on the official Elasticsearch image, with the certificate file included.
1. Generate the certificate
# Create a temporary es-temp container and generate elastic-certificates.p12 inside it
docker run -it --name es-temp elasticsearch:7.17.24 bash -c "bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass '' && ls -l config/elastic-certificates.p12"
# Copy elastic-certificates.p12 out of es-temp to the local directory
docker cp es-temp:/usr/share/elasticsearch/config/elastic-certificates.p12 ./elastic-certificates.p12
2. Build the image
FROM elasticsearch:7.17.24
LABEL maintainer="myluzh <myluzh@qq.com>"
COPY elastic-certificates.p12 /usr/share/elasticsearch/config/
RUN chown 1000:0 /usr/share/elasticsearch/config/elastic-certificates.p12
EXPOSE 9200 9300
docker build -t elasticsearch:7.17.24-p12 .
3. Push the image to the private Harbor registry
docker tag elasticsearch:7.17.24-p12 172.30.82.223:5443/base/elasticsearch:7.17.24-p12
docker push 172.30.82.223:5443/base/elasticsearch:7.17.24-p12
Note: the advantage of this approach is that the certificate is baked directly into the image. Alternatively, store the p12 certificate in the cluster as a Secret and mount that Secret into the pod:
kubectl create secret generic es-cert --from-file=elastic-certificates.p12 --namespace my-namespace
0x01 Deploy a single-node Elasticsearch
No persistence is configured here; if you need data persistence, mount /usr/share/elasticsearch/data out of the container.
1. Deploy elasticsearch_single_node.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-config
  namespace: default
data:
  elasticsearch.yml: |
    # Single node
    discovery.type: single-node
    http.cors.allow-origin: '*'
    http.cors.enabled: true
    network.host: 0.0.0.0
    # Enable X-Pack security
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    # The keystore/truststore must be set on the transport layer, which is the layer enabled above;
    # if they are placed under xpack.security.http.ssl.* instead, transport SSL has no key and the node refuses to start.
    # HTTP itself stays plain here (the connectivity test below uses http://).
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
  namespace: default
spec:
  serviceName: "elasticsearch"
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
        - name: elasticsearch
          image: 172.30.82.223:5443/base/elasticsearch:7.17.24-p12
          ports:
            - containerPort: 9200
              name: es9200
            - containerPort: 9300
              name: es9300
          env:
            - name: ES_JAVA_OPTS
              value: "-Xms2g -Xmx2g"
          volumeMounts:
            - name: config-volume
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
      volumes:
        - name: config-volume
          configMap:
            name: elasticsearch-config
---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: default
spec:
  clusterIP: None
  ports:
    - name: http
      port: 9200
      targetPort: 9200
    - name: transport
      port: 9300
      targetPort: 9300
  selector:
    app: elasticsearch
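Before applying a manifest like the one above, it is worth linting the X-Pack keys for the mistakes that are easy to make when copying settings around: transport SSL enabled without a keystore, a keystore placed on the http layer while http SSL stays off, basic-auth credentials sent over plain HTTP, and a wildcard CORS origin. The lint below is an added example of mine, not code from the post; the sample `elasticsearch.yml` it checks is constructed (it deliberately puts the keystore on the wrong layer), and the same checks apply to the env-var form used in the cluster manifest later on.

```python
"""Lint the X-Pack security settings of a flat elasticsearch.yml (added example, not from the post)."""

# Constructed sample: keystore/truststore on the http layer while only transport SSL is enabled.
SAMPLE_YML = """\
discovery.type: single-node
http.cors.allow-origin: '*'
http.cors.enabled: true
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
"""


def parse_flat_yml(text):
    """Parse 'dotted.key: value' lines; blanks and '#' comments are skipped, quotes around values dropped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def lint_security(settings):
    """Return a list of findings for the security-relevant keys; an empty list means nothing was flagged."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: the REST API accepts anonymous requests")
    for layer in ("transport", "http"):
        enabled = settings.get(f"xpack.security.{layer}.ssl.enabled") == "true"
        has_key = f"xpack.security.{layer}.ssl.keystore.path" in settings
        if enabled and not has_key:
            findings.append(f"{layer} SSL is enabled but no keystore.path is set: the node will fail to start")
        if has_key and not enabled:
            findings.append(f"{layer} keystore is configured but {layer} SSL is not enabled (key on the wrong layer?)")
    if settings.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("HTTP SSL is off: basic-auth credentials travel in clear text")
    if settings.get("http.cors.enabled") == "true" and settings.get("http.cors.allow-origin") in ("*", "/.*/"):
        findings.append("CORS allows any origin: restrict http.cors.allow-origin to the Kibana origin")
    return findings


if __name__ == "__main__":
    for finding in lint_security(parse_flat_yml(SAMPLE_YML)):
        print("WARN:", finding)
```

Run it against the `elasticsearch.yml` block of your ConfigMap; the constructed sample produces four warnings, and moving the keystore keys to the transport layer, enabling http SSL with the same keystore and pinning the CORS origin clears all of them.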
2. Enter the ES container and set the passwords
# Set the passwords manually
./bin/elasticsearch-setup-passwords interactive
# Generate the passwords automatically
./bin/elasticsearch-setup-passwords auto
Please confirm that you would like to continue [y/N]y
...
Changed password for user elastic
PASSWORD elastic = tVUsASb07cRYc3etwNyv
3. Test ES connectivity from inside the cluster
[root@centos-test-5b7765fcbd-76vzc /]# curl -u elastic:tVUsASb07cRYc3etwNyv http://elasticsearch.default.svc.cluster.local:9200/_cluster/health?pretty
{
"cluster_name" : "elasticsearch",
"status" : "green",
...
}
0x02 Deploy an Elasticsearch cluster
Reference: https://blog.csdn.net/weixin_45813250/article/details/131026318
apiVersion: v1  # Create the namespace
kind: Namespace
metadata:
  labels:
    app: es7-cluster
    kubernetes.io/name: "Elasticsearch"
  name: elastic-worker
---
apiVersion: v1  # Headless Service used for inter-node communication
kind: Service
metadata:
  name: es7-headless
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "Elasticsearch"
spec:
  clusterIP: None
  publishNotReadyAddresses: true
  ports:
    - name: rest-api
      port: 9200
      targetPort: 9200
    - name: inter-node
      port: 9300
      targetPort: 9300
  selector:
    app: es7-cluster
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: es7-cluster
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
kind: ClusterRole  # cluster-scoped, so it carries no namespace
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: es7-cluster
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - "services"
      - "namespaces"
      - "endpoints"
    verbs:
      - "get"
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: es7-cluster
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: es7-cluster
    namespace: elastic-worker  # must match the namespace of the ServiceAccount created above
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: es7-cluster
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1  # The stateful workload itself
kind: StatefulSet
metadata:
  name: es7-cluster
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    srv: srv-elasticsearch
spec:
  serviceName: es7-headless
  replicas: 3
  selector:
    matchLabels:
      app: es7-cluster
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      labels:
        app: es7-cluster
        kubernetes.io/cluster-service: "true"
    spec:
      serviceAccountName: es7-cluster
      containers:  # main container
        - name: elasticsearch
          image: 172.30.82.223:5443/base/elasticsearch:7.17.24-p12  # custom image with the p12 certificate baked in
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9200
              name: rest-api
              protocol: TCP
            - containerPort: 9300
              name: inter-node
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
            - name: localtime
              readOnly: true
              mountPath: /etc/localtime
          env:
            - name: cluster.name
              value: "es7-cluster"
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: discovery.zen.minimum_master_nodes  # legacy 6.x setting; 7.x ignores it and logs a deprecation warning
              value: "2"
            - name: discovery.seed_hosts
              value: "es7-headless"
            - name: cluster.initial_master_nodes
              value: "es7-cluster-0,es7-cluster-1,es7-cluster-2"
            - name: ES_JAVA_OPTS
              value: "-Xms1g -Xmx1g"
            - name: xpack.security.enabled  # X-Pack security
              value: "true"
            - name: xpack.security.transport.ssl.enabled
              value: "true"
            - name: xpack.security.transport.ssl.verification_mode  # certificate verification mode
              value: "certificate"
            - name: xpack.security.transport.ssl.keystore.path  # certificate path, relative to the config directory
              value: "elastic-certificates.p12"
            - name: xpack.security.transport.ssl.truststore.path
              value: "elastic-certificates.p12"
            - name: xpack.monitoring.ui.container.elasticsearch.enabled  # generate container-related monitoring data; still to be verified
              value: "true"
            #- name: reindex.remote.whitelist  # reindex whitelist, usable for data migration
            #  value: "192.168.10.13:9200"
      initContainers:  # init containers
        - name: fix-permissions
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
          securityContext:
            privileged: true
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
            - name: localtime
              readOnly: true
              mountPath: /etc/localtime
        - name: increase-vm-max-map
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
        - name: increase-fd-ulimit  # note: ulimit applies only to this init container's own shell, not to the ES container
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sh", "-c", "ulimit -n 65536"]
      volumes:
        - name: localtime
          hostPath:
            path: /etc/localtime
            type: ''
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: [ "ReadWriteMany" ]
        # Name of the StorageClass to use; a valid storage class must be configured
        storageClassName: "managed-nfs-storage"
        resources:
          requests:
            storage: 2Gi
References:
Deploying an Elasticsearch cluster + Kibana on k8s with X-Pack security authentication enabled
https://blog.csdn.net/weixin_45813250/article/details/131026318