Cannot disable TLS and security in EKS

Hello,

I installed ECK open source 1.0.1 in k8s 1.15.5.
I tried to disable the security and TLS using:

  apiVersion: elasticsearch.k8s.elastic.co/v1
  kind: Elasticsearch
  metadata:
    name: elasticsearch
  spec:
    version: 7.6.0
    nodeSets:
    - name: default
      count: 1
      config:
        node.master: true
        node.data: true
        node.ingest: true
        node.store.allow_mmap: false

        xpack.security.enabled: false
        xpack.security.http.ssl.enabled: false
        xpack.security.transport.ssl.enabled: false

but it doesn't seem to work:

kubectl port-forward service/elasticsearch-es-http 9200
curl http://localhost:9200
==> not working

and

PASSWORD=$(kubectl get secret elasticsearch-es-elastic-user -o=jsonpath='{.data.elastic}' | base64 --decode)
curl -k -u "elastic:$PASSWORD" https://localhost:9200
==> works

If I check the configuration in the 'elasticsearch-es-default-es-config'
kubectl get secrets elasticsearch-es-default-es-config -o jsonpath="{.data['elasticsearch.yml']}" | base64 -d
I get:

cluster:
  name: elasticsearch
discovery:
  seed_providers: file
network:
  host: 0.0.0.0
  publish_host: ${POD_IP}
node:
  data: true
  ingest: true
  master: true
  name: ${POD_NAME}
  store:
    allow_mmap: false
path:
  data: /usr/share/elasticsearch/data
  logs: /usr/share/elasticsearch/logs
xpack:
  license:
    upload:
      types:
      - trial
      - enterprise
  security:
    authc:
      realms:
        file:
          file1:
            order: -100
        native:
          native1:
            order: -99
      reserved_realm:
        enabled: "false"
    enabled: "true"
    http:
      ssl:
        certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
        certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
        enabled: true
        key: /usr/share/elasticsearch/config/http-certs/tls.key
    transport:
      ssl:
        certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
        certificate_authorities:
        - /usr/share/elasticsearch/config/transport-certs/ca.crt
        enabled: "true"
        key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
        verification_mode: certificate

which still contains the security and tls config enabled...

Any idea on how to disable security and TLS config?
Thanks
Yann

These settings are managed by ECK and you cannot currently disable security and you cannot disable TLS on the transport layer. Please see https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-reserved-settings.html for a list of settings managed by ECK that we don't support to be set by users.

If you want to disable security in order to allow access without authentication to your clusters, please consider enabling anonymous access instead: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/anonymous-access.html

You can however disable TLS on the HTTP layer if desired. Instructions are here: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-accessing-elastic-services.html#k8s-disable-tls

Thanks Peter, that solved my issue.

For folks, here is the complete solution:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch
spec:
  version: 7.6.0
  nodeSets:
  - name: default
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false
      xpack.security.authc:
          anonymous:
            username: anonymous
            roles: superuser
            authz_exception: false
  http:
    tls:
      selfSignedCertificate:
        disabled: true

Yann

Hi, I tried this but it doesn't seem to work for ES.

Thank you for the instructions. But it seems like the option for disabling TLS on the HTTP layer must be set when the ES cluster is initially deployed. I cannot disable that on an existing cluster with TLS enabled. ECK would not make that switch even though I added that section:

http:
    tls:
      certificate:
        selfSignedCertificate:
          disabled: true

Hi, I can confirm that applying this config and then removing the default pod does not seem to work, it keeps https. Any solutions to that?

More specifically, it says here:

how it should be disabled.

here it says xpack security is disabled by default for non-trial:

that does not seem to be the case for k8s.
What is the recommended way for k8s to disable https?
Seems like a more sane default too, since most folks probably expose https via ingress-nginx or an external Google Loadbalancer?

What is the recommended way for k8s to disable https?

You have pointed to the correct documentation: TLS certificates | Elastic Cloud on Kubernetes [1.3] | Elastic.

here it says xpack security is disabled by default for non-trial

This is not the ECK documentation, so it does not apply to ECK.


Here is a step-by-step example of how to disable TLS on the HTTP layer of an existing Elasticsearch cluster managed by ECK.

On a fresh GKE v1.18.14 cluster, I deployed ECK v1.3.1 and a simple Elasticsearch cluster using this manifest:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: badaboum
spec:
  version: 7.10.2
  nodeSets:
  - name: master
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false

Started the port-forwarding:

kubectl port-forward service/badaboum-es-http 9200

Checked that HTTPS was working but not HTTP:

> curl -k https://localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}

> curl http://localhost:9200
curl: (52) Empty reply from server

Then, I updated my Elasticsearch cluster to disable TLS with this manifest:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: badaboum
spec:
  version: 7.10.2
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: master
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false

Restarted the port-forwarding.

Checked that HTTPS was no longer working and HTTP was working:

> curl -k https://localhost:9200
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

> curl http://localhost:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

Hi, thank you for your reply. Isn't that the exact same snippet for the Elasticsearch file?
Update: I had a snippet added which had a typo, certificate without capital letter.
After correcting that and deleting the pod it works as expected, thanks for your support!

Hello @Zijun_X ,

Now I see the error in your snippet.

You shared:

http:
    tls:
      certificate:
        selfSignedCertificate:
          disabled: true

While the 'certificate' field shouldn't be present:

http:
    tls:
      selfSignedCertificate:
        disabled: true
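
The manifest mistakes in this thread (settings that ECK manages itself, and selfSignedCertificate nested under certificate), along with the anonymous superuser mapping from the posted solution, can be caught before running kubectl apply. This is an added example, not code from the thread or from ECK: lint, flatten, RESERVED and SAMPLE are hypothetical names, the manifest is assumed to be already parsed into a dict, and RESERVED holds only the three settings tried in the first post.

```python
# Settings the first post tried to set; ECK manages these itself. The full
# list is on the "reserved settings" page linked in the thread.
RESERVED = {
    "xpack.security.enabled",
    "xpack.security.http.ssl.enabled",
    "xpack.security.transport.ssl.enabled",
}

def flatten(node, prefix=""):
    """Flatten nested and dotted keys into one {dotted.path: value} dict."""
    if not isinstance(node, dict):
        return {prefix: node}
    flat = {}
    for key, value in node.items():
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def lint(manifest):
    """Return findings for an already-parsed Elasticsearch manifest (a dict)."""
    findings = []
    spec = manifest.get("spec", {})
    for node_set in spec.get("nodeSets", []):
        name = node_set.get("name", "?")
        config = flatten(node_set.get("config") or {})
        for key in sorted(RESERVED & config.keys()):
            findings.append(f"nodeSet {name}: {key} is managed by ECK")
        roles = config.get("xpack.security.authc.anonymous.roles", "")
        roles = roles.split(",") if isinstance(roles, str) else roles
        if "superuser" in [str(r).strip() for r in roles]:
            findings.append(f"nodeSet {name}: anonymous requests are granted superuser")
    tls = flatten((spec.get("http") or {}).get("tls") or {})
    if "certificate.selfSignedCertificate.disabled" in tls:
        findings.append("http.tls: selfSignedCertificate is nested under certificate")
    return findings

# Constructed sample combining the mistakes from the thread.
SAMPLE = {
    "spec": {
        "http": {"tls": {"certificate": {"selfSignedCertificate": {"disabled": True}}}},
        "nodeSets": [{"name": "default", "config": {
            "xpack.security.enabled": False,
            "xpack.security.authc": {"anonymous": {"roles": "superuser"}},
        }}],
    }
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```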