ECK Filebeat action [indices:admin/auto_create] is unauthorized for user [elk-stack-filebeat-beat-user]

If I understand the documentation correctly, when specifying elasticsearchRefs.name: elasticsearch, a Filebeat user should be created and authorized automatically.
It works, but when I try to write to a new index which is not the default, I get an error:

action [indices:admin/auto_create] is unauthorized for user [elk-stack-filebeat-beat-user] with effective roles 
[beats_admin,eck_beat_es_filebeat_role_v77,ingest_admin,kibana_admin,remote_monitoring_agent] 
on indices [k8s-infra], this action is granted by the index 
privileges [auto_configure,create_index,manage,all]\"}, dropping event!

I use the eck-stack chart.
Here is my values.yaml:

---
# Default values for eck-stack.
# This is a YAML-formatted file.

# If enabled, will use the eck-elasticsearch chart and deploy an Elasticsearch resource.
#
eck-elasticsearch:
  enabled: true
  # This is adjusting the full name of the elasticsearch resource so that both the eck-elasticsearch
  # and the eck-kibana chart work together by default in the eck-stack chart.
  fullnameOverride: elasticsearch
  nodeSets:
    - config:
        node.store.allow_mmap: false
      count: 3
      name: default
      podTemplate:
        spec:
          affinity:
            podAntiAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                - labelSelector:
                    matchLabels:
                      elasticsearch.k8s.elastic.co/cluster-name: elasticsearch
                  topologyKey: "kubernetes.io/hostname"
          containers:
            - name: elasticsearch
              resources:
                limits:
                  memory: 2Gi
                requests:
                  memory: 2Gi
      volumeClaimTemplates:
        - metadata:
            name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 10Gi
                  
# If enabled, will use the eck-kibana chart and deploy a Kibana resource.
#
eck-kibana:
  enabled: true
  fullnameOverride: kibana
  spec:
    # This is also adjusting the kibana reference to the elasticsearch resource named previously so that
    # both the eck-elasticsearch and the eck-kibana chart work together by default in the eck-stack chart.
    elasticsearchRef:
      name: elasticsearch
    config:
      # Note that these are specific to the namespace into which this example is installed, and are
      # using `elastic-stack` as configured here and detailed in the README when installing:
      #
      # `helm install es-kb-quickstart elastic/eck-stack -n elastic-stack`
      #
      # If installed outside of the `elastic-stack` namespace, the following 2 lines need modification.
      server.publicBaseUrl: "https://kibana.k8s.mydomain.dev/"
      xpack.fleet.agents.elasticsearch.hosts: [ "https://elasticsearch-es-http.elk-stack.svc:9200" ]
      xpack.fleet.agents.fleet_server.hosts: [ "https://fleet-server-agent-http.elk-stack.svc:8220" ]
      xpack.fleet.packages:
        - name: system
          version: latest
        - name: elastic_agent
          version: latest
        - name: fleet_server
          version: latest
        - name: kubernetes
          version: latest
      xpack.fleet.agentPolicies:
        - name: Fleet Server on ECK policy
          id: fleet-server
          namespace: default
          monitoring_enabled:
            - logs
            - metrics
          package_policies:
            - name: fleet_server-1
              id: fleet_server-1
              package:
                name: fleet_server
        - name: Elastic Agent on ECK policy
          id: eck-agent
          namespace: default
          monitoring_enabled:
            - logs
            - metrics
          unenroll_timeout: 900
          package_policies:
            - package:
                name: system
              name: system-1
            - package:
                name: kubernetes
              name: kubernetes-1

# If enabled, will use the eck-agent chart and deploy an Elastic Agent instance.
#
eck-agent:
  enabled: false

# If enabled, will use the eck-fleet-server chart and deploy a Fleet Server resource.
#
eck-fleet-server:
  enabled: true
  fullnameOverride: fleet-server
  spec:
    # This is also adjusting the kibana reference to the elasticsearch resource named previously so that
    # both the eck-elasticsearch and the eck-kibana chart work together by default in the eck-stack chart.
    elasticsearchRefs:
      - name: elasticsearch
    kibanaRef:
      name: kibana
    policyID: fleet-server

# If enabled, will use the eck-beats chart and deploy a Beats resource.
#
eck-beats:
  enabled: true
  fullnameOverride: filebeat
  name: filebeat
  spec:
    elasticsearchRef:
      name: elasticsearch
    kibanaRef:
      name: kibana
    config:
      output.elasticsearch:
        index: k8s-infra
      setup:
        template:
          index: k8s-infra
          name: k8s-infra
          pattern: k8s-infra
          lifecycle:
            enabled: true
            data_retention: "90d"
          settings:
            index:
              number_of_replicas: 2
      filebeat:
        autodiscover:
          providers:
            - type: kubernetes
              node: ${NODE_NAME}
              hints:
                enabled: true
                default_config:
                  type: container
                  paths:
                    - /var/log/containers/*${data.kubernetes.container.id}.log
      processors:
        - add_cloud_metadata: {}
        - add_host_metadata: {}
    type: filebeat
    daemonSet:
      podTemplate:
        spec:
          automountServiceAccountToken: true
          serviceAccount: filebeat
          hostNetwork: true
          dnsPolicy: ClusterFirstWithHostNet
          terminationGracePeriodSeconds: 30
          containers:
            - name: filebeat
              resources:
                limits:
                  cpu: 1000m
                  memory: 300Mi
                requests:
                  cpu: 1000m
                  memory: 300Mi
              securityContext:
                runAsUser: 0
                # If using Red Hat OpenShift uncomment this:
                #privileged: true
              volumeMounts:
                - name: varlogcontainers
                  mountPath: /var/log/containers
                - name: varlogpods
                  mountPath: /var/log/pods
                - name: varlibdockercontainers
                  mountPath: /var/lib/docker/containers
              env:
                - name: NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
          volumes:
            - name: varlogcontainers
              hostPath:
                path: /var/log/containers
            - name: varlogpods
              hostPath:
                path: /var/log/pods
            - name: varlibdockercontainers
              hostPath:
                path: /var/lib/docker/containers
  
  clusterRole:
    # permissions needed for metricbeat
    # source: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kubernetes.html
    name: filebeat
    rules:
      - apiGroups: [ "" ] # "" indicates the core API group
        resources:
          - namespaces
          - pods
          - nodes
        verbs:
          - get
          - watch
          - list
      - apiGroups: [ "apps" ]
        resources:
          - replicasets
        verbs:
          - get
          - list
          - watch
      - apiGroups: [ "batch" ]
        resources:
          - jobs
        verbs:
          - get
          - list
          - watch
  
  serviceAccount:
    name: filebeat
  
  clusterRoleBinding:
    name: filebeat
    subjects:
      - kind: ServiceAccount
        name: filebeat
    roleRef:
      kind: ClusterRole
      name: filebeat
      apiGroup: rbac.authorization.k8s.io

# If enabled, will use the eck-logstash chart and deploy a Logstash resource.
#
eck-logstash:
  fullnameOverride: logstash
  enabled: false

# If enabled, will use the eck-apm-server chart and deploy a standalone APM Server resource.
#
eck-apm-server:
  enabled: false

I can fix it by manually adding a role with permissions to create a new index in Kibana and attaching it in the secret elk-stack-filebeat-beat-user, but it is a workaround.


I have the same issues.
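For triaging the denial quoted in the first post, the following is an added example (not part of the thread and not Elastic's code) that parses the authorization message and derives a role body scoped to the denied index instead of a broad grant. The body uses the `indices` / `names` / `privileges` shape of an Elasticsearch role definition; the function names and the choice to treat `manage` and `all` as too broad are assumptions of this example.

```python
import json
import re

# Constructed sample: the denial from the post, joined onto one line.
SAMPLE = (
    "action [indices:admin/auto_create] is unauthorized for user "
    "[elk-stack-filebeat-beat-user] with effective roles "
    "[beats_admin,eck_beat_es_filebeat_role_v77,ingest_admin,kibana_admin,"
    "remote_monitoring_agent] on indices [k8s-infra], this action is granted "
    "by the index privileges [auto_configure,create_index,manage,all]"
)

DENIAL = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with effective roles \[(?P<roles>[^\]]*)\]"
    r" on indices \[(?P<indices>[^\]]*)\],"
    r" this action is granted by the index privileges \[(?P<privs>[^\]]*)\]"
)

# Assumption of this example: too broad to hand to a log shipper.
BROAD = {"manage", "all"}


def _items(csv):
    return [x.strip() for x in csv.split(",") if x.strip()]


def parse_denial(line):
    """Return the fields of an index-level authorization denial, or None."""
    # Log output is often wrapped; collapse whitespace runs before matching.
    m = DENIAL.search(" ".join(line.split()))
    if not m:
        return None
    fields = m.groupdict()
    for key in ("roles", "indices", "privs"):
        fields[key] = _items(fields[key])
    return fields


def narrow_role(denial):
    """Role body limited to the denied indices and the first non-broad privilege."""
    privs = [p for p in denial["privs"] if p not in BROAD]
    if not privs:
        raise ValueError("only broad privileges grant this action; review by hand")
    return {"indices": [{"names": denial["indices"], "privileges": privs[:1]}]}


if __name__ == "__main__":
    print(json.dumps(narrow_role(parse_denial(SAMPLE)), indent=2))
```

The derived role covers only the action named in the parsed denial, so a later denial for a different action on the same index needs its own pass.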