How to disable security authentication in ECK?

How to disable security authentication in ECK? :cold_face:
When I was looking for how to disable security authentication in ECK, I found this configuration in the official documentation:

1. The following Elasticsearch settings are managed by ECK:

  • cluster.name
  • discovery.seed_hosts
  • discovery.seed_providers
  • discovery.zen.minimum_master_nodes [7.0] Deprecated in 7.0.
  • cluster.initial_master_nodes [7.0] Added in 7.0.
  • network.host
  • network.publish_host
  • path.data
  • path.logs
  • xpack.security.authc.reserved_realm.enabled
  • xpack.security.enabled
  • xpack.security.http.ssl.certificate
  • xpack.security.http.ssl.enabled
  • xpack.security.http.ssl.key
  • xpack.security.transport.ssl.certificate
  • xpack.security.transport.ssl.enabled
  • xpack.security.transport.ssl.key
  • xpack.security.transport.ssl.verification_mode
    doc here

2. So I did the following configuration:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.17.9
  nodeSets:
  - name: default
    count: 1
    config:
      xpack.security.enabled: false
      xpack.security.transport.ssl.enabled: false
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 2Gi
        storageClassName: nfs-es

What is the reason why I kept reporting the following error when I created elasticsearch resource?

{"type": "server", "timestamp": "2023-05-23T00:36:57,255Z", "level": "INFO", "component": "o.e.i.g.GeoIpDownloader", "cluster.name": "quickstart", "node.name": "quickstart-es-default-0", "message": "successfully downloaded geoip database [GeoLite2-Country.mmdb]", "cluster.uuid": "fbWNprfOSvuig0cGqRH06A", "node.id": "9T-S0uFGQsSv8T37xON4yw" }
{"type": "server", "timestamp": "2023-05-23T00:36:57,531Z", "level": "INFO", "component": "o.e.i.g.DatabaseNodeService", "cluster.name": "quickstart", "node.name": "quickstart-es-default-0", "message": "successfully reloaded changed geoip database file [/tmp/elasticsearch-3503673210484512476/geoip-databases/9T-S0uFGQsSv8T37xON4yw/GeoLite2-Country.mmdb]", "cluster.uuid": "fbWNprfOSvuig0cGqRH06A", "node.id": "9T-S0uFGQsSv8T37xON4yw" }
{"type": "server", "timestamp": "2023-05-23T00:36:58,014Z", "level": "INFO", "component": "o.e.i.g.DatabaseNodeService", "cluster.name": "quickstart", "node.name": "quickstart-es-default-0", "message": "successfully reloaded changed geoip database file [/tmp/elasticsearch-3503673210484512476/geoip-databases/9T-S0uFGQsSv8T37xON4yw/GeoLite2-City.mmdb]", "cluster.uuid": "fbWNprfOSvuig0cGqRH06A", "node.id": "9T-S0uFGQsSv8T37xON4yw" }
{"timestamp": "2023-05-23T00:37:00+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:05+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:10+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:15+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:20+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:25+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:30+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:34+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:39+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:45+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:50+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:37:55+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:00+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:05+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:08+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:10+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:15+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:20+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:24+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:30+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:34+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:39+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:45+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:50+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:38:54+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:00+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:04+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:09+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:14+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:19+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:25+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:29+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:33+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:34+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:39+00:00", "message": "readiness probe failed", "curl_rc": "35"}
{"timestamp": "2023-05-23T00:39:44+00:00", "message": "readiness probe failed", "curl_rc": "35"}

Hi @Teresajw
EDIT: I do not think ECK supports running insecure.

@Sunile_Manjee (our resident ECK expert), any comments?

Of course, we will both ask why you want to run ECK insecure?

Thank you! I think it is more convenient to remove it from the internal test environment. I am also testing here and found that this parameter setting is not effective. May I ask whether ECK does not support this parameter setting? :grinning:

As the docs say, this setting is managed by ECK ... so no, I do not think you can disable security. I pinged a friend who is more of an ECKspert :wink: than I am, let's see what he says.

I can tell you ECK by design, is intended to be secure.

I also thought configuration managed by ECK was unchangeable, but the following sentence makes me think so again, Other configurations besides this configuration are supported :rofl: :rofl: :rofl:, I changed it to enable security.

thanks @stephenb.

Running ECK secure shouldn't impact you (unless there is a super obvious reason why). The install is mostly transparent in terms of security, so using the defaults shouldn't require you to do anything (i.e. bring your own certs, signed by CA, etc.) special. Even when you launch Kibana on ECK, it is automatically secured via self-signed certs. You can BYO certs, but the install of ECK is mostly a beautiful experience (I'm slightly biased).

Maybe to clarify the wording in the documentation here:

  • "setting is managed by ECK" means you cannot use any of these settings no matter what value you want to set
  • "setting is not supported by ECK" means you cannot use the particular settings value listed here. This currently affects only one setting. Note that this means that only the required value for client_authentication is not supported when running on ECK. The other possible values which are in this case none and optional are supported.
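A pre-apply check for the distinction drawn in the last reply, as an added example that is not part of the original thread or of ECK itself: it flags any nodeSet `config` key that is on the managed list quoted in the first post, plus the one unsupported value. It takes the manifest already parsed from YAML; the function names, the `nested` nodeSet and the full `xpack.security.http.ssl.client_authentication` key name are assumptions not taken from the thread.

```python
# Settings "managed by ECK", copied from the list quoted in the first post.
ECK_MANAGED = set("""
cluster.name discovery.seed_hosts discovery.seed_providers
discovery.zen.minimum_master_nodes cluster.initial_master_nodes
network.host network.publish_host path.data path.logs
xpack.security.authc.reserved_realm.enabled xpack.security.enabled
xpack.security.http.ssl.certificate xpack.security.http.ssl.enabled
xpack.security.http.ssl.key xpack.security.transport.ssl.certificate
xpack.security.transport.ssl.enabled xpack.security.transport.ssl.key
xpack.security.transport.ssl.verification_mode
""".split())
# "Not supported" applies to one value only (full key name is an assumption).
UNSUPPORTED = {"xpack.security.http.ssl.client_authentication": "required"}

def flatten(cfg, prefix=""):
    """Yield (dotted_key, value) so nested and dotted YAML forms compare equal."""
    for key, value in cfg.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, dotted + ".")
        else:
            yield dotted, value

def lint_manifest(manifest):
    """Return (nodeSet, key, reason) for settings ECK manages or does not support."""
    findings = []
    for node_set in manifest.get("spec", {}).get("nodeSets", []):
        name = node_set.get("name", "?")
        for key, value in flatten(node_set.get("config") or {}):
            if key in ECK_MANAGED:
                findings.append((name, key, "managed by ECK"))
            elif str(value).lower() == UNSUPPORTED.get(key):
                findings.append((name, key, "value not supported by ECK"))
    return findings

# Constructed sample: the first post's manifest as parsed YAML, plus a
# hypothetical second nodeSet that writes its settings in nested form.
SAMPLE = {"spec": {"version": "7.17.9", "nodeSets": [
    {"name": "default", "count": 1, "config": {
        "xpack.security.enabled": False,
        "xpack.security.transport.ssl.enabled": False}},
    {"name": "nested", "count": 1, "config": {
        "xpack": {"security": {"http": {"ssl": {"client_authentication": "required"}}}},
        "node.store.allow_mmap": False}},
]}}

if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE):
        print(*finding, sep=": ")
```
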