k8s use handbook

6.4.6.1 X-Pack on Elasticsearch

Last updated 5 years ago

Security setting in Elasticsearch (安全验证)

Because this article uses ES version 6.*, X-Pack does not need to be installed separately. Since there is no official ES license, please first check the referenced section and make sure the license is in an active state. All related parameters are configured in elasticsearch.yml; after the configuration is complete, restart the service with systemctl restart elasticsearch.service.

Key parameters:

  • action.auto_create_index: whether automatic index creation is enabled

  • xpack.security.enabled: whether security authentication is enabled; default true

  • xpack.security.transport.ssl.enabled: whether Elasticsearch nodes use SSL when transferring data between each other; default false

  • xpack.security.transport.ssl.verification_mode: one of three modes, full (default), certificate or none

    • full: checks that the certificate was issued by a trusted authority and also verifies that the hostname matches the identity in the certificate

    • certificate: checks that the certificate was issued by a trusted authority, but does not verify the hostname

    • none: performs no verification at all

  • xpack.security.transport.ssl.keystore.path: full path of the certificate (keystore) file

  • xpack.security.transport.ssl.truststore.path: full path of the truststore file

(Optional) Configure automatic index creation

X-Pack needs to create some indices in Elasticsearch automatically. By default Elasticsearch allows automatic index creation; if you have disabled it, you must configure action.auto_create_index in elasticsearch.yml so that X-Pack is allowed to create the following indices:

action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*

You can also configure action.auto_create_index: * to allow all indices to be created.

Configure transport layer security (TLS/SSL)

If you have a License and want to use X-Pack security, you must configure TLS for inter-node communication.

  1. Create a CA; the generated file is named elastic-stack-ca.p12

bin/elasticsearch-certutil ca

  2. Generate the certificate and private key

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

  3. Copy the certificates to the designated location on each node

mkdir /etc/elasticsearch/certs
mv bin/elastic-certificates.p12 /etc/elasticsearch/certs
mv bin/elastic-stack-ca.p12 /etc/elasticsearch/certs

Enable X-Pack security

Edit elasticsearch.yml and add the following:

xpack.security.enabled: true

Enable HTTPS transport within the cluster

Edit elasticsearch.yml and add the following:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
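The parameter descriptions above translate directly into checks. The following Python script is an added example, not part of the handbook or of Elasticsearch: it parses the flat key: value form used in the snippets on this page (simple [ a, b ] lists included, nested YAML excluded) and flags the combinations this page describes as weak: security enabled without inter-node TLS, verification_mode none (no validation) or certificate (no hostname check), a missing keystore or truststore path, auditing disabled, and audit output to only one of index and logfile, which the auditing section further down advises against. The three sample configurations are constructed; the second reproduces this page's own settings, so its two findings are the trade-offs the author chose.

```python
"""Check X-Pack security settings for the weak combinations described on this page.

Added example (not from the handbook or Elasticsearch). It reads the flat
"key: value" form used in the snippets above, including simple "[ a, b ]"
lists; nested YAML such as the consolidated file at the end is out of scope.
"""
from __future__ import annotations

import re

LIST_RE = re.compile(r"^\[(.*)\]$")


def parse_flat_settings(text: str) -> dict[str, object]:
    """Parse flat 'key: value' lines. '[ index, logfile ]' becomes a list,
    'true'/'false' become bools, everything else stays a string."""
    settings: dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        m = LIST_RE.match(value)
        if m:
            settings[key.strip()] = [v.strip() for v in m.group(1).split(",") if v.strip()]
        elif value.lower() in ("true", "false"):
            settings[key.strip()] = value.lower() == "true"
        else:
            settings[key.strip()] = value
    return settings


def check_security_settings(settings: dict[str, object]) -> list[str]:
    """Return findings as 'RULE: explanation' strings; an empty list means nothing flagged.
    Defaults follow the parameter list on this page (security on, transport SSL off)."""
    findings: list[str] = []
    sec = settings.get("xpack.security.enabled", True)
    ssl = settings.get("xpack.security.transport.ssl.enabled", False)
    mode = settings.get("xpack.security.transport.ssl.verification_mode", "full")
    audit = settings.get("xpack.security.audit.enabled", False)
    outputs = settings.get("xpack.security.audit.outputs", ["logfile"])
    if isinstance(outputs, str):  # tolerate 'outputs: logfile' without brackets
        outputs = [outputs]

    if sec is not True:
        findings.append("SEC-OFF: xpack.security.enabled is not true, so authentication is off")
    elif ssl is not True:
        findings.append("TLS-OFF: security is on but inter-node TLS (transport.ssl.enabled) is not")
    if ssl is True:
        if mode == "none":
            findings.append("TLS-NOVERIFY: verification_mode none performs no certificate validation")
        elif mode == "certificate":
            findings.append("TLS-NOHOSTNAME: verification_mode certificate does not check hostnames")
        for store in ("keystore", "truststore"):
            if f"xpack.security.transport.ssl.{store}.path" not in settings:
                findings.append(f"TLS-NO-{store.upper()}: transport.ssl.{store}.path is not set")
    if audit is not True:
        findings.append("AUDIT-OFF: xpack.security.audit.enabled is not true")
    elif not {"index", "logfile"} <= set(outputs):
        findings.append("AUDIT-SINGLE: audit.outputs should list both index and logfile to avoid losing records")
    return findings


# Constructed samples (not from the handbook): a node with security but no TLS
# or auditing, the settings this page actually uses, and a stricter variant.
WEAK_CONFIG = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: false
xpack.security.audit.enabled: false
"""

PAGE_CONFIG = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
"""

STRICT_CONFIG = PAGE_CONFIG.replace("verification_mode: certificate", "verification_mode: full") \
                           .replace("[ logfile ]", "[ index, logfile ]")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("page", PAGE_CONFIG), ("strict", STRICT_CONFIG)):
        print(name, check_security_settings(parse_flat_settings(cfg)) or ["no findings"])
```

Run it against any flat excerpt of a node's elasticsearch.yml; the rule id before the colon is stable, so the output can be diffed between nodes or fed into a fleet-wide check.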

Set passwords for the built-in users

Keep the usernames and passwords you create; logstash and kibana need them when connecting to ES.

  • Set passwords for all built-in users manually (interactive)

# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
  • Set passwords for all built-in users automatically

bin/elasticsearch-setup-passwords auto

Save the console output so that it can be consulted later.

Auditing Security Settings (安全审计)

Key parameters

  • xpack.security.audit.enabled: whether audit logging is enabled

  • xpack.security.audit.outputs: where audit logs are written, [ index, logfile ]

    • logfile (default): writes audit logs to <cluster-name>_access.log on each node

    • index: writes audit logs to the index named .security_audit_log

    Note: use the index output and the logfile output together wherever possible, to avoid losing audit records

  • xpack.security.audit.logfile.events.include: the events written to the audit log; defaults to access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted.

  • xpack.security.audit.logfile.events.emit_request_body: whether to include the body of the REST request for certain event types (such as authentication_failed). Defaults to false.

  • xpack.security.audit.logfile.events.ignore_filters

    <policy_name> is the name of a custom policy

    • xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users

      matching users produce no audit log, for example: ["logstash_internal"]

    • xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms

      A list of authentication realm names or wildcards. The specified policy will not print audit events for users in these realms.

    • xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles

      matching roles produce no audit log

    • xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices

      matching indices produce no audit log

Enable auditing

Edit elasticsearch.yml and add the following:

xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true

Set where audit logs are written

xpack.security.audit.outputs: [ logfile ]

Define filters that suppress audit logs

Ignore the user logstash_internal so that it generates no audit events:

xpack.security.audit.logfile.events.ignore_filters:
  exclude_logstash_write:
    users: ["logstash_internal"]
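To see what the include events and an ignore_filters policy mean for the log that auditing produces, the following Python script is an added example, not from the handbook or from Elasticsearch. It parses lines in the <cluster-name>_access.log layout of X-Pack 6.x, [timestamp] [node] [layer] [event] key=[value], ..., applies a policy with the same shape as exclude_logstash_write above (extended with an indices pattern, as the parameter list allows), and then counts authentication_failed events per origin address, the kind of check a defender runs over the audit log once it is enabled. The log lines, node name, addresses, user names, and the matching rule (every listed category of a policy must match; an event lacking the attribute is kept) are constructed assumptions, and the prefix layout is an approximation of the 6.x format.

```python
"""Analyse X-Pack 6.x audit log lines (the <cluster-name>_access.log above).

Added example (not from the handbook or Elasticsearch). The log lines are
constructed, and the prefix layout
    [timestamp] [node] [layer] [event] key=[value], key=[value], ...
approximates the 6.x logfile output.
"""
from __future__ import annotations

import re
from collections import Counter
from fnmatch import fnmatch

PREFIX_RE = re.compile(r"^\[([^\]]+)\] \[([^\]]+)\] \[([^\]]+)\] \[([^\]]+)\] (.*)$")
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")

# Constructed sample: a logstash writer, a burst of failed logins against the
# elastic superuser from one address, one stray failure, one denied delete,
# and internal node-to-node traffic.
SAMPLE_LOG = """
[2019-03-01T10:00:01,001] [es-node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.40.9.20], principal=[logstash_internal], realm=[native], action=[indices:data/write/bulk], indices=[logstash-2019.03.01]
[2019-03-01T10:00:01,500] [es-node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.40.9.20], principal=[logstash_internal], realm=[native], action=[indices:data/write/bulk], indices=[logstash-2019.03.01,logstash-2019.03.02]
[2019-03-01T10:00:02,002] [es-node-1] [rest] [authentication_failed] origin_address=[10.40.9.77], principal=[elastic], uri=[/_xpack/security/_authenticate]
[2019-03-01T10:00:02,340] [es-node-1] [rest] [authentication_failed] origin_address=[10.40.9.77], principal=[elastic], uri=[/_xpack/security/_authenticate]
[2019-03-01T10:00:02,702] [es-node-1] [rest] [authentication_failed] origin_address=[10.40.9.77], principal=[elastic], uri=[/_xpack/security/_authenticate]
[2019-03-01T10:00:03,118] [es-node-1] [rest] [authentication_failed] origin_address=[10.40.9.77], principal=[elastic], uri=[/_xpack/security/_authenticate]
[2019-03-01T10:00:05,005] [es-node-1] [rest] [authentication_failed] origin_address=[10.40.9.21], principal=[kibana], uri=[/]
[2019-03-01T10:00:06,006] [es-node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.40.9.21], principal=[readonly_user], realm=[native], action=[indices:admin/delete], indices=[logstash-2019.03.01]
[2019-03-01T10:00:07,007] [es-node-1] [transport] [access_granted] origin_type=[local_node], origin_address=[127.0.0.1], principal=[_xpack_security], action=[cluster:monitor/nodes/info], request=[NodesInfoRequest]
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Same shape as the exclude_logstash_write policy above, extended with an
# indices pattern. Assumed matching rule: every listed category must match
# (values within a category are alternatives, wildcards allowed); an event
# that lacks the attribute is kept.
IGNORE_POLICIES = {
    "exclude_logstash_write": {"users": ["logstash_internal"], "indices": ["logstash-*"]},
}
CATEGORY_ATTR = {"users": "principal", "realms": "realm", "roles": "roles", "indices": "indices"}


def parse_audit_line(line: str) -> dict[str, str] | None:
    """Split one audit line into its prefix fields plus its key=[value] attributes."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    timestamp, node, layer, event, rest = m.groups()
    attrs = dict(ATTR_RE.findall(rest))
    return {"timestamp": timestamp, "node": node, "layer": layer, "event": event, **attrs}


def matches_policy(event: dict[str, str], policy: dict[str, list[str]]) -> bool:
    """True when the event satisfies every category listed in the policy."""
    for category, patterns in policy.items():
        value = event.get(CATEGORY_ATTR[category])
        if value is None:
            return False
        values = [v.strip() for v in value.split(",")]  # indices/roles may list several
        if not any(fnmatch(v, p) for v in values for p in patterns):
            return False
    return True


def filter_events(lines, policies):
    """Parse the lines and drop every event that some ignore policy suppresses."""
    kept = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None or any(matches_policy(event, p) for p in policies.values()):
            continue
        kept.append(event)
    return kept


def summarize(events):
    """Count the kept events by event type."""
    return dict(Counter(e["event"] for e in events))


def failed_auth_by_origin(events, threshold=3):
    """Origin addresses with at least `threshold` authentication_failed events."""
    counts = Counter(e.get("origin_address", "?") for e in events if e["event"] == "authentication_failed")
    return {origin: n for origin, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    kept = filter_events(SAMPLE_LINES, IGNORE_POLICIES)
    print(summarize(kept))
    print(failed_auth_by_origin(kept))
```

The filter shows why the policy is scoped to the logstash writer only: the denied delete against a logstash-* index from another user is still kept, while the bulk writes that would otherwise dominate the log are dropped. Keep the threshold and the source of truth for addresses (origin_address) in line with what your own nodes emit before relying on the counts.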

Watcher Setting in Elasticsearch

Key parameters

  • xpack.watcher.enabled: set to true or false to turn Watcher on or off

  • xpack.http.proxy.host: the proxy host

  • xpack.http.proxy.port: the port to connect to on the proxy host

  • Email Notification Settings

    • xpack.notification.email.account

      • smtp.auth: true or false; true uses authentication, false does not

      • smtp.host: the SMTP server address

      • smtp.port: the SMTP port to connect to

      • smtp.user: the username for SMTP authentication

      • smtp.password: the password for smtp.user

      • smtp.starttls.enable: whether the connection must use TLS (STARTTLS)

  • xpack.notification.email.default_account: the account used to send alerts

Enable Watcher

Edit elasticsearch.yml and add the following:

xpack.watcher.enabled: True

Configure the SMTP account

xpack.notification.email.account:
  exmail:
    profile: standard
    email_defaults:
      from: gongxiude888@163.com
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.163.com
      port: 465
      user: gongxiude888@163.com
      password: 651201

Configure the default notification account

xpack.notification.email.default_account: exmail

Monitoring Settings in Elasticsearch

Monitoring is enabled by default; it can be configured in elasticsearch.yml:

xpack.monitoring.enabled: True

Machine Learning Settings in Elasticsearch

Machine learning is enabled by default; since it is not used here, turn it off by editing elasticsearch.yml and adding the following:

xpack.ml.enabled: False

Consolidated elasticsearch configuration

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html

# Cluster / Node Basics
cluster.name: welog

# Nodes can have arbitrary attributes that we can use for routing
node.name: es-welog02cn-dw03-p014
node.max_local_storage_nodes: 1
node.master: False
node.data: True
node.ingest: True
node.attr.rack: warm

# networking Settings
network.host: 10.40.9.154,127.0.0.1
http.enabled: false
transport.tcp.port: 9300

# dirs
path.data:
    - /data/elasticsearch/data-vdc
    - /data/elasticsearch/data-vde
    - /data/elasticsearch/data-vdd

path.logs: /data/elasticsearch/logs

# Minimum nodes alive to constitute an operational cluster
discovery.zen.minimum_master_nodes: 2

# Unicast Discovery (disable multicast)
discovery.zen.ping.unicast.hosts:
  - es-welog02cn-p001.pek3.example.net
  - es-welog02cn-p002.pek4.example.net
  - es-welog02cn-p003.pek3.example.net

# X-Pack
xpack.security.enabled: True
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.logfile.events.ignore_filters:
  exclude_logstash_write:
    users: ["logstash_internal"]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.watcher.enabled: True
xpack.monitoring.enabled: True
xpack.ml.enabled: False

xpack.notification.email.account:
  exmail:
    profile: standard
    email_defaults:
      from: log-monitor@exmail.qq.com
    smtp:
      auth: true
      starttls.enable: true
      host: smtp.exmail.qq.com
      port: 587
      user: 
      password: 

# X-Pack watcher email notification
xpack.notification.email.default_account: exmail
xpack.notification.email.account.alerting.smtp.host: "smtp.exmail.qq.com"


The following notes are excerpted; for more configuration options, refer to the official documentation.

xpack.notification can be configured in elasticsearch.yml to send notifications to email, HipChat, Slack or PagerDuty.

profile: The email profile to use to build the MIME messages that are sent from the account. Valid values: standard, gmail and outlook. Defaults to standard.

email_defaults.*: An optional set of email attributes to use as defaults for the emails sent from the account. See Email Action Attributes for the supported attributes.
