How to whitelist a health probe?


(JamesD) #1

I’m deploying Elasticsearch-oss 6.3.1 on Kubernetes 1.12.3. I have baked ReadOnlyRest plugin into the Elasticsearch image. Kube can start the container, but the health probes fail. Here are the error messages:
Readiness probe failed: Get http://192.168.131.86:9200/_cluster/health: dial tcp 192.168.131.86:9200: connect: connection refused
Liveness probe failed: Get http://192.168.131.86:9200/_cluster/health?local=true: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Here is my current readonlyrest.yml file:
readonlyrest:
  # IMPORTANT FOR LOGIN/LOGOUT TO WORK
  prompt_for_basic_auth: false
  audit_collector: true

  access_control_rules:

  - name: 'Localhost'
    hosts: [127.0.0.1]

  -
    ldap_authentication: everyone
    ldap_authorization: {name: everyone, groups: [SG-App-Kibana-Ecosystem]}
    name: Admins
    kibana_access: admin

  - name: 'Kibana Admin'
    auth_key: 'kibana:foo'

  - name: 'Lander Account'
    auth_key: 'lander:foo'
    kibana_access: ro

  - name: 'Logstash User'
    auth_key: 'logstash_user:foo'
    actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]

  - name: 'Rover User'
    actions: ['cluster:monitor/main', 'indices:data/read/*']
    auth_key: 'rover:foo'

  - name: Local Auth for admin
    type: allow
    kibana_access: admin
    groups: ["Admins"]

  users:
  - username: es_admin
    auth_key: es_admin:foo
    groups: ["Admins"]

  ldaps:

  - name: everyone
    host: my.host.local
    port: 389
    .... deleted...

QUESTION:
How can I allow the health probes to execute without authentication for those specific actions?


(JamesD) #2

I’ve added this and it’s working:

  - name: 'Probes'
    type: allow
    actions: ['cluster:monitor/*']

(JamesD) #3

Lemme know if there is a better way to do this.


(Simone Scarduzio) #4

Hi @jdepaul,

I think your solution is a good beginning, but if you want to be more specific to what exactly you are allowing in without credentials, you could analyse the ES logs and find a “FORBIDDEN” log line. There should be the exact action you can allow without using the wildcard symbol.
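As an added illustration of the narrowing step suggested in the reply above (this is not code from the thread or from the ReadOnlyRest project): a small Python script that pulls the exact ACT (action), OA (origin address) and PTH (path) fields out of FORBIDDEN log lines and renders an allow rule that names only those actions for the probe source hosts, instead of the cluster:monitor/* wildcard. The log lines below are constructed in the key:value style ReadOnlyRest uses, and the probe source IP 192.168.131.1 is an assumed kubelet node address; check both against your own ES logs before using the output.

```python
import re
from collections import Counter

# Constructed sample ES log lines (format assumed to follow ReadOnlyRest's
# "FORBIDDEN by default req={ KEY:value, ... }" style; verify against real logs).
SAMPLE_LOG = """\
[2019-01-10T12:00:01,000][INFO ][t.b.r.a.ACL] FORBIDDEN by default req={ ID:1-a, TYP:ClusterHealthRequest, USR:[no basic auth header], ACT:cluster:monitor/health, OA:192.168.131.1, MET:GET, PTH:/_cluster/health }
[2019-01-10T12:00:02,000][INFO ][t.b.r.a.ACL] FORBIDDEN by default req={ ID:2-b, TYP:ClusterHealthRequest, USR:[no basic auth header], ACT:cluster:monitor/health, OA:192.168.131.1, MET:GET, PTH:/_cluster/health?local=true }
[2019-01-10T12:00:03,000][INFO ][t.b.r.a.ACL] ALLOWED by { name: 'Kibana Admin' } req={ ID:3-c, TYP:SearchRequest, USR:kibana, ACT:indices:data/read/search, OA:10.0.0.5, MET:POST, PTH:/.kibana/_search }
[2019-01-10T12:00:04,000][INFO ][t.b.r.a.ACL] FORBIDDEN by default req={ ID:4-d, TYP:NodesStatsRequest, USR:[no basic auth header], ACT:cluster:monitor/nodes/stats, OA:10.0.0.9, MET:GET, PTH:/_nodes/stats }
"""

FORBIDDEN_RE = re.compile(r"FORBIDDEN .*?req=\{(?P<body>.*)\}")
# Keys are short upper-case tags; values run to the next comma or closing brace,
# so an action such as cluster:monitor/health keeps its internal colon.
FIELD_RE = re.compile(r"(?P<key>[A-Z]{2,4}):(?P<val>[^,}]+)")

def parse_forbidden(log_text):
    """Return one dict of req={...} fields per FORBIDDEN line; ALLOWED lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        records.append({k: v.strip() for k, v in FIELD_RE.findall(m.group("body"))})
    return records

def probe_allowlist(log_text, probe_hosts):
    """Count the actions that unauthenticated requests from the probe hosts were denied."""
    counts = Counter()
    for rec in parse_forbidden(log_text):
        unauthenticated = "no basic auth" in rec.get("USR", "")
        if unauthenticated and rec.get("OA") in probe_hosts and "ACT" in rec:
            counts[rec["ACT"]] += 1
    return counts

def render_rule(name, actions, hosts):
    """Render a ReadOnlyRest ACL block naming the exact actions and the probe hosts."""
    return "\n".join([
        f"  - name: '{name}'",
        "    type: allow",
        f"    actions: [{', '.join(repr(a) for a in sorted(actions))}]",
        f"    hosts: [{', '.join(hosts)}]",
    ])

if __name__ == "__main__":
    probes = ["192.168.131.1"]  # assumed kubelet node IP that sends the probes
    print(render_rule("Probes", probe_allowlist(SAMPLE_LOG, set(probes)), probes))
```

Requests from other origins (the nodes/stats denial from 10.0.0.9 above) stay out of the generated rule, so the allow list only grows with what the probes themselves were refused.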