How to Set Up Kibana Login and Manage Elasticsearch Users on Kubernetes

If you’re running Elasticsearch and Kibana on Kubernetes with the Elastic Operator, managing users and login access is easier than you might think. In this post, I’ll walk you through how to set up users, manage roles, and configure Kibana authentication the Kubernetes way.

Reference Docs

For deeper insights, check out these official docs

• Managing Users and Roles in Kubernetes
• Elasticsearch Built-in Roles

Create a Secret for User Authentication

To define users for Elasticsearch and Kibana, create a Kubernetes Secret specifying the username, password, and roles.

Here’s an example:

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: rdeniro  # Required field for kubernetes.io/basic-auth
  password: mypassword  # Required field for kubernetes.io/basic-auth
  roles: kibana_admin,ingest_admin  # Optional, not part of kubernetes.io/basic-auth

You can check other built-in roles in Elasticsearch here or create custom roles as needed.

Defining Multiple Users in a Single Secret

Elasticsearch also allows defining multiple users in one secret, like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-filerealm-secrets
stringData:
  users: |-
    jack:$5b$30$BBJ/ILiyJ1eBTYoRKxkfqbuDEdYECplvxnqQ57uiowE7yGqvCEgjdW
    smith:$3a$16$chwghElYiMYZ/TzhK4uvzGeJ1KbpXZp2PfoQD.gfaVdImnHOwIuBKS
    robert:{PBKDF2}50900$z1CLJt0MEFjkIK5iEfgvfnA6xq7lF25uasspsTKSo5Q=$XxCVLbaKDimOdyWgLCLJiyoiWpA/XDMe/xtVgn1r5Sg=
  users_roles: |-
    admin:jack
    power_user:smith,jacknich
    user:jacknich

Generate Users via File Realm

To create users and their roles manually, follow these steps:

# Create a folder with the required files
mkdir filerealm
touch filerealm/users filerealm/users_roles

# Add a user 'myuser' with the role 'monitoring_user'
docker run \
  -v $(pwd)/filerealm:/usr/share/elasticsearch/config \
  docker.elastic.co/elasticsearch/elasticsearch:8.17.2 \
  bin/elasticsearch-users useradd myuser -p mypassword -r monitoring_user

# Create a Kubernetes Secret from the file realm content
kubectl create secret generic my-file-realm-secret --from-file filerealm

Attach User Secrets to Elasticsearch

To apply these users to Elasticsearch, reference the secrets in your Elasticsearch configuration:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.17.2
  auth:
    roles:
    - secretName: my-roles-secret-1
    - secretName: my-roles-secret-2
  nodeSets:
  - name: default
    count: 1

Configure Kibana to Use These Credentials

Now, let’s make Kibana use the credentials we created for login. You need to pass the secrets as environment variables in the Kibana configuration:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
  namespace: my-namespace
spec:
  config:
    xpack.security.authc.providers:
      # Anonymous Login
      anonymous.anonymous1:
        credentials:
          password: ${ES_PASSWORD}
          username: ${ES_USERNAME}
        order: 0
      # HTTP Basic Authentication
      basic.basic1:
        description: Log in as a user
        order: 1
  count: 1
  elasticsearchRef:
    name: elasticsearch
  version: 8.17.2
  podTemplate:
    spec:
      containers:
      - name: kibana
        env:
        - name: ES_USERNAME
          valueFrom:
            secretKeyRef:
              key: username
              name: elasticsearch-test-report-user
        - name: ES_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: elasticsearch-test-report-user
        readinessProbe:
          httpGet:
            path: /api/status
            port: http

If you’re using Flux CD, make sure to use double dollar signs ($$) for environment variables to prevent Flux from interpreting them as placeholders.

...
config:
    xpack.security.authc.providers:
      # Anonymous Login
      anonymous.anonymous1:
        credentials:
          password: $${ES_PASSWORD}
          username: $${ES_USERNAME}
...

In this configuration, we set up two authentication providers:

1. Anonymous Login — Allows users to access Kibana without credentials (not recommended if your Kibana instance is publicly accessible without additional security measures).

• Kibana uses predefined credentials (ES_USERNAME, ES_PASSWORD) to authenticate anonymous users.

2. Basic Authentication — Requires users to log in with their username and password.

Once you apply these changes, the login page will display both options.

Tip: Make sure to set minimal permissions for anonymous logins to avoid security risks.