How to Set Up Kibana Login and Manage Elasticsearch Users on Kubernetes

Veerendra K
Feb 18, 2025

If you’re running Elasticsearch and Kibana on Kubernetes with the Elastic Operator, managing users and login access is easier than you might think. In this post, I’ll walk you through how to set up users, manage roles, and configure Kibana authentication the Kubernetes way.

Reference Docs

For deeper insights, check out these official docs

Create a Secret for User Authentication

To define users for Elasticsearch and Kibana, create a Kubernetes Secret specifying the username, password, and roles.

Here’s an example:

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: rdeniro # Required field for kubernetes.io/basic-auth
  password: mypassword # Required field for kubernetes.io/basic-auth
  roles: kibana_admin,ingest_admin # Optional, not part of kubernetes.io/basic-auth

You can check other built-in roles in Elasticsearch here or create custom roles as needed.

Defining Multiple Users in a Single Secret

Elasticsearch also allows defining multiple users in one secret, like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-filerealm-secrets
stringData:
  users: |-
    jack:$5b$30$BBJ/ILiyJ1eBTYoRKxkfqbuDEdYECplvxnqQ57uiowE7yGqvCEgjdW
    smith:$3a$16$chwghElYiMYZ/TzhK4uvzGeJ1KbpXZp2PfoQD.gfaVdImnHOwIuBKS
    robert:{PBKDF2}50900$z1CLJt0MEFjkIK5iEfgvfnA6xq7lF25uasspsTKSo5Q=$XxCVLbaKDimOdyWgLCLJiyoiWpA/XDMe/xtVgn1r5Sg=
  users_roles: |-
    admin:jack
    power_user:smith,jacknich
    user:jacknich
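
A consistency check for the `users` and `users_roles` keys of such a Secret, as an added example that is not part of the original post: it reports usernames that `users_roles` references but `users` does not define, users that hold no role, and duplicate user entries. The function names and the `<hash>` placeholder are assumptions; the sample reuses the user and role names from the Secret above.

```python
# Added example: cross-check file realm `users` and `users_roles` content.
# Sample data is constructed: user and role names follow the Secret above,
# hashes are replaced by the placeholder <hash>.
USERS = """\
jack:<hash>
smith:<hash>
robert:<hash>
"""
USERS_ROLES = """\
admin:jack
power_user:smith,jacknich
user:jacknich
"""


def _entries(text):
    """Yield (line_no, key, value) for each non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"line {no}: expected 'name:value', got {raw!r}")
        yield no, key.strip(), value.strip()


def check_file_realm(users_text, users_roles_text):
    """Return findings for the two file realm files."""
    defined, duplicates = set(), []
    for _, name, _ in _entries(users_text):
        if name in defined:
            duplicates.append(name)
        defined.add(name)

    roles_of = {}  # username -> set of roles that list it
    for _, role, members in _entries(users_roles_text):
        for user in filter(None, (m.strip() for m in members.split(","))):
            roles_of.setdefault(user, set()).add(role)

    return {
        "duplicate_users": duplicates,
        "undefined_users": {u: sorted(r) for u, r in sorted(roles_of.items())
                            if u not in defined},
        "users_without_roles": sorted(defined - set(roles_of)),
    }


if __name__ == "__main__":
    for finding, value in check_file_realm(USERS, USERS_ROLES).items():
        print(f"{finding}: {value}")
```

Running it on the files before `kubectl create secret` catches a role line that points at a misspelled or missing username.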

Generate Users via File Realm

To create users and their roles manually, follow these steps:

# Create a folder with the required files
mkdir filerealm
touch filerealm/users filerealm/users_roles

# Add a user 'myuser' with the role 'monitoring_user'
docker run \
  -v "$(pwd)/filerealm:/usr/share/elasticsearch/config" \
  docker.elastic.co/elasticsearch/elasticsearch:8.17.2 \
  bin/elasticsearch-users useradd myuser -p mypassword -r monitoring_user

# Create a Kubernetes Secret from the file realm content
kubectl create secret generic my-file-realm-secret --from-file filerealm

Attach User Secrets to Elasticsearch

To apply these users to Elasticsearch, reference the secrets in your Elasticsearch configuration:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.17.2
  auth:
    # User secrets are listed under fileRealm; auth.roles takes role-definition secrets
    fileRealm:
    - secretName: secret-basic-auth
    - secretName: my-file-realm-secret
  nodeSets:
  - name: default
    count: 1

Configure Kibana to Use These Credentials

Now, let’s make Kibana use the credentials we created for login. You need to pass the secrets as environment variables in the Kibana configuration:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
  namespace: my-namespace
spec:
  config:
    xpack.security.authc.providers:
      # Anonymous Login
      anonymous.anonymous1:
        credentials:
          password: ${ES_PASSWORD}
          username: ${ES_USERNAME}
        order: 0
      # HTTP Basic Authentication
      basic.basic1:
        description: Log in as a user
        order: 1
  count: 1
  elasticsearchRef:
    name: elasticsearch
  version: 8.17.2
  podTemplate:
    spec:
      containers:
      - name: kibana
        env:
        - name: ES_USERNAME
          valueFrom:
            secretKeyRef:
              key: username
              name: elasticsearch-test-report-user
        - name: ES_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: elasticsearch-test-report-user
        readinessProbe:
          httpGet:
            path: /api/status
            port: http

If you’re using Flux CD, make sure to use double dollar signs ($$) for environment variables to prevent Flux from interpreting them as placeholders.

...
  config:
    xpack.security.authc.providers:
      # Anonymous Login
      anonymous.anonymous1:
        credentials:
          password: $${ES_PASSWORD}
          username: $${ES_USERNAME}
...

In this configuration, we set up two authentication providers:

1. Anonymous Login — Allows users to access Kibana without credentials (not recommended if your Kibana instance is publicly accessible without additional security measures).

  • Kibana uses predefined credentials (ES_USERNAME, ES_PASSWORD) to authenticate anonymous users.

2. Basic Authentication — Requires users to log in with their username and password.

Once you apply these changes, the login page will display both options.

Tip: Make sure to set minimal permissions for anonymous logins to avoid security risks.


Written by Veerendra K

I’m Veerendra, Site Reliability Engineer, passionate about tech. You can also find my blog posts in https://veerendra2.github.io/
