elastic · shainaraskas · Feb 18, 2025 · Feb 8, 2025 · Feb 8, 2025 · Feb 8, 2025
@@ -1,23 +1,98 @@
 ---
+applies:
+  eck: all
 mapped_urls:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-overview.html
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-topics.html
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-supported.html
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s_learn_more_about_eck.html
 ---
 
-# Elastic Cloud on Kubernetes
+# Elastic Cloud on Kubernetes [k8s-overview]
 
-% What needs to be done: Refine
+::::{important}
+ECK is an Elastic self-managed product offered in two licensing tiers: Basic and Enterprise. For more details refer to [Elastic subscriptions](https://www.elastic.co/subscriptions) and [](/deploy-manage/license/manage-your-license-in-eck.md) documentation.
+::::
 
-% GitHub issue: https://github.com/elastic/docs-projects/issues/357
+Built on the Kubernetes Operator pattern, Elastic Cloud on Kubernetes (ECK) extends the basic Kubernetes orchestration capabilities to support the setup and management of Elasticsearch, Kibana, APM Server, Enterprise Search, Beats, Elastic Agent, Elastic Maps Server, and Logstash on Kubernetes.
 
-% Scope notes: Maybe we can even leave it as it is.
+With Elastic Cloud on Kubernetes you can streamline critical operations, such as:
 
-% Use migrated content from existing pages that map to this page:
+1. Managing and monitoring multiple clusters
+2. Scaling cluster capacity and storage
+3. Performing safe configuration changes through rolling upgrades
+4. Securing clusters with TLS certificates
+5. Setting up hot-warm-cold architectures with availability zone awareness
 
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-overview.md
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-advanced-topics.md
-%      Notes: redirect only
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-supported.md
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s_learn_more_about_eck.md
+This section provides everything you need to install, configure, and manage Elastic Stack applications with ECK, including:
+
+- [](./cloud-on-k8s/deploy-an-orchestrator.md): ECK installation methods and configuration details.
+- [](./cloud-on-k8s/manage-deployments.md): Install and configure {{es}} clusters and {{kib}} instances through ECK.
+- [](./cloud-on-k8s/orchestrate-other-elastic-applications.md): Install and configure APM Server, Enterprise Search, Beats, Elastic Agent, Elastic Maps Server, and Logstash on Kubernetes.
+- [](./cloud-on-k8s/tools-apis.md): Collection of tools and APIs available in ECK based environments.
+
+## Looking for a quickstart? [eck-quickstart]
+
+If you want to get started quickly, follow these guides to deploy ECK and set up an {{es}} cluster:
+
+* [Install ECK using the YAML manifests](./cloud-on-k8s/install-using-yaml-manifest-quickstart.md)
+* [Deploy an {{es}} cluster](./cloud-on-k8s/elasticsearch-deployment-quickstart.md)
+* [Deploy a {{kib}} instance](./cloud-on-k8s/kibana-instance-quickstart.md)
+* [Update your deployment](./cloud-on-k8s/update-deployments.md)
+
+Afterwards, you can find further sample resources [in the project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/samples) or by checking out [our recipes](./cloud-on-k8s/recipes.md).
+
+## Supported versions [k8s-supported]
+
+ECK is compatible with:
+
+* Kubernetes 1.28-1.32
+* OpenShift 4.12-4.17
+* Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS), and Amazon Elastic Kubernetes Service (EKS)
+* Helm: 3.2.0+
+* Elasticsearch, Kibana, APM Server: 6.8+, 7.1+, 8+
+* Enterprise Search: 7.7+, 8+
+* Beats: 7.0+, 8+
+* Elastic Agent: 7.10+ (standalone), 7.14+ (Fleet), 8+
+* Elastic Maps Server: 7.11+, 8+
+* Logstash: 8.7+
+
+ECK should work with all conformant installers as listed in these [FAQs](https://github.com/cncf/k8s-conformance/blob/master/faq.md#what-is-a-distribution-hosted-platform-and-an-installer). Distributions include source patches and so may not work as-is with ECK.
+
+Alpha, beta, and stable API versions follow the same [conventions used by Kubernetes](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning).
+
+Elastic Stack application images for the OpenShift-certified Elasticsearch (ECK) Operator are only available from version 7.10 and later.
+
+Check the full [Elastic support matrix](https://www.elastic.co/support/matrix#matrix_kubernetes) for more information.
+
+% TBD: discuss if these make sense here
+## Learn more about ECK [k8s_learn_more_about_eck]
+
+* [Orchestrate Elasticsearch on Kubernetes](https://www.elastic.co/elasticsearch-kubernetes)
+* [ECK post on the Elastic Blog](https://www.elastic.co/blog/introducing-elastic-cloud-on-kubernetes-the-elasticsearch-operator-and-beyond?elektra=products&storm=sub1)
+* [Getting Started With Elastic Cloud on Kubernetes (ECK)](https://www.youtube.com/watch?v=PIJmlYBIFXM)
+* [Running the Elastic Stack on Kubernetes with ECK](https://www.youtube.com/watch?v=Wf6E3vkvEFM)
+
+% TBD: discuss where to put this "ask for help info"
+## Ask for help [k8s-ask-for-help]
+
+If you are an existing Elastic customer with an active support contract, you can create a case in the [Elastic Support Portal](https://support.elastic.co/). Kindly attach an [ECK diagnostic](/troubleshoot/deployments/cloud-on-k8s/run-eck-diagnostics.md) when opening your case.
+
+Alternatively, or if you do not have a support contract, and if you are unable to find a solution to your problem with the information provided in these documents, ask for help:
+
+* [ECK Discuss forums](https://discuss.elastic.co/c/eck) to ask any question
+* [Github issues](https://github.com/elastic/cloud-on-k8s/issues) for bugs and feature requests
+
+% TBD: decide if this should be ommited also.
+% This was a "redirect only" in the excel
+## Advanced topics [k8s-advanced-topics]
+
+* [*Deploy ECK on OpenShift*](/deploy-manage/deploy/cloud-on-k8s/deploy-eck-on-openshift.md)
+* [*Deploy ECK on GKE Autopilot*](/deploy-manage/deploy/cloud-on-k8s/deploy-eck-on-gke-autopilot.md)
+* [*Create custom images*](/deploy-manage/deploy/cloud-on-k8s/create-custom-images.md)
+* [*Service meshes*](/deploy-manage/deploy/cloud-on-k8s/service-meshes.md)
+* [*Traffic Splitting*](/deploy-manage/deploy/cloud-on-k8s/requests-routing-to-elasticsearch-nodes.md)
+* [*Network policies*](/deploy-manage/deploy/cloud-on-k8s/network-policies.md)
+* [*Webhook namespace selectors*](/deploy-manage/deploy/cloud-on-k8s/webhook-namespace-selectors.md)
+* [*Stack Monitoring*](/deploy-manage/monitor/stack-monitoring/eck-stack-monitoring.md)
+* [*Deploy a FIPS compatible version of ECK*](/deploy-manage/deploy/cloud-on-k8s/deploy-fips-compatible-version-of-eck.md)
@@ -1,12 +1,14 @@
 ---
+applies:
+  eck: all
 mapped_urls:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-accessing-elastic-services.html
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-request-elasticsearch-endpoint.html
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-services.html
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-security.html
 ---
 
-# Accessing services
+# Accessing services [k8s-accessing-elastic-services]
 
 % What needs to be done: Refine
 
@@ -22,7 +24,126 @@ mapped_urls:
 % - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md
 
 % Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
-
+% already present
 $$$k8s-allow-public-access$$$
+% pending
+$$$k8s-setting-up-your-own-certificate$$$
+
+All Elastic Stack resources deployed by the ECK operator are secured by default. The operator sets up basic authentication and TLS to encrypt network traffic to, from, and within your Elasticsearch cluster.
+
+To provide access to {{es}} and {{kib}}, ECK creates standard Kubernetes services when orchestrating deployments.
+
+This section explains how to access and customize the Kubernetes services and secrets created by ECK, covering topics such as:
+
+* [Retrieving the `elastic` user password for basic authentication](#k8s-authentication)
+* [Managing Kubernetes services](#k8s-kubernetes-service)
+* [Obtaining the CA certificate and accessing the endpoint](#k8s-request-elasticsearch-endpoint)
+
+For advanced use cases related to exposing and accessing orchestrated applications, see:
+
+* [](./tls-certificates.md) → Learn how to use the self-signed certificate generated by ECK or configure a custom certificate for the HTTP endpoint.
+* [](./service-meshes.md) → Connect ECK and your managed deployments to service mesh implementations such as `Istio` and `Linkerd`.
+* [](./requests-routing-to-elasticsearch-nodes.md) → Create custom services to expose different node types.
+* [Add Ingress resources through the Helm chart](./managing-deployments-using-helm-chart.md#k8s-eck-stack-ingress).
+
+## Retrieve the `elastic` user password [k8s-authentication]
+
+To access Elastic resources, the operator manages a default user named `elastic` with the `superuser` role. Its password is stored in a `Secret` named `<name>-elastic-user`.
+
+```sh
+> kubectl get secret hulk-es-elastic-user -o go-template='{{.data.elastic | base64decode }}'
+42xyz42citsale42xyz42
+```
+
+::::{note}
+Beware of copying this Secret as-is into a different namespace. Check [Common Problems: Owner References](../../../troubleshoot/deployments/cloud-on-k8s/common-problems.md#k8s-common-problems-owner-refs) for more information.
+::::
+
+## Managing Kubernetes services [k8s-kubernetes-service]
+
+You can access Elastic resources by using native Kubernetes services that are not reachable from the public Internet by default.
+
+For each resource, the operator manages a Kubernetes service named `<name>-[es|kb|apm|ent|agent]-http`, which is of type `ClusterIP` by default. `ClusterIP` exposes the service on a cluster-internal IP and makes the service only reachable within the cluster.
+
+```sh
+> kubectl get svc
+
+NAME                TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)          AGE
+hulk-apm-http       ClusterIP      10.19.212.105   <none>           8200/TCP   1m
+hulk-es-http        ClusterIP      10.19.252.160   <none>           9200/TCP   1m
+hulk-kb-http        ClusterIP      10.19.247.151   <none>           5601/TCP   1m
+```
+
+### Allow public access [k8s-allow-public-access]
+
+You can expose services in [different ways](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) by specifying an `http.service.spec.type` in the `spec` of the resource manifest. On cloud providers which support external load balancers, you can set the `type` field to `LoadBalancer` to provision a load balancer for the `Service`, and populate the column `EXTERNAL-IP` after a short delay. Depending on the cloud provider, it may incur costs.
+
+By default, the Elasticsearch service created by ECK is configured to route traffic to all Elasticsearch nodes in the cluster. Depending on your cluster configuration, you may want more control over the set of nodes that handle different types of traffic (query, ingest, and so on). Refer to [](./requests-routing-to-elasticsearch-nodes.md) for more information.
+
+::::{warning}
+When you change the `clusterIP` setting of the service, ECK will delete and re-create the service as `clusterIP` is an immutable field. Depending on your client implementation, this might result in a short disruption until the service DNS entries refresh to point to the new endpoints.
+::::
+
+```yaml
+apiVersion: <kind>.k8s.elastic.co/v1
+kind: <Kind>
+metadata:
+  name: hulk
+spec:
+  version: 8.16.1
+  http:
+    service:
+      spec:
+        type: LoadBalancer
+```
+
+```sh
+> kubectl get svc
+
+NAME                TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)          AGE
+hulk-apm-http       LoadBalancer   10.19.212.105   35.176.227.106   8200:31000/TCP   1m
+hulk-es-http        LoadBalancer   10.19.252.160   35.198.131.115   9200:31320/TCP   1m
+hulk-kb-http        LoadBalancer   10.19.247.151   35.242.197.228   5601:31380/TCP   1m
+```
+
+## Access the endpoint [k8s-request-elasticsearch-endpoint]
+
+You can access the Elasticsearch endpoint within or outside the Kubernetes cluster.
+
+**Within the Kubernetes cluster**
+
+1. Retrieve the CA certificate.
+2. Retrieve the password of the `elastic` user.
+3. Use the service name to access the endpoint.
+
+```sh
+NAME=hulk
+
+kubectl get secret "$NAME-es-http-certs-public" -o go-template='{{index .data "tls.crt" | base64decode }}' > tls.crt
+PW=$(kubectl get secret "$NAME-es-elastic-user" -o go-template='{{.data.elastic | base64decode }}')
+
+curl --cacert tls.crt -u elastic:$PW https://$NAME-es-http:9200/
+```
+
+::::{tip}
+You can also use the examples in this section to access {{kib}} instead of {{es}} by adapting the secret and service names.
+::::
+
+**Outside the Kubernetes cluster**
+
+1. Retrieve the CA certificate.
+2. Retrieve the password of the `elastic` user.
+3. Retrieve the IP of the `LoadBalancer` service.
+
+```sh
+NAME=hulk
+
+kubectl get secret "$NAME-es-http-certs-public" -o go-template='{{index .data "tls.crt" | base64decode }}' > tls.crt
+IP=$(kubectl get svc "$NAME-es-http" -o jsonpath='{.status.loadBalancer.ingress[].ip}')
+PW=$(kubectl get secret "$NAME-es-elastic-user" -o go-template='{{.data.elastic | base64decode }}')
+
+curl --cacert tls.crt -u elastic:$PW https://$IP:9200/
+```
+
+
 
-$$$k8s-setting-up-your-own-certificate$$$
@@ -1,4 +1,6 @@
 ---
+applies:
+  eck: all
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-logstash-advanced-configuration.html
 ---

@@ -1,4 +1,6 @@
 ---
+applies:
+  eck: all
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-maps-advanced-configuration.html
 ---

@@ -1,4 +1,6 @@
 ---
+applies:
+  eck: all
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-apm-advanced-configuration.html
 ---

@@ -1,4 +1,6 @@
 ---
+applies:
+  eck: all
 mapped_pages:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-node-scheduling.html
 ---