--- clusterName: "opensearch-cluster" nodeGroup: "leader" # The service that non master groups will try to connect to when joining the cluster # This should be set to clusterName + "-" + nodeGroup for your master group masterService: "opensearch-cluster-leader" # OpenSearch roles that will be applied to this nodeGroup # These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client roles: - master - ingest - data - remote_cluster_client replicas: 3 minimumMasterNodes: 2 # if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion. majorVersion: "7" #global: # Set if you want to change the default docker registry, e.g. a private one. # dockerRegistry: "" # Allows you to add any config files in {{ .Values.opensearchHome }}/config opensearchHome: /usr/share/opensearch # such as opensearch.yml config: opensearch.yml: | cluster.name: opensearch-cluster plugins.query.datasources.encryption.masterkey: ${QUERY_DATASOURCES_MASTER_KEY} # Bind to all interfaces because we don't know what IP address Docker will assign to us. network.host: 0.0.0.0 # # minimum_master_nodes need to be explicitly set when bound on a public IP # # set to 1 to allow single node clusters # discovery.zen.minimum_master_nodes: 1 # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. # discovery.type: single-node plugins: security: ssl: transport: pemcert_filepath: esnode.pem pemkey_filepath: esnode-key.pem pemtrustedcas_filepath: root-ca.pem enforce_hostname_verification: false http: enabled: true pemcert_filepath: esnode.pem pemkey_filepath: esnode-key.pem pemtrustedcas_filepath: root-ca.pem allow_unsafe_democertificates: true allow_default_init_securityindex: true authcz: admin_dn: - CN=kirk,OU=client,O=client,L=test,C=de audit.type: internal_opensearch enable_snapshot_restore_privilege: true check_snapshot_restore_write_privileges: true restapi: roles_enabled: ["all_access", "security_rest_api_access"] system_indices: enabled: true indices: [ ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*", ] # Extra environment variables to append to this nodeGroup. # This will be appended to the current 'env:' key. You can use any of the kubernetes env # syntax here extraEnvs: # - name: MY_ENVIRONMENT_VAR # value: the_value_goes_here - name: DISABLE_INSTALL_DEMO_CONFIG value: "false" # Allows you to load environment variables from kubernextes secret or config map envFrom: [] # A list of secrets and their paths to mount inside the pod # This is useful for mounting certificates for security and for mounting # the X-Pack license secretMounts: [] hostAliases: [] image: repository: "opensearchproject/opensearch" # override image tag, which is .Chart.AppVersion by default tag: "" pullPolicy: "Always" podAnnotations: {} # additionals labels labels: {} opensearchJavaOpts: "-Xmx2G -Xms2G" resources: requests: cpu: "1" memory: "12Gi" networkHost: "0.0.0.0" rbac: create: false serviceAccountAnnotations: {} serviceAccountName: "" podSecurityPolicy: create: false name: "" spec: privileged: true fsGroup: rule: RunAsAny runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - secret - configMap - persistentVolumeClaim - emptyDir persistence: enabled: true # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk. enableInitChown: false # override image, which is busybox by default # image: busybox # override image tag, which is latest by default # imageTag: labels: # Add default labels for the volumeClaimTemplate of the StatefulSet enabled: false # OpenSearch Persistent Volume Storage Class # If defined, storageClassName: # If set to "-", storageClassName: "", which disables dynamic provisioning # If undefined (the default) or set to null, no storageClassName spec is # set, choosing the default provisioner. (gp2 on AWS, standard on # GKE, AWS & OpenStack) accessModes: - ReadWriteOnce size: 50Gi annotations: {} protocol: http httpPort: 9200 transportPort: 9300 service: type: ClusterIP httpPortName: http transportPortName: transport updateStrategy: RollingUpdate # This is the max unavailable setting for the pod disruption budget # The default value of 1 will make sure that kubernetes won't allow more than 1 # of your pods to be unavailable during maintenance. maxUnavailable: 1 podSecurityContext: fsGroup: 1000 runAsUser: 1000 securityContext: capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000 securityConfig: enabled: true path: "/usr/share/opensearch/config/opensearch-security" actionGroupsSecret: configSecret: internalUsersSecret: rolesSecret: rolesMappingSecret: tenantsSecret: # The following option simplifies securityConfig by using a single secret and # specifying the config files as keys in the secret instead of creating # different secrets for for each config file. # Note that this is an alternative to the individual secret configuration # above and shouldn't be used if the above secrets are used. config: # There are multiple ways to define the configuration here: # * If you define anything under data, the chart will automatically create # a secret and mount it. # * If you define securityConfigSecret, the chart will assume this secret is # created externally and mount it. # * It is an error to define both data and securityConfigSecret. # securityConfigSecret: "" data: config.yml: | _meta: type: "config" config_version: 2 config: dynamic: # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently #filtered_alias_mode: warn #do_not_fail_on_forbidden: false kibana: # Kibana multitenancy multitenancy_enabled: true server_username: kibanaserver index: '.kibana' http: anonymous_auth_enabled: true xff: enabled: false internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern #internalProxies: '.*' # trust all internal proxies, regex pattern #remoteIpHeader: 'x-forwarded-for' ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For ###### and here https://tools.ietf.org/html/rfc7239 ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve authc: kerberos_auth_domain: http_enabled: false transport_enabled: false order: 6 http_authenticator: type: kerberos challenge: true config: # If true a lot of kerberos/security related debugging output will be logged to standard out krb_debug: false # If true then the realm will be stripped from the user name strip_realm_from_principal: true authentication_backend: type: noop basic_internal_auth_domain: description: "Authenticate via HTTP Basic against internal users database" http_enabled: true transport_enabled: true order: 4 http_authenticator: type: basic challenge: true authentication_backend: type: intern proxy_auth_domain: description: "Authenticate via proxy" http_enabled: false transport_enabled: false order: 3 http_authenticator: type: proxy challenge: false config: user_header: "x-proxy-user" roles_header: "x-proxy-roles" authentication_backend: type: noop jwt_auth_domain: description: "Authenticate via Json Web Token" http_enabled: false transport_enabled: false order: 0 http_authenticator: type: jwt challenge: false config: signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" jwt_header: "Authorization" jwt_url_parameter: null roles_key: null subject_key: null authentication_backend: type: noop openid_auth_domain: http_enabled: true transport_enabled: true order: 1 http_authenticator: type: openid challenge: false config: subject_key: email roles_key: email openid_connect_url: https://accounts.google.com/.well-known/openid-configuration authentication_backend: type: noop clientcert_auth_domain: description: "Authenticate via SSL client certificates" http_enabled: false transport_enabled: false order: 2 http_authenticator: type: clientcert config: username_attribute: cn #optional, if omitted DN becomes username challenge: false authentication_backend: type: noop ldap: description: "Authenticate via LDAP or Active Directory" http_enabled: false transport_enabled: false order: 5 http_authenticator: type: basic challenge: false authentication_backend: # LDAP authentication backend (authenticate users against a LDAP or Active Directory) type: ldap config: # enable ldaps enable_ssl: false # enable start tls, enable_ssl should be false enable_start_tls: false # send client certificate enable_ssl_client_auth: false # verify ldap hostname verify_hostnames: true hosts: - localhost:8389 bind_dn: null password: null userbase: 'ou=people,dc=example,dc=com' # Filter to search for users (currently in the whole subtree beneath userbase) # {0} is substituted with the username usersearch: '(sAMAccountName={0})' # Use this attribute from the user as username (if not set then DN is used) username_attribute: null authz: roles_from_myldap: description: "Authorize via LDAP or Active Directory" http_enabled: false transport_enabled: false authorization_backend: # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) type: ldap config: # enable ldaps enable_ssl: false # enable start tls, enable_ssl should be false enable_start_tls: false # send client certificate enable_ssl_client_auth: false # verify ldap hostname verify_hostnames: true hosts: - localhost:8389 bind_dn: null password: null rolebase: 'ou=groups,dc=example,dc=com' # Filter to search for roles (currently in the whole subtree beneath rolebase) # {0} is substituted with the DN of the user # {1} is substituted with the username # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute rolesearch: '(member={0})' # Specify the name of the attribute which value should be substituted with {2} above userroleattribute: null # Roles as an attribute of the user entry userrolename: disabled #userrolename: memberOf # The attribute in a role entry containing the name of that role, Default is "name". # Can also be "dn" to use the full DN as rolename. rolename: cn # Resolve nested roles transitive (roles which are members of other roles and so on ...) resolve_nested_roles: true userbase: 'ou=people,dc=example,dc=com' # Filter to search for users (currently in the whole subtree beneath userbase) # {0} is substituted with the username usersearch: '(uid={0})' # Skip users matching a user name, a wildcard or a regex pattern #skip_users: # - 'cn=Michael Jackson,ou*people,o=TEST' # - '/\S*/' roles_from_another_ldap: description: "Authorize via another Active Directory" http_enabled: false transport_enabled: false authorization_backend: type: ldap internal_users.yml: | _meta: type: "internalusers" config_version: 2 # Define your internal users here ## Demo users admin: hash: "$2y$12$Z4K8PeTTLUA4x.4mDri2ReuHCtZ55.zxiw342xhYeQf1P9RIkLSCW" reserved: true backend_roles: - "admin" description: "Demo admin user" kibanaserver: hash: "$2y$12$fYudyhWT/xks1IZhko5Osuja3yrpt8NrQjXN.HdACfIs4uMy5TGKC" reserved: true description: "Demo OpenSearch Dashboards user" kibanaro: hash: "$2y$12$O7ZpyD71zss2i.KafEA9GeRtKs8Ch2hSN8HtbcT1xCUwJPWVN7Y3u" reserved: false backend_roles: - "kibanauser" - "readall" attributes: attribute1: "value1" attribute2: "value2" attribute3: "value3" description: "Demo OpenSearch Dashboards read only user" logstash: hash: "$2y$12$.iY36ILKEixrPF1ioV8in.vNlFVCW8wsy1Gf9m.mXlbT0U9QmvBK2" reserved: false backend_roles: - "logstash" description: "Demo logstash user" readall: hash: "$2y$12$15huaUhaiNxHiP0JIhf.QeB9NVsB/nTiSytIT1DQJfXCEKKJaIy8C" reserved: false backend_roles: - "readall" description: "Demo readall user" snapshotrestore: hash: "$2y$12$dyT.lMC1GdPwOVBSxfnS5ebGBH9S2.SkVI/F6D6ASy90oX8SdAxV." reserved: false backend_roles: - "snapshotrestore" description: "Demo snapshotrestore user" roles.yml: | _meta: type: "roles" config_version: 2 # Restrict users so they can only view visualization and dashboard on OpenSearchDashboards kibana_read_only: reserved: true # The security REST API access role is used to assign specific users access to change the security settings through the REST API. security_rest_api_access: reserved: true # Allows users to view monitors, destinations and alerts alerting_read_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/alerting/alerts/get' - 'cluster:admin/opendistro/alerting/destination/get' - 'cluster:admin/opendistro/alerting/destination/email_group/search' - 'cluster:admin/opendistro/alerting/destination/email_account/search' - 'cluster:admin/opendistro/alerting/monitor/get' - 'cluster:admin/opendistro/alerting/monitor/search' # Allows users to view and acknowledge alerts alerting_ack_alerts: reserved: true cluster_permissions: - 'cluster:admin/opendistro/alerting/alerts/*' # Allows users to use all alerting functionality alerting_full_access: reserved: true cluster_permissions: - 'cluster_monitor' - 'cluster:admin/opendistro/alerting/*' index_permissions: - index_patterns: - '*' allowed_actions: - 'indices_monitor' - 'indices:admin/aliases/get' - 'indices:admin/mappings/get' # Allow users to read Anomaly Detection detectors and results anomaly_read_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/ad/detector/info' - 'cluster:admin/opendistro/ad/detector/search' - 'cluster:admin/opendistro/ad/detectors/get' - 'cluster:admin/opendistro/ad/result/search' - 'cluster:admin/opendistro/ad/tasks/search' - 'cluster:admin/opendistro/ad/detector/validate' - 'cluster:admin/opendistro/ad/result/topAnomalies' # Allows users to use all Anomaly Detection functionality anomaly_full_access: reserved: true cluster_permissions: - 'cluster_monitor' - 'cluster:admin/opendistro/ad/*' index_permissions: - index_patterns: - '*' allowed_actions: - 'indices_monitor' - 'indices:admin/aliases/get' - 'indices:admin/mappings/get' # Allows users to read Notebooks notebooks_read_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/notebooks/list' - 'cluster:admin/opendistro/notebooks/get' # Allows users to all Notebooks functionality notebooks_full_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/notebooks/create' - 'cluster:admin/opendistro/notebooks/update' - 'cluster:admin/opendistro/notebooks/delete' - 'cluster:admin/opendistro/notebooks/get' - 'cluster:admin/opendistro/notebooks/list' # Allows users to read observability objects observability_read_access: reserved: true cluster_permissions: - 'cluster:admin/opensearch/observability/get' - 'cluster:admin/opensearch/ppl' # Allows users to all Observability functionality observability_full_access: reserved: true cluster_permissions: - 'cluster:admin/opensearch/observability/create' - 'cluster:admin/opensearch/observability/update' - 'cluster:admin/opensearch/observability/delete' - 'cluster:admin/opensearch/observability/get' # Allows users to read and download Reports reports_instances_read_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/reports/instance/list' - 'cluster:admin/opendistro/reports/instance/get' - 'cluster:admin/opendistro/reports/menu/download' # Allows users to read and download Reports and Report-definitions reports_read_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/reports/definition/get' - 'cluster:admin/opendistro/reports/definition/list' - 'cluster:admin/opendistro/reports/instance/list' - 'cluster:admin/opendistro/reports/instance/get' - 'cluster:admin/opendistro/reports/menu/download' # Allows users to all Reports functionality reports_full_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/reports/definition/create' - 'cluster:admin/opendistro/reports/definition/update' - 'cluster:admin/opendistro/reports/definition/on_demand' - 'cluster:admin/opendistro/reports/definition/delete' - 'cluster:admin/opendistro/reports/definition/get' - 'cluster:admin/opendistro/reports/definition/list' - 'cluster:admin/opendistro/reports/instance/list' - 'cluster:admin/opendistro/reports/instance/get' - 'cluster:admin/opendistro/reports/menu/download' # Allows users to use all asynchronous-search functionality asynchronous_search_full_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/asynchronous_search/*' index_permissions: - index_patterns: - '*' allowed_actions: - 'indices:data/read/search*' # Allows users to read stored asynchronous-search results asynchronous_search_read_access: reserved: true cluster_permissions: - 'cluster:admin/opendistro/asynchronous_search/get' # Allows user to use all index_management actions - ism policies, rollups, transforms index_management_full_access: reserved: true cluster_permissions: - "cluster:admin/opendistro/ism/*" - "cluster:admin/opendistro/rollup/*" - "cluster:admin/opendistro/transform/*" index_permissions: - index_patterns: - '*' allowed_actions: - 'indices:admin/opensearch/ism/*' # Allows users to use all cross cluster replication functionality at leader cluster cross_cluster_replication_leader_full_access: reserved: true index_permissions: - index_patterns: - '*' allowed_actions: - "indices:admin/plugins/replication/index/setup/validate" - "indices:data/read/plugins/replication/changes" - "indices:data/read/plugins/replication/file_chunk" # Allows users to use all cross cluster replication functionality at follower cluster cross_cluster_replication_follower_full_access: reserved: true cluster_permissions: - "cluster:admin/plugins/replication/autofollow/update" index_permissions: - index_patterns: - '*' allowed_actions: - "indices:admin/plugins/replication/index/setup/validate" - "indices:data/write/plugins/replication/changes" - "indices:admin/plugins/replication/index/start" - "indices:admin/plugins/replication/index/pause" - "indices:admin/plugins/replication/index/resume" - "indices:admin/plugins/replication/index/stop" - "indices:admin/plugins/replication/index/update" - "indices:admin/plugins/replication/index/status_check" # Allow users to read ML stats/models/tasks ml_read_access: reserved: true cluster_permissions: - 'cluster:admin/openserach/ml/stats' - 'cluster:admin/opensearch/ml/models/get' - 'cluster:admin/opensearch/ml/models/search' - 'cluster:admin/opensearch/ml/tasks/get' - 'cluster:admin/opensearch/ml/tasks/search' # Allows users to read Notifications config/channels notifications_read_access: reserved: true cluster_permissions: - 'cluster:admin/opensearch/notifications/configs/get' - 'cluster:admin/opensearch/notifications/features' - 'cluster:admin/opensearch/notifications/channels/get' # Allows users to see snapshots, repositories, and snapshot management policies snapshot_management_read_access: reserved: true cluster_permissions: - 'cluster:admin/opensearch/snapshot_management/policy/get' - 'cluster:admin/opensearch/snapshot_management/policy/search' - 'cluster:admin/opensearch/snapshot_management/policy/explain' - 'cluster:admin/repository/get' - 'cluster:admin/snapshot/get' # Allows users to use all ML functionality ml_full_access: reserved: true cluster_permissions: - 'cluster_monitor' - 'cluster:admin/opensearch/ml/*' index_permissions: - index_patterns: - '*' allowed_actions: - 'indices_monitor' # Anonymous access role opendistro_security_anonymous_role: reserved: true cluster_permissions: # For using _cat/indices - 'cluster:monitor/state' - 'cluster:monitor/health' - 'cluster:monitor/nodes/info' # To enable read access to ISM - cluster:admin/opendistro/ism/policy/search - cluster:admin/opendistro/ism/managedindex/explain - cluster:admin/opendistro/rollup/search - cluster:admin/opendistro/transform/get_transforms # To enable read access to various ISM Jobs - cluster:admin/opendistro/rollup/explain - cluster:admin/opendistro/ism/policy/get - cluster:admin/opendistro/rollup/get - cluster:admin/opendistro/transform/explain - cluster:admin/opendistro/transform/get # For ML - cluster:admin/opensearch/ml/trainAndPredict # To enable read access to security analytics - cluster:admin/opensearch/securityanalytics/rule/search - cluster:admin/opensearch/securityanalytics/detector/search - cluster:admin/opensearch/securityanalytics/findings/get - cluster:admin/opensearch/securityanalytics/alerts/get - cluster:admin/opensearch/securityanalytics/detector/get # For using sql join query - "indices:data/read/scroll*" index_permissions: - index_patterns: - ".kibana" - ".kibana-6" - ".kibana_*" - ".opensearch_dashboards" - ".opensearch_dashboards-6" - ".opensearch_dashboards_*" allowed_actions: - "read" - index_patterns: - ".tasks" - ".management-beats" - "*:.tasks" - "*:.management-beats" allowed_actions: - "read" - index_patterns: - 'opensearch_dashboards_sample_data_logs' - 'opensearch_dashboards_sample_data_flights' - 'opensearch_dashboards_sample_data_ecommerce' allowed_actions: - "read" - index_patterns: - '*' allowed_actions: - "read" - "indices:data/read/mget" - "indices:data/read/msearch" - "indices:data/read/mtv" - "indices:admin/get" - "indices:admin/aliases/exists*" - "indices:admin/aliases/get*" - "indices:admin/mappings/get" - "indices:data/read/scroll" - "indices:monitor/settings/get" - "indices:monitor/stats" tenant_permissions: - tenant_patterns: - '*' allowed_actions: - "kibana_all_read" # Google users access role google_users_role: reserved: true cluster_permissions: # For using _cat/indices - 'cluster:monitor/state' - 'cluster:monitor/health' - 'cluster:monitor/nodes/info' # For script - 'cluster:admin/script/put' # To enable read access to ISM - cluster:admin/opendistro/ism/policy/search - cluster:admin/opendistro/ism/managedindex/explain - cluster:admin/opendistro/rollup/search - cluster:admin/opendistro/transform/get_transforms # To enable read access to various ISM Jobs - cluster:admin/opendistro/rollup/explain - cluster:admin/opendistro/ism/policy/get - cluster:admin/opendistro/rollup/get - cluster:admin/opendistro/transform/explain - cluster:admin/opendistro/transform/get # To enable read access to security analytics - cluster:admin/opensearch/securityanalytics/rule/search - cluster:admin/opensearch/securityanalytics/detector/search - cluster:admin/opensearch/securityanalytics/findings/get - cluster:admin/opensearch/securityanalytics/alerts/get - cluster:admin/opensearch/securityanalytics/detector/get # For using sql join query - "indices:data/read/scroll*" # For Observability sample - cluster:admin/opensearch/observability/create - cluster:admin/opensearch/observability/update - cluster:admin/opensearch/observability/get # For ML - cluster:admin/opensearch/ml/trainAndPredict index_permissions: - index_patterns: - ".kibana" - ".kibana-6" - ".kibana_*" - ".opensearch_dashboards" - ".opensearch_dashboards-6" - ".opensearch_dashboards_*" allowed_actions: - "read" - index_patterns: - ".tasks" - ".management-beats" - "*:.tasks" - "*:.management-beats" allowed_actions: - "read" - index_patterns: - 'opensearch_dashboards_sample_data_logs' - 'opensearch_dashboards_sample_data_flights' - 'opensearch_dashboards_sample_data_ecommerce' allowed_actions: - "*" - index_patterns: - '*' allowed_actions: - "read" - "indices:data/read/mget" - "indices:data/read/msearch" - "indices:data/read/mtv" - "indices:data/write*" - "indices:admin/create" - 'indices:admin/analyze' - "indices:admin/get" - "indices:admin/aliases/exists*" - "indices:admin/aliases/get*" - "indices:admin/mappings/get" - "indices:monitor/settings/get" - "indices:monitor/stats" tenant_permissions: - tenant_patterns: - '*' allowed_actions: - "kibana_all_read" roles_mapping.yml: | _meta: type: "rolesmapping" config_version: 2 # Define your roles mapping here google_users_role: backend_roles: - "kibanauser" users: - "*@gmail.com" opendistro_security_anonymous_role: backend_roles: - "opendistro_security_anonymous_backendrole" alerting_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" anomaly_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" notebooks_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" observability_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" reports_instances_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" reports_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" asynchronous_search_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" ml_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" notifications_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" snapshot_management_read_access: backend_roles: - "opendistro_security_anonymous_backendrole" users: - "*@gmail.com" ## Demo roles mapping all_access: reserved: false backend_roles: - "admin" description: "Maps admin to all_access" own_index: reserved: false users: - "*" description: "Allow full access to an index named like the username" logstash: reserved: false backend_roles: - "logstash" kibana_user: reserved: false backend_roles: - "kibanauser" description: "Maps kibanauser to kibana_user" readall: reserved: false backend_roles: - "readall" manage_snapshots: reserved: false backend_roles: - "snapshotrestore" kibana_server: reserved: true users: - "kibanaserver" action_groups.yml: | _meta: type: "actiongroups" config_version: 2 tenants.yml: | _meta: type: "tenants" config_version: 2 # Define your tenants here ## Demo tenants # Demo: # reserved: false # description: "Demo tenant for admin user" whitelist.yml: | config: enabled: false requests: /_cluster/settings: - GET /_cat/nodes: - GET nodes_dn.yml: | _meta: type: "nodesdn" config_version: 2 audit.yml: | _meta: type: "audit" config_version: 2 config: # enable/disable audit logging enabled: true audit: # Enable/disable REST API auditing enable_rest: true # Categories to exclude from REST API auditing disabled_rest_categories: - AUTHENTICATED - GRANTED_PRIVILEGES # Enable/disable Transport API auditing enable_transport: true # Categories to exclude from Transport API auditing disabled_transport_categories: - AUTHENTICATED - GRANTED_PRIVILEGES # Users to be excluded from auditing. Wildcard patterns are supported. Eg: # ignore_users: ["test-user", "employee-*"] ignore_users: - kibanaserver # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: # ignore_requests: ["indices:data/read/*", "SearchRequest"] ignore_requests: [] # Log individual operations in a bulk request resolve_bulk_requests: false # Include the body of the request (if available) for both REST and the transport layer log_request_body: true # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns resolve_indices: true # Exclude sensitive headers from being included in the logs. Eg: Authorization exclude_sensitive_headers: true compliance: # enable/disable compliance enabled: true # Log updates to internal security changes internal_config: true # Log external config files for the node external_config: false # Log only metadata of the document for read events read_metadata_only: true # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: # read_watched_fields: { # "twitter": ["message"] # "logs-*": ["id", "attr*"] # } read_watched_fields: {} # List of users to ignore for read events. Wildcard patterns are supported. Eg: # read_ignore_users: ["test-user", "employee-*"] read_ignore_users: - kibanaserver # Log only metadata of the document for write events write_metadata_only: true # Log only diffs for document updates write_log_diffs: false # List of indices to watch for write events. Wildcard patterns are supported # write_watched_indices: ["twitter", "logs-*"] write_watched_indices: [] # List of users to ignore for write events. Wildcard patterns are supported. Eg: # write_ignore_users: ["test-user", "employee-*"] write_ignore_users: - kibanaserver # How long to wait for opensearch to stop gracefully terminationGracePeriod: 120 sysctlVmMaxMapCount: 262144 readinessProbe: failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 3 timeoutSeconds: 2000 ## Use an alternate scheduler. ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" imagePullSecrets: [] nodeSelector: {} tolerations: [] # Enabling this will publically expose your OpenSearch instance. # Only enable this if you have security enabled on your cluster ingress: enabled: false # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress annotations: {} path: / hosts: - chart-example.local tls: [] nameOverride: "" fullnameOverride: "" masterTerminationFix: false lifecycle: {} keystore: - secretName: opensearch-dashboards-ob networkPolicy: ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. ## In order for a Pod to access OpenSearch, it needs to have the following label: ## {{ template "uname" . }}-client: "true" http: enabled: false # Deprecated # please use the above podSecurityContext.fsGroup instead fsGroup: "" ## Set optimal sysctl's. This requires privilege. Can be disabled if ## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) ## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ sysctl: enabled: false ## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image. plugins: enabled: false installList: []