github elastic/cloud-on-k8s v3.4.0


Elastic Cloud on Kubernetes 3.4.0

Release Highlights

Elasticsearch client certificate authentication support

ECK now supports configuring Elasticsearch to require client certificates for authentication. This enforces mutual TLS (mTLS) between clients and Elasticsearch: the server presents its certificate as before, and every client must in turn present a valid certificate or the TLS handshake is refused. In this release the feature covers Elasticsearch and Kibana: Elasticsearch can be configured to require client certificates, and Kibana can be configured to present one when connecting to Elasticsearch. Support for the remaining components that connect to Elasticsearch (Beats, Elastic Agent, APM Server, Logstash, and so on) will follow in future releases; until then those components cannot present a client certificate, so enable the requirement only on clusters where every client is able to. For more details, refer to the client certificate authentication documentation.
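What "require client certificates" means at the TLS layer, as an added Go example that is not ECK code and does not use the ECK API: a server standing in for Elasticsearch is configured with RequireAndVerifyClientCert, a client standing in for Kibana presents a certificate from the trusted CA, and two further clients (one presenting no certificate, one presenting a certificate from an unrelated CA) are refused during the handshake. All certificates are generated in-process; which CA ECK uses to issue and verify client certificates, and how the requirement is set on the Elasticsearch resource, are documented in the client certificate authentication documentation, not here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// keyPair is a certificate plus its key, generated in-process so the example runs offline.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustIssue mints a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func mustIssue(cn string, parent *keyPair) *keyPair {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen from crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on loopback; set on every cert for brevity
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &keyPair{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return &keyPair{cert: cert, key: key}
}

// newServer stands in for an Elasticsearch HTTP endpoint that requires client certificates:
// RequireAndVerifyClientCert aborts the handshake unless the peer's certificate chains to clientCA.
func newServer(serverCert *keyPair, clientCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // verified peer identity
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.cert.Raw}, PrivateKey: serverCert.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	srv.StartTLS()
	return srv
}

// connect is the client side: it trusts serverCA and, when client is non-nil,
// presents that certificate (as Kibana can now). Returns the body or the TLS error.
func connect(url string, serverCA *x509.Certificate, client *keyPair) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo runs three clients against one server: a Kibana-style client with a certificate from the
// trusted CA, a client with no certificate, and a client whose certificate comes from another CA.
func demo() (trusted string, noCert, untrustedCA error) {
	ca := mustIssue("es-ca", nil)
	srv := newServer(mustIssue("elasticsearch", ca), ca.cert)
	defer srv.Close()
	trusted, _ = connect(srv.URL, ca.cert, mustIssue("kibana", ca)) // a failure here would show as an empty body
	_, noCert = connect(srv.URL, ca.cert, nil)
	_, untrustedCA = connect(srv.URL, ca.cert, mustIssue("beat", mustIssue("other-ca", nil)))
	return trusted, noCert, untrustedCA
}

func main() {
	t, n, u := demo()
	fmt.Printf("trusted client: %q\nno client cert: %v\nuntrusted CA: %v\n", t, n, u)
}
```

The client that presents no certificate is the position every component other than Kibana is in until its support lands: the handshake is aborted before any request reaches Elasticsearch, and the error surfaces as a TLS alert rather than an HTTP 401. The handler also shows the practical payoff of the feature: once the handshake has verified the peer, the certificate subject is an authenticated identity the server can act on.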

Rolling restarts of Elasticsearch clusters

ECK now supports triggering rolling restarts of Elasticsearch clusters through a new annotation-based mechanism. This enables operators to gracefully restart all nodes in a cluster without manual intervention, useful for troubleshooting. The rolling restart documentation provides more details.

Simplified zone awareness configuration

ECK simplifies the configuration of zone awareness for Elasticsearch clusters, reducing the amount of boilerplate configuration needed to set up topology-aware allocation. For more details, refer to the zone awareness documentation.

ECK container image signing

ECK container images are now signed using Sigstore cosign. Users can verify the authenticity and integrity of ECK operator images before deployment, strengthening the supply chain security of their Kubernetes clusters; the eck-operator Helm chart's new image digest support (#9362) then lets the verified digest, rather than a mutable tag, be the image that is actually deployed.
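What a cosign verification actually checks, as an added Go example that is neither ECK nor Sigstore code: the signed object is cosign's "simple signing" JSON payload, whose critical.image.docker-manifest-digest field binds the signature to one exact manifest, and the signature is ECDSA P-256 over the payload's SHA-256, stored base64-encoded. The example signs a constructed digest with a throwaway key and then shows that verification passes for that digest, fails for a different digest even though the signature itself is genuine, and fails under a key the verifier does not trust. The digests are constructed and the image reference docker.elastic.co/eck/eck-operator is assumed, not taken from this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// payload is the "simple signing" document that a cosign signature covers. The field
// that matters at verification time is critical.image.docker-manifest-digest: it binds
// the signature to one exact manifest, not to a mutable tag.
type payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]any `json:"optional"`
}

const payloadType = "cosign container image signature"

// sign builds the payload for ref@digest and signs its SHA-256 with an ECDSA P-256 key;
// the DER signature is base64-encoded, which is how cosign stores it on the signature layer.
func sign(key *ecdsa.PrivateKey, ref, digest string) ([]byte, string, error) {
	var p payload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = payloadType
	body, err := json.Marshal(p)
	if err != nil {
		return nil, "", err
	}
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return nil, "", err
	}
	return body, base64.StdEncoding.EncodeToString(sig), nil
}

// verify performs the two checks that matter before an image is admitted: the signature
// must validate under the trusted public key, and the digest inside the signed payload
// must equal the digest about to be deployed. A genuine signature over another digest
// (for example an older operator image) is still a rejection.
func verify(pub *ecdsa.PublicKey, body []byte, sigB64, wantDigest string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under the trusted key")
	}
	var p payload
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	if p.Critical.Type != payloadType {
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	if got := p.Critical.Image.DockerManifestDigest; got != wantDigest {
		return fmt.Errorf("signature covers %s, not the requested %s", got, wantDigest)
	}
	return nil
}

// demo signs a constructed digest with a throwaway key and reports verification against
// the same digest, against a different digest, and under a key the verifier does not trust.
func demo() (match, otherDigest, otherKey error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed digests and an assumed image reference; not real ECK release values.
	good := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("constructed manifest A")))
	bad := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("constructed manifest B")))
	body, sig, err := sign(key, "docker.elastic.co/eck/eck-operator", good)
	if err != nil {
		return err, err, err
	}
	match = verify(&key.PublicKey, body, sig, good)
	otherDigest = verify(&key.PublicKey, body, sig, bad)
	otherKey = verify(&rogue.PublicKey, body, sig, good)
	return match, otherDigest, otherKey
}

func main() {
	m, d, k := demo()
	fmt.Printf("matching digest: %v\nother digest: %v\nuntrusted key: %v\n", m, d, k)
}
```

With the cosign CLI the equivalent is `cosign verify <image>`, either with `--key` for a published public key or, for keyless signing, with `--certificate-identity` and `--certificate-oidc-issuer` pinning the expected signer; which of these applies to ECK images depends on how Elastic publishes its signing material, which this page does not state. The digest comparison is the part people skip: a signature only proves that some trusted party signed some manifest, so after verification deploy that exact digest rather than a tag, which is what the Helm chart's new image digest support (#9362) is for.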

Automatic password-protected keystore for Elasticsearch in FIPS mode

ECK now automatically manages a password-protected keystore for Elasticsearch when FIPS mode is enabled. When xpack.security.fips_mode.enabled is set to true in the Elasticsearch configuration, the operator generates, stores, and configures a password-protected keystore — eliminating the need for manual podTemplate overrides. This feature activates for Elasticsearch 9.4.0+ and respects any existing user-provided keystore password configuration. For more details, refer to the Elasticsearch FIPS keystore password documentation.

Features and enhancements

  • Implement client certificate required support for Elasticsearch #9229
  • Implement Kibana support for presenting client certificates to Elasticsearch #9230
  • Support rolling restarts of Elasticsearch clusters #9172
  • Simplify zone awareness #9148
  • Operator-managed FIPS keystore password support for Elasticsearch #9287 (issue: #9171)
  • Surface webhook warnings; Refactor webhooks to use controller-runtime's Validator #9235
  • Add extraObjects support to ECK Helm charts #9069
  • Add kubeAPIServerPort configuration option to Helm chart #8980
  • Set seccompProfile to RuntimeDefault #9012
  • Validate user-supplied HTTP CA certificate #8992
  • Sign ECK container images (v2) #9078
  • Improve license signature verification error to diagnose wrong license type #9262
  • Improve AutoOpsAgentPolicy status reporting #9095
  • Support runAsNonRoot true for recent versions of EPR #8974
  • Reduce operator memory footprint by stripping managed fields from informer caches #9321
  • Add version-gated querylog fileset to Filebeat sidecar config #9291
  • Bump default Kibana memory limit from 1Gi to 2Gi #9328
  • Add image digest support to eck-operator Helm chart #9362

Fixes

  • Prevent StackConfigPolicy controller from performing unnecessary file-settings secret updates on every reconciliation #9316
  • Correct NetworkPolicy namespace selector label for soft multi-tenancy #9153
  • Prevent using a nodeSet name while the equivalent StatefulSet already exists #9036
  • Skip default PVC if volume with same name exists #9199 (issue: #8744)
  • Avoid empty reconcile requests in StackConfigPolicy secret watch #9179
  • Make remote-ca secret generation failures non-blocking #9271
  • Garbage collect Agent soft-owned secrets on deletion #9090
  • Detect stale CA in certificate chain and trigger certificates reissuance #9197
  • Skip per-shard replica checks for GREEN clusters in require_started_replica predicate #9188
  • Handle server side default for TrafficDistribution #8994
  • Set default security context to Kibana init container #9218
  • Validate user-supplied CA for the transport layer of Elasticsearch #8953
  • Align DaemonSet UpdateReconciled with Deployment reconciler #9256 (issue: #9246)

Documentation improvements

  • Add recipe for manual mTLS configuration #9124
  • Mention PodTopologyLabelsAdmission in Elasticsearch sample #9035
  • Logstash Chart improvements #9087

Dependency updates

  • Go 1.25.8 => 1.26.2
  • github.com/elastic/go-ucfg v0.8.9-0.20251017163010-3520930bed4f => v0.9.1
  • github.com/gkampitakis/go-snaps v0.5.19 => v0.5.21
  • github.com/google/go-containerregistry v0.20.7 => v0.21.4
  • github.com/hashicorp/vault/api v1.22.0 => v1.23.0
  • go.elastic.co/apm/v2 v2.7.2 => v2.7.6
  • golang.org/x/crypto v0.46.0 => v0.49.0
  • k8s.io/api v0.35.0 => v0.35.3
  • k8s.io/apimachinery v0.35.0 => v0.35.3
  • k8s.io/client-go v0.35.0 => v0.35.3
  • k8s.io/klog/v2 v2.130.1 => v2.140.0
  • sigs.k8s.io/controller-runtime v0.22.4 => v0.23.3
  • sigs.k8s.io/controller-tools v0.20.0 => v0.20.1
  • New direct dependencies: cloud.google.com/go/auth, cloud.google.com/go/storage, github.com/Azure/azure-sdk-for-go/sdk/storage/azblob, github.com/aws/aws-sdk-go-v2, google.golang.org/api
