ElasticSearch

Elasticsearch Installation

Initial Configuration

Copy the default Fluentd config

cp ./seldon-deploy-install/reference-configuration/efk/values-fluentd.yaml fluentd-values.yaml

As the starting fluentd configuration is crafted for Elasticsearch, by Open Distro, you need to modify the elasticsearch section in the fluentd-values.yaml file:

elasticsearch:
  hosts: ['elasticsearch-master.seldon-logs.svc.cluster.local']
  logstash:
    enabled: true
    prefix: 'kubernetes_cluster'
  auth:
    enabled: false
  scheme: "http"
  sslVerify: false

Ensure Required Namespaces Exist

We'll be installing in the seldon-logs namespace. We'll also set up some config in the seldon-system namespace.

Elasticsearch

Elasticsearch can be installed using Elastic Cloud on Kubernetes (ECK). ECK can be installed using helm:

Then, create an Elasticsearch instance called seldon in the seldon-logs namespace using the following scripts:

Authentication

Security is managed by the ECK operator and cannot be disabled.

The operator will create a secret with the credentials for the elastic user.

We can use this password to provide credentials to other components that need to access Elasticsearch.

To do this, we generate secrets in the seldon-logs (for the request logger) and seldon-system (for Seldon Enterprise Platform) namespaces from the elastic user's password:

Fluentd

We need to modify the fluentd-values.yaml file to point to the Elasticsearch instance we just created, as well as set the appropriate credentials. Retrieve the ELASTIC_PASSWORD:

Make a copy of the values-fluentd.yaml file:

Update the following values in values-elasticsearch-fluentd.yaml:

We can then install Fluentd using helm:

Kibana (optional)

Kibana is useful for creating visualizations and dashboards for Elasticsearch. It is not required for Seldon Enterprise Platform, however users may choose to install it for debugging purposes:

As we are using ECK, we can install Kibana with the following script:

Configure Seldon Enterprise Platform

The following Helm values need to be set in install-values.yaml.

If you did not install Knative Eventing, requestLogger.trigger.create has to be set to false.

As the Elasticsearch instance has authentication enabled, we set elasticsearch.basicAuth to true.

We also provide the name of the secret containing the elastic user's credentials in the elasticsearch.secret section.

Authorization

The Seldon Enterprise Platform setup needs authorization on the Elasticsearch cluster to create, manage, and search indexes for prediction logging and other monitoring features. The following security privileges are mandatory for proper functioning of the current Seldon Enterprise Platform features. Read more about Elasticsearch security privileges here.

Seldon Enterprise Platform user security privileges

Seldon Request Logger user security Privileges

Configure EFK Ingress (Optional)

Kibana

It can be useful to access Kibana's UI without having to port-forward.

To expose Kibana externally it needs to have its own path.

This means that we need to modify our kibana.yaml to include an extra spec.config and spec.http section:

The base path is required as Kibana be default runs behind a proxy that adds a random path component to its URL

The tls section is required to disable the self-signed certificate that Kibana uses by default, so that we can use our own certificate.

Then reapply the kibana.yaml:

Next, configure either an Istio VirtualService . The following VirtualService for Kiban`, created in kibana-vs.yaml, enables its ingress:

Apply the configuration using the command kubectl apply -f kibana-vs.yaml.

You can access Kibana at <your-ingress>/kibana.