Kubernetes configuration
This section outlines how to configure Wazuh components within a Kubernetes cluster, including the manager, indexer, and dashboard. It describes the resource requirements, storage setup, and controller types used for each component.
Pre-requisites
Before you begin, ensure that the following requirements are met:
A running Kubernetes cluster.
An Amazon EBS CSI driver IAM role for Amazon EKS deployments using Kubernetes version 1.23 and later. The CSI driver only works properly once an IAM role is assigned to it. For detailed instructions, refer to the AWS documentation on Creating the Amazon EBS CSI driver IAM role. You need to install the CSI driver for both new and old deployments. The CSI driver is an essential Kubernetes feature.
Resource Requirement
Your cluster must have at least the following resources available:
2 CPU units
3 Gi of memory
2 Gi of storage
Overview
StatefulSet and Deployment controllers
A StatefulSet manages pods based on identical container specifications. Unlike Deployments, StatefulSets maintain a persistent identity for each pod. Pods are created from the same specification, but are not interchangeable. Each pod retains a persistent identifier that survives rescheduling.
StatefulSets are useful for stateful applications like databases that save data to persistent storage. Wazuh manager and Wazuh indexer components maintain their states, so we use StatefulSets to ensure state persistence across Pod restarts.
Deployments are intended for stateless applications and are lightweight. The Wazuh dashboard doesn't need to maintain state, so it is deployed using a Deployment controller.
Persistent volumes (PV) are storage resources in the cluster. They have a lifecycle independent of any individual pod that uses them. This API object captures storage implementation details for NFS, iSCSI, or cloud-provider-specific storage systems.
We use persistent volumes to store data from both the Wazuh manager and the Wazuh indexer.
For more information, see the Kubernetes persistent volumes documentation.
Pods
A Pod is the smallest and most fundamental deployable unit in Kubernetes. It represents a single instance of a running process in your cluster. You can view how we build Wazuh Docker containers in our repository.
Wazuh master
The master pod contains the master node of the Wazuh server cluster. The master node centralizes and coordinates worker nodes. It ensures critical data remains consistent across the Wazuh server cluster. Management operations occur only on this node, so the agent enrollment service (authd) runs here.
| Image | Controller |
|---|---|
| wazuh/wazuh-manager | StatefulSet |
Wazuh worker
The Wazuh worker pods contain the worker nodes of the Wazuh server cluster. They receive agent events.
| Image | Controller |
|---|---|
| wazuh/wazuh-manager | StatefulSet |
Wazuh indexer
The Wazuh indexer pod ingests events received from Filebeat.
| Image | Controller |
|---|---|
| wazuh/wazuh-indexer | StatefulSet |
Wazuh dashboard
The Wazuh dashboard pod provides visualization of Wazuh indexer data, Wazuh agent information, and Wazuh server configuration.
| Image | Controller |
|---|---|
| wazuh/wazuh-dashboard | Deployment |
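The controller assignments in the tables above can be checked against what is actually deployed. The following is an added example, not part of the Wazuh project's code: it audits a parsed Kubernetes object list and flags Wazuh images running under the wrong controller, or a StatefulSet container that mounts none of its volume claim templates. The function names, object names, registry host and `TAG` are constructed, and it assumes persistence is provided through `volumeClaimTemplates`.

```python
# Expected controller per image, from the tables on this page.
EXPECTED_KIND = {"wazuh/wazuh-manager": "StatefulSet", "wazuh/wazuh-indexer": "StatefulSet",
                 "wazuh/wazuh-dashboard": "Deployment"}

def image_repo(image):
    """Drop digest and tag, keep any registry prefix (and its port)."""
    name = image.split("@", 1)[0]
    if ":" in name.rsplit("/", 1)[-1]:  # colon after the last slash is a tag
        name = name[: name.rfind(":")]
    return name

def audit(kube_list):
    """Return findings for Wazuh workloads that break the expected layout."""
    findings = []
    for item in kube_list.get("items", []):
        kind, name, spec = item["kind"], item["metadata"]["name"], item["spec"]
        claims = {t["metadata"]["name"] for t in spec.get("volumeClaimTemplates", [])}
        for c in spec["template"]["spec"].get("containers", []):
            repo = image_repo(c["image"])
            expected = next((k for r, k in EXPECTED_KIND.items()
                             if repo == r or repo.endswith("/" + r)), None)
            if expected is None:
                continue  # not a Wazuh component
            mounted = {m["name"] for m in c.get("volumeMounts", [])}
            if kind != expected:
                findings.append(f"{name}: {repo} runs as {kind}, expected {expected}")
            elif kind == "StatefulSet" and not claims & mounted:
                findings.append(f"{name}: {repo} mounts no volumeClaimTemplate")
    return findings

def _obj(kind, name, image, claims=()):
    """Constructed minimal workload object; each claim is also mounted."""
    spec = {"template": {"spec": {"containers": [
        {"image": image, "volumeMounts": [{"name": n} for n in claims]}]}}}
    if claims:
        spec["volumeClaimTemplates"] = [{"metadata": {"name": n}} for n in claims]
    return {"kind": kind, "metadata": {"name": name}, "spec": spec}

# Constructed sample: object names, registry host and TAG are placeholders.
SAMPLE = {"items": [
    _obj("StatefulSet", "wazuh-manager-master", "wazuh/wazuh-manager:TAG", ["data"]),
    _obj("StatefulSet", "wazuh-manager-worker", "wazuh/wazuh-manager:TAG"),
    _obj("Deployment", "wazuh-indexer", "registry.example:5000/wazuh/wazuh-indexer:TAG"),
    _obj("Deployment", "wazuh-dashboard", "wazuh/wazuh-dashboard:TAG"),
]}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "layout matches")
```

To run it against a cluster, pass the parsed output of `kubectl get statefulset,deployment -n <namespace> -o json` to `audit()` instead of the sample.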
Services
Wazuh indexer and dashboard
| Name | Description |
|---|---|
| wazuh-indexer | Communication for Wazuh indexer nodes. |
| indexer | This is the Wazuh indexer API used by the Wazuh dashboard to read/write alerts. |
| dashboard | Wazuh dashboard service. https://wazuh.<YOUR_DOMAIN>.com:443 |
Wazuh server
| Name | Description |
|---|---|
| wazuh-master | Wazuh API: wazuh-master.<YOUR_DOMAIN>.com:55000 |
| | Agent registration service ( |
| wazuh-workers | Reporting service: wazuh-manager.<YOUR_DOMAIN>.com:1514 |
| wazuh-cluster | Communication for Wazuh manager nodes. |