<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>Deploy Fleet Server on Kubernetes | Fleet and Elastic Agent Guide [8.18] | Elastic</title>
<meta class="elastic" name="content" content="Deploy Fleet Server on Kubernetes | Fleet and Elastic Agent Guide [8.18]">
<link rel="home" href="index.html" title="Fleet and Elastic Agent Guide [8.18]"/>
<link rel="up" href="fleet-deployment-models.html" title="Deployment models"/>
<link rel="prev" href="add-fleet-server-mixed.html" title="Deploy Fleet Server on-premises and Elasticsearch on Cloud"/>
<link rel="next" href="fleet-server-scalability.html" title="Fleet Server scalability"/>
<meta class="elastic" name="product_version" content="8.18"/>
<meta class="elastic" name="product_name" content="Fleet and Elastic Agent"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Fleet/Guide/Elastic Agent/8.18"/>
<meta name="DC.subject" content="Fleet and Elastic Agent"/>
<meta name="DC.identifier" content="8.18"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
</head>
<!--© 2015-2025 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="book" lang="en">
<div class="titlepage">
<div>
<div><h1 class="title"><a id="id-1"></a>Deploy Fleet Server on Kubernetes</h1></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
A newer version is available. Check out the <a href="https://www.elastic.co/docs/reference/fleet/add-fleet-server-kubernetes">latest documentation</a>.
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="add-fleet-server-kubernetes"></a>Deploy Fleet Server on Kubernetes</h2></div>
</div></div></div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If your Elastic Stack is orchestrated by <a href="/guide/en/cloud-on-k8s/current" class="ulink" target="_top">ECK</a>, we recommend deploying Fleet Server through the operator. This simplifies the process, as the operator automatically handles most of the resource configuration and setup steps.</p>
<p>Refer to <a href="/guide/en/cloud-on-k8s/current/k8s-elastic-agent-fleet.html" class="ulink" target="_top">Run Fleet-managed Elastic Agent on ECK</a> for more information.</p>
</div>
</div>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>This guide assumes familiarity with Kubernetes concepts and resources, such as <code class="literal">Deployments</code>, <code class="literal">Pods</code>, <code class="literal">Secrets</code>, or <code class="literal">Services</code>, as well as configuring applications in Kubernetes environments.</p>
</div>
</div>
<p>To use Fleet for central management, a <a class="xref" href="fleet-server.html" title="What is Fleet Server?">Fleet Server</a> must
be running and accessible to your hosts.</p>
<p>You can deploy Fleet Server on Kubernetes and manage it yourself.
In this deployment model, you are responsible for the high availability,
fault tolerance, and lifecycle management of Fleet Server.</p>
<p>To deploy Fleet Server on Kubernetes and register it with Fleet, you need the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
The <span class="strong strong"><strong>Policy ID</strong></span> of a Fleet policy configured with the Fleet Server integration.
</li>
<li class="listitem">
A <span class="strong strong"><strong>Service token</strong></span>, used to authenticate Fleet Server with Elasticsearch.
</li>
<li class="listitem">
<p>For outgoing traffic:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
The <span class="strong strong"><strong>Elasticsearch endpoint URL</strong></span> that Fleet Server connects to. The same URL must also be configured in the Elasticsearch output associated with the policy.
</li>
<li class="listitem">
If a private or intermediate Certificate Authority (CA) signed the Elasticsearch certificate, the <span class="strong strong"><strong>Elasticsearch CA file</strong></span> or the <span class="strong strong"><strong>CA fingerprint</strong></span>. The same trust information must also be configured in the Elasticsearch output associated with the policy.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>For incoming connections:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
A <span class="strong strong"><strong>TLS/SSL certificate and key</strong></span> for the Fleet Server HTTPS endpoint, used to encrypt the traffic from the Elastic Agents. The certificate must be valid for the <span class="strong strong"><strong>Fleet Server Host URL</strong></span> that Elastic Agents use to connect to Fleet Server.
</li>
</ul>
</div>
</li>
<li class="listitem">
Additional TLS/SSL certificates and configuration parameters if <a class="xref" href="mutual-tls.html" title="Elastic Agent deployment models with mutual TLS">mutual TLS</a> is required (not covered in this document).
</li>
</ul>
</div>
<p>This document walks you through the complete setup process, organized into the following sections:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-compatibility" title="Compatibility">Compatibility requirements</a>
</li>
<li class="listitem">
<a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-cert-prereq" title="Fleet Server and SSL/TLS certificates considerations">Fleet Server and SSL/TLS certificates considerations</a>
</li>
<li class="listitem">
<a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-add-server" title="Add Fleet Server">Fleet preparations</a>
</li>
<li class="listitem">
<a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-install" title="Fleet Server installation">Fleet Server installation</a>
</li>
<li class="listitem">
<a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-troubleshoot" title="Troubleshoot Fleet Server">Troubleshoot Fleet Server</a>
</li>
<li class="listitem">
<a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-next" title="Next steps">Next steps</a>
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="add-fleet-server-kubernetes-compatibility"></a>Compatibility</h4></div>
<p>Fleet Server is compatible with the following Elastic products:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Elastic Stack 7.13 or later.</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
For version compatibility, Elasticsearch must be the same version as or newer than Fleet Server, and Fleet Server must be the same version as or newer than Elastic Agent (patch releases excluded).
</li>
<li class="listitem">
Kibana should be on the same minor version as Elasticsearch.
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="add-fleet-server-kubernetes-prereq"></a>Prerequisites</h4></div>
<p>Before deploying Fleet Server, you need to:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Prepare the SSL/TLS configuration, server certificate, <a class="xref" href="fleet-settings.html#fleet-server-hosts-setting" title="Fleet Server host settings">Fleet Server host settings</a>, and needed Certificate Authorities (CAs).
</li>
<li class="listitem">
Ensure components have access to the ports needed for communication.
</li>
</ul>
</div>
<div class="position-relative"><h5><a id="add-fleet-server-kubernetes-cert-prereq"></a>Fleet Server and SSL/TLS certificates considerations</h5></div>
<p>This section describes the minimum Transport Layer Security (TLS) certificate requirements for Fleet Server, assuming mutual TLS (mTLS) is not needed. Refer to <a class="xref" href="tls-overview.html" title="One-way and mutual TLS certifications flow">One-way and mutual TLS certifications flow</a> and <a class="xref" href="mutual-tls.html" title="Elastic Agent deployment models with mutual TLS">Elastic Agent deployment models with mutual TLS</a> for more information about the configuration needs of both approaches.</p>
<p>There are two main traffic flows for Fleet Server, each with different TLS requirements:</p>
<div class="position-relative"><h6><a id="add-fleet-server-kubernetes-cert-inbound"></a>[Elastic Agent → Fleet Server] inbound traffic flow</h6></div>
<p>In this flow Fleet Server acts as the server and Elastic Agent acts as the client. Therefore, Fleet Server requires a TLS certificate and key, and Elastic Agent will need to trust the CA certificate used to sign the Fleet Server certificate.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>A Fleet Server certificate is not required when installing the server in <span class="strong strong"><strong>Quick start</strong></span> mode, but one should always be used for <span class="strong strong"><strong>production</strong></span> deployments. In <span class="strong strong"><strong>Quick start</strong></span> mode, Fleet Server uses a self-signed certificate and the Elastic Agents have to be enrolled with the <code class="literal">--insecure</code> option, which disables verification of the Fleet Server certificate: an agent enrolled this way cannot tell the real Fleet Server from a host impersonating it.</p>
</div>
</div>
<p>If your organization already uses the Elastic Stack, you may already have a CA certificate that can be used to issue the new certificate for Fleet Server. If you do not have a CA certificate, refer to <a class="xref" href="secure-connections.html#generate-fleet-server-certs" title="Generate a custom certificate and private key for Fleet Server">Generate a custom certificate and private key for Fleet Server</a> for an example of generating a CA and a server certificate with the <code class="literal">elasticsearch-certutil</code> tool.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Before creating the certificate, decide on the <a class="xref" href="fleet-settings.html#fleet-server-hosts-setting" title="Fleet Server host settings">hostname / URL</a> that the Elastic Agent clients will use to reach Fleet Server. The <span class="strong strong"><strong>hostname</strong></span> part of that URL must be included in the server certificate as an <code class="literal">X.509 Subject Alternative Name (SAN)</code>; a matching Common Name alone is not sufficient for modern TLS clients. If you plan to make Fleet Server accessible through <span class="strong strong"><strong>multiple hostnames</strong></span> or <span class="strong strong"><strong>FQDNs</strong></span>, add all of them to the server certificate, and keep in mind that the <span class="strong strong"><strong>Fleet Server itself also needs to reach the Fleet URL during its bootstrap process</strong></span>.</p>
</div>
</div>
<div class="position-relative"><h6><a id="add-fleet-server-kubernetes-cert-outbound"></a>[Fleet Server → Elasticsearch output] outbound traffic flow</h6></div>
<p>In this flow, Fleet Server acts as the client and Elasticsearch acts as the HTTPS server. For the connection to succeed, Fleet Server must trust the CA certificate used to sign the Elasticsearch certificate. If your Elasticsearch cluster uses certificates signed by a corporate CA or by one or more intermediate CAs, you must provide those CA certificates during the Fleet Server setup.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If your Elasticsearch cluster runs on Elastic Cloud, or uses a certificate signed by a publicly trusted CA, you do not need to provide the Elasticsearch CA during the setup.</p>
</div>
</div>
<p>In summary, you need:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
A <span class="strong strong"><strong>server certificate and key</strong></span>, valid for the Fleet Server URL. The CA that signed this certificate must be trusted by the Elastic Agent clients and by Fleet Server itself.
</li>
<li class="listitem">
The <span class="strong strong"><strong>CA certificate</strong></span> (or certificates) for your Elasticsearch cluster, unless the Elasticsearch certificate chains to a publicly trusted CA.
</li>
</ul>
</div>
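<p>The following script is an added example and is not part of this guide or of Elastic's tooling. It uses <code class="literal">openssl</code> instead of <code class="literal">elasticsearch-certutil</code> to issue a private CA and a Fleet Server certificate whose SANs cover the in-cluster DNS names of the Service, runs the two checks an Elastic Agent performs when it is enrolled without <code class="literal">--insecure</code> (chain of trust and hostname match against the SAN list), and derives the colon-free SHA-256 fingerprint value that the Elasticsearch CA trusted fingerprint setting expects. The namespace <code class="literal">fleet</code>, the Service name <code class="literal">fleet-svc</code> and the Secret name <code class="literal">fleet-server-tls</code> are assumptions made for the example.</p>

```shell
# Added example (not Elastic's code): issue a Fleet Server certificate with
# openssl and run the pre-flight checks an Elastic Agent's TLS client performs.
# Assumed names: namespace "fleet", Service "fleet-svc", so agents dial
# https://fleet-svc.fleet and that name must be a SAN.

# make_fleet_certs DIR HOSTNAME [EXTRA_DNS_SAN ...]
# Creates ca.crt/ca.key and fleet-server.crt/fleet-server.key in DIR.
make_fleet_certs() {
  dir=$1; host=$2; shift 2
  mkdir -p "$dir"
  # Private CA. "req -x509" marks it CA:TRUE via the default v3_ca extensions.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Fleet Server test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR. The CN is informational; clients match the SAN list.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$dir/fleet-server.key" -out "$dir/fleet-server.csr" 2>/dev/null
  # Every hostname that agents, and Fleet Server itself during bootstrap,
  # will use must appear here as a DNS SAN.
  san="DNS:$host"
  for extra in "$@"; do san="$san,DNS:$extra"; done
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$san" > "$dir/san.cnf"
  openssl x509 -req -days 825 -in "$dir/fleet-server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.cnf" -out "$dir/fleet-server.crt" 2>/dev/null
}

# check_fleet_cert DIR HOSTNAME
# Succeeds only if fleet-server.crt chains to ca.crt AND its SANs cover
# HOSTNAME: the same two checks an agent enrolling without --insecure does.
check_fleet_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
    "$1/fleet-server.crt" >/dev/null 2>&1
}

# ca_trusted_fingerprint CA_FILE
# Prints the SHA-256 fingerprint of the DER-encoded certificate as 64 hex
# digits without colons, the form the Fleet output's trusted fingerprint
# setting expects (openssl prints "...Fingerprint=AA:BB:...").
ca_trusted_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':'
}

# Usage. The kubectl line is what you would run against the cluster to make
# the files available to the Fleet Server Pod; it is not executed here.
#   make_fleet_certs ./certs fleet-svc.fleet fleet-svc.fleet.svc \
#       fleet-svc.fleet.svc.cluster.local
#   check_fleet_cert ./certs fleet-svc.fleet && echo "chain and SAN OK"
#   ca_trusted_fingerprint ./certs/ca.crt
#   kubectl -n fleet create secret generic fleet-server-tls \
#     --from-file=fleet-server.crt=./certs/fleet-server.crt \
#     --from-file=fleet-server.key=./certs/fleet-server.key \
#     --from-file=ca.crt=./certs/ca.crt
```

<p>Run <code class="literal">check_fleet_cert</code> once per hostname you intend to put in the Fleet Server host setting; a hostname that fails here is exactly the one agents will refuse to trust. The fingerprint function is meant for the Elasticsearch CA, not the Fleet Server CA: it produces the value for the Elasticsearch output, while the Fleet Server CA file is what agents and the Fleet Server bootstrap need to trust.</p>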
<div class="position-relative"><h5><a id="default-port-assignments-kubernetes"></a>Default port assignments</h5></div>
<p>When Elasticsearch or Fleet Server are deployed, components communicate over well-defined, pre-allocated ports.
You may need to allow access to these ports. Refer to the following table for default port assignments:</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1"/>
<col class="col_2"/>
</colgroup>
<tbody>
<tr>
<td align="left" valign="top"><p>Component communication</p></td>
<td align="left" valign="top"><p>Default port</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Elastic Agent → Fleet Server</p></td>
<td align="left" valign="top"><p>8220</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Fleet Server → Elasticsearch</p></td>
<td align="left" valign="top"><p>9200</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Fleet Server → Kibana (optional, for Fleet setup)</p></td>
<td align="left" valign="top"><p>5601</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Elastic Agent → Elasticsearch</p></td>
<td align="left" valign="top"><p>9200</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Elastic Agent → Logstash</p></td>
<td align="left" valign="top"><p>5044</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Elastic Agent → Kibana (optional, for Fleet setup)</p></td>
<td align="left" valign="top"><p>5601</p></td>
</tr>
</tbody>
</table>
</div>
<p>In Kubernetes environments you can change these ports without modifying the listening ports of Fleet Server or other applications, because traffic is routed by Kubernetes <code class="literal">Services</code>. This guide includes an example where Elastic Agents connect to Fleet Server through port <code class="literal">443</code> instead of the default <code class="literal">8220</code>.</p>
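<p>The function below is an added example, not a manifest from this guide. It renders the <code class="literal">Service</code> that exposes Fleet Server on port 443 while the container keeps listening on 8220, and a <code class="literal">NetworkPolicy</code> that limits the Pod to the ports in the table above. The namespace, Service name and the <code class="literal">app</code> label used as the Pod selector are parameters chosen for the example; the Elasticsearch and Kibana ports are the defaults from the table and must be adjusted if your cluster uses others. NetworkPolicy port numbers refer to the destination Pod port, so the egress rule for the bootstrap self-check names 8220, the port the Service translates 443 to.</p>

```shell
# Added example (not Elastic's code): Service 443 -> 8220 plus a NetworkPolicy
# restricted to the Fleet Server traffic flows. Names are assumptions.

# render_fleet_network_manifests NAMESPACE SERVICE_NAME [APP_LABEL]
render_fleet_network_manifests() {
  ns=$1; svc=$2; app=${3:-fleet-server}
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $svc
  namespace: $ns
spec:
  selector:
    app: $app
  ports:
    - name: https
      port: 443          # what agents dial: https://$svc.$ns
      targetPort: 8220   # what the Fleet Server container listens on
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: $app
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $app
  policyTypes: [Ingress, Egress]
  ingress:
    - ports:               # Elastic Agent -> Fleet Server; no "from", so any
        - port: 8220       # source (agents may live outside the cluster)
          protocol: TCP
  egress:
    - ports:               # cluster DNS, needed to resolve the output hosts
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - ports:               # Fleet Server -> Elasticsearch output
        - port: 9200       # no "to": destination may be outside the cluster
          protocol: TCP
    - ports:               # Fleet Server -> Kibana (optional, Fleet setup)
        - port: 5601
          protocol: TCP
    - ports:               # Fleet Server -> its own FLEET_URL during bootstrap
        - port: 8220       # (Pod port after the Service maps 443 to 8220)
          protocol: TCP
EOF
}

# Usage against a cluster:
#   render_fleet_network_manifests fleet fleet-svc | kubectl apply -f -
```

<p>Apply the policy only after confirming that your CNI enforces NetworkPolicy; on a cluster whose network plugin ignores it, the manifest is accepted but has no effect, which is easy to mistake for a working restriction.</p>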
<div class="position-relative"><h4><a id="add-fleet-server-kubernetes-add-server"></a>Add Fleet Server</h4></div>
<p>A Fleet Server is an Elastic Agent that is enrolled in a Fleet Server policy. The policy configures the agent to operate in a special mode to serve as a Fleet Server in your deployment.</p>
<div class="position-relative"><h5><a id="add-fleet-server-kubernetes-preparations"></a>Fleet preparations</h5></div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you already have a Fleet policy with the Fleet Server integration, you know its ID, and you know how to generate an <a href="/guide/en/elasticsearch/reference/8.18/service-tokens-command.html" class="ulink" target="_top">Elasticsearch service token</a> for the Fleet Server, skip directly to <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-install" title="Fleet Server installation">Fleet Server installation</a>.</p>
<p>Also note that the <code class="literal">service token</code> required by Fleet Server is different from the <code class="literal">enrollment tokens</code> that Elastic Agents use to enroll in Fleet.</p>
</div>
</div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>In Kibana, open <span class="strong strong"><strong>Fleet → Settings</strong></span> and ensure that the <span class="strong strong"><strong>Elasticsearch output</strong></span> used by the Fleet Server policy is correctly configured. Check in particular that:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
The <span class="strong strong"><strong>hosts</strong></span> field includes a valid URL that will be reachable by the Fleet Server Pod(s).
</li>
<li class="listitem">
<p>If your Elasticsearch cluster uses certificates signed by private or intermediate CAs that are not publicly trusted, the trust information has been added in the <span class="strong strong"><strong>Elasticsearch CA trusted fingerprint</strong></span> field or in the <span class="strong strong"><strong>advanced configuration</strong></span> section through the <code class="literal">ssl.certificate_authorities</code> setting. For an example, refer to the <a href="https://elastic.co/guide/en/fleet/current/secure-connections.html#_encrypt_traffic_between_elastic_agents_fleet_server_and_elasticsearch" class="ulink" target="_top">Secure Connections</a> documentation.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>This validation step is critical. The Elasticsearch host URL and CA information must be set <span class="strong strong"><strong>in both the Elasticsearch output and the environment variables</strong></span> provided to Fleet Server. A common mistake is to ignore the output settings in the belief that the environment variables take precedence; in fact, the environment variables are only used while Fleet Server bootstraps, after which it follows the output settings of its policy.</p>
<p>If the URL that Fleet Server will use to access Elasticsearch is different from the Elasticsearch URL used by other clients, you may want to create a dedicated <span class="strong strong"><strong>Elasticsearch output</strong></span> for Fleet Server.</p>
</div>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Go to <span class="strong strong"><strong>Fleet → Agent Policies</strong></span> and select <span class="strong strong"><strong>Create agent policy</strong></span> to create a policy for the Fleet Server:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Set a <span class="strong strong"><strong>name</strong></span> for the policy, for example <code class="literal">Fleet Server Policy Kubernetes</code>.
</li>
<li class="listitem">
Do <span class="strong strong"><strong>not</strong></span> select the option <span class="strong strong"><strong>Collect system logs and metrics</strong></span>. This option adds the System integration to the Elastic Agent policy. Because Fleet Server runs as a Kubernetes Pod without visibility into the Kubernetes node, there is no host system to monitor.
</li>
<li class="listitem">
Select the <span class="strong strong"><strong>output</strong></span> that the Fleet Server needs to use to contact Elasticsearch. This should be the output that you verified in the previous step.
</li>
<li class="listitem">
Optionally, set the <span class="strong strong"><strong>inactivity timeout</strong></span> and <span class="strong strong"><strong>inactive agent unenrollment timeout</strong></span> parameters to automatically unenroll inactive Fleet Server agents and invalidate their API keys. This is especially useful in Kubernetes environments, where Fleet Server Pods are ephemeral and each Pod recreation shows up as a new Elastic Agent in the Fleet UI.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Open the created policy, and from the <span class="strong strong"><strong>Integrations</strong></span> tab select <span class="strong strong"><strong>Add integration</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Search for and select the Fleet Server integration.
</li>
<li class="listitem">
<p>Select <span class="strong strong"><strong>Add Fleet Server</strong></span> to add the integration to the Elastic Agent policy.</p>
<p>At this point you can configure the integration settings per <a class="xref" href="fleet-server-scalability.html" title="Fleet Server scalability">Fleet Server scalability</a>.</p>
</li>
<li class="listitem">
When done, select <span class="strong strong"><strong>Save and continue</strong></span>. Do not add an Elastic Agent at this stage.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Open the configured policy, which now includes the Fleet Server integration, and select <span class="strong strong"><strong>Actions</strong></span> → <span class="strong strong"><strong>Add Fleet Server</strong></span>. In the next dialog:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Confirm that the <span class="strong strong"><strong>policy for Fleet Server</strong></span> is properly selected.
</li>
<li class="listitem">
<p><span class="strong strong"><strong>Choose a deployment mode for security</strong></span>:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If you select <span class="strong strong"><strong>Quick start</strong></span>, the Fleet Server generates a self-signed TLS certificate, and subsequent agents must be enrolled with the <code class="literal">--insecure</code> flag, which turns off verification of the Fleet Server certificate, so agents cannot detect a man-in-the-middle during enrollment.
</li>
<li class="listitem">
If you select <span class="strong strong"><strong>Production</strong></span>, you provide a TLS certificate, key and CA to the Fleet Server during the deployment, and subsequent agents will need to trust the certificate’s CA.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Add your <span class="strong strong"><strong>Fleet Server Host</strong></span> information. This is the URL that clients (Elastic Agents) will use to connect to the Fleet Server:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
In <span class="strong strong"><strong>Production</strong></span> mode, the Fleet Server certificate must include the hostname part of the URL as an X.509 Subject Alternative Name (<code class="literal">SAN</code>), and the Fleet Server itself must be able to reach that URL during its bootstrap process.
</li>
<li class="listitem">
In Kubernetes environments this is typically the DNS name of the <code class="literal">Kubernetes Service</code> or reverse proxy that exposes the Fleet Server Pods.
</li>
<li class="listitem">
In the provided example we use <code class="literal">https://fleet-svc.<namespace></code> as the URL, which is the cluster DNS name of the Kubernetes Service.
</li>
</ul>
</div>
</li>
<li class="listitem">
Select <span class="strong strong"><strong>generate service token</strong></span> to create a token for the Fleet Server.
</li>
<li class="listitem">
<p>From <span class="strong strong"><strong>Install Fleet Server to a centralized host → Linux</strong></span>, take note of the values of the following settings that will be needed for the Fleet Server installation:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Service token (specified by the <code class="literal">--fleet-server-service-token</code> parameter).
</li>
<li class="listitem">
Fleet policy ID (specified by <code class="literal">--fleet-server-policy</code> parameter).
</li>
<li class="listitem">
Elasticsearch URL (specified by <code class="literal">--fleet-server-es</code> parameter).
</li>
</ul>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Keep the Kibana browser window open and continue with the <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-install" title="Fleet Server installation">Fleet Server installation</a>.</p>
<p>When the Fleet Server installation has succeeded, the <span class="strong strong"><strong>Confirm Connection</strong></span> UI will show a <span class="strong strong"><strong>Connected</strong></span> status.</p>
</li>
</ol>
</div>
<div class="position-relative"><h5><a id="add-fleet-server-kubernetes-install"></a>Fleet Server installation</h5></div>
<div class="position-relative"><h6><a id="add-fleet-server-kubernetes-install-overview"></a>Installation overview</h6></div>
<p>To deploy Fleet Server on Kubernetes and enroll it into Fleet you need the following details:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Policy ID</strong></span> of the Fleet policy configured with the Fleet Server integration.
</li>
<li class="listitem">
<span class="strong strong"><strong>Service token</strong></span>, which you can generate by following the <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-preparations" title="Fleet preparations">Fleet preparations</a> or manually using the <a href="/guide/en/elasticsearch/reference/8.18/service-tokens-command.html" class="ulink" target="_top">elasticsearch-service-tokens command</a>.
</li>
<li class="listitem">
<span class="strong strong"><strong>Elasticsearch endpoint URL</strong></span>, configured both in the Elasticsearch output associated with the policy and in the Fleet Server as an environment variable.
</li>
<li class="listitem">
<span class="strong strong"><strong>Elasticsearch CA certificate file</strong></span>, configured both in the Elasticsearch output associated with the policy and in the Fleet Server.
</li>
<li class="listitem">
Fleet Server <span class="strong strong"><strong>certificate and key</strong></span> (for <span class="strong strong"><strong>Production</strong></span> deployment mode only).
</li>
<li class="listitem">
Fleet Server <span class="strong strong"><strong>CA certificate file</strong></span> (for <span class="strong strong"><strong>Production</strong></span> deployment mode only).
</li>
<li class="listitem">
Fleet Server URL (for <span class="strong strong"><strong>Production</strong></span> deployment mode only).
</li>
</ul>
</div>
<p>If you followed the <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-cert-prereq" title="Fleet Server and SSL/TLS certificates considerations">Fleet Server and SSL/TLS certificates considerations</a> and <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-preparations" title="Fleet preparations">Fleet preparations</a> you should have everything ready to proceed with the Fleet Server installation.</p>
<p>The suggested deployment method for the Fleet Server consists of:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>A Kubernetes Deployment manifest that relies on two Secrets for its configuration:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
A Secret named <code class="literal">fleet-server-config</code> with the main configuration parameters, such as the service token, the Elasticsearch URL and the policy ID.
</li>
<li class="listitem">
A Secret named <code class="literal">fleet-server-ssl</code> with all needed certificate files and the Fleet Server URL.
</li>
</ul>
</div>
</li>
<li class="listitem">
A Kubernetes ClusterIP Service named <code class="literal">fleet-svc</code> that exposes the Fleet Server on port 443, making it available at URLs like <code class="literal">https://fleet-svc</code>, <code class="literal">https://fleet-svc.<namespace></code> and <code class="literal">https://fleet-svc.<namespace>.svc</code>.
</li>
</ul>
</div>
<p>Adapt and change the suggested manifests and deployment strategy to your needs, ensuring you feed the Fleet Server with the needed configuration and certificates. For example, you can customize:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
CPU and memory <code class="literal">requests</code> and <code class="literal">limits</code>. Refer to <a class="xref" href="fleet-server-scalability.html" title="Fleet Server scalability">Fleet Server scalability</a> for more information about Fleet Server resources utilization.
</li>
<li class="listitem">
Scheduling configuration, such as <code class="literal">affinity rules</code> or <code class="literal">tolerations</code>, if needed in your environment.
</li>
<li class="listitem">
Number of replicas, to scale the Fleet Server horizontally.
</li>
<li class="listitem">
Use an Elasticsearch CA fingerprint instead of a CA file.
</li>
<li class="listitem">
Configure other <a class="xref" href="agent-environment-variables.html" title="Elastic Agent environment variables">Environment variables</a>.
</li>
</ul>
</div>
<div class="position-relative"><h6><a id="add-fleet-server-kubernetes-install-steps"></a>Installation Steps</h6></div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Create the Secret for the Fleet Server configuration.</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">kubectl create secret generic fleet-server-config \
--from-literal=elastic_endpoint='<ELASTICSEARCH_HOST_URL>' \
--from-literal=elastic_service_token='<SERVICE_TOKEN>' \
--from-literal=fleet_policy_id='<POLICY_ID>'</pre>
</div>
<p>When running the command, substitute the following values:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal"><ELASTICSEARCH_HOST_URL></code>: Replace this with the URL of your Elasticsearch host, for example <code class="literal">'https://monitoring-es-http.default.svc:9200'</code>.
</li>
<li class="listitem">
<code class="literal"><SERVICE_TOKEN></code>: Use the service token provided by Kibana in the Fleet UI.
</li>
<li class="listitem">
<code class="literal"><POLICY_ID></code>: Replace this with the ID of the created policy, for example <code class="literal">'dee949ac-403c-4c83-a489-0122281e4253'</code>.
</li>
</ul>
</div>
<p>If you prefer to obtain a <span class="strong strong"><strong>yaml manifest</strong></span> of the Secret to create, append <code class="literal">--dry-run=client -o=yaml</code> to the command and save the output to a file. Remember that the manifest carries the service token base64-encoded, not encrypted: keep the file out of version control and restrict who can read the Secret through RBAC.</p>
</li>
<li class="listitem">
<p>Create the Secret for the TLS/SSL configuration:</p>
<div class="tabs" data-tab-group="fleet-k8s">
<div role="tablist" aria-label="Fleet Server on Kubernetes">
<button role="tab"
aria-selected="true"
aria-controls="quickstart-tab"
id="quickstart">
Quick start
</button>
<button role="tab"
aria-selected="false"
aria-controls="production-tab"
id="production"
tabindex="-1">
Production
</button>
</div>
<div tabindex="0"
role="tabpanel"
id="quickstart-tab"
aria-labelledby="quickstart">
<p>The following command assumes you have the Elasticsearch CA available as a local file.</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">kubectl create secret generic fleet-server-ssl \
--from-file=es-ca.crt=<PATH_TO_ES_CA_CERT_FILE></pre>
</div>
<p>When running the command, substitute the following values:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal"><PATH_TO_ES_CA_CERT_FILE></code> with your local file containing the Elasticsearch CA(s).
</li>
</ul>
</div>
<p>If you prefer to obtain a <span class="strong strong"><strong>yaml manifest</strong></span> of the Secret to create, append <code class="literal">--dry-run=client -o=yaml</code> to the command and save the output to a file.</p>
</div>
<div tabindex="0"
role="tabpanel"
id="production-tab"
aria-labelledby="production"
hidden="">
<p>The following command assumes you have the Elasticsearch CA and the Fleet Server certificate, key and CA available as local files.</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">kubectl create secret generic fleet-server-ssl \
--from-file=es-ca.crt=<PATH_TO_ES_CA_CERT_FILE> \
--from-file=fleet-ca.crt=<PATH_TO_FLEET_CA_CERT_FILE> \
--from-file=fleet-server.crt=<PATH_TO_FLEET_SERVER_CERT> \
--from-file=fleet-server.key=<PATH_TO_FLEET_SERVER_CERT_KEY> \
--from-literal=fleet_url='<FLEET_URL>'</pre>
</div>
<p>When running the command, substitute the following values:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal"><PATH_TO_ES_CA_CERT_FILE></code> with your local file containing the Elasticsearch CA(s).
</li>
<li class="listitem">
<code class="literal"><PATH_TO_FLEET_CA_CERT_FILE></code> with your local file containing the Fleet Server CA.
</li>
<li class="listitem">
<code class="literal"><PATH_TO_FLEET_SERVER_CERT></code> with your local file containing the server TLS certificate for the Fleet Server.
</li>
<li class="listitem">
<code class="literal"><PATH_TO_FLEET_SERVER_CERT_KEY></code> with your local file containing the server TLS key for the Fleet Server.
</li>
<li class="listitem">
<code class="literal"><FLEET_URL></code> with the URL that points to the Fleet Server, for example <code class="literal">https://fleet-svc</code>. This URL will be used by the Fleet Server during its bootstrap, and its hostname must be included in the server certificate’s x509 Subject Alternative Name (SAN) list.
</li>
</ul>
</div>
<p>If you prefer to obtain a <span class="strong strong"><strong>yaml manifest</strong></span> of the Secret to create, append <code class="literal">--dry-run=client -o=yaml</code> to the command and save the output to a file.</p>
</div>
</div>
<p>If your Elasticsearch cluster runs on Elastic Cloud or if it uses a publicly trusted CA, remove the <code class="literal">es-ca.crt</code> key from the proposed secret. Create the <code class="literal">fleet-server-ssl</code> Secret anyway, even if that leaves it empty in Quick start mode, because the proposed Deployment mounts it with <code class="literal">optional: false</code> and the Pod will not start without it.</p>
</li>
<li class="listitem">
<p>Save the proposed Deployment manifest locally, for example as <code class="literal">fleet-server-dep.yaml</code>, and adapt it to your needs:</p>
<div class="tabs" data-tab-group="fleet-k8s">
<div role="tablist" aria-label="Fleet Server on Kubernetes">
<button role="tab"
aria-selected="true"
aria-controls="quickstart-dep-tab"
id="quickstart-dep">
Quick start
</button>
<button role="tab"
aria-selected="false"
aria-controls="production-dep-tab"
id="production-dep"
tabindex="-1">
Production
</button>
</div>
<div tabindex="0"
role="tabpanel"
id="quickstart-dep-tab"
aria-labelledby="quickstart-dep">
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">apiVersion: v1
kind: Service
metadata:
  name: fleet-svc
spec:
  type: ClusterIP
  selector:
    app: fleet-server
  ports:
  - port: 443            # listening port, adjust to taste and align the Fleet URL with it
    protocol: TCP
    targetPort: 8220     # do not change: Fleet Server Pods listen on 8220
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fleet-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fleet-server
  template:
    metadata:
      labels:
        app: fleet-server
    spec:
      automountServiceAccountToken: false   # no Kubernetes API credential in the Pod
      containers:
      - name: elastic-agent
        image: docker.elastic.co/beats/elastic-agent:8.18.0
        env:
        - name: FLEET_SERVER_ENABLE
          value: "true"
        - name: FLEET_SERVER_ELASTICSEARCH_HOST
          valueFrom:
            secretKeyRef:
              name: fleet-server-config
              key: elastic_endpoint
        - name: FLEET_SERVER_SERVICE_TOKEN
          valueFrom:
            secretKeyRef:
              name: fleet-server-config
              key: elastic_service_token
        - name: FLEET_SERVER_POLICY_ID
          valueFrom:
            secretKeyRef:
              name: fleet-server-config
              key: fleet_policy_id
        - name: ELASTICSEARCH_CA
          value: /mnt/certs/es-ca.crt
        ports:
        - containerPort: 8220
          protocol: TCP
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /mnt/certs
          readOnly: true
      volumes:
      - name: certs
        secret:
          defaultMode: 420
          optional: false
          secretName: fleet-server-ssl</pre>
</div>
</div>
<div tabindex="0"
role="tabpanel"
id="production-dep-tab"
aria-labelledby="production-dep"
hidden="">
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">apiVersion: v1
kind: Service
metadata:
  name: fleet-svc
spec:
  type: ClusterIP
  selector:
    app: fleet-server
  ports:
  - port: 443            # listening port, adjust to taste and align the Fleet URL with it
    protocol: TCP
    targetPort: 8220     # do not change: Fleet Server Pods listen on 8220
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fleet-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fleet-server
  template:
    metadata:
      labels:
        app: fleet-server
    spec:
      automountServiceAccountToken: false   # no Kubernetes API credential in the Pod
      containers:
      - name: elastic-agent
        image: docker.elastic.co/beats/elastic-agent:8.18.0
        env:
        - name: FLEET_SERVER_ENABLE
          value: "true"
        - name: FLEET_SERVER_ELASTICSEARCH_HOST
          valueFrom:
            secretKeyRef:
              name: fleet-server-config
              key: elastic_endpoint
        - name: FLEET_SERVER_SERVICE_TOKEN
          valueFrom:
            secretKeyRef:
              name: fleet-server-config
              key: elastic_service_token
        - name: FLEET_SERVER_POLICY_ID
          valueFrom:
            secretKeyRef:
              name: fleet-server-config
              key: fleet_policy_id
        - name: ELASTICSEARCH_CA
          value: /mnt/certs/es-ca.crt
        # Fleet Server's own TLS material and the URL it checks itself against during bootstrap
        - name: FLEET_SERVER_CERT
          value: /mnt/certs/fleet-server.crt
        - name: FLEET_SERVER_CERT_KEY
          value: /mnt/certs/fleet-server.key
        - name: FLEET_CA
          value: /mnt/certs/fleet-ca.crt
        - name: FLEET_URL
          valueFrom:
            secretKeyRef:
              name: fleet-server-ssl
              key: fleet_url
        - name: FLEET_SERVER_TIMEOUT
          value: '60s'
        - name: FLEET_SERVER_PORT
          value: '8220'
        ports:
        - containerPort: 8220
          protocol: TCP
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /mnt/certs
          readOnly: true
      volumes:
      - name: certs
        secret:
          defaultMode: 420
          optional: false
          secretName: fleet-server-ssl</pre>
</div>
</div>
</div>
<p>Manifest considerations:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If your Elasticsearch cluster runs on Elastic Cloud or if it uses a publicly trusted CA, remove the <code class="literal">ELASTICSEARCH_CA</code> environment variable from the manifest.
</li>
<li class="listitem">
Check the <code class="literal">image</code> version to ensure it is aligned with the rest of your Elastic Stack.
</li>
<li class="listitem">
Keep <code class="literal">automountServiceAccountToken</code> set to <code class="literal">false</code> to disable the <a class="xref" href="kubernetes-provider.html" title="Kubernetes Provider">Kubernetes Provider</a>; it also keeps a Kubernetes API credential out of a Pod that does not need one.
</li>
<li class="listitem">
Always configure resource requests and limits as a best practice. Refer to <a class="xref" href="fleet-server-scalability.html" title="Fleet Server scalability">Fleet Server scalability</a> for more information about the Fleet Server's resource utilization.
</li>
<li class="listitem">
You can change the listening <code class="literal">port</code> of the service to any port of your choice, but do not change the <code class="literal">targetPort</code>, as the Fleet Server Pods will listen on port 8220.
</li>
<li class="listitem">
If you want to expose the Fleet Server externally, consider changing the service type to <code class="literal">LoadBalancer</code>.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Deploy the configured manifest to create the Fleet Server and service:</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">kubectl apply -f fleet-server-dep.yaml</pre>
</div>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Ensure the <code class="literal">Service</code>, the <code class="literal">Deployment</code> and all the referenced <code class="literal">Secrets</code> are created in the <span class="strong strong"><strong>same Namespace</strong></span>.</p>
</div>
</div>
</li>
<li class="listitem">
<p>Check the Fleet Server Pod logs for errors and confirm that the Fleet Server agent appears as <code class="literal">Connected</code> and <code class="literal">Healthy</code> in <span class="strong strong"><strong>Kibana → Fleet</strong></span>. Selecting the Pods by label avoids having to look up the generated Pod name:</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">kubectl logs -l app=fleet-server</pre>
</div>
<p>It can take a couple of minutes for Fleet Server to fully start. If you left the Kibana browser window open during <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-preparations" title="Fleet preparations">Fleet preparations</a> it will show <span class="strong strong"><strong>Connected</strong></span> when everything has gone well.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>In <span class="strong strong"><strong>Production mode</strong></span>, during Fleet Server bootstrap process, the Fleet Server might be unable to access its own <code class="literal">FLEET_URL</code>. This is usually a temporary issue caused by the Kubernetes Service not forwarding traffic to the Pod(s).</p>
<p>If the issue persists consider using <code class="literal">https://localhost:8220</code> as the <code class="literal">FLEET_URL</code> for the Fleet Server configuration, and ensure that <code class="literal">localhost</code> is included in the certificate’s SAN.</p>
</div>
</div>
</li>
</ol>
</div>
<div class="position-relative"><h4><a id="add-fleet-server-kubernetes-expose"></a>Expose the Fleet Server to Elastic Agents</h4></div>
<p>There are multiple ways to expose applications in Kubernetes. This may include the creation of a Kubernetes <code class="literal">service</code>, an <code class="literal">ingress</code> resource, and / or DNS records for FQDN resolution.</p>
<p>Considerations when exposing Fleet Server:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If your environment requires the Fleet Server to be reachable through multiple hostnames or URLs, you can create multiple <span class="strong strong"><strong>Fleet Server Hosts</strong></span> in <span class="strong strong"><strong>Fleet → Settings</strong></span>, and create different policies for different groups of agents.
</li>
<li class="listitem">
Remember that in <span class="strong strong"><strong>Production</strong></span> mode, the <span class="strong strong"><strong>hostnames</strong></span> used to access the Fleet Server must be part of the Fleet Server certificate as <code class="literal">x.509 Subject Alternative Names</code>.
</li>
<li class="listitem">
<span class="strong strong"><strong>Always align the service listening port with the URL</strong></span>. If you configure the service to listen on port 8220 use a URL like <code class="literal">https://service-name:8220</code>, and if it listens on <code class="literal">443</code> use a URL like <code class="literal">https://service-name</code>.
</li>
</ul>
</div>
<p>Below is an end-to-end example of how to expose the server to external and internal clients using a LoadBalancer service. For this example we assume the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
The Fleet Server runs in a namespace called <code class="literal">elastic</code>.
</li>
<li class="listitem">
External clients will access Fleet Server using a URL like <code class="literal">https://fleet.example.com</code>, which will be resolved in DNS to the external IP of the Load Balancer.
</li>
<li class="listitem">
Internal clients will access Fleet Server through the Kubernetes service directly, using <code class="literal">https://fleet-svc-lb.elastic</code>.
</li>
<li class="listitem">
The server certificate has both hostnames (<code class="literal">fleet.example.com</code> and <code class="literal">fleet-svc-lb.elastic</code>) in its SAN list.
</li>
</ul>
</div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Create the <code class="literal">LoadBalancer</code> Service</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">kubectl expose deployment fleet-server --name fleet-svc-lb --type LoadBalancer --port 443 --target-port 8220</pre>
</div>
<p>That command creates a service named <code class="literal">fleet-svc-lb</code>, listening on port <code class="literal">443</code> and forwarding the traffic to the <code class="literal">fleet-server</code> deployment’s Pods on port <code class="literal">8220</code>. The listening <code class="literal">--port</code> (and the consequent URL) of the service can be customized, but the <code class="literal">--target-port</code> must remain on the default port (<code class="literal">8220</code>), because it’s the port used by the Fleet Server application.</p>
</li>
<li class="listitem">
Add <code class="literal">https://fleet.example.com</code> and <code class="literal">https://fleet-svc-lb.elastic</code> as new <span class="strong strong"><strong>Fleet Server Hosts</strong></span> in <span class="strong strong"><strong>Fleet → Settings</strong></span>. Align the port of the URLs if you configured something different from <code class="literal">443</code> in the Load Balancer.
</li>
<li class="listitem">
Create a Fleet policy for external clients using the <code class="literal">https://fleet.example.com</code> Fleet Server URL.
</li>
<li class="listitem">
Create a Fleet policy for internal clients using the <code class="literal">https://fleet-svc-lb.elastic</code> Fleet Server URL.
</li>
<li class="listitem">
You are ready now to enroll external and internal agents to the relevant policies. Refer to <a class="xref" href="add-fleet-server-kubernetes.html#add-fleet-server-kubernetes-next" title="Next steps">Next steps</a> for more details.
</li>
</ol>
</div>
<div class="position-relative"><h4><a id="add-fleet-server-kubernetes-troubleshoot"></a>Troubleshoot Fleet Server</h4></div>
<div class="position-relative"><h5><a id="add-fleet-server-kubernetes-troubleshoot-common"></a>Common Problems</h5></div>
<p>The following issues may occur when Fleet Server settings are missing or configured incorrectly:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>Fleet Server is trying to access Elasticsearch at <code class="literal">localhost:9200</code> even though the <code class="literal">FLEET_SERVER_ELASTICSEARCH_HOST</code> environment variable is properly set.</p>
<p>This problem occurs when the <code class="literal">output</code> of the policy associated with the Fleet Server is not correctly configured: the environment variable only serves the bootstrap, and once enrolled the Fleet Server follows the output defined in its policy.</p>
</li>
<li class="listitem">
<p>TLS certificate trust issues occur even when the <code class="literal">ELASTICSEARCH_CA</code> environment variable is properly set during deployment.</p>
<p>This problem occurs when the <code class="literal">output</code> of the policy associated with the Fleet Server is not correctly configured. Add the <span class="strong strong"><strong>CA certificate</strong></span> or <span class="strong strong"><strong>CA trusted fingerprint</strong></span> to the Elasticsearch output associated with the Fleet Server policy.</p>
</li>
<li class="listitem">
<p>In <span class="strong strong"><strong>Production mode</strong></span>, Fleet Server enrollment fails due to <code class="literal">FLEET_URL</code> not being accessible, showing something similar to:</p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">Starting enrollment to URL: https://fleet-svc/
1st enrollment attempt failed, retrying enrolling to URL: https://fleet-svc/ with exponential backoff (init 1s, max 10s)
Error: fail to enroll: fail to execute request to fleet-server: dial tcp 34.118.226.212:443: connect: connection refused
Error: enrollment failed: exit status 1</pre>
</div>
<p>If the service and URL are correctly configured, this is usually a temporary issue caused by the Kubernetes Service not forwarding traffic to the Pod, and it should be cleared in a couple of restarts.</p>
<p>As a workaround, consider using <code class="literal">https://localhost:8220</code> as the <code class="literal">FLEET_URL</code> for the Fleet Server configuration, and ensure that <code class="literal">localhost</code> is included in the certificate’s SAN.</p>
</li>
</ul>
</div>
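<p>The installation steps, the exposure considerations and the common problems above all come down to a handful of consistency rules: the Service <code class="literal">targetPort</code> must be 8220, every Fleet Server URL must carry the port its Service or load balancer listens on, the <code class="literal">ELASTICSEARCH_CA</code> variable and the <code class="literal">es-ca.crt</code> key must be present together or not at all, the Production mode keys and environment variables must match, and every hostname agents (or the bootstrap, including <code class="literal">localhost</code>) will use must be a SAN of the server certificate. The following checker, an added example that is not part of the Elastic documentation or of the Fleet Server project, re-checks those rules offline before you run <code class="literal">kubectl apply</code>. It takes the Secret keys, env var names and URL list as plain Python values, and the SAN hostnames as strings you copy from <code class="literal">openssl x509 -in fleet-server.crt -noout -ext subjectAltName</code>; the two sample deployments are constructed inputs, the misconfigured one containing a load balancer listening on 8220 behind a port-less URL, a hostname missing from the SAN list, and a removed <code class="literal">es-ca.crt</code> with <code class="literal">ELASTICSEARCH_CA</code> still set.</p>

```python
"""Offline pre-flight checks for a Fleet Server on Kubernetes deployment.
Added example, not code from the Elastic docs or from Fleet Server itself.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

FLEET_SERVER_PORT = 8220  # the port the Fleet Server process listens on inside the Pod

CONFIG_KEYS = ("elastic_endpoint", "elastic_service_token", "fleet_policy_id")
PRODUCTION_SSL_KEYS = ("fleet-server.crt", "fleet-server.key", "fleet-ca.crt", "fleet_url")
PRODUCTION_ENV = ("FLEET_SERVER_CERT", "FLEET_SERVER_CERT_KEY", "FLEET_CA", "FLEET_URL")


@dataclass
class FleetDeployment:
    mode: str                # "quickstart" or "production"
    fleet_urls: list         # (URL, port the Service or load balancer behind it listens on)
    target_port: int         # Service targetPort, must equal the containerPort
    config_keys: set         # keys present in Secret fleet-server-config
    ssl_keys: set            # keys present in Secret fleet-server-ssl
    env_names: set           # env var names set on the elastic-agent container
    san_hostnames: set = field(default_factory=set)  # DNS SANs of fleet-server.crt
    automount_sa_token: bool = False


def url_host_port(url):
    """Return (hostname, port) of an https URL, defaulting the port to 443."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None, None
    return parts.hostname, parts.port or 443


def check(d):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    for key in CONFIG_KEYS:
        if key not in d.config_keys:
            findings.append(f"fleet-server-config: missing key {key}")
    # ELASTICSEARCH_CA points at /mnt/certs/es-ca.crt: set both or neither
    if ("ELASTICSEARCH_CA" in d.env_names) != ("es-ca.crt" in d.ssl_keys):
        findings.append("ELASTICSEARCH_CA and es-ca.crt must be present together "
                        "(remove both for Elastic Cloud or a publicly trusted CA)")
    if d.target_port != FLEET_SERVER_PORT:
        findings.append(f"targetPort {d.target_port}: Fleet Server Pods listen on {FLEET_SERVER_PORT}")
    if d.automount_sa_token:
        findings.append("automountServiceAccountToken must stay false: it disables the "
                        "Kubernetes Provider and keeps API credentials out of the Pod")
    if d.mode == "production":
        for key in PRODUCTION_SSL_KEYS:
            if key not in d.ssl_keys:
                findings.append(f"fleet-server-ssl: missing key {key}")
        for env in PRODUCTION_ENV:
            if env not in d.env_names:
                findings.append(f"Deployment: missing env var {env}")
    for url, listen_port in d.fleet_urls:
        host, port = url_host_port(url)
        if host is None:
            findings.append(f"{url}: Fleet Server URLs must be https")
            continue
        # https://localhost:8220 (bootstrap workaround) bypasses the Service and hits the Pod
        expected = FLEET_SERVER_PORT if host == "localhost" else listen_port
        if port != expected:
            findings.append(f"{url}: URL port {port} does not match listening port {expected}")
        if d.mode == "production" and host not in d.san_hostnames:
            findings.append(f"{url}: hostname {host} is not a SAN of fleet-server.crt")
    return findings


def good_example():
    """Constructed input: the page's production manifest plus the LoadBalancer exposure."""
    return FleetDeployment(
        mode="production",
        fleet_urls=[("https://fleet-svc.elastic", 443), ("https://fleet.example.com", 443),
                    ("https://fleet-svc-lb.elastic", 443), ("https://localhost:8220", 443)],
        target_port=8220,
        config_keys=set(CONFIG_KEYS),
        ssl_keys={"es-ca.crt", "fleet-ca.crt", "fleet-server.crt", "fleet-server.key", "fleet_url"},
        env_names={"FLEET_SERVER_ENABLE", "FLEET_SERVER_ELASTICSEARCH_HOST",
                   "FLEET_SERVER_SERVICE_TOKEN", "FLEET_SERVER_POLICY_ID", "ELASTICSEARCH_CA",
                   "FLEET_SERVER_CERT", "FLEET_SERVER_CERT_KEY", "FLEET_CA", "FLEET_URL"},
        san_hostnames={"fleet-svc", "fleet-svc.elastic", "fleet-svc.elastic.svc",
                       "fleet.example.com", "fleet-svc-lb.elastic", "localhost"},
    )


def misconfigured_example():
    """Constructed input with three of the mistakes the troubleshooting section describes."""
    d = good_example()
    d.fleet_urls = [("https://fleet-svc-lb.elastic", 8220),     # LB listens on 8220, URL implies 443
                    ("https://fleet-server.example.com", 443),  # hostname not in the SAN list
                    ("https://localhost:8220", 443)]
    d.ssl_keys = d.ssl_keys - {"es-ca.crt"}                     # es-ca.crt dropped, env var kept
    return d


if __name__ == "__main__":
    for name, d in (("good", good_example()), ("misconfigured", misconfigured_example())):
        print(name, check(d) or "OK")
```

<p>Running the module prints an empty result for the well-formed deployment and three findings for the misconfigured one. The checker does not parse certificates or talk to the cluster; it only catches the mismatches between URL, Service, Secrets and SAN list that otherwise surface as the bootstrap and trust errors listed above.</p>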
<div class="position-relative"><h4><a id="add-fleet-server-kubernetes-next"></a>Next steps</h4></div>
<p>Now you’re ready to add Elastic Agents to your host systems.
To learn how, refer to <a class="xref" href="install-fleet-managed-elastic-agent.html" title="Install Fleet-managed Elastic Agents">Install Fleet-managed Elastic Agents</a>, or <a class="xref" href="running-on-kubernetes-managed-by-fleet.html" title="Run Elastic Agent on Kubernetes managed by Fleet">Run Elastic Agent on Kubernetes managed by Fleet</a> if your Elastic Agents will also run on Kubernetes.</p>
<p>When you connect Elastic Agents to Fleet Server, remember to use the <code class="literal">--insecure</code> flag if the <span class="strong strong"><strong>quick start</strong></span> mode was used, or to provide the Elastic Agents with the CA certificate associated with the Fleet Server certificate if <span class="strong strong"><strong>production</strong></span> mode was used.</p>
</div>
</div>
</div>
<!-- end body -->
</div>