From 039a96e854cbd22785777bbee554a5327cf1b89e Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Fri, 16 Jan 2026 12:01:30 +0200 Subject: [PATCH 01/18] apply suggestions --- .../elastic-stack-configuration-policies.md | 97 ++++++++++++++++++- 1 file changed, 94 insertions(+), 3 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index b9df848e6d..38db72be3f 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -42,7 +42,15 @@ Additionally with ECK `2.11.0` it is possible to configure {{kib}} as well using * [{{kib}} Configuration](kibana://reference/configuration-reference/general-settings.md) (configuration settings for {{kib}} that will go into `kibana.yml`) * [{{kib}} Secure Settings](../../security/k8s-secure-settings.md) -A policy can be applied to one or more {{es}} clusters or {{kib}} instances in any namespace managed by the ECK operator. Configuration policy settings applied by the ECK operator are immutable through the {{es}} REST API. It is currently not allowed to configure an {{es}} cluster or {{kib}} instance with more than one policy. +A policy can be applied to one or more {{es}} clusters or {{kib}} instances in any namespace managed by the ECK operator. Configuration policy settings applied by the ECK operator are immutable through the {{es}} REST API. + +With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target the same {{es}} cluster and {{kib}} instance. When multiple policies target the same resource, the policy with the lowest `weight` value takes precedence. If multiple policies have the same `weight` value, the operator reports a conflict. + +::::{note} +**Scale considerations** + +There is no hard limit to the maximum number of `StackConfigPolicy` resources that can target the same {{es}} cluster or {{kib}} instance. However, in our experimentation, we observed that when hundreds of `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the total reconciliation time (including the {{es}} cluster or {{kib}} instance and all `StackConfigPolicy` resources) can increase significantly, to the scale of minutes. To maintain fast total reconciliation times, we recommend efficiently utilizing the number of `StackConfigPolicy` resources by consolidating configurations where possible. +:::: ## Define {{stack}} configuration policies [k8s-stack-config-policy-definition] @@ -75,8 +83,9 @@ At least one of `spec.elasticsearch` or `spec.kibana` needs to be defined with a The following fields are optional: -* `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters to which this policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. -* `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters to which this policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters in the namespace(s). +* `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Lower weight values have higher priority. The default value is `0`. When multiple policies have the same `weight` value and target the same resource, the operator reports a conflict. +* `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which this policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. +* `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which this policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). Example of applying a policy that configures snapshot repository, SLM Policies, and cluster settings: @@ -246,6 +255,41 @@ spec: - secretName: kibana-shared-secret ``` +Example showing how multiple `StackConfigPolicy` resources can target the same Elasticsearch cluster, with `weight` determining which policy takes precedence: + +```yaml +# Policy with higher priority (lower weight) +apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 +kind: StackConfigPolicy +metadata: + name: high-priority-policy +spec: + weight: 0 # Lower weight = higher priority + resourceSelector: + matchLabels: + cluster: my-cluster # Both policies target the same cluster + elasticsearch: + clusterSettings: + indices.recovery.max_bytes_per_sec: "200mb" + +--- +# Policy with lower priority (higher weight) +apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 +kind: StackConfigPolicy +metadata: + name: low-priority-policy +spec: + weight: 100 # Higher weight = lower priority + resourceSelector: + matchLabels: + cluster: my-cluster # Both policies target the same cluster + elasticsearch: + clusterSettings: + indices.recovery.max_bytes_per_sec: "100mb" +``` + +In this example, both policies target the same Elasticsearch cluster (using the `cluster: my-cluster` label). The `high-priority-policy` (weight: 0) is applied because it has a lower weight value. The `low-priority-policy` (weight: 100) is ignored for that cluster. If both policies have the same `weight` value, the operator reports a conflict. Refer to [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more details on how weight determines policy priority. + ## Monitor {{stack}} configuration policies [k8s-stack-config-policy-monitoring] @@ -316,6 +360,53 @@ In order to avoid a conflict between multiple {{es}} clusters writing their snap * appends `-` to `path` for an HDFS repository +## Policy priority and weight [k8s-stack-config-policy-priority-weight] + +When multiple `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the `weight` field determines which policy takes precedence. The policy with the lowest `weight` value has the highest priority and is applied to the resource. Policies with higher `weight` values are ignored when a lower-weight policy also targets the same resource. + +The `weight` field is optional and defaults to `0` if not specified. If multiple policies have the same `weight` value and target the same resource, the operator reports a conflict and neither policy is applied until the conflict is resolved. + +This allows you to create a hierarchy of policies, for example: +* Base policies with higher weights (e.g., `weight: 100`) that provide default configurations +* Override policies with lower weights (e.g., `weight: 0`) that provide environment-specific or cluster-specific configurations + +Example of using `weight` to create a policy hierarchy: + +```yaml +# Base policy with default settings (lower priority) +apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 +kind: StackConfigPolicy +metadata: + name: base-policy +spec: + weight: 100 # Higher weight = lower priority + resourceSelector: + matchLabels: + env: production + elasticsearch: + clusterSettings: + indices.recovery.max_bytes_per_sec: "50mb" + +--- +# Override policy with production-specific settings (higher priority) +apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 +kind: StackConfigPolicy +metadata: + name: production-override-policy +spec: + weight: 0 # Lower weight = higher priority + resourceSelector: + matchLabels: + env: production + tier: critical + elasticsearch: + clusterSettings: + indices.recovery.max_bytes_per_sec: "200mb" +``` + +In this example, clusters labeled with both `env: production` and `tier: critical` use the `production-override-policy` (weight: 0) settings, while other production clusters use the `base-policy` (weight: 100) settings. + + ## Specifics for secret mounts [k8s-stack-config-policy-specifics-secret-mounts] ECK `2.11.0` introduces `spec.elasticsearch.secretMounts` as a new field. This field allows users to specify a user created secret and a mountPath to indicate where this secret should be mounted in the {{es}} Pods that are managed by the {{stack}} configuration policy. This field can be used to add additional secrets to the {{es}} Pods that may be needed for example for sensitive files required to configure {{es}} security realms. The secret should be created by the user in the same namespace as the {{stack}} configuration policy. The operator reads this secret and copies it over to the namespace of {{es}} so that it can be mounted by the {{es}} Pods. Example of configuring secret mounts in the {{stack}} configuration policy: From 333d4338a61b6c72cb5f2fca183c9261de4face6 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Fri, 16 Jan 2026 17:27:40 +0200 Subject: [PATCH 02/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 38db72be3f..378aa3b3b1 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -85,7 +85,7 @@ The following fields are optional: * `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Lower weight values have higher priority. The default value is `0`. When multiple policies have the same `weight` value and target the same resource, the operator reports a conflict. * `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which this policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. -* `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which this policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). +* `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which the policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). Example of applying a policy that configures snapshot repository, SLM Policies, and cluster settings: From 09f56c1a58b998ea0537f17ee50e89072fbb24e9 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Fri, 16 Jan 2026 17:27:50 +0200 Subject: [PATCH 03/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 378aa3b3b1..0d7a72de83 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -84,7 +84,7 @@ At least one of `spec.elasticsearch` or `spec.kibana` needs to be defined with a The following fields are optional: * `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Lower weight values have higher priority. The default value is `0`. When multiple policies have the same `weight` value and target the same resource, the operator reports a conflict. -* `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which this policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. +* `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which the policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. * `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which the policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). Example of applying a policy that configures snapshot repository, SLM Policies, and cluster settings: From 158803cb3eb195651282aa37e5408a3c0b539a96 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Fri, 16 Jan 2026 17:48:23 +0200 Subject: [PATCH 04/18] reword policies weight and conflict --- .../elastic-stack-configuration-policies.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 0d7a72de83..28ed3285fd 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -83,7 +83,7 @@ At least one of `spec.elasticsearch` or `spec.kibana` needs to be defined with a The following fields are optional: -* `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Lower weight values have higher priority. The default value is `0`. When multiple policies have the same `weight` value and target the same resource, the operator reports a conflict. +* `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. [introduced in ECK `3.3.0` - See [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for details] * `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which the policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. * `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which the policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). @@ -288,7 +288,7 @@ spec: indices.recovery.max_bytes_per_sec: "100mb" ``` -In this example, both policies target the same Elasticsearch cluster (using the `cluster: my-cluster` label). The `high-priority-policy` (weight: 0) is applied because it has a lower weight value. The `low-priority-policy` (weight: 100) is ignored for that cluster. If both policies have the same `weight` value, the operator reports a conflict. Refer to [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more details on how weight determines policy priority. +In this example, both policies target the same Elasticsearch cluster (using the `cluster: my-cluster` label). The `high-priority-policy` (weight: 0) settings take precedence and overwrite the `low-priority-policy` (weight: 100) settings. The `low-priority-policy` settings are applied first, then the `high-priority-policy` settings overwrite them. If both policies have the same `weight` value, a conflict occurs and no policies are applied to the cluster until the conflict is resolved. See [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more details on how weight determines policy priority and conflict resolution. ## Monitor {{stack}} configuration policies [k8s-stack-config-policy-monitoring] @@ -362,13 +362,19 @@ In order to avoid a conflict between multiple {{es}} clusters writing their snap ## Policy priority and weight [k8s-stack-config-policy-priority-weight] -When multiple `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the `weight` field determines which policy takes precedence. The policy with the lowest `weight` value has the highest priority and is applied to the resource. Policies with higher `weight` values are ignored when a lower-weight policy also targets the same resource. +The `weight` field is an integer that determines the priority of a policy when multiple `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance. When multiple policies target the same resource, policies are evaluated in order of their `weight` values (from highest to lowest). Settings from policies with lower `weight` values take precedence and overwrite settings from policies with higher `weight` values. The policy with the lowest `weight` value has the highest priority. -The `weight` field is optional and defaults to `0` if not specified. If multiple policies have the same `weight` value and target the same resource, the operator reports a conflict and neither policy is applied until the conflict is resolved. +The `weight` field is optional and defaults to `0` if not specified. Lower weight values have higher priority. + +::::{important} +**Conflict resolution** + +If multiple policies have the same `weight` value and target the same resource, the operator reports a conflict. When a conflict occurs, **no policies are applied to that resource**—this includes not only the conflicting policies but also any other policies that target the same resource. The target resource remains unconfigured by any `StackConfigPolicy` until the conflict is resolved by adjusting the `weight` values of the conflicting policies. +:::: This allows you to create a hierarchy of policies, for example: * Base policies with higher weights (e.g., `weight: 100`) that provide default configurations -* Override policies with lower weights (e.g., `weight: 0`) that provide environment-specific or cluster-specific configurations +* Override policies with lower weights (e.g., `weight: 0`) that provide environment-specific or cluster-specific configurations and overwrite the base policy settings Example of using `weight` to create a policy hierarchy: @@ -404,7 +410,7 @@ spec: indices.recovery.max_bytes_per_sec: "200mb" ``` -In this example, clusters labeled with both `env: production` and `tier: critical` use the `production-override-policy` (weight: 0) settings, while other production clusters use the `base-policy` (weight: 100) settings. +In this example, clusters labeled with both `env: production` and `tier: critical` have the `production-override-policy` (weight: 0) settings applied, which overwrite the `base-policy` (weight: 100) settings. Other production clusters use only the `base-policy` (weight: 100) settings. ## Specifics for secret mounts [k8s-stack-config-policy-specifics-secret-mounts] From 2cefcf08c78aa864cbee0bbfc2304d0627980019 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:04:57 +0200 Subject: [PATCH 05/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../cloud-on-k8s/elastic-stack-configuration-policies.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 28ed3285fd..d4a0d22491 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -361,6 +361,10 @@ In order to avoid a conflict between multiple {{es}} clusters writing their snap ## Policy priority and weight [k8s-stack-config-policy-priority-weight] +```{applies_to} +deployment: + eck: ga 3.3+ +``` The `weight` field is an integer that determines the priority of a policy when multiple `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance. When multiple policies target the same resource, policies are evaluated in order of their `weight` values (from highest to lowest). Settings from policies with lower `weight` values take precedence and overwrite settings from policies with higher `weight` values. The policy with the lowest `weight` value has the highest priority. From ace4a5c3cbdbe55aa05fddb7ee7195ea7c0117b0 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:05:07 +0200 Subject: [PATCH 06/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../cloud-on-k8s/elastic-stack-configuration-policies.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index d4a0d22491..935fcaf36d 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -370,8 +370,7 @@ The `weight` field is an integer that determines the priority of a policy when m The `weight` field is optional and defaults to `0` if not specified. Lower weight values have higher priority. -::::{important} -**Conflict resolution** +::::{important} - Conflict resolution If multiple policies have the same `weight` value and target the same resource, the operator reports a conflict. When a conflict occurs, **no policies are applied to that resource**—this includes not only the conflicting policies but also any other policies that target the same resource. The target resource remains unconfigured by any `StackConfigPolicy` until the conflict is resolved by adjusting the `weight` values of the conflicting policies. :::: From 3d089403e4d35bbb31aae47248cafe873faf9652 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:05:20 +0200 Subject: [PATCH 07/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../cloud-on-k8s/elastic-stack-configuration-policies.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 935fcaf36d..16d7fefae3 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -46,8 +46,7 @@ A policy can be applied to one or more {{es}} clusters or {{kib}} instances in a With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target the same {{es}} cluster and {{kib}} instance. When multiple policies target the same resource, the policy with the lowest `weight` value takes precedence. If multiple policies have the same `weight` value, the operator reports a conflict. -::::{note} -**Scale considerations** +::::{admonition} Scale considerations There is no hard limit to the maximum number of `StackConfigPolicy` resources that can target the same {{es}} cluster or {{kib}} instance. However, in our experimentation, we observed that when hundreds of `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the total reconciliation time (including the {{es}} cluster or {{kib}} instance and all `StackConfigPolicy` resources) can increase significantly, to the scale of minutes. To maintain fast total reconciliation times, we recommend efficiently utilizing the number of `StackConfigPolicy` resources by consolidating configurations where possible. :::: From 2bf19e4e7b2bcf44bb429ed2d3c947fa846e1a8a Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:05:28 +0200 Subject: [PATCH 08/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 16d7fefae3..2678a19061 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -48,7 +48,7 @@ With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target ::::{admonition} Scale considerations -There is no hard limit to the maximum number of `StackConfigPolicy` resources that can target the same {{es}} cluster or {{kib}} instance. However, in our experimentation, we observed that when hundreds of `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the total reconciliation time (including the {{es}} cluster or {{kib}} instance and all `StackConfigPolicy` resources) can increase significantly, to the scale of minutes. To maintain fast total reconciliation times, we recommend efficiently utilizing the number of `StackConfigPolicy` resources by consolidating configurations where possible. +There is no hard limit to the maximum number of `StackConfigPolicy` resources that can target the same {{es}} cluster or {{kib}} instance. However, in testing, we observed that when hundreds of `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the total reconciliation time (including the {{es}} cluster or {{kib}} instance and all `StackConfigPolicy` resources) can increase significantly, sometimes to several minutes. To maintain fast total reconciliation times, we recommend consolidating configurations where possible. :::: From e7ba4f8ba7880151715d056ecc9f65a3fe47fe9b Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:05:39 +0200 Subject: [PATCH 09/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 2678a19061..ab05e424b5 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -82,7 +82,7 @@ At least one of `spec.elasticsearch` or `spec.kibana` needs to be defined with a The following fields are optional: -* `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. [introduced in ECK `3.3.0` - See [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for details] +* {applies_to}`eck: ga 3.3+``weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Refer to [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for details. * `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which the policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. * `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which the policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). From f0139cd9b9835afbc4e64057cb5f527abca28adb Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:05:49 +0200 Subject: [PATCH 10/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index ab05e424b5..d5afdc8c80 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -95,6 +95,7 @@ metadata: name: test-stack-config-policy # namespace: elastic-system or test-namespace spec: + weight: 0 <1> resourceSelector: matchLabels: env: my-label From 2c0ed25907b3fc74b46a72b55cc1d83670da3f6d Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:05:59 +0200 Subject: [PATCH 11/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index d5afdc8c80..442b44ba13 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -254,6 +254,7 @@ spec: secureSettings: - secretName: kibana-shared-secret ``` +1. {applies_to}`eck: ga 3.3+` Optional: determines priority when multiple policies target the same resource Example showing how multiple `StackConfigPolicy` resources can target the same Elasticsearch cluster, with `weight` determining which policy takes precedence: From 4997294496dad640f5090bb3f26d06f7f888ec7c Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:18:06 +0200 Subject: [PATCH 12/18] fix: more than one content block between code block with annotations --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 442b44ba13..b04bbdfd95 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -123,6 +123,7 @@ spec: min_count: 1 max_count: 20 ``` +1. {applies_to}`eck: ga 3.3+` Optional: determines priority when multiple policies target the same resource Another example of configuring role mappings, ingest pipelines, ILM and index templates: @@ -254,7 +255,6 @@ spec: secureSettings: - secretName: kibana-shared-secret ``` -1. {applies_to}`eck: ga 3.3+` Optional: determines priority when multiple policies target the same resource Example showing how multiple `StackConfigPolicy` resources can target the same Elasticsearch cluster, with `weight` determining which policy takes precedence: From 3051ef5266e49a7d72781d53af9aeda82d1c6a9a Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:24:38 +0200 Subject: [PATCH 13/18] fix: flip weight semantics --- .../elastic-stack-configuration-policies.md | 38 +++++++++---------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index b04bbdfd95..cde4db2da2 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -44,7 +44,7 @@ Additionally with ECK `2.11.0` it is possible to configure {{kib}} as well using A policy can be applied to one or more {{es}} clusters or {{kib}} instances in any namespace managed by the ECK operator. Configuration policy settings applied by the ECK operator are immutable through the {{es}} REST API. -With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target the same {{es}} cluster and {{kib}} instance. When multiple policies target the same resource, the policy with the lowest `weight` value takes precedence. If multiple policies have the same `weight` value, the operator reports a conflict. +With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target the same {{es}} cluster and {{kib}} instance. When multiple policies target the same resource, the policy with the highest `weight` value takes precedence. If multiple policies have the same `weight` value, the operator reports a conflict. ::::{admonition} Scale considerations @@ -86,7 +86,7 @@ The following fields are optional: * `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which the policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. * `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which the policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). -Example of applying a policy that configures snapshot repository, SLM Policies, and cluster settings: +Example of applying a policy that configures snapshot repository, {{slm-init}} Policies, and cluster settings: ```yaml apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 @@ -125,7 +125,7 @@ spec: ``` 1. {applies_to}`eck: ga 3.3+` Optional: determines priority when multiple policies target the same resource -Another example of configuring role mappings, ingest pipelines, ILM and index templates: +Another example of configuring role mappings, ingest pipelines, {{ilm-init}} and index templates: ```yaml apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 @@ -256,16 +256,16 @@ spec: - secretName: kibana-shared-secret ``` -Example showing how multiple `StackConfigPolicy` resources can target the same Elasticsearch cluster, with `weight` determining which policy takes precedence: +Example showing how multiple `StackConfigPolicy` resources can target the same {{es}} cluster, with `weight` determining which policy takes precedence: ```yaml -# Policy with higher priority (lower weight) +# Policy with higher priority (higher weight) apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 kind: StackConfigPolicy metadata: name: high-priority-policy spec: - weight: 0 # Lower weight = higher priority + weight: 100 # Higher weight = higher priority resourceSelector: matchLabels: cluster: my-cluster # Both policies target the same cluster @@ -274,13 +274,13 @@ spec: indices.recovery.max_bytes_per_sec: "200mb" --- -# Policy with lower priority (higher weight) +# Policy with lower priority (lower weight) apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 kind: StackConfigPolicy metadata: name: low-priority-policy spec: - weight: 100 # Higher weight = lower priority + weight: 0 # Lower weight = lower priority resourceSelector: matchLabels: cluster: my-cluster # Both policies target the same cluster @@ -289,7 +289,7 @@ spec: indices.recovery.max_bytes_per_sec: "100mb" ``` -In this example, both policies target the same Elasticsearch cluster (using the `cluster: my-cluster` label). The `high-priority-policy` (weight: 0) settings take precedence and overwrite the `low-priority-policy` (weight: 100) settings. The `low-priority-policy` settings are applied first, then the `high-priority-policy` settings overwrite them. If both policies have the same `weight` value, a conflict occurs and no policies are applied to the cluster until the conflict is resolved. See [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more details on how weight determines policy priority and conflict resolution. +In this example, both policies target the same {{es}} cluster (using the `cluster: my-cluster` label). The `high-priority-policy` (weight: 100) settings take precedence and overwrite the `low-priority-policy` (weight: 0) settings. The `low-priority-policy` settings are applied first, then the `high-priority-policy` settings overwrite them. If both policies have the same `weight` value, a conflict occurs and no policies are applied to the cluster until the conflict is resolved. See [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more details on how weight determines policy priority and conflict resolution. ## Monitor {{stack}} configuration policies [k8s-stack-config-policy-monitoring] @@ -341,11 +341,7 @@ kubectl get -n b scp test-err-stack-config-policy -o jsonpath="{.status}" | jq . } ``` -Important events are also reported through Kubernetes events, such as when two config policies conflict or you don’t have the appropriate license: - -```sh -54s Warning Unexpected stackconfigpolicy/config-test conflict: resource Elasticsearch ns1/cluster-a already configured by StackConfigpolicy default/config-test-2 -``` +Important events are also reported through {{k8s}} events, such as when you don't have the appropriate license: ```sh 17s Warning ReconciliationError stackconfigpolicy/config-test StackConfigPolicy is an enterprise feature. Enterprise features are disabled @@ -367,9 +363,9 @@ deployment: eck: ga 3.3+ ``` -The `weight` field is an integer that determines the priority of a policy when multiple `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance. When multiple policies target the same resource, policies are evaluated in order of their `weight` values (from highest to lowest). Settings from policies with lower `weight` values take precedence and overwrite settings from policies with higher `weight` values. The policy with the lowest `weight` value has the highest priority. +The `weight` field is an integer that determines the priority of a policy when multiple `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance. When multiple policies target the same resource, policies are evaluated in order of their `weight` values (from lowest to highest). Settings from policies with higher `weight` values take precedence and overwrite settings from policies with lower `weight` values. The policy with the highest `weight` value has the highest priority. -The `weight` field is optional and defaults to `0` if not specified. Lower weight values have higher priority. +The `weight` field is optional and defaults to `0` if not specified. Higher weight values have higher priority. ::::{important} - Conflict resolution @@ -377,8 +373,8 @@ If multiple policies have the same `weight` value and target the same resource, :::: This allows you to create a hierarchy of policies, for example: -* Base policies with higher weights (e.g., `weight: 100`) that provide default configurations -* Override policies with lower weights (e.g., `weight: 0`) that provide environment-specific or cluster-specific configurations and overwrite the base policy settings +* Base policies with lower weights (e.g., `weight: 0`) that provide default configurations +* Override policies with higher weights (e.g., `weight: 100`) that provide environment-specific or cluster-specific configurations and overwrite the base policy settings Example of using `weight` to create a policy hierarchy: @@ -389,7 +385,7 @@ kind: StackConfigPolicy metadata: name: base-policy spec: - weight: 100 # Higher weight = lower priority + weight: 0 # Lower weight = lower priority resourceSelector: matchLabels: env: production @@ -404,7 +400,7 @@ kind: StackConfigPolicy metadata: name: production-override-policy spec: - weight: 0 # Lower weight = higher priority + weight: 100 # Higher weight = higher priority resourceSelector: matchLabels: env: production @@ -414,7 +410,7 @@ spec: indices.recovery.max_bytes_per_sec: "200mb" ``` -In this example, clusters labeled with both `env: production` and `tier: critical` have the `production-override-policy` (weight: 0) settings applied, which overwrite the `base-policy` (weight: 100) settings. Other production clusters use only the `base-policy` (weight: 100) settings. +In this example, clusters labeled with both `env: production` and `tier: critical` have the `production-override-policy` (weight: 100) settings applied, which overwrite the `base-policy` (weight: 0) settings. Other production clusters use only the `base-policy` (weight: 0) settings. ## Specifics for secret mounts [k8s-stack-config-policy-specifics-secret-mounts] From b6dda473dc837004bf8d5b2b37d2188e0fe11f50 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 15:28:32 +0200 Subject: [PATCH 14/18] fix: remove redundant example of multiple stack config policies --- .../elastic-stack-configuration-policies.md | 35 +------------------ 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index cde4db2da2..9a17cba344 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -256,40 +256,7 @@ spec: - secretName: kibana-shared-secret ``` -Example showing how multiple `StackConfigPolicy` resources can target the same {{es}} cluster, with `weight` determining which policy takes precedence: - -```yaml -# Policy with higher priority (higher weight) -apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 -kind: StackConfigPolicy -metadata: - name: high-priority-policy -spec: - weight: 100 # Higher weight = higher priority - resourceSelector: - matchLabels: - cluster: my-cluster # Both policies target the same cluster - elasticsearch: - clusterSettings: - indices.recovery.max_bytes_per_sec: "200mb" - ---- -# Policy with lower priority (lower weight) -apiVersion: stackconfigpolicy.k8s.elastic.co/v1alpha1 -kind: StackConfigPolicy -metadata: - name: low-priority-policy -spec: - weight: 0 # Lower weight = lower priority - resourceSelector: - matchLabels: - cluster: my-cluster # Both policies target the same cluster - elasticsearch: - clusterSettings: - indices.recovery.max_bytes_per_sec: "100mb" -``` - -In this example, both policies target the same {{es}} cluster (using the `cluster: my-cluster` label). The `high-priority-policy` (weight: 100) settings take precedence and overwrite the `low-priority-policy` (weight: 0) settings. The `low-priority-policy` settings are applied first, then the `high-priority-policy` settings overwrite them. If both policies have the same `weight` value, a conflict occurs and no policies are applied to the cluster until the conflict is resolved. See [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more details on how weight determines policy priority and conflict resolution. +Multiple `StackConfigPolicy` resources can target the same {{es}} cluster or {{kib}} instance, with `weight` determining which policy takes precedence. Refer to [Policy priority and weight](k8s-stack-config-policy-priority-weight) for more information. ## Monitor {{stack}} configuration policies [k8s-stack-config-policy-monitoring] From 1a5f3b9794f1874be017e3e2904ddff38c4cca33 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Mon, 19 Jan 2026 18:29:43 +0200 Subject: [PATCH 15/18] fix: link --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 9a17cba344..21ac4c2aba 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -256,7 +256,7 @@ spec: - secretName: kibana-shared-secret ``` -Multiple `StackConfigPolicy` resources can target the same {{es}} cluster or {{kib}} instance, with `weight` determining which policy takes precedence. Refer to [Policy priority and weight](k8s-stack-config-policy-priority-weight) for more information. +Multiple `StackConfigPolicy` resources can target the same {{es}} cluster or {{kib}} instance, with `weight` determining which policy takes precedence. Refer to [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for more information. ## Monitor {{stack}} configuration policies [k8s-stack-config-policy-monitoring] From d8913b69ff29204c3c6b363903c4a780f4672743 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Tue, 20 Jan 2026 10:06:34 +0200 Subject: [PATCH 16/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 21ac4c2aba..0a82458cff 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -82,7 +82,7 @@ At least one of `spec.elasticsearch` or `spec.kibana` needs to be defined with a The following fields are optional: -* {applies_to}`eck: ga 3.3+``weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Refer to [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for details. +* {applies_to}`eck: ga 3.3+` `weight` is an integer that determines the priority of this policy when multiple policies target the same resource. Refer to [Policy priority and weight](#k8s-stack-config-policy-priority-weight) for details. * `namespace` is the namespace of the `StackConfigPolicy` resource and used to identify the {{es}} clusters and {{kib}} instances to which the policy applies. If it equals to the operator namespace, the policy applies to all namespaces managed by the operator, otherwise the policy only applies to the namespace of the policy. * `resourceSelector` is a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to identify the {{es}} clusters and {{kib}} instances to which the policy applies in combination with the namespace(s). No `resourceSelector` means all {{es}} clusters and {{kib}} instances in the namespace(s). From 83b083a51f44f887fb0de8a866342a9e59e9c23b Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Tue, 20 Jan 2026 10:49:51 +0200 Subject: [PATCH 17/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: Peter Brachwitz --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 0a82458cff..62db9950be 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -48,7 +48,7 @@ With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target ::::{admonition} Scale considerations -There is no hard limit to the maximum number of `StackConfigPolicy` resources that can target the same {{es}} cluster or {{kib}} instance. However, in testing, we observed that when hundreds of `StackConfigPolicy` resources target the same {{es}} cluster or {{kib}} instance, the total reconciliation time (including the {{es}} cluster or {{kib}} instance and all `StackConfigPolicy` resources) can increase significantly, sometimes to several minutes. To maintain fast total reconciliation times, we recommend consolidating configurations where possible. +While there is no hard limit on how many `StackConfigPolicy` resources can target the same {{es}} cluster or {{kib}} instance, targeting a single resource with more than 100 policies can increase total reconciliation time to several minutes. For optimal performance, combine related settings into fewer policies rather than creating many granular ones. :::: From c0e4f12b868e9a3a095ba20bd7fef904c0cfe300 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Tue, 20 Jan 2026 11:50:17 +0200 Subject: [PATCH 18/18] Update deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md Co-authored-by: Peter Brachwitz --- .../deploy/cloud-on-k8s/elastic-stack-configuration-policies.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 62db9950be..bda13d12b5 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md @@ -49,6 +49,8 @@ With ECK `3.3.0` and later, multiple {{stack}} configuration policies can target ::::{admonition} Scale considerations While there is no hard limit on how many `StackConfigPolicy` resources can target the same {{es}} cluster or {{kib}} instance, targeting a single resource with more than 100 policies can increase total reconciliation time to several minutes. For optimal performance, combine related settings into fewer policies rather than creating many granular ones. + +Additionally, the total size of settings configured through `StackConfigPolicy` resources for a given {{es}} cluster or {{kib}} instance is limited to 1MB due to Kubernetes secret size constraints. ::::