A Kubernetes operator for managing Wazuh clusters, providing a declarative way to deploy and configure Wazuh security monitoring platforms.
- Declarative Cluster Management - Define your entire Wazuh cluster using Kubernetes custom resources
- Automated Deployment - Automatically provisions Manager, Indexer, and Dashboard components
- Rule & Decoder Management - Manage Wazuh detection rules and log decoders as CRDs
- OpenSearch Security CRDs - Manage users, roles, role mappings, and tenants declaratively
- Index Lifecycle Management - Configure ISM policies, index templates, and snapshot policies
- Backup & Restore - OpenSearch snapshots and Wazuh Manager backups to S3, GCS, Azure, HDFS
- TLS Automation - Auto-generated certificates with hot reload support (Wazuh 4.9+)
- High Availability - Multi-node deployments with pod disruption budgets
- Monitoring Ready - Prometheus metrics and ServiceMonitor integration
- OpenTelemetry Tracing - Distributed tracing support for observability

```mermaid
graph LR
    subgraph WazuhCluster
        manager["Wazuh manager<br/>Master + Workers"]
        indexer["Wazuh indexer<br/>(Modified OpenSearch)"]
        dashboard["Wazuh dashboard<br/>(Modified OpenSearch dashboard)"]
    end
```

- Kubernetes 1.25+
- kubectl configured
- 16GB+ RAM recommended

```bash
# Install the operator
helm install wazuh-operator oci://ghcr.io/maximewewer/charts/wazuh-operator \
  -n wazuh-system --create-namespace

# Deploy a Wazuh cluster
helm install wazuh-cluster oci://ghcr.io/maximewewer/charts/wazuh-cluster \
  -n wazuh-system

# Check status
kubectl get wazuhcluster -n wazuh

# Forward the dashboard port to localhost
kubectl port-forward svc/wazuh-cluster-dashboard -n wazuh 5601:5601
```

Open https://localhost:5601 - Credentials are auto-generated in secrets.
See Quick Start Guide for detailed instructions.
| Wazuh | OpenSearch | Notes |
|---|---|---|
| 4.12.x - 4.14.x | 2.19.1 | Automatic TLS certificate hot reload (file-watch). |
| 4.10.x - 4.11.x | 2.16.0 | |
| 4.9.x | 2.13.0 | TLS certificate hot reload via API call. Minimum version supported by the operator. |
| < 4.9.0 | Not supported | Might work, but it hasn't been tested. |
API Group: resources.wazuh.com/v1
| Category | CRDs | Short Names |
|---|---|---|
| Wazuh Core | WazuhCluster, WazuhManager, WazuhWorker | wc, wmgr, wwork |
| Wazuh Config | WazuhRule, WazuhDecoder, WazuhCertificate, WazuhFilebeat | wrule, wdecoder, wzcert, wfb |
| Wazuh Backup | WazuhBackup, WazuhRestore | wbak, wrest |
| OpenSearch Core | OpenSearchIndexer, OpenSearchDashboard | osidxr, osdash |
| OpenSearch Security | OpenSearchUser, OpenSearchRole, OpenSearchRoleMapping, OpenSearchActionGroup, OpenSearchTenant, OpenSearchAuthConfig | osuser, osrole, osrmap, osag, ostenant, osauth |
| OpenSearch Index | OpenSearchIndex, OpenSearchIndexTemplate, OpenSearchComponentTemplate, OpenSearchPolicy, OpenSearchSnapshotPolicy | osidx, osidxt, osctpl, osism, ossnap |
| OpenSearch Backup | OpenSearchSnapshotRepository, OpenSearchSnapshot, OpenSearchRestore | osrepo, ossnapshot, osrestore |
See CRD Reference for complete API documentation.
| Topic | Description |
|---|---|
| Installation | How to install the operator |
| Quick Start | Deploy your first cluster |
| Credentials | Auto-generated passwords, secrets |
| TLS Configuration | Certificate management |
| Monitoring | Prometheus integration |
| Backup & Restore | Data protection (S3, GCS, Azure, HDFS) |
| Repository Plugins | Auto plugin install & keystore |
| Advanced Topology | NodePools, dedicated roles |
| Examples | Configuration examples |
| Troubleshooting | Common issues and debugging |
| Topic | Description |
|---|---|
| Architecture | Overall design |
| Testing Guide | How to run and write tests |
| Contributing | How to contribute |

```bash
# Generate manifests and code
make manifests generate

# Build and test
make build test

# Build Docker image
make docker-build IMG=myregistry/wazuh-operator:dev

# Run locally
make install run
```

See Testing Guide for complete testing instructions.
We welcome contributions! Please see CONTRIBUTING.md for details.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- Built with Kubebuilder
- Inspired by opensearch-k8s-operator
- Based on Wazuh security platform