ELK Stack Deployment Guide: Docker Compose, Kubernetes, and Production Patterns
Country Manager, Sweden
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia
ELK Stack Deployment Guide: Docker Compose, Kubernetes, and Production Patterns
You can run an ELK Stack three ways: a tutorial setup on your laptop with Docker Compose, a Kubernetes-managed deployment via the official Elastic Cloud on Kubernetes (ECK) operator, or a vendor-managed cloud service like Elastic Cloud or AWS OpenSearch Service. Each is appropriate for different stages and scales, and customers regularly run all three in parallel: laptops for development, ECK for self-managed production, and managed cloud for SaaS-friendly workloads.
This guide walks through each deployment path with working configuration, then covers the production patterns that matter regardless of how you deploy.
Path 1: Docker Compose for Development
For local development, Docker Compose runs a single-node Elastic Stack in five minutes. The only purpose is iteration speed; never run this configuration in production.
version: '3.8'
services:
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.13.0
environment:
- discovery.type=single-node
- xpack.security.enabled=false
- ES_JAVA_OPTS=-Xms2g -Xmx2g
ports: ['9200:9200']
volumes: ['esdata:/usr/share/elasticsearch/data']
kibana:
image: docker.elastic.co/kibana/kibana:8.13.0
environment:
- ELASTICSEARCH_HOSTS=http://elasticsearch:9200
ports: ['5601:5601']
depends_on: [elasticsearch]
logstash:
image: docker.elastic.co/logstash/logstash:8.13.0
volumes: ['./pipeline:/usr/share/logstash/pipeline']
ports: ['5044:5044']
depends_on: [elasticsearch]
volumes:
esdata:
Bring it up with docker compose up -d, point Kibana at http://localhost:5601, and you have a working stack for testing pipelines and dashboards. Disable security only for local use.
Path 2: ECK on Kubernetes for Self-Managed Production
Elastic Cloud on Kubernetes (ECK) is the operator-based deployment pattern for production self-managed clusters. The operator handles cluster provisioning, version upgrades, certificate management, and node-pool topology declaratively. The pattern fits naturally with argocd gitops services deployment workflows.
A minimal Elasticsearch cluster definition with role separation:
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: prod
spec:
version: 8.13.0
nodeSets:
- name: master
count: 3
config:
node.roles: ['master']
podTemplate:
spec:
containers:
- name: elasticsearch
resources:
requests: { memory: 4Gi, cpu: 1 }
limits: { memory: 4Gi, cpu: 2 }
- name: hot
count: 6
config:
node.roles: ['data_hot','data_content','ingest']
volumeClaimTemplates:
- metadata: { name: elasticsearch-data }
spec:
accessModes: ['ReadWriteOnce']
resources: { requests: { storage: 1Ti } }
storageClassName: gp3
podTemplate:
spec:
containers:
- name: elasticsearch
resources:
requests: { memory: 32Gi, cpu: 4 }
limits: { memory: 32Gi, cpu: 8 }
- name: warm
count: 4
config:
node.roles: ['data_warm']
volumeClaimTemplates:
- metadata: { name: elasticsearch-data }
spec:
accessModes: ['ReadWriteOnce']
resources: { requests: { storage: 4Ti } }
storageClassName: st1
The same operator pattern applies to Kibana and Beats (Elastic Agent). ECK manages certificate rotation, rolling upgrades, and shard rebalancing during node replacement.
Need expert help with elk stack deployment guide?
Our cloud architects can help you with elk stack deployment guide — from strategy to implementation. Book a free 30-minute advisory call with no obligation.
Path 3: Managed Cloud Services
For teams who do not want to operate the cluster, three options dominate:
- Elastic Cloud — first-party managed Elastic Stack on AWS, Azure, or GCP. Strongest feature parity with self-managed
- AWS OpenSearch Service — managed OpenSearch on AWS. Strong integration with AWS-native sources (CloudWatch, Kinesis, S3)
- Aiven for OpenSearch / Elasticsearch — multi-cloud managed service with strong SOC 2 / ISO 27001 posture
Pricing model is per-cluster-hour plus storage. For deployments under 1 TB/day, managed services are usually cheaper than self-hosting once you factor in the operational headcount required to run the cluster well.
Production Patterns That Apply Everywhere
Regardless of where the cluster runs, six patterns separate well-operated ELK deployments from troubled ones:
- Index Lifecycle Management (ILM) — automated rollover from hot to warm to cold tiers based on age and size. Without ILM, indices grow unboundedly and shard counts explode
- Snapshots to object storage — daily snapshots to S3 / GCS / blob, retained 30+ days. The only real disaster recovery for an Elasticsearch cluster
- Index templates with explicit mappings — never let mapping drift create field type conflicts. Define field types in templates and let unmapped fields fail loudly
- Cluster monitoring with a separate cluster — monitor Elasticsearch with metricbeat shipping to a different Elasticsearch cluster. Self-monitoring breaks during outages
- Authentication and field-level security — RBAC with SAML / OIDC integration, field-level redaction for PII, audit logs
- Capacity headroom — target 60-70% disk utilisation on hot tier. Above 85% the cluster starts refusing writes (flood-stage watermark)
Sizing in 60 Seconds
The rough sizing arithmetic for a self-managed deployment:
- Daily ingest GB × retention days × 1.3 (replication overhead) = total disk required
- Hot tier disk = roughly 7-14 days of ingest, on SSD
- Warm tier disk = remaining retention, on cheaper disk
- JVM heap = 50% of RAM, never more than 31 GB (compressed-pointer threshold)
- Hot data nodes = ceil(daily ingest / 50 GB indexing per node per hour)
For 2 TB/day ingest with 90-day retention: roughly 6 hot nodes (32 GB heap, 1 TB SSD each), 4 warm nodes (16 GB heap, 4 TB disk each), 3 dedicated masters, total cluster cost on AWS roughly $8-12k/month before storage tiering optimisations.
How Opsio Helps
Opsio runs ELK and OpenSearch deployments under managed-service contracts on AWS, Azure, GCP, and on-premise. Our Opsio's elk stack service covers ECK-based deployment, ILM design, snapshot strategy, RBAC and SAML integration, and 24/7 SRE operations. We also offer managed containerization services for the wider Kubernetes platform that hosts the cluster.
About the Author
Country Manager, Sweden
Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.