Cannot deploy ECK 2.7.0 with PSP

sebastianboelling · April 25, 2023, 1:11pm

Hi,

I tried to deploy ECK 2.7.0 on my Tanzu Kubernetes environment and get the following error message:

Warning  Failed     5m6s (x2 over 5m7s)  kubelet            Error: container has runAsNonRoot and image will run as root (pod: "elastic-operator-0_srv247(2ddfe704-c0e9-4a5a-b916-5c5e646c6c4d)", container: manager)

I am using PSP and configured it the operator.yaml and crds.yaml accordingly. With ECK 2.6.1 everything runs without any errors.

The container spec in the operator.yaml is as follows:

containers:
      - image: "myownrepo/eck/eck-operator:2.7.0"
        imagePullPolicy: IfNotPresent
        name: manager
        args:
        - "manager"
        - "--config=/conf/eck.yaml"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        env:

Are there changes to the 2.7.0 image which break my definition?

Regards

Sebastian

michael.morello · April 25, 2023, 1:50pm

ECK 2.7.0 is supposed to run as user 65532 (which actually inherits it from Distroless I guess):

docker inspect docker.elastic.co/eck/eck-operator:2.7.0:

       "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "65532",

docker inspect docker.elastic.co/eck/eck-operator:2.6.1 returns the same as above.

Could you check what is the value of Config.User for your image myownrepo/eck/eck-operator:2.7.0?

sebastianboelling · April 25, 2023, 2:52pm

It is

 "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",

Regards

sebastianboelling · April 27, 2023, 11:09am

I've found the issue. The image was faulty imported to the repo. After new import the ECK 2.7.0 works fine.

system · May 25, 2023, 11:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.