[NEW] Openshift 4 - Fleet and Elastic Agent permission denied

demon86rm · April 26, 2023, 12:58pm

Hi,

I'd like to reopen the old post from splitmessage88 as I'm facing the exact same issue while trying to configure an Elastic Agent on an ARO cluster. I've followed all the existing instructions for deploy the ECK operator on Openshift but in the end the only result is that the daemonSet is not able to mkdir the /usr/share/elastic-agent/state hostPath directory even with privileged scc serviceAccount or runAsUser:0 securityContext.

Has anyone ever achieved deploying successfully on Openshift or on Managed Openshift service (like ARO/ROSA) an elastic-agent daemonSet running?

If it's not possibile, can be specified on the docs that ECK can't be deployed successfully on managed platforms or that it hasn't been tested at least so it might not work even if the steps on the docs are followed?

michael.morello · April 26, 2023, 1:24pm

IIRC being in the privileged scc is not enough, could you also check that the container is privileged:

    podTemplate:
      spec:
        securityContext:
          runAsUser: 0
        containers:
          - name: agent
            securityContext:
              runAsUser: 0
              privileged: true

demon86rm · April 27, 2023, 3:56pm

Thank you for your answer, that worked like a charm!

system · May 25, 2023, 3:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.