Support for ECK with a PSP

Hi @NerdSec, thanks for moving to Discuss.

When I glanced over Calico I was under an impression that it's a k8s distribution and I worded my response like it mattered. Apologies!

To reiterate - the ECK operator does not create Pods directly (privileged or not). Instead, we create a StatefulSet resource. There is a built-in StatefulSet controller in k8s that creates Pods based on that StatefulSet resource. This is important, because it means that elastic-operator is not the right Service Account to give the use permission for a PSP.

So what's the right way? Well, there are two:

  • give the use permission to the StatefulSet controller
  • have the Pods use serviceAccount that has the right use permission

As you correctly noted, the first one is more permissive than needed. I suggested that one as I felt it could help with unblocking and verifying whether that's really the issue. I think that my response might've lacked context :slight_smile:

The second way is preferred, but requires creating a Service Account, the right Binding, and providing it in the Elasticsearch manifest podTemplate.

Our E2E test suite runs on PSP enabled clusters and the PSP is in our repo, if you'd like to take a look.

Btw, were you able to check the kubernetes.io/psp annotation on the Pod? It should tell you which PSP the Pod was created with.

Let me know if the above allowed you to unblock, I'll be happy to help further if not.
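The second (preferred) option from the reply above, written out as an added example; this is not a manifest from the original post or from the ECK repository. The PSP body, the `elasticsearch-psp` / `es-restricted` / `elasticsearch` names and the `quickstart` cluster are assumptions for illustration; the real PSP used by the ECK E2E tests lives in the ECK repo as the post says, and its contents should be taken from there. The point the example demonstrates is that the `use` verb is granted to the ServiceAccount the Elasticsearch Pods run as, not to `elastic-operator`.

```yaml
# Added example (not from the original post). All names below are hypothetical.
# 1. The PodSecurityPolicy itself. The settings here are an illustrative,
#    non-privileged baseline, NOT the PSP from the ECK repo.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: elasticsearch-psp        # hypothetical name
spec:
  privileged: false              # Elasticsearch data Pods do not need privileged
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: RunAsAny               # ES runs as a non-root uid set by the image
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "secret", "emptyDir", "persistentVolumeClaim", "projected"]
---
# 2. A Role that grants the "use" verb on exactly that PSP. Scoping with
#    resourceNames keeps the grant limited to one policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: es-restricted            # hypothetical name
  namespace: default
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["elasticsearch-psp"]
    verbs: ["use"]
---
# 3. The ServiceAccount the Elasticsearch Pods will run as. This is the
#    identity the StatefulSet controller creates Pods with, so this is the
#    one that needs "use", not the elastic-operator ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elasticsearch            # hypothetical name
  namespace: default
---
# 4. Bind the Role to that ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: es-restricted
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: es-restricted
subjects:
  - kind: ServiceAccount
    name: elasticsearch
    namespace: default
---
# 5. Tell ECK to run the Pods under that ServiceAccount via podTemplate.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart               # hypothetical cluster name
  namespace: default
spec:
  version: 7.10.0                # placeholder version; use the one you deploy
  nodeSets:
    - name: default
      count: 1
      podTemplate:
        spec:
          serviceAccountName: elasticsearch   # the account with "use" on the PSP
```

After applying this, the check mentioned in the reply is `kubectl -n default get pod quickstart-es-default-0 -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}'`, which should print `elasticsearch-psp`. If it prints a different policy, the admission controller matched another PSP the Pod's ServiceAccount (or the StatefulSet controller) is allowed to use, and the Pod will carry that policy's constraints instead; if the Pod is never created, `kubectl describe statefulset quickstart-es-default` shows the PSP rejection in its events.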