Unable to deploy elastic/eck-operator on Red Hat OpenShift 4.11

When deploying the elastic/eck-operator Helm chart on OpenShift 4.11, the deployment fails with:
msg="runc create failed: unable to start container process: exec: "./elastic-operator": stat ./elastic-operator: permission denied"

Helm reports the following warning (but then adds the missing properties to the container securityContext, see below):

helm install elastic-operator elastic/eck-operator -n logging --set=installCRDs=false --set=webhook.enabled=false   --set=config.validateStorageClass=false

W0915 14:52:29.426212   70832 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

NAME: elastic-operator
LAST DEPLOYED: Thu Sep 15 14:52:27 2022
NAMESPACE: logging
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Inspect the operator logs by running the following command:
   kubectl logs -n logging sts/elastic-operator

Pod fails to create a container:

$ k get pods -n logging
NAME                 READY   STATUS                 RESTARTS   AGE
elastic-operator-0   0/1     CreateContainerError   0          2m21s

Running kubectl describe pods -n logging elastic-operator-0, I see the following event messages:

  Warning  Failed          71s                   kubelet            Error: container create failed: time="2022-09-15T18:53:49Z" level=error msg="runc create failed: unable to start container process: exec: \"./elastic-operator\": stat ./elastic-operator: permission denied"
  Warning  Failed          32s (x3 over 59s)     kubelet            (combined from similar events): Error: container create failed: time="2022-09-15T18:54:28Z" level=error msg="runc create failed: unable to start container process: exec: \"./elastic-operator\": stat ./elastic-operator: permission denied"

The pod starts using:
Service Account: elastic-operator and:
openshift.io/scc: restricted-v2
seccomp.security.alpha.kubernetes.io/pod: runtime/default

The pod gets scheduled, so it's not an SCC issue.
The pod's securityContext is:

  securityContext:
     fsGroup: 1000670000
     runAsNonRoot: true
     seLinuxOptions:
       level: s0:c26,c10
     seccompProfile:
       type: RuntimeDefault

The container's securityContext is:

      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        runAsUser: 1000670000

Any idea why the container cannot execute ./elastic-operator?

See resolution here:
deploying elastic/eck-operator helm chart on OpenShift 4.11 fails with exec: \"./elastic-operator\": stat ./elastic-operator: permission denied · Issue #6017 · elastic/cloud-on-k8s · GitHub
