When deploying elastic/eck-operator helm chart on OpenShift 4.11, deployment fails, getting:
msg="runc create failed: unable to start container process: exec: "./elastic-operator": stat ./elastic-operator: permission denied"
helm reports the following warning (but then adds the missing properties to the container securityContext, see below):
helm install elastic-operator elastic/eck-operator -n logging --set=installCRDs=false --set=webhook.enabled=false --set=config.validateStorageClass=false
W0915 14:52:29.426212 70832 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: elastic-operator
LAST DEPLOYED: Thu Sep 15 14:52:27 2022
NAMESPACE: logging
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Inspect the operator logs by running the following command:
kubectl logs -n logging sts/elastic-operator
Pod fails to create a container:
$ k get pods -n logging
NAME READY STATUS RESTARTS AGE
elastic-operator-0 0/1 CreateContainerError 0 2m21s
Running kubectl describe pods -n logging elastic-operator-0, I see the following event message:
Warning Failed 71s kubelet Error: container create failed: time="2022-09-15T18:53:49Z" level=error msg="runc create failed: unable to start container process: exec: \"./elastic-operator\": stat ./elastic-operator: permission denied"
Warning Failed 32s (x3 over 59s) kubelet (combined from similar events): Error: container create failed: time="2022-09-15T18:54:28Z" level=error msg="runc create failed: unable to start container process: exec: \"./elastic-operator\": stat ./elastic-operator: permission denied"
The pod starts using Service Account: elastic-operator and:
  openshift.io/scc: restricted-v2
  seccomp.security.alpha.kubernetes.io/pod: runtime/default
The pod gets scheduled, so it's not an SCC issue.
The pod's securityContext is:
securityContext:
  fsGroup: 1000670000
  runAsNonRoot: true
  seLinuxOptions:
    level: s0:c26,c10
  seccompProfile:
    type: RuntimeDefault
The container's securityContext is:
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsUser: 1000670000
Any idea why the container cannot execute ./elastic-operator?
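As an added example (not part of the original post or the eck-operator project): a small shell check that applies the Unix owner/group/other execute rule, the same rule behind an exec-time "permission denied", to the identity the restricted-v2 SCC assigns (the UID 1000670000 from the pod spec above). It assumes that this UID has no /etc/passwd entry in the image, so the primary GID falls back to 0, and the owner/group/mode triples it evaluates are constructed samples, not the real image's file permissions.

```shell
#!/bin/sh
# Added example: can a process running as uid/gid exec a file with the given
# owner uid, group gid and octal mode? Returns 0 (yes) or 1 (no).
# Arguments: uid gid file_owner_uid file_group_gid octal_mode (e.g. 750 or 0750)
can_exec() {
  uid=$1 gid=$2 owner=$3 group=$4 mode=$5
  perm=${mode#"${mode%???}"}        # keep only the last three octal digits
  u=${perm%??}                      # owner bits
  g=${perm#?}; g=${g%?}             # group bits
  o=${perm#??}                      # other bits
  if [ "$uid" -eq 0 ]; then
    [ $(( (u | g | o) & 1 )) -eq 1 ]    # root may exec if any x bit is set
  elif [ "$uid" -eq "$owner" ]; then
    [ $(( u & 1 )) -eq 1 ]
  elif [ "$gid" -eq "$group" ]; then
    [ $(( g & 1 )) -eq 1 ]
  else
    [ $(( o & 1 )) -eq 1 ]
  fi
}

# Identity from the post: runAsUser assigned by the restricted-v2 SCC.
# Assumption: the user is not in the image's /etc/passwd, so the runtime
# falls back to primary GID 0 for it.
ARBITRARY_UID=1000670000
ARBITRARY_GID=0

# Verdict for one constructed file entry: owner group mode
verdict() {
  if can_exec "$ARBITRARY_UID" "$ARBITRARY_GID" "$1" "$2" "$3"; then
    echo "exec OK"
  else
    echo "permission denied"
  fi
}

# Constructed samples (NOT the real eck-operator image). The first matches the
# symptom in the post: a binary only its owner may execute.
for spec in "1000 1000 750" "1000 0 750" "1000 1000 755"; do
  set -- $spec   # intentional word splitting into owner group mode
  printf 'owner=%s group=%s mode=%s: %s\n' "$1" "$2" "$3" "$(verdict "$1" "$2" "$3")"
done
```

To apply it to a real image, feed the triple from `stat -c '%u %g %a' /path/to/binary` run inside the image.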