Unable to deploy elastic/eck-operator on RedHat OpenShift 4.11

Uzi_Cohen · September 15, 2022, 7:15pm

When deploying elastic/eck-operator helm chart on OpenShift 4.11, deployment fails, getting:
msg="runc create failed: unable to start container process: exec: "./elastic-operator": stat ./elastic-operator: permission denied"

helm reports the following warning (but then adds the missing properties to the container securityContext , see below):

helm install elastic-operator elastic/eck-operator -n logging --set=installCRDs=false --set=webhook.enabled=false   --set=config.validateStorageClass=false

W0915 14:52:29.426212   70832 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "manager" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

NAME: elastic-operator
LAST DEPLOYED: Thu Sep 15 14:52:27 2022
NAMESPACE: logging
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Inspect the operator logs by running the following command:
   kubectl logs -n logging sts/elastic-operator

Pod fails to create a container:

$ k get pods -n logging
NAME                 READY   STATUS                 RESTARTS   AGE
elastic-operator-0   0/1     CreateContainerError   0          2m21s

Running kubectl describe pods -n logging elastic-operator-0 I see the following event message:

  Warning  Failed          71s                   kubelet            Error: container create failed: time="2022-09-15T18:53:49Z" level=error msg="runc create failed: unable to start container process: exec: \"./elastic-operator\": stat ./elastic-operator: permission denied"
  Warning  Failed          32s (x3 over 59s)     kubelet            (combined from similar events): Error: container create failed: time="2022-09-15T18:54:28Z" level=error msg="runc create failed: unable to start container process: exec: \"./elastic-operator\": stat ./elastic-operator: permission denied"

The pod starts using:
Service Account: elastic-operator and:
openshift.io/scc: restricted-v2
seccomp.security.alpha.kubernetes.io/pod: runtime/default

The pod gets scheduled, so it's not an scc issue.
The pod 's securityContext is:

  securityContext:
     fsGroup: 1000670000
     runAsNonRoot: true
     seLinuxOptions:
       level: s0:c26,c10
     seccompProfile:
       type: RuntimeDefault

The container's securityContext is:

      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        runAsUser: 1000670000

Any idea why the container cannot execute ./elastic operator

Uzi_Cohen · September 30, 2022, 5:31pm

See resolution here:
deploying elastic/eck-operator helm chart on OpenShift 4.11 fails with exec: \"./elastic-operator\": stat ./elastic-operator: permission denied · Issue #6017 · elastic/cloud-on-k8s · GitHub

system · October 28, 2022, 5:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot deploy eck elasticsearch cluster after successful operator install Elastic Cloud on Kubernetes (ECK)	3	429	February 21, 2023
PodSecurityPolicy issue with ECK Operator 2.6.1 Elastic Cloud on Kubernetes (ECK)	1	358	March 6, 2023
ECK Quickstart - Elasticsearch fails to start with "permission denied" error Elastic Cloud on Kubernetes (ECK)	2	1333	November 4, 2022
Opening terminal for operator fails on OpenShift Elastic Cloud on Kubernetes (ECK)	2	553	November 4, 2022
Fleet server agent with ECK operator in OpenShift deploying error Elastic Agent fleet	1	72	July 9, 2024

Unable to deploy elastic/eck-operator on RedHat OpenShift 4.11

Related topics