/usr/local/bin/docker-entrypoint: line 8: /usr/share/heartbeat/heartbeat: Operation not permitted

Hi,

we are running Elastic Cloud on Kubernetes 2.11 in an OpenShift 4.12 environment. All images use version 8.12.1

I am having issues getting heartbeat running. I followed the Elastic Docs

Created a service account. Changed the scc policy to privileged. Added the heartbeat config part to my eck yaml.

After rolling it out, the heartbeat pod keeps failing with the following error message.

/usr/local/bin/docker-entrypoint: line 8: /usr/share/heartbeat/heartbeat: Operation not permitted

What am I missing?

Regards,
Marius

Hi @WookWook,

It's likely the container is running with insufficient permissions to run the heartbeat executable. Are you using OpenShift's dynamic UID? Please make sure the container is running with fsGroup: 0 and supplementalGroups: [0].

Hope that helps!

I tried adding fsGroup: 0 and supplementalGroups: [0], but this error still occurs:
/usr/local/bin/docker-entrypoint: line 8: /usr/share/heartbeat/heartbeat: Operation not permitted

Here is my yaml file:

apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: heartbeat
spec:
  type: heartbeat
  version: 8.13.4
  elasticsearchRef:
    name: elasticsearch-sample
  config:
    heartbeat.monitors:
    - type: tcp
      schedule: '@every 5s'
      hosts: ["elasticsearch-sample-es-http:9200"]
    - type: tcp
      schedule: '@every 5s'
      hosts: ["kibana-sample-kb-http:5601"]
  deployment:
    replicas: 1
    podTemplate:
      spec:
        serviceAccountName: heartbeat
        securityContext:
          runAsUser: 0
          fsGroup: 0
          supplementalGroups: [0]

Sorry for the late reply. My working configuration looks as follows

  deployment:
    replicas: 1
    podTemplate:
      spec:
        containers:
        - name: heartbeat
          securityContext:
            capabilities:
              add: ["NET_RAW", "SYS_CHROOT"]
        serviceAccountName: heartbeat
        securityContext:
          runAsUser: 0
        volumes:
          - name: beat-data
            emptyDir: {}
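The working configuration above differs from the failing one in that it grants the heartbeat container the NET_RAW and SYS_CHROOT capabilities. A quick way to confirm from inside a running pod whether those capabilities actually reached the container (rather than being dropped by the SCC) is to decode the CapBnd and CapEff masks in /proc/self/status. The following checker is an added example, not part of the thread or of the ECK project; the two status snippets embedded in it are constructed, the bit numbers are the kernel's (CAP_NET_RAW = 13, CAP_SYS_CHROOT = 18), and the function names are my own.

```python
"""Decode Linux capability masks from /proc/<pid>/status and report
which capabilities a heartbeat container still lacks.

Added example (not from the thread). Run it inside the pod, e.g. via
`oc exec <pod> -- python3 capcheck.py`, or run it locally to see the
constructed samples below.
"""
import os

# Kernel capability bit numbers (linux/capability.h).
CAP_BITS = {
    "NET_RAW": 13,     # needed for ICMP monitors
    "SYS_CHROOT": 18,  # needed by the heartbeat entrypoint in the thread
}

# Capabilities the working manifest in the thread adds to the container.
REQUIRED = ("NET_RAW", "SYS_CHROOT")


def parse_cap_masks(status_text):
    """Return {field: int} for the Cap* lines of a /proc/<pid>/status dump."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            field, _, value = line.partition(":")
            masks[field.strip()] = int(value.strip(), 16)
    return masks


def has_cap(mask, name):
    """True if capability `name` is set in the integer bitmask `mask`."""
    return bool(mask >> CAP_BITS[name] & 1)


def missing_capabilities(status_text, required=REQUIRED, field="CapBnd"):
    """List the required capabilities absent from the given mask field.

    CapBnd is the bounding set: a capability missing there cannot be
    gained by any exec in the container, however the image is built.
    """
    masks = parse_cap_masks(status_text)
    if field not in masks:
        raise ValueError(f"{field} not found in status text")
    return [name for name in required if not has_cap(masks[field], name)]


def check_self(required=REQUIRED):
    """Read this process's own status; returns None when not on Linux."""
    path = "/proc/self/status"
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return missing_capabilities(fh.read(), required)


# Constructed sample: a container whose SCC dropped every capability.
RESTRICTED_STATUS = """\
Name:   heartbeat
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
"""

# Constructed sample: the stock Docker default bounding set, which
# includes both NET_RAW (bit 13) and SYS_CHROOT (bit 18).
DEFAULT_STATUS = """\
Name:   heartbeat
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
"""

if __name__ == "__main__":
    for label, sample in (("restricted", RESTRICTED_STATUS),
                          ("default", DEFAULT_STATUS)):
        print(f"{label}: missing {missing_capabilities(sample) or 'none'}")
    own = check_self()
    if own is not None:
        print(f"this process: missing {own or 'none'}")
```

When run inside the failing pod from the first post, a non-empty result for CapBnd means the capabilities must be added through the container's securityContext (and permitted by the SCC bound to the service account), which is exactly what the working manifest does.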