When trying to create opensearch container in OpenShift the issue with privileged is appeared #512

Open
thtarstar opened this issue Dec 21, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@thtarstar

Describe the bug
After trying to create an OpenSearch container in OpenShift (OKD cluster), I had an error:
Warning Failed 95m (x1075 over 5h38m) kubelet (combined from similar events): Error: container create failed: time="2023-12-20T15:56:36+02:00" level=error msg="runc create failed: unable to start container process: exec: "./opensearch-docker-entrypoint.sh": stat ./opensearch-docker-entrypoint.sh: permission denied

Looks like OpenShift is crying for OpenSearch running as a privileged container in the cluster.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Chart Name
Specify the Chart which is affected?

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • Helm Version: [e.g. 3.7.2]
  • OpenShift

Additional context
Add any other context about the problem here.

@thtarstar thtarstar added bug Something isn't working untriaged Issues that have not yet been triaged labels Dec 21, 2023
@tdominguezm

Interested to know if there are any updates to this, as I'm having the same issue trying to deploy OpenSearch in an OpenShift cluster without privileged access and I'm facing the same error "runc create failed: unable to start container process: exec: "./opensearch-docker-entrypoint.sh": stat ./opensearch-docker-entrypoint.sh: permission denied".

If someone has managed to make it work, I would appreciate more insight.

@prudhvigodithi
Collaborator

prudhvigodithi commented Jan 16, 2024

There are some open issues with respect to OpenShift clusters running the OpenSearch helm chart.
#369
#384
#480
#512

It would be great if someone can refactor the chart to make it work with OpenShift.

@prudhvigodithi prudhvigodithi removed the untriaged Issues that have not yet been triaged label Jan 16, 2024
@gsmith-sas

gsmith-sas commented Jan 16, 2024

@prudhvigodithi The first 2 issues (#369 and #384) are NOT OpenShift-specific; they are related to Kubernetes security best-practices. Even the 3rd issue (#480) is more a K8s security best practices issue than an OpenShift issue (although OpenShift is mentioned). These issues may crop up on OpenShift because it enforces/requires some of these best-practices but the underlying issue is that the OpenSearch container image is not configured securely. This is surprising since I suspect the AWS OpenSearch service has resolved these same issues. Unfortunately, some of these cannot be fixed via Helm chart changes and must be addressed in the container image itself.

@prudhvigodithi
Collaborator

prudhvigodithi commented Jan 17, 2024

Thanks @gsmith-sas, what I was trying to say was it would be great if we can refactor the chart/docker-image or show us some pointers on how to still make it work with OpenShift enforcements. @gsmith-sas, can you please elaborate more, or are you open to contributing, to make sure there are no issues with OpenShift and it works the same as on other clusters?

We can ignore this issue #369 as it's more related to the PA plugin writing logs to the read-only filesystem.

Adding @bbarani @peterzhuamazon @TheAlgo
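Added example, not part of the thread and not the project's code: `stat` returns "permission denied" (EACCES) when a directory on the path is not searchable by the calling UID, so this check walks an unpacked image filesystem and reports the first path component whose mode bits block a given UID and group set. The `app` directory, the UID offset and the function names are assumptions; the thread does not confirm which UID the pod ran as or where the entrypoint lives.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet the kernel applies: owner class, else group class, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_denied(root, rel_path, uid, gids):
    """Walk rel_path below root (an unpacked image filesystem) and return
    (path, reason) for the first component that blocks uid/gids, or None.
    Mode bits only: ACLs, capabilities and symlinks are not modelled."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    current = root
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        bits = class_bits(os.stat(current), uid, gids)
        if i < len(parts) - 1:
            if not bits & 1:  # directories need x (search) just to stat children
                return current, "directory not searchable"
        elif bits & 5 != 5:   # a script needs r (interpreter) and x (exec)
            return current, "file not readable and executable"
    return None

def demo():
    """Constructed tree: app/ is 0700, so only its owner can reach the script."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")  # hypothetical image working directory
    os.mkdir(app)
    script = os.path.join(app, "opensearch-docker-entrypoint.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o755)
    os.chmod(app, 0o700)
    st = os.stat(app)
    uid = st.st_uid + 12345          # constructed: any UID that is not the owner
    rel = "app/opensearch-docker-entrypoint.sh"
    before = first_denied(root, rel, uid, {st.st_gid})
    os.chmod(app, 0o750)             # grant the owning group r-x on the directory
    after = first_denied(root, rel, uid, {st.st_gid})
    return before, after

if __name__ == "__main__":
    print(demo())
```

Run against a real unpacked image, pass the UID and supplementary groups the pod's security context actually assigns instead of the constructed values.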

Projects
Status: Backlog
Development

No branches or pull requests

4 participants