Issue with elastic-agent-complete on GKE Autopilot Cluster

[b2ronn]

I have a GKE Autopilot Cluster, and I'm using ECK Operator 2.9.0 to install an Elasticsearch cluster version 8.10.4 along with agents in Kubernetes. To configure the agent for synthetic tests, I'm using the following configuration:

apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: synth-tests
spec:
  deployment:
    podTemplate:
      spec:
        containers:
          - image: docker.elastic.co/beats/elastic-agent-complete:8.10.4
            name: agent
            resources:
              limits:
                cpu: '2'
                memory: 2Gi
              requests:
                cpu: '2'
                memory: 2Gi
        volumes:
          - emptyDir: {}
            name: agent-data
    replicas: 1
  fleetServerRef:
    name: fleetserver
  kibanaRef:
    name: kibana
  mode: fleet
  policyID: synthetics
  version: 8.10.4

However, when I try to run it, I encounter the following error:

cp: cannot create regular file '/usr/local/share/ca-certificates/ca.crt': Permission denied

If I run the agent with runAsUser: 0, the tests fail

job could not be initialized: script monitors cannot be run as root

PS
Additionally, GKE Autopilot Cluster doesn't permit host-path . To work around this, I'm using:

        volumes:
          - emptyDir: {}
            name: agent-data

[barkbay]

I'm using ECK Operator 2.9.0
[...]
cp: cannot create regular file '/usr/local/share/ca-certificates/ca.crt': Permission denied

This is fixed in ECK 2.10.0: #6700

PS
Additionally, GKE Autopilot Cluster doesn't permit host-path . To work around this, I'm using:

This is documented here: https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-autopilot-deploy-agent-beats.html#k8s-autopilot-deploy-agent-beats

I'm closing as I think your two comments are already addressed. Feel free to reopen if you think it's not the case.