Elastic Agent in Fleet mode has to run as root, and in the same namespace as the Elasticsearch cluster it connects to.

Due to current configuration limitations on Fleet/Elastic Agent side, ECK needs to establish trust between Elastic Agents and Elasticsearch. ECK can fetch the required Elasticsearch CA correctly if both resources are in the same namespace. To establish trust, the Pod needs to update the CA store via a call to update-ca-trust before Elastic Agent runs. To call it successfully, the Pod needs to run with elevated privileges.

Running Endpoint Security integration is not yet supported in containerized environments, like Kubernetes. This is not an ECK limitation, but the limitation of the integration itself. Note that you can use ECK to deploy Elasticsearch, Kibana and Fleet Server, and add Endpoint Security integration to your policies if Elastic Agents running those policies are deployed in non-containerized environments.