Re: [PATCH v2 bpf-next 2/3] bpf: implement CAP_BPF


On 29/08/2019 at 19:30, Alexei Starovoitov wrote:
[snip]
> These are the links showing that k8 can delegate caps.
> Are you saying that you know of folks who specifically
> delegate cap_sys_admin and cap_net_admin _only_ to a container to run bpf in there?
> 
Yes, we need cap_sys_admin only to load bpf:
tc filter add dev eth0 ingress matchall action bpf obj ./tc_test_kern.o sec test

I'm not sure I understand why cap_net_admin is not enough to run the previous
command (i.e. why load is forbidden).

I want to avoid sys_admin, thus cap_bpf will be ok. But we need to manage the
backward compatibility.

Regards,
Nicolas


