On 9/4/19 8:16 AM, Daniel Borkmann wrote:
> opening/creating BPF maps" error="Unable to create map
> /run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted"
> subsys=daemon
> 2019-09-04T14:11:47.28178666Z level=fatal msg="Error while creating
> daemon" error="Unable to create map
> /run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted"
> subsys=daemon

Ok. We have to include caps in both cap_sys_admin and cap_bpf then.

> And /same/ deployment with reverted patches, hence no CAP_BPF gets it up
> and running again:
>
> # kubectl get pods --all-namespaces -o wide

Can you share what these magic commands do underneath?
What user do they pick to start under? And what caps are granted?