For other map types, applications using bpfman can run in unprivileged mode; however, perf event arrays require some capabilities. What is the minimum set of Linux capabilities required for a pod to access a perf event array mounted by bpfman? It was expected that CAP_PERFMON would be sufficient, but it doesn't seem to work without a privileged pod.
Is this a kernel bug, just the way it is, or something unique in the way that the Cilium code accesses the maps?
Since one of the goals of bpfman is to allow eBPF-based applications to drop capabilities, we need to understand how it works now and whether anything can be done in the future.
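To narrow down which capability is actually missing, the following diagnostic (an added example, not bpfman's or Cilium's own code) performs the three syscalls a consumer of a pinned perf event array makes and reports the first one that fails under the current capability set. The pin path under /sys/fs/bpf is an assumption; bpfman's real path will differ.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>
#include <linux/perf_event.h>

/* Step that failed last; NULL when probe_pinned_perf_map() succeeded. */
const char *probe_failed_step = NULL;

static long sys_bpf(int cmd, union bpf_attr *attr) { return syscall(__NR_bpf, cmd, attr, sizeof(*attr)); }

/* Runs the three syscalls a perf-event-array consumer needs and returns 0 or the
 * errno of the first failure, so an EPERM/EACCES can be tied to one step:
 *  1. bpf(BPF_OBJ_GET) on the pinned path (bpf() access plus bpffs file permission)
 *  2. perf_event_open(PERF_COUNT_SW_BPF_OUTPUT) on CPU 0 (perf access)
 *  3. bpf(BPF_MAP_UPDATE_ELEM) storing the perf fd in slot 0 (map write access) */
int probe_pinned_perf_map(const char *pin_path) {
    union bpf_attr attr;
    struct perf_event_attr pe;
    uint32_t key = 0;
    int e = 0;
    probe_failed_step = NULL;
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (uint64_t)(uintptr_t)pin_path;
    int map_fd = (int)sys_bpf(BPF_OBJ_GET, &attr);
    if (map_fd < 0) { probe_failed_step = "bpf(BPF_OBJ_GET)"; return errno; }
    memset(&pe, 0, sizeof(pe));
    pe.type = PERF_TYPE_SOFTWARE; pe.size = sizeof(pe); pe.config = PERF_COUNT_SW_BPF_OUTPUT;
    pe.sample_type = PERF_SAMPLE_RAW; pe.sample_period = 1; pe.wakeup_events = 1;
    int perf_fd = (int)syscall(__NR_perf_event_open, &pe, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
    if (perf_fd < 0) { e = errno; probe_failed_step = "perf_event_open"; close(map_fd); return e; }
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)map_fd; attr.flags = BPF_ANY;
    attr.key = (uint64_t)(uintptr_t)&key; attr.value = (uint64_t)(uintptr_t)&perf_fd;
    if (sys_bpf(BPF_MAP_UPDATE_ELEM, &attr) < 0) { e = errno; probe_failed_step = "bpf(BPF_MAP_UPDATE_ELEM)"; }
    close(perf_fd); close(map_fd);
    return e;
}

int main(int argc, char **argv) {
    /* The default pin path is an assumption; pass bpfman's real pin path as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/sys/fs/bpf/example/perf_events";
    int e = probe_pinned_perf_map(path);
    if (e) printf("%s failed: %s\n", probe_failed_step, strerror(e)); else puts("all three steps succeeded");
    return e ? 1 : 0;
}
```

Running it inside the pod with different capability sets (for example, only CAP_PERFMON, then CAP_PERFMON plus CAP_BPF) shows which step each set unblocks.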