Background
We want to ensure that some capabilities (e.g. SYS_NICE) are enabled when certain devices are used.
Which capabilities to enable depends on the kind of device, and this is hard to manage with the Kubernetes Pod Security Standards or other policies.
It would be nice to manage capabilities on the runtime side depending on the actually attached device, without mutating the pod's manifest.
It would also be helpful to be able to forcibly drop capabilities as runtime operators want.
Proposal
CreateContainer