Background
We want to ensure that certain capabilities (e.g. SYS_NICE) are enabled when using certain devices.
Which capabilities to enable depends on the kind of device, and it is hard to manage them in the Kubernetes Pod Security Standard or other policies.
It would be nice to manage capabilities on the runtime side depending on the actually attached device, without mutating the pod's manifest.
It would also be helpful to forcibly drop capabilities as runtime operators want.
Proposal
- Support adjusting LinuxCapabilities in CreateContainer
- The fields to adjust will follow the runtime-spec: https://github.com/opencontainers/runtime-spec/blob/main/config.md#linux-process
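As an added illustration of what such a runtime-side adjustment would compute (example code, not part of this issue, NRI or containerd): the `LinuxCapabilities` struct mirrors the five capability sets of the runtime-spec `process.capabilities` object, while `Adjust`, its per-device `grants` map and the operator `drops` list are hypothetical policy inputs. It shows the two behaviours the proposal asks for, raising capabilities only when a matching device is attached and letting a forced drop win over everything else.

```go
package main

import "strings"

// LinuxCapabilities mirrors the five sets of the runtime-spec
// process.capabilities object (declared inline to avoid a dependency).
type LinuxCapabilities struct {
	Bounding, Effective, Inheritable, Permitted, Ambient []string
}

// normalize turns "sys_nice" or "CAP_SYS_NICE" into the runtime-spec spelling.
func normalize(c string) string {
	return "CAP_" + strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_")
}

// without returns a copy of set with c removed; the caller's slice is untouched.
func without(set []string, c string) []string {
	out := make([]string, 0, len(set))
	for _, x := range set {
		if x != c {
			out = append(out, x)
		}
	}
	return out
}

// Adjust is a hypothetical runtime-side policy hook: grants maps an attached
// device path to the capabilities it needs, drops lists capabilities the
// operator forbids. A grant raises the capability in all five sets, since the
// kernel keeps an ambient capability across execve only if it is also permitted
// and inheritable. Drops run last, so a forced drop beats both the grants and
// whatever the pod manifest asked for.
func Adjust(caps LinuxCapabilities, devices []string, grants map[string][]string, drops []string) LinuxCapabilities {
	sets := []*[]string{&caps.Bounding, &caps.Effective, &caps.Inheritable, &caps.Permitted, &caps.Ambient}
	for _, dev := range devices {
		for _, c := range grants[dev] {
			for _, s := range sets {
				*s = append(without(*s, normalize(c)), normalize(c)) // copy, dedupe, add
			}
		}
	}
	for _, c := range drops {
		for _, s := range sets {
			*s = without(*s, normalize(c))
		}
	}
	return caps
}
```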