ovs-cni-marker privileges

[vkatabat]

Hi,
To limit ovs-cni pod securityContext. We removed privileges=true for ovs-cni-marker. We are tried with capabilities : CAP_IPC_LOCK/CAP_NET_BIND/CAP_NET_RAW which i think are required to connect to OVS DB. Could you please suggest what the minimum capability required for ovs-cni-marker container to work?
Error Seen:
F1206 07:05:08.670471 1 main.go:84] Failed to create a new marker object: Error creating the ovsdb connection: failed to connect to ovsdb error: failed to connect to ovsdb error: failed to connect to endpoints ["unix:/host/var/run/openvswitch/db.sock"]: dial unix /host/var/run/openvswitch/db.sock: connect: permission denied

[phoracek]

Hello.

The network capabilities should not be needed. The marker observes available bridges through the socket only.

Regarding the error, it may be due to the container running under a regular user while the socket is only accessible for openvswitch/root. Could you share ls -lZ /var/run/openvswitch from your host, so we could check who owns the file and selinux context? On top of that, if you could share the Pod spec generated by the DaemonSet, it should tell us more about the user under which the process runs.

[kfox1111]

Is the marker required or optional?

[phoracek]

@kfox1111 it is entirely optional