Re: [PATCH v2 bpf-next 2/3] bpf: implement CAP_BPF
From: Alexei Starovoitov <hidden>
Date: 2019-09-04 15:22:10
Also in:
bpf, netdev
On 9/4/19 8:16 AM, Daniel Borkmann wrote:
> opening/creating BPF maps" error="Unable to create map /run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted" subsys=daemon
> 2019-09-04T14:11:47.28178666Z level=fatal msg="Error while creating daemon" error="Unable to create map /run/cilium/bpffs/tc/globals/cilium_lxc: operation not permitted" subsys=daemon
Ok. We have to include caps in both cap_sys_admin and cap_bpf then.
> And /same/ deployment with reverted patches, hence no CAP_BPF gets it up and running again:
> # kubectl get pods --all-namespaces -o wide
Can you share what these magic commands do underneath? What user do they pick to start under? And what caps are granted?