From dfd193af73d686148a701865a39445d7d6d13271 Mon Sep 17 00:00:00 2001
From: Oleksandr Turytsia
Date: Wed, 26 Nov 2025 10:36:10 +0100
Subject: [PATCH] chore: replaced privileged with fine grained capabilities
---
 deploy/helm/templates/obi/daemon-set.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/deploy/helm/templates/obi/daemon-set.yaml b/deploy/helm/templates/obi/daemon-set.yaml
index 6e7e363a..9e562a56 100644
--- a/deploy/helm/templates/obi/daemon-set.yaml
+++ b/deploy/helm/templates/obi/daemon-set.yaml
@@ -32,7 +32,21 @@ spec:
 image: "{{ include "common.image" (tuple . .Values.network_topology (tuple "image" "obi")) }}"
 imagePullPolicy: {{ .Values.network_topology.image.pullPolicy }}
 securityContext:
- privileged: true
+ runAsUser: 0
+ readOnlyRootFilesystem: true
+ capabilities:
+ add:
+ - BPF
+ - PERFMON
+ - DAC_READ_SEARCH
+ - CHECKPOINT_RESTORE
+ - NET_RAW
+ - NET_ADMIN
+ - SYS_PTRACE
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ drop:
+ - ALL
 ports:
 {{- if .Values.network_topology.config.prometheus_export }}
 - name: metrics
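Review bot: The new `capabilities.add` list still includes `SYS_ADMIN`, which covers most of what `BPF` and `PERFMON` were split out to avoid. Combined with `runAsUser: 0`, the container stays close to privileged in capability terms, even though device access and the other effects of `privileged: true` are gone. If the agent needs it only for one feature or for kernels without `CAP_BPF` (not visible from this hunk), say so next to the entry, e.g. `# SYS_ADMIN: required for <feature>; remove when unused`, or render the entry only when a chart value enables it. `SYS_PTRACE` and `NET_ADMIN` would benefit from the same one-line justification so the list can be audited later. Kubernetes documents `allowPrivilegeEscalation` as always true while the container has `CAP_SYS_ADMIN`, so dropping it is also what would make `allowPrivilegeEscalation: false` effective.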