Adjust kernel capabilities when ebpf mgr is in use

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>

Author: msherif1234

controllers/ebpf/internal/permissions/permissions.go

@@ -19,6 +19,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
+// AllowedCapabilities description of what capabilities netobserv requires when running w/o ebpf manager
+// BPF: Allows netobserv to use eBPF programs and maps.
+// PERFMON: Allows access to perf monitoring and profiling features.
+// NET_ADMIN: required for TC programs to attach/detach to/from qdisc and for TCX hooks.
+// SYS_RESOURCE: allows a process to override resource limits and manage system-wide resource usage.
 var AllowedCapabilities = []v1.Capability{"BPF", "PERFMON", "NET_ADMIN", "SYS_RESOURCE"}
 
 // Reconciler reconciles the different resources to enable the privileged operation of the
@@ -164,6 +169,10 @@ func (c *Reconciler) reconcileOpenshiftPermissions(
 	if desired.Privileged {
 		scc.AllowPrivilegedContainer = true
 		scc.AllowHostDirVolumePlugin = true
+		scc.ReadOnlyRootFilesystem = true
+		if helper.IsAgentFeatureEnabled(desired, flowslatest.EbpfManager) {
+			scc.RequiredDropCapabilities = []v1.Capability{"ALL"}
+		}
 	} else {
 		scc.AllowedCapabilities = AllowedCapabilities
 	}