All the CNI plugins are only invoked during pod creation and deletion. If your workload needs perform any operations mentioned above at runtime, the NET_ADMIN capability is required.
There are some other functionalities that are not currently supported by any of the OpenShift components which also require NET_ADMIN capability:
-
Link state modification at runtime
-
IP/MAC modification at runtime
-
Manipulate pod’s route table or firewall rules at runtime
-
SR/IOV VF setting at runtime
-
Netlink configuration
-
For example,
ethtoolcan be used to configure things like rxvlan, txvlan, gso, tso, etc. -
Multicast
NoteIf your application works as a receiving member of IGMP groups, you need to specify the NET_ADMIN capability in the pod manifest. So that the app is allowed to assign multicast addresses to the pod interface and join an IGMP group.
-
Set
SO_PRIORITYto a socket to manipulate the 802.1p priority in ethernet frames -
Set
IP_TOSto a socket to manipulate the DSCP value of IP packets