Story
Resolution: Done
Future Sustainability
NetObserv - Sprint 267, NetObserv - Sprint 268, NetObserv - Sprint 269, NetObserv - Sprint 270, NetObserv - Sprint 271
Current required caps are:
- CAP_BPF
- CAP_PERFMON
- CAP_NET_ADMIN
- CAP_SYS_RESOURCE
But we don't document exactly why we need them / what doesn't work without them. We should do that, not only for users to understand the requirements, but also for ourselves, to make it easier to re-evaluate if they are still needed after code changes.
So we should document that, probably here: https://github.com/netobserv/netobserv-ebpf-agent/blob/1168beeb1cae55f34d8bf4d656098d41ad645592/README.md?plain=1#L85
For instance, it was asked recently why NET_ADMIN would be needed - in my understanding, this is required for the TC hooks: even though we just observe without changing anything in the network, we could do it via the TC hook, and thus this capability is involved regardless of what is done in that hook.
Also I'm not sure if PERFMON is always needed - wondering if it's just needed by the CLI for pcap
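When re-evaluating the list above, a quick way to see which of the four capabilities a running agent process actually holds is to decode the `CapEff` mask from `/proc/<pid>/status`. The following is an added example, not code from the ticket or from netobserv-ebpf-agent. The helper names and the sample status text are constructed for illustration, and the bit positions are those defined in the kernel's `linux/capability.h`.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Bit positions from include/uapi/linux/capability.h for the four
// capabilities the ticket lists as currently required.
var requiredCaps = map[string]uint{
	"CAP_NET_ADMIN": 12, "CAP_SYS_RESOURCE": 24, "CAP_PERFMON": 38, "CAP_BPF": 39,
}

// Constructed sample of /proc/<pid>/status: CAP_BPF, CAP_PERFMON and
// CAP_NET_ADMIN are granted, CAP_SYS_RESOURCE is not.
const sampleStatus = "Name:\tagent\nCapPrm:\t000000c000001000\n" +
	"CapEff:\t000000c000001000\nCapBnd:\t000000c000001000\n"

// effectiveCaps (hypothetical helper) extracts the CapEff bitmask.
func effectiveCaps(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status")
}

// missingCaps (hypothetical helper) lists required capabilities absent from mask.
func missingCaps(mask uint64) []string {
	missing := []string{}
	for name, bit := range requiredCaps {
		if mask&(uint64(1)<<bit) == 0 {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	mask, err := effectiveCaps(sampleStatus)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("CapEff=%#x missing=%v\n", mask, missingCaps(mask))
}
```

On a live node, feed `effectiveCaps` the contents of the agent's own `/proc/<pid>/status` instead of the constructed sample.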