Epic
Resolution: Unresolved
Normal
Remove requirement to run ebpf-agent privileged when integrating with bpfman
To Do
Security & Compliance
The current tech preview integration between NetObserv and eBPF Manager/bpfman requires that the ebpf-agent run as privileged. One of the stated goals of eBPF Manager is to allow applications to drop caps and run as unprivileged. We need to investigate why this restriction had to be kept in place and see if there is an opportunity to remove it.
========================================================
From Mohamed Mahmoud, the original developer of the bpfman integration:
BPFMAN was presented by our PM as a Red Hat–centralized manager responsible for securing, signing, and managing eBPF programs and related resources on OpenShift nodes, across multiple eBPF consumers. One of the primary objectives of this integration was to reduce privileges—specifically, to drop kernel capabilities for the various applications using eBPF.
In practice, however, due to a combination of issues encountered throughout the development and integration phases, we were not able to fully drop kernel capabilities for the NetObserv eBPF agent by the time we reached the final stages. The relevant permissions logic can be found here for reference:
https://github.com/netobserv/network-observability-operator/blob/main/internal/controller/ebpf/internal/permissions/permissions.go#L205
I am not sure whether this direction or positioning has changed recently. I tried to stay engaged with the BPFMAN upstream work, but my involvement was not consistent, so I eventually lost track of the latest developments.
Dropping privileges was explicitly requested by customers, so this remained an important requirement throughout the effort.