- Bug
- Resolution: Done-Errata
- Minor
- 4.12
- Low
- No
- False
-
In order to use hostPath volumes, containers in Kubernetes must be started with the privileged flag set. This is because this flag toggles an SELinux boolean that cannot be toggled by enabling any particular capability. (Empirical testing shows the same restriction does not apply to emptyDir volumes.)
Since the baremetal components rely on hostPath volumes for a number of purposes, this prevents many of them from running unprivileged.
However, there are a number of containers that do not use any hostPath volumes and need only an added capability, if anything. These should be specified explicitly instead of just setting privileged mode to enable everything.
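The distinction drawn above, as an added example that is not part of the bug report or the OpenShift code base: the first pod mounts a hostPath and therefore keeps `privileged: true`, while the second pod has no hostPath, runs with only an emptyDir, and grants the single capability it needs rather than full privileged mode. The pod and container names, the image reference, the host directory and the choice of `NET_RAW` as the needed capability are all assumptions for illustration.

```yaml
# Added example (not from the bug report): contrasting a container that
# genuinely needs privileged mode with one that only needs one capability.
# Names, image, host path and the NET_RAW capability are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: needs-hostpath          # assumption: a component that mounts a hostPath
spec:
  containers:
  - name: worker
    image: registry.example.com/baremetal-component:latest   # placeholder image
    securityContext:
      privileged: true          # required here: hostPath mounts need the SELinux boolean
    volumeMounts:
    - name: host-data
      mountPath: /data
  volumes:
  - name: host-data
    hostPath:
      path: /var/lib/example    # placeholder host directory
      type: DirectoryOrCreate
---
apiVersion: v1
kind: Pod
metadata:
  name: needs-one-capability    # assumption: no hostPath, only needs raw sockets
spec:
  containers:
  - name: worker
    image: registry.example.com/baremetal-component:latest   # placeholder image
    securityContext:
      privileged: false         # no blanket privilege
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]           # start from nothing...
        add: ["NET_RAW"]        # ...and add only the capability the process needs
    volumeMounts:
    - name: scratch
      mountPath: /tmp/scratch
  volumes:
  - name: scratch
    emptyDir: {}                # emptyDir does not need privileged, per the report's testing
```

When auditing a deployment, the question to ask of each container is the same one the report poses: does it mount a hostPath? If not, `privileged: true` is almost certainly broader than necessary and can be replaced by an explicit `capabilities.add` list, with `drop: ["ALL"]` and `allowPrivilegeEscalation: false` closing off the rest.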
- causes: OCPBUGS-32304 [4.17] metal3-ironic-inspector CrashLoopBackOff - /certs/ca/ironic permission denied (Closed)
- links to: RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update