OpenShift Request For Enhancement: RFE-8709

DPDK non-privileged container sysctl runtime permissions

    • Feature Request
    • Resolution: Unresolved
    • Telco Core
    • Product / Portfolio Work

      1. Background

      A DPDK container

      2. Business Impact

      • Security Risk: Running containers as root, or with the privileged flag, contradicts container security best practice and widens the attack surface, particularly in multi-tenant or production environments.
      • Deployment Challenges: Air-gapped and other hardened environments often mandate rootless, non-privileged container operation.

      A solution is needed that enables this functionality without sacrificing container isolation or compliance with industry-standard security practices.

      3. Requirements

      The partner requires a method for a non-privileged container to modify the following sysctls at runtime:

      • net.mpls.platform_labels
      • net.ipv6.route.max_size
      • net.mpls.conf.[InterfaceName].input
      • net.ipv4.conf.[InterfaceName].arp_accept

      These are modified by one of their DPDK containers, which manages routing between network providers for efficient traffic flow.
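      As an added illustration (not part of the RFE, and not a fix for it), the manifests below show how far the existing OpenShift mechanism gets toward this request: the four sysctls are allowlisted on the nodes of a MachineConfigPool through a KubeletConfig, then requested from a pod that runs as non-root with no privileged flag. The pool label custom-kubelet=dpdk-sysctls, the in-pod interface name net1, the image reference, the numeric values and the granted capabilities are assumptions chosen for the example, not values from the RFE.

```yaml
# Added example, not from the RFE. Assumptions: the target nodes are in a
# MachineConfigPool labelled custom-kubelet=dpdk-sysctls, the kernel-visible
# interface inside the pod is named net1, and the image runs as a non-root UID.
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: dpdk-routing-sysctls
spec:
  machineConfigPoolSelector:
    matchLabels:
      custom-kubelet: dpdk-sysctls
  kubeletConfig:
    # net.* sysctls are network-namespaced, so the kubelet accepts them as
    # "unsafe" once allowlisted; a trailing "*" allowlists a whole subtree,
    # which covers the per-interface entries.
    allowedUnsafeSysctls:
      - "net.mpls.platform_labels"
      - "net.ipv6.route.max_size"
      - "net.mpls.conf.*"
      - "net.ipv4.conf.*"
---
apiVersion: v1
kind: Pod
metadata:
  name: dpdk-router        # placeholder name
spec:
  securityContext:
    runAsNonRoot: true
    # Applied by CRI-O/runc inside the pod's own network namespace when the
    # container is created; values are example placeholders.
    sysctls:
      - name: net.mpls.platform_labels
        value: "1024"
      - name: net.ipv6.route.max_size
        value: "65536"
      # Interface names containing a dot (e.g. VLAN sub-interfaces) must be
      # written with "/" separators instead: net/mpls/conf/net1.100/input
      - name: net.mpls.conf.net1.input
        value: "1"
      - name: net.ipv4.conf.net1.arp_accept
        value: "1"
  containers:
    - name: router
      image: registry.example.com/dpdk-router:latest   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["NET_ADMIN", "IPC_LOCK"]   # typical DPDK needs; assumed here
```

      Three caveats for whoever evaluates this against the requirement. First, the pod's SCC must also permit these names in its allowedUnsafeSysctls; the stock restricted SCCs do not, so a custom SCC is needed in addition to the KubeletConfig. Second, the per-interface entries only exist for interfaces the kernel can see; a port bound to vfio-pci for a DPDK poll-mode driver has no net.*.conf.<name> entry at all, so only the kernel-side interfaces of the router can be tuned this way. Third, and most relevant to this RFE, pod.spec.securityContext.sysctls is applied once at container creation. Changing a value later from inside the running container still requires CAP_NET_ADMIN plus a writable /proc/sys/net, and CRI-O mounts /proc/sys read-only for non-privileged containers by default, so the "runtime" part of the request is not satisfied by the example above.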

      4. Affected Components

      • DPDK Container
      • OpenShift/Kubernetes SecurityContext Policies
      • Container Runtime Capabilities (CRI-O, Podman, etc.)
      • Node Configuration/Access Control (e.g., host mounts, SELinux, AppArmor)

      5. Rationale

      fbaudin@redhat.com Franck Baudin
      rhn-support-mmethot Marc Methot