I want to set AllowPrivilegeEscalation to false in a non-privileged container that is running with the CAP_SYS_ADMIN capability. As per the docs, "AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN." In this case, will it be set to true or false?
As you already found in the docs:
AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN.
In your case the container has CAP_SYS_ADMIN, so it would have AllowPrivilegeEscalation set to true.
This behavior is also explained in more detail in the AllowPrivilegeEscalation design document.
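An added example (not from the original question or answer, and not Kubernetes' own code) that applies the documented rule as an audit check over a pod manifest: it computes the value the runtime will actually enforce and flags containers where a declared `allowPrivilegeEscalation: false` is overridden by `privileged` or an added `SYS_ADMIN` capability. The sample pod is constructed for the questioner's case; accepting the `CAP_` prefix on capability names is an assumption.

```python
from typing import Any, Dict, List, Optional


def _normalize_cap(name: str) -> str:
    # Manifests normally write "SYS_ADMIN"; also accept "CAP_SYS_ADMIN" (assumption).
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def effective_allow_privilege_escalation(security_context: Optional[Dict[str, Any]]) -> bool:
    """Value the runtime applies for one container, per the documented rule."""
    sc = security_context or {}
    caps_added = {_normalize_cap(c) for c in sc.get("capabilities", {}).get("add", [])}
    if sc.get("privileged", False) or "SYS_ADMIN" in caps_added:
        return True  # forced to true: privileged OR CAP_SYS_ADMIN
    # When the field is unset, Kubernetes defaults it to true.
    return bool(sc.get("allowPrivilegeEscalation", True))


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Report containers whose declared `false` is silently ignored."""
    findings = []
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext") or {}
        declared = sc.get("allowPrivilegeEscalation")
        if declared is False and effective_allow_privilege_escalation(sc):
            findings.append(
                f"{c['name']}: allowPrivilegeEscalation=false is ignored "
                "(privileged or CAP_SYS_ADMIN present)"
            )
    return findings


# Constructed sample: "app" matches the question (non-privileged + SYS_ADMIN),
# "sidecar" shows the setting that actually takes effect.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1.0",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"add": ["SYS_ADMIN"]}}},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
    ]},
}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```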