I want to set AllowPrivilegeEscalation to false in a non-privileged container that is running with the CAP_SYS_ADMIN capability. As per the docs: "AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN." In this case, will it be set to true or false?
As you already found in the docs:
"AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN."
In your case the container has CAP_SYS_ADMIN, so it would have AllowPrivilegeEscalation set to true.
This behavior is also explained in more detail in the AllowPrivilegeEscalation design document.
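The rule quoted in the answer can be turned into a manifest check that flags containers where a requested `allowPrivilegeEscalation: false` does not take effect. This is an added example, not part of the original answer or of Kubernetes itself; the function names and the sample pod spec are constructed for illustration, and it assumes that an unset field behaves as true and that `ALL` in `capabilities.add` includes CAP_SYS_ADMIN.

```python
# Added example: applies the documented rule to a pod spec given as a dict.
# Function names and SAMPLE_POD_SPEC are constructed, not from the page.

def _grants_sys_admin(sc):
    """True if capabilities.add includes CAP_SYS_ADMIN (manifests usually
    write it as SYS_ADMIN) or ALL, which is assumed to include it."""
    added = (sc.get("capabilities") or {}).get("add") or []
    names = set()
    for cap in added:
        cap = cap.upper()
        names.add(cap[4:] if cap.startswith("CAP_") else cap)
    return "SYS_ADMIN" in names or "ALL" in names

def effective_ape(sc):
    """Return (effective AllowPrivilegeEscalation, reason) for one container."""
    sc = sc or {}
    if sc.get("privileged"):
        return True, "privileged"
    if _grants_sys_admin(sc):
        return True, "CAP_SYS_ADMIN"
    requested = sc.get("allowPrivilegeEscalation")
    if requested is None:
        return True, "unset"  # assumption: unset means no_new_privs is not set
    return bool(requested), "as requested"

def audit(pod_spec):
    """List (container name, reason) where a requested false is not effective."""
    findings = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            effective, reason = effective_ape(sc)
            if sc.get("allowPrivilegeEscalation") is False and effective:
                findings.append((c["name"], reason))
    return findings

# Constructed sample: "mounter" mirrors the situation in the question.
SAMPLE_POD_SPEC = {
    "containers": [
        {"name": "mounter", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"add": ["SYS_ADMIN"]}}},
        {"name": "web", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]}}},
    ],
}

if __name__ == "__main__":
    print(audit(SAMPLE_POD_SPEC))
```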