CFP: `cilium connectivity test` to support dropping capabilities
Cilium Feature Proposal
Is your proposed feature related to a problem?
It is currently not possible to run `cilium connectivity test` when the PodSecurity admission controller enforces anything above `privileged`. This is the case for Talos by default, see https://www.talos.dev/v1.6/kubernetes-guides/configuration/pod-security/
You will get errors like these for the DaemonSets (and no Pods will be created):
```
pods "host-netns-9bz74" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "host-netns" must not include "NET_RAW" in securityContext.capabilities.add), host namespaces (hostNetwork=true)
```
or
```
(container "echo-external-node" must set securityContext.capabilities.drop=["ALL"]; container "echo-external-node" must not include "NET_RAW" in securityContext.capabilities.add)
```
Describe the feature you'd like
Command-line arguments like the ones we have for the Helm chart (`securityContext.capabilities.cleanCiliumState` and `securityContext.capabilities.ciliumAgent`) when running `cilium connectivity test`.
An alternative is to disable enforcement for the namespace:
```
kubectl label namespace cilium-test pod-security.kubernetes.io/enforce=privileged
```
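To make the two errors above concrete, here is an added example (not cilium-cli code, and not the real connectivity-test manifests) that implements the subset of the Kubernetes Pod Security Standards the admission errors quote: the baseline ban on host namespaces and on adding capabilities outside the baseline default list, and the restricted requirement that every container drop `ALL`. The pod specs are constructed from the error messages in this issue, and the "hardened" spec is an assumption about what a capability-dropping option would have to emit.

```python
"""Capability and host-namespace checks from the Pod Security Standards
(baseline / restricted), sufficient to reproduce the two PodSecurity
errors quoted in this issue. Added example, not cilium-cli code."""

# Capabilities the baseline policy lets a container add
# (Pod Security Standards, "Capabilities (Baseline)"). NET_RAW is absent.
BASELINE_ADD_ALLOWED = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}
# Restricted: drop ALL, and only NET_BIND_SERVICE may be added back.
RESTRICTED_ADD_ALLOWED = {"NET_BIND_SERVICE"}


def check_pod(spec, level):
    """Return the PodSecurity violations for pod `spec` at `level`
    ('privileged', 'baseline' or 'restricted'); [] means admitted.
    Only the host-namespace and capability rules are implemented."""
    if level == "privileged":
        return []
    if level not in ("baseline", "restricted"):
        raise ValueError(f"unknown PodSecurity level {level!r}")

    violations = []
    # Baseline (and therefore restricted) forbids sharing host namespaces.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"host namespaces ({field}=true)")

    allowed = BASELINE_ADD_ALLOWED if level == "baseline" else RESTRICTED_ADD_ALLOWED
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        bad = [cap for cap in caps.get("add", []) if cap not in allowed]
        if bad:
            quoted = ", ".join(f'"{cap}"' for cap in bad)
            violations.append(
                f'non-default capabilities (container "{c["name"]}" must not '
                f"include {quoted} in securityContext.capabilities.add)"
            )
        if level == "restricted" and "ALL" not in caps.get("drop", []):
            violations.append(
                f'container "{c["name"]}" must set '
                'securityContext.capabilities.drop=["ALL"]'
            )
    return violations


# Constructed from the two errors quoted in the issue (not the real manifests).
HOST_NETNS = {
    "hostNetwork": True,
    "containers": [{"name": "host-netns",
                    "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}],
}
ECHO_EXTERNAL_NODE = {
    "containers": [{"name": "echo-external-node",
                    "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}],
}
# Assumed shape of what a capability-dropping option would produce:
# no host namespaces, nothing added, ALL dropped.
HARDENED_ECHO = {
    "containers": [{"name": "echo-external-node",
                    "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for name, spec in (("host-netns", HOST_NETNS),
                       ("echo-external-node", ECHO_EXTERNAL_NODE),
                       ("echo-external-node (hardened)", HARDENED_ECHO)):
        for level in ("baseline", "restricted"):
            print(f"{name} @ {level}: {check_pod(spec, level) or 'admitted'}")
```

Running it shows why a namespace exemption is currently the only way out: `echo-external-node` is rejected only for its capabilities and passes both levels once it adds nothing and drops `ALL`, whereas `host-netns` still fails baseline on `hostNetwork=true` even with every capability dropped. The real `restricted` profile additionally requires `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and a `seccompProfile`, which this checker does not model.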
This is a great suggestion! We should totally thin down the set of privileges required by the connectivity test pods.
FYI, I'm moving this issue over to the https://github.com/cilium/cilium-cli/ repository.