Explicitly document the capabilities a non-root container needs to run the Kubernetes and System integrations

[cmacknz]

We frequently get asked for the configuration of the Elastic Agent container that requires the least amount of privileges for a given application. The first problem is we run as the root user by default in our reference manifests, bypassing the need to think about capabilities.

Running as root is required for several security applications, but not common observability applications. We should create or document the configuration needed to run the Kubernetes and System integrations as a non-root user in our reference YAML so we can stop having to answer these questions.

elastic-agent/deploy/kubernetes/elastic-agent-managed/elastic-agent-managed-daemonset.yaml

Lines 68 to 83 in a1fd2c9

	# The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
	# If you are using this integration, please uncomment these lines before applying.
	#capabilities:
	# add:
	# - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
	# - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
	# - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
	########################################################################################
	# The following capabilities are needed for Universal Profiling.
	# More fine graded capabilities are only available for newer Linux kernels.
	# If you are using the Universal Profiling integration, please uncomment these lines before applying.
	#procMount: "Unmasked"
	#privileged: true
	#capabilities:
	# add:
	# - SYS_ADMIN

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)