cri-o: Setcap doesn't work with cri-o v1.24.1

What happened?

A test with a non-root container fails on master:

  vm-002 ~ # kubectl exec -it alpine-test-kc2c5 -- sh
  ~ $ id
  uid=1000(1000) gid=3000
  ~ $ getcap /sbin/ip
  /sbin/ip cap_net_admin=eip
  ~ $ /sbin/ip addr add 10.10.10.10/32 dev lo
  RTNETLINK answers: Operation not permitted

The /sbin/ip has cap_net_admin=eip and this works on earlier versions. We have a requirement on non-root containers, but we must use the ip command in multi-network setups.

I thought this was K8s, but it was my upgrade of cri-o, v1.22.0 -> v1.24.1.

Please see https://github.com/kubernetes/kubernetes/issues/111196.

Everything is there and it’s late so I don’t want to repeat it.

What did you expect to happen?

Works as for cri-o v1.22.0

How can we reproduce it (as minimally and precisely as possible)?

Please see https://github.com/kubernetes/kubernetes/issues/111196.

Anything else we need to know?

No response

CRI-O and Kubernetes version

  23:17:59 Server Version: v1.24.3
  23:17:59 Linux 5.18.1 #8 SMP PREEMPT_DYNAMIC Sat Jun 18 12:53:37 CEST 2022
  23:17:59 CNI-plugin; bridge
  23:17:59 Proxy-mode: "ipvs"
  23:17:59 crio version 1.24.1

OS version

Own BusyBox Linux

Additional environment details (AWS, VirtualBox, physical, etc.)

Kvm VMs

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 17 (8 by maintainers)
