Enable netns mount for privileged pods

Signed-off-by: msherif1234 <mmahmoud@redhat.com>

controllers/ebpf/agent_controller.go

@@ -67,6 +67,8 @@ const (
 	averageMessageSize = 100
 	bpfTraceMountName  = "bpf-kernel-debug"
 	bpfTraceMountPath  = "/sys/kernel/debug"
+	bpfNetNSMountName  = "var-run-netns"
+	bpfNetNSMountPath  = "/var/run/netns"
 )
 
 type reconcileAction int
@@ -185,6 +187,25 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 	volumeMounts := c.volumes.GetMounts()
 	volumes := c.volumes.GetVolumes()
 
+	if coll.Spec.Agent.EBPF.Privileged {
+		volume := corev1.Volume{
+			Name: bpfNetNSMountName,
+			VolumeSource: corev1.VolumeSource{
+				HostPath: &corev1.HostPathVolumeSource{
+					Type: newHostPathType(corev1.HostPathDirectory),
+					Path: bpfNetNSMountPath,
+				},
+			},
+		}
+		volumes = append(volumes, volume)
+		volumeMount := corev1.VolumeMount{
+			Name:             bpfNetNSMountName,
+			MountPath:        bpfNetNSMountPath,
+			MountPropagation: newMountPropagationMode(corev1.MountPropagationBidirectional),
+		}
+		volumeMounts = append(volumeMounts, volumeMount)
+	}
+
 	if helper.IsPktDropEnabled(&coll.Spec) || helper.IsDNSTrackingEnabled(&coll.Spec) {
 		if !coll.Spec.Agent.EBPF.Privileged {
 			rlog.Error(fmt.Errorf("invalid configuration"),

controllers/ebpf/internal/permissions/permissions.go

@@ -152,6 +152,7 @@ func (c *Reconciler) reconcileOpenshiftPermissions(
 	}
 	if desired.Privileged {
 		scc.AllowPrivilegedContainer = true
+		scc.AllowHostDirVolumePlugin = true
 	} else {
 		scc.AllowedCapabilities = AllowedCapabilities
 	}