From 7c611890c36283c8bc3b490f299c8a0fa9374299 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Thu, 6 Mar 2025 15:55:50 +0800
Subject: [PATCH] Fix: CRI-O default capabilities follow with the upstream
 (#12018)

* Fix: CRI-O default capabilities follow with the upstream

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

* Docs: CRI-O default capabilities follow with upstream

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 docs/CRI/cri-o.md                              | 2 --
 roles/container-engine/cri-o/defaults/main.yml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/docs/CRI/cri-o.md b/docs/CRI/cri-o.md
index b566ed0ac..c1db2ee43 100644
--- a/docs/CRI/cri-o.md
+++ b/docs/CRI/cri-o.md
@@ -88,12 +88,10 @@ crio_default_capabilities:
   - DAC_OVERRIDE
   - FSETID
   - FOWNER
-  - NET_RAW
   - SETGID
   - SETUID
   - SETPCAP
   - NET_BIND_SERVICE
-  - SYS_CHROOT
   - KILL
 ```
 
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 2ff6d73e9..b25142ecc 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -106,10 +106,8 @@ crio_default_capabilities:
   - DAC_OVERRIDE
   - FSETID
   - FOWNER
-  - NET_RAW
   - SETGID
   - SETUID
   - SETPCAP
   - NET_BIND_SERVICE
-  - SYS_CHROOT
   - KILL