From 824365299e01dad12920a911a9f6f6ede3266151 Mon Sep 17 00:00:00 2001
From: Phil Gebhardt
Date: Thu, 25 Jul 2024 16:07:56 -0700
Subject: [PATCH] update description of CAP_NET_RAW capability requirement

This capability was required for Gremlin versions older than 2.18.2, because we would inherit the default capabilities of the container runtime, which sometimes included `CAP_NET_RAW`.

Incidentally, we've depended on `CAP_NET_RAW` since [2.40.1][1] for another purpose: dependency discovery (when `gremlin.collect.dns=true`).

Update the description for when and why this capability is needed.

[1]: https://www.gremlin.com/docs/release-notes-linux#2-40-1
---
 gremlin/values.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gremlin/values.yaml b/gremlin/values.yaml
index b7115f9..9687f08 100644
--- a/gremlin/values.yaml
+++ b/gremlin/values.yaml
@@ -166,9 +166,9 @@ gremlin:
 - SYS_CHROOT # Required by container drivers: docker-runc, crio-runc, containerd-runc
 # to create and enter new namespaces for Gremlin attack sidecars
- - NET_RAW # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # Not actively used by Gremlin but requested by sidecars
- # This capability will be removed in a later release
+ - NET_RAW # Required when gremlin.collect.dns=true, provides Gremlin the ability to
+ # look at DNS traffic for dependency discovery.
+ # See https://www.gremlin.com/blog/how-dependency-discovery-works-in-gremlin
 # gremlin.podSecurity.seLinuxOptions -
 # Specifies SELinux options to apply to the Gremlin Daemonset container securityContext.
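Review bot: The new `NET_RAW` comment describes the capability as conditional on `gremlin.collect.dns=true`, but the entry itself stays in the default capability list unconditionally, so every install still grants raw-socket access whether or not DNS collection is enabled; the comment should say what an operator who leaves DNS collection off can do about it. The commit message also records that this use only began in 2.40.1 and that the pre-2.18.2 reason no longer applies, neither of which reaches the values file where operators will actually read it. I would rewrite the three added comment lines as `# Required only when gremlin.collect.dns=true (dependency discovery, Gremlin 2.40.1+):`, `# lets the agent observe DNS traffic. Can be dropped from this list when DNS collection is disabled.`, `# See https://www.gremlin.com/blog/how-dependency-discovery-works-in-gremlin`. Whether the chart could instead add the capability conditionally from the collect.dns value is a template question outside this hunk, and the hunk's trailing context appears to be cut off here.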