From d80318301d51b75fc8e4c660f5f87b50c1d7c701 Mon Sep 17 00:00:00 2001
From: r3m8
Date: Sun, 14 Dec 2025 04:39:44 +0100
Subject: [PATCH] docs(cilium): update documentation for unprivileged agent configuration (#12628)
---
 docs/CNI/cilium.md | 8 ++++++++
 inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/docs/CNI/cilium.md b/docs/CNI/cilium.md
index 94add4e4a..4fc03f573 100644
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@@ -1,5 +1,13 @@
 # Cilium
 
+## Unprivileged agent configuration
+
+By default, Cilium is installed with `securityContext.privileged: false`. You need to set the `kube_owner` variable to `root` in the inventory:
+
+```yml
+kube_owner: root
+```
+
 ## IP Address Management (IPAM)
 
 IP Address Management (IPAM) is responsible for the allocation and management of IP addresses used by network endpoints (container and others) managed by Cilium. The default mode is "Cluster Scope".
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index cb9fa2438..1a18db527 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -22,7 +22,8 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
 
-# This is the user that owns tha cluster installation.
+# This is the user that owns the cluster installation.
+# Note: cilium needs to set kube_owner to root https://kubespray.io/#/docs/CNI/cilium?id=unprivileged-agent-configuration
 kube_owner: kube
 
 # This is the group that the cert creation scripts chgrp the
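Review bot: The added note in k8s-cluster.yml, `# Note: cilium needs to set kube_owner to root ...`, reads as if Cilium changes the variable itself, while the sample default on the next line stays `kube_owner: kube`; it is the operator who has to override it. I would word it as `# Note: when kube_network_plugin is cilium, set kube_owner to root (the agent runs with securityContext.privileged: false), see https://kubespray.io/#/docs/CNI/cilium?id=unprivileged-agent-configuration`. Neither this comment nor the new section in docs/CNI/cilium.md says which files or directories the ownership change affects, which someone hardening a cluster would want to know before switching the owner to root. Nothing in this patch shows a preflight check for the cilium and kube_owner combination, so a deployment that keeps the sample value presumably fails only at runtime; an assert in the pre-install validation would surface the mismatch earlier.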