From d2a64fd67736816b959c321c6199c3b7ccdc6502 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Alvarez=20Pi=C3=B1eiro?= <95703246+emilioalvap@users.noreply.github.com>
Date: Thu, 1 Sep 2022 10:38:18 +0200
Subject: [PATCH] Add cap_net_raw requirements to heartbeat docs (#32816)

(cherry picked from commit 2aeefb90ad9ae3cb500c759cdf339720fce4ebce)
---
 heartbeat/docs/running-on-docker.asciidoc | 12 ++++++++++++
 heartbeat/docs/running-on-kubernetes.asciidoc | 19 +++++++++++++++++++
 libbeat/docs/shared-docker.asciidoc | 2 ++
 3 files changed, 33 insertions(+)

diff --git a/heartbeat/docs/running-on-docker.asciidoc b/heartbeat/docs/running-on-docker.asciidoc
index dbfcce5b489..2347e937d73 100644
--- a/heartbeat/docs/running-on-docker.asciidoc
+++ b/heartbeat/docs/running-on-docker.asciidoc
@@ -1 +1,13 @@
 include::{libbeat-dir}/shared-docker.asciidoc[]
+
+[float]
+==== Required network capabilities
+
+Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
+network capabilities to operate correctly. Ensure that the +NET_RAW+
+capability is available to the container.
+
+["source","sh",subs="attributes"]
+----
+docker run --cap-add=NET_RAW {dockerimage}
+----
\ No newline at end of file
diff --git a/heartbeat/docs/running-on-kubernetes.asciidoc b/heartbeat/docs/running-on-kubernetes.asciidoc
index 87b5c4bb395..528f0c0b45b 100644
--- a/heartbeat/docs/running-on-kubernetes.asciidoc
+++ b/heartbeat/docs/running-on-kubernetes.asciidoc
@@ -74,3 +74,22 @@ $ kubectl --namespace=kube-system get deployment/{beatname_lc}
 NAME READY UP-TO-DATE AVAILABLE AGE
 {beatname_lc} 1/1 1 1 1m
 ------------------------------------------------
+
+[float]
+==== Running {beatname_uc} as unprivileged user
+
+Under Kubernetes, {beatname_uc} can run as a non-root user, but requires some privileged
+network capabilities to operate correctly. Ensure that the +NET_RAW+
+capability is available to the container.
+
+["source","yaml",subs="attributes"]
+----
+containers:
+- name: heartbeat
+ image: {dockerimage}
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ add: [ NET_RAW ]
+----
diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc
index deff7df6a27..a4a01be88a2 100644
--- a/libbeat/docs/shared-docker.asciidoc
+++ b/libbeat/docs/shared-docker.asciidoc
@@ -74,6 +74,7 @@ ifeval::["{beatname_lc}"=="heartbeat"]
 ["source", "sh", subs="attributes"]
 --------------------------------------------
 docker run \
+--cap-add=NET_RAW \
 {dockerimage} \
 setup -E setup.kibana.host=kibana:5601 \
 -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
@@ -206,6 +207,7 @@ docker run -d \
 --name={beatname_lc} \
 --user={beatname_lc} \
 --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
+ --cap-add=NET_RAW \
 {dockerimage} \
 --strict.perms=false -e \
 -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>