---
# Pod that keeps an Alpine container asleep with the network capabilities
# needed for wg and iptables, and requests IPv6 forwarding via a pod sysctl.
apiVersion: v1
kind: Pod
metadata:
  name: alpine-sleep-netperm
spec:
  securityContext:
    # net.ipv6.conf.all.forwarding is outside the kubelet's safe sysctl set.
    # The kubelet rejects the pod with SysctlForbidden (transcript at the end
    # of this file) unless the node operator has allowed this sysctl on that
    # node (kubelet --allowed-unsafe-sysctls / allowedUnsafeSysctls).
    # Prefer allowing the exact sysctl name on dedicated nodes over a wide
    # pattern, since the allowance applies to every pod scheduled there.
    sysctls:
      - name: net.ipv6.conf.all.forwarding
        value: "1"
  containers:
    - name: alpine
      image: alpine:3.15
      args:
        - sleep
        - "1000000"
      securityContext:
        capabilities:
          # NET_ADMIN for wg
          # NET_RAW for iptables
          # Both are added on top of the runtime's default capability set;
          # nothing is dropped in this manifest. Neither capability is on the
          # Pod Security Standards "baseline" allow-list, so a namespace that
          # enforces baseline or restricted will refuse this pod.
          add:
            - "NET_ADMIN"
            - "NET_RAW"

# [12:31] nb3:generic% kubectl get pods -n testnico -w
# NAME                   READY   STATUS            RESTARTS   AGE
# alpine-sleep-netperm   0/1     SysctlForbidden   0          49s