Yes, this error message comes from the cilium eBPF library – what’s happening is that bpf(BPF_LOAD_PROG) is blocked so the eBPF program loading fails. The issue is that runc has a hard requirement for devices cgroup restrictions since it’s a fairly core security feature (we do the same for cgroupv1).
On paper we could loosen the requirement under user namespaces, but I would need to think about it a little bit more.