(Molecule) Find a way to run tests in an unprivileged Docker container

[Frzk]

All my attempts to run tests in an unprivileged container were unsuccessful.
I tried to run with:

capabilities:
  - SYS_ADMIN
  - SYS_TIME
privileged: false

which should be sufficient (?)
But we get this result:

TASK [frzk.chrony : Set up timezone] *******************************************
[WARNING]: timedatectl command was found but not usable: Failed to query
server: Connection timed out . using other method.
fatal: [instance]: FAILED! => changed=false 
  msg: |-
    Error message:
    tried to configure name using a file "/etc/sysconfig/clock", but could not write to it

PLAY RECAP *********************************************************************
instance                   : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

CRITICAL Ansible return code was 2, command was: ansible-playbook --diff --inventory /home/runner/.cache/molecule/frzk.chrony/default/inventory --skip-tags molecule-notest,notest /home/runner/work/ansible-role-chrony/ansible-role-chrony/frzk.chrony/molecule/default/converge.yml
WARNING  An error occurred during the test sequence action: 'converge'. Cleaning up.

I sadly don't have time to dive into Docker internals and whatever. So we'll run in privileged mode for now.
Any help appreciated :-)

[Frzk]

Considering https://github.com/Frzk/ansible-role-chrony/runs/2771707126?check_suite_focus=true, it seems like the given capabilities (SYS_ADMIN + SYS_TIME are not enough).

That might be a good lead.