Add Drop Unused Capabilities Policy

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

generic/kyverno/kyverno-drop-unused-capabilities.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: drop-unused-capabilities
+  namespace: default
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: drop-unused-capabilities
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      preconditions:
+        all:
+          - key: "{{ request.operation || 'BACKGROUND' }}"
+            operator: NotEquals
+            value: DELETE
+      validate:
+        message: "Unused capabilities 'CAP-1', 'CAP-2' should be dropped."
+        deny:
+          conditions:
+            all:
+              - key: [ "CAP-1", "CAP-2" ]
+                operator: AnyNotIn
+                value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.drop[] }}"