fix: drop capability shoud be tested without case sensitivity

artifacthub/library/pod-security-policy/capabilities/1.1.2/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.1.2
+name: k8spspcapabilities
+displayName: Capabilities
+createdAt: "2025-07-25T08:00:24Z"
+description: Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+digest: 862a61c24e3b515def0bdd6cee47e2f777f62d8187e92c8048de6ee891c1e331
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/capabilities
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Capabilities
+    Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/capabilities/1.1.2/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/pod-security-policy/capabilities/1.1.2/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/pod-security-policy/capabilities/1.1.2/samples/capabilities-demo/constraint.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPCapabilities
+metadata:
+  name: capabilities-demo
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+      - "default"
+  parameters:
+    allowedCapabilities: ["something"]
+    requiredDropCapabilities: ["must_drop"]

artifacthub/library/pod-security-policy/capabilities/1.1.2/samples/capabilities-demo/disallowed_ephemeral.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  ephemeralContainers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      securityContext:
+        capabilities:
+          add: ["disallowedcapability"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/pod-security-policy/capabilities/1.1.2/samples/capabilities-demo/example_allowed.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      securityContext:
+        capabilities:
+          add: ["something"]
+          drop: ["must_drop", "another_one"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/pod-security-policy/capabilities/1.1.2/samples/capabilities-demo/example_disallowed.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      securityContext:
+        capabilities:
+          add: ["disallowedcapability"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/pod-security-policy/capabilities/1.1.2/samples/capabilities-demo/example_drop_all.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-drop-all
+  labels:
+    owner: me.agilebank.demo
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"
+      securityContext:
+        capabilities:
+          drop: ["ALL", "all"]
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

artifacthub/library/pod-security-policy/capabilities/1.1.2/samples/capabilities-demo/update.yaml

@@ -0,0 +1,26 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1beta1
+request:
+  operation: "UPDATE"
+  object:
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: opa-disallowed
+      labels:
+        owner: me.agilebank.demo
+    spec:
+      containers:
+        - name: opa
+          image: openpolicyagent/opa:0.9.2
+          args:
+            - "run"
+            - "--server"
+            - "--addr=localhost:8080"
+          securityContext:
+            capabilities:
+              add: ["disallowedcapability"]
+          resources:
+            limits:
+              cpu: "100m"
+              memory: "30Mi"

artifacthub/library/pod-security-policy/capabilities/1.1.2/suite.yaml

@@ -0,0 +1,25 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: capabilities
+tests:
+  - name: capabilities
+    template: template.yaml
+    constraint: samples/capabilities-demo/constraint.yaml
+    cases:
+      - name: example-disallowed
+        object: samples/capabilities-demo/example_disallowed.yaml
+        assertions:
+          - violations: yes
+      - name: example-allowed
+        object: samples/capabilities-demo/example_allowed.yaml
+        assertions:
+          - violations: no
+      - name: disallowed-ephemeral
+        object: samples/capabilities-demo/disallowed_ephemeral.yaml
+        assertions:
+          - violations: yes
+      - name: update
+        object: samples/capabilities-demo/update.yaml
+        assertions:
+          - violations: no