add test case (currently fails)

pkg/testrunner/testrunner_test.go

@@ -115,3 +115,7 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
+
+func Test_validate_disallow_new_capabilities(t *testing.T) {
+	testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
+}

test/resources/disallow_new_capabilities.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+spec:
+ containers:
+   - name: add-new-capabilities
+     image: "ubuntu:18.04"
+     command:
+       - /bin/sleep
+       - "300"
+     securityContext:
+       capabilities:
+         add:
+           - NET_ADMIN

test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:  
+  policy: samples/best_practices/disallow_new_capabilities.yaml
+  resource: test/resources/disallow_new_capabilities.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-new-capabilities
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: "add-new-capabilities"
+      rules:
+        - name: deny-new-capabilities
+          type: Validation
+          message: Validation rule 'deny-new-capabilities' failed at '/spec/containers/securityContext/capabilities/add' for resource Pod//capabilities. Capabilities cannot be added
+          success: false