diff --git a/samples/DisallowNewCapabilities.md b/samples/DisallowNewCapabilities.md
new file mode 100644
index 0000000000..a6aa3be642
--- /dev/null
+++ b/samples/DisallowNewCapabilities.md
@@ -0,0 +1,38 @@
+# Disallow new capabilities
+
+Linux allows defining fine-grained permissions using
+capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+level of kernel access and allow other potentially dangerous behaviors. This policy 
+enforces that pods cannot add new capabilities. Other policies can be used to set 
+default capabilities. 
+
+## Policy YAML
+
+[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-new-capabilities
+spec:
+  rules:
+  - name: deny-new-capabilities
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Capabilities cannot be added"
+      anyPattern:
+      - spec:
+          securityContext:
+            capabilities:
+              X(add): null    
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              (capabilities):
+                X(add): null
+````
diff --git a/samples/best_practices/disallow_new_capabilities.yaml b/samples/best_practices/disallow_new_capabilities.yaml
new file mode 100644
index 0000000000..d197ca4ac7
--- /dev/null
+++ b/samples/best_practices/disallow_new_capabilities.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-new-capabilities
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: Linux allows defining fine-grained permissions using
+      capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+      level of kernel access and allow other potentially dangerous behaviors. This policy 
+      enforces that pods cannot add new capabilities. Other policies can be used to set 
+      default capabilities. 
+spec:
+  rules:
+  - name: deny-new-capabilities
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Capabilities cannot be added"
+      anyPattern:
+      - spec:
+          securityContext:
+            capabilities:
+              X(add): null    
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              (capabilities):
+                X(add): null
\ No newline at end of file
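Review bot: The rule only inspects `spec.containers`, so a Pod that adds capabilities through `spec.initContainers` is not caught by `deny-new-capabilities`, and the first `anyPattern` alternative (`spec.securityContext.capabilities`) can never match a real Pod because PodSecurityContext has no `capabilities` field, which leaves the container pattern doing all the work. In that container pattern `securityContext:` is a plain key while `(capabilities)` is conditional, so — if Kyverno treats a missing key as a pattern miss, as I believe it does — a container that omits `securityContext` entirely fails the pattern even though it adds nothing. Because `anyPattern` passes on the first alternative that matches, init containers must be folded into the same pattern rather than added as a further alternative; the rewrite below drops the dead pod-level alternative and does that with conditional anchors, assuming `(initContainers)` is accepted on a list-valued key in this API version. Trailing whitespace on the description lines and after `X(add): null`, plus the missing newline at EOF, should also be cleaned up. The same YAML is embedded verbatim in samples/DisallowNewCapabilities.md and needs the same change to stay in sync.
```yaml
# … unchanged: apiVersion, kind, metadata, match …
    validate:
      message: "Capabilities cannot be added"
      anyPattern:
      - spec:
          containers:
          - name: "*"
            (securityContext):
              (capabilities):
                X(add): null
          (initContainers):
          - name: "*"
            (securityContext):
              (capabilities):
                X(add): null
```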