apiVersion: v1
kind: Pod
metadata:
  name: goodpod01
  namespace: staging-ns
spec:
  containers:
  - name: container01
    image: nginx:1.1.9
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        add:
        - SYS_ADMIN
        drop:
        - ALL