- op: add
  path: "/spec/template/spec/containers/0/securityContext"
  value:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    readOnlyRootFilesystem: true
    runAsNonRoot: true