OPA — mutations gatekeeper assigns pod securityContext

Jbn1233
Mar 31, 2024
```yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: security-context-all
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    labelSelector:
      matchExpressions:
        - key: skip-opa
          operator: DoesNotExist
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
    namespaces: ["secure1"]
  location: "spec.containers[name:*].securityContext"
  parameters:
    assign:
      value:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]
          add: [SETPCAP, MKNOD, AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, NET_BIND_SERVICE, SYS_CHROOT, SETFCAP, SYS_PTRACE]
        readOnlyRootFilesystem: true
        seccompProfile:
          type: RuntimeDefault
```

it is what it is…
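As an added example (not part of the post), a small Python check that walks the JSON of `kubectl get pods -n secure1 -o json` and flags containers whose securityContext does not carry the value the Assign above writes. The PodList below is constructed; pods labelled `skip-opa` are skipped because the labelSelector excludes them, and initContainers are reported separately because `spec.containers[name:*].securityContext` does not reach them.

```python
# Value the Assign writes to spec.containers[name:*].securityContext (copied from the manifest above)
EXPECTED = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {
        "drop": ["ALL"],
        "add": ["SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID",
                "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP", "SYS_PTRACE"],
    },
}

def diff_context(actual):
    """Return the EXPECTED fields a container's securityContext does not match (capability lists compared as sets)."""
    actual = actual or {}
    bad = []
    for key, want in EXPECTED.items():
        got = actual.get(key)
        if key == "capabilities":
            got = got or {}
            if set(got.get("drop") or []) != set(want["drop"]) or set(got.get("add") or []) != set(want["add"]):
                bad.append(key)
        elif got != want:
            bad.append(key)
    return bad

def audit_pods(pod_list):
    """Walk a PodList dict (shape of `kubectl get pods -o json`) and return (pod, container, problem) tuples."""
    findings = []
    for pod in pod_list["items"]:
        name = pod["metadata"]["name"]
        if "skip-opa" in pod["metadata"].get("labels", {}):
            continue  # opted out via the labelSelector; the mutation never applied here
        for c in pod["spec"].get("containers", []):
            for field in diff_context(c.get("securityContext")):
                findings.append((name, c["name"], field))
        # location covers spec.containers only, so initContainers keep whatever the author set
        for c in pod["spec"].get("initContainers", []):
            if diff_context(c.get("securityContext")):
                findings.append((name, c["name"], "initContainer not covered by mutation"))
    return findings

# Constructed sample PodList: one correctly mutated pod, one opted out, one with drift
SAMPLE = {"items": [
    {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "app", "securityContext": dict(EXPECTED)}]}},
    {"metadata": {"name": "debug", "labels": {"skip-opa": "true"}}, "spec": {"containers": [{"name": "sh"}]}},
    {"metadata": {"name": "job"}, "spec": {"initContainers": [{"name": "init"}],
        "containers": [{"name": "work", "securityContext": {**EXPECTED, "readOnlyRootFilesystem": False}}]}},
]}

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE):
        print("%s/%s: %s" % finding)
```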

Very short and simple notes for CKA/SRE; they may not work in your environment | jbn1233@gmail.com | Bangkok, Thailand |