Add default capability drop mutation policy
Feature Request
Why
Dropping capabilities from a pod or container is an excellent way to reduce the attack surface of the container if it is compromised. Big Bang by default includes a Kyverno policy that restricts pods from starting when they don't drop ALL capabilities. This is a good policy and achieves the desired security outcome, but it does require every pod (or container) securityContext to be updated to include this capability drop, often leading to forking of upstream Helm charts when they don't expose this in their values.
Proposed Solution
Similar to the issue of adding a default securityContext to pods, a policy can be written to explicitly add capabilities.drop['ALL'] when the pod or container does not otherwise specify any capability drops. Unfortunately, unlike that issue, the upstream Kyverno policy repo does not have an example, so a policy will have to be defined from scratch.
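The following ClusterPolicy is an added illustration of what such a from-scratch mutation could look like; it is not a policy shipped by Big Bang or by the upstream Kyverno policy repo. The policy name, rule names and the precondition guards are assumptions. It relies on two Kyverno strategic-merge anchors: the conditional anchor `(name): "*"` selects every container in a list, and the add-if-not-present anchor `+(drop)` writes the drop list only when the container declares none of its own, which is exactly the "does not otherwise specify any capability drops" condition above.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-capability-drop   # assumed name, not a Big Bang policy
  annotations:
    policies.kyverno.io/description: >-
      Adds capabilities.drop [ALL] to every container, initContainer and
      ephemeralContainer that does not already declare a capabilities.drop list.
spec:
  # Mutation only matters at admission time; no background scan of existing pods.
  background: false
  rules:
    - name: add-drop-all-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # "(name): "*"" is a conditional anchor: every container matches
              # and only the fields below it are merged into each one.
              - (name): "*"
                securityContext:
                  capabilities:
                    # "+(drop)" is the add-if-not-present anchor: the list is
                    # written only when the container has no drop list at all,
                    # so a chart that already drops capabilities is untouched.
                    +(drop):
                      - ALL
    - name: add-drop-all-initcontainers
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Assumed guard: skip the rule when the pod has no initContainers.
      preconditions:
        all:
          - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
            operator: GreaterThan
            value: 0
      mutate:
        patchStrategicMerge:
          spec:
            initContainers:
              - (name): "*"
                securityContext:
                  capabilities:
                    +(drop):
                      - ALL
    - name: add-drop-all-ephemeralcontainers
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Assumed guard: skip the rule when the pod has no ephemeralContainers.
      preconditions:
        all:
          - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
            operator: GreaterThan
            value: 0
      mutate:
        patchStrategicMerge:
          spec:
            ephemeralContainers:
              - (name): "*"
                securityContext:
                  capabilities:
                    +(drop):
                      - ALL
```

Two points worth checking before relying on this. First, Kyverno runs mutate rules before validate rules in the admission webhook, so a pod patched by this policy is what the existing Big Bang drop-ALL validate policy sees, and it passes; a container that declares a partial list such as `drop: [NET_RAW]` is left alone by the `+(drop)` anchor and is still rejected by the validate policy, which matches the intent of only filling in the missing case. Second, Kyverno's rule auto-generation applies the same mutation to Pod controllers (Deployment, StatefulSet, DaemonSet, Job, CronJob), so the chart's workload manifests are patched at admission rather than only the resulting pods; confirm on a test cluster with `kubectl get pod <name> -o jsonpath='{.spec.containers[*].securityContext.capabilities.drop}'` after deploying an unmodified upstream chart.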