
fix: correct capabilities drop value to "ALL" for PodSecurity restricted compliance#804

Open
RTJoe wants to merge 2 commits intoopen-feature:mainfrom
RTJoe:main

Conversation

@RTJoe RTJoe commented Feb 23, 2026


## This PR

Fixes the injected `flagd` sidecar container failing admission under Kubernetes PodSecurity `restricted` policy.

When the operator injects the `flagd` sidecar via `generateBasicFlagdContainer()`, the `getSecurityContext()` function set `capabilities.drop` to `"all"` (lowercase):

```go
Capabilities: &corev1.Capabilities{
    Drop: []corev1.Capability{
        "all",  // ❌ lowercase — PSA rejects this
    },
},
```

The Kubernetes Pod Security Admission controller performs a case-sensitive comparison against the constant `capabilityAll = "ALL"` in `check_capabilities_restricted.go`:

```go
if c == capabilityAll { // exact match: "ALL" != "all"
```

This means any namespace enforcing `pod-security.kubernetes.io/enforce: restricted` rejects all pods with an injected flagd sidecar with:

```
pods "<name>" is forbidden: violates PodSecurity "restricted:v1.24":
unrestricted capabilities (container "flagd" must set securityContext.capabilities.drop=["ALL"])
```

This PR changes the drop value to uppercase `"ALL"` to match the exact value required by the PSA restricted policy check:

```go
Capabilities: &corev1.Capabilities{
    Drop: []corev1.Capability{
        "ALL",  // ✅ matches capabilityAll constant in PSA
    },
},
```

## Related Issues

## Notes

This affects all users running clusters with PodSecurity restricted enforcement on namespaces where the operator injects the flagd sidecar. There is no behaviour change to flagd itself — capabilities were always intended to be fully dropped, per the existing comment in the code.

## How to test

1. Create a namespace with `pod-security.kubernetes.io/enforce: restricted`
2. Deploy a pod with the `openfeature.dev/enabled: "true"` annotation so the operator injects the flagd sidecar
3. Confirm the pod is admitted successfully and the flagd container has `securityContext.capabilities.drop=["ALL"]`

Signed-off-by: Joe <97225889+RTJoe@users.noreply.github.com>
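To make the admission failure reproducible without a cluster, here is an added, stand-alone Go model of the restricted profile's capabilities rule. It is not code from the operator, from `flagdinjector.go`, or from the Kubernetes `pod-security-admission` package; the `Capability`, `Capabilities`, `SecurityContext` and `Container` types are deliberately minimal stand-ins for the `corev1` types so the file builds without the Kubernetes module, and `checkCapabilitiesRestricted`, `allowedAdd` and `flagdSidecar` are names chosen for this illustration. It runs the check over a sidecar-shaped container with the old `"all"` value and the fixed `"ALL"` value, and also covers the two related ways a container can fail the same rule (no `securityContext` at all, and adding back anything other than `NET_BIND_SERVICE`).

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the k8s.io/api/core/v1 types the operator uses
// (Capability, Capabilities, SecurityContext, Container). Defined here so
// the example runs without the Kubernetes module dependency.
type Capability string

type Capabilities struct {
	Add  []Capability
	Drop []Capability
}

type SecurityContext struct {
	Capabilities *Capabilities
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

// capabilityAll mirrors the constant the PSA restricted check compares
// against. The comparison is plain string equality: "all" != "ALL".
const capabilityAll Capability = "ALL"

// allowedAdd lists the only capability the restricted profile lets a
// container add back after dropping ALL.
var allowedAdd = map[Capability]bool{"NET_BIND_SERVICE": true}

// checkCapabilitiesRestricted models the restricted profile's capabilities
// rule for a single container (simplified from the real check, which walks
// every container and initContainer of the pod): drop must contain "ALL"
// and add may contain only NET_BIND_SERVICE. It returns "" when the
// container would be admitted, otherwise a message shaped like the PSA
// forbidden reason.
func checkCapabilitiesRestricted(c Container) string {
	droppedAll := false
	var forbiddenAdds []string
	if c.SecurityContext != nil && c.SecurityContext.Capabilities != nil {
		for _, d := range c.SecurityContext.Capabilities.Drop {
			if d == capabilityAll { // exact, case-sensitive match
				droppedAll = true
			}
		}
		for _, a := range c.SecurityContext.Capabilities.Add {
			if !allowedAdd[a] {
				forbiddenAdds = append(forbiddenAdds, fmt.Sprintf("%q", a))
			}
		}
	}

	var problems []string
	if !droppedAll {
		problems = append(problems,
			fmt.Sprintf(`container %q must set securityContext.capabilities.drop=["ALL"]`, c.Name))
	}
	if len(forbiddenAdds) > 0 {
		problems = append(problems,
			fmt.Sprintf("container %q must not include %s in securityContext.capabilities.add",
				c.Name, strings.Join(forbiddenAdds, ", ")))
	}
	if len(problems) == 0 {
		return ""
	}
	return "unrestricted capabilities (" + strings.Join(problems, "; ") + ")"
}

// flagdSidecar builds a container shaped like the injected flagd sidecar,
// parameterised on the drop value so "all" and "ALL" can be compared.
func flagdSidecar(drop Capability) Container {
	return Container{
		Name: "flagd",
		SecurityContext: &SecurityContext{
			Capabilities: &Capabilities{Drop: []Capability{drop}},
		},
	}
}

func main() {
	for _, drop := range []Capability{"all", "ALL"} {
		if msg := checkCapabilitiesRestricted(flagdSidecar(drop)); msg != "" {
			fmt.Printf("drop=%q -> forbidden: %s\n", drop, msg)
		} else {
			fmt.Printf("drop=%q -> admitted\n", drop)
		}
	}
}
```

The point worth keeping in mind from the model: the API server's schema validation treats `capabilities.drop` as a free-form list of strings, so a lowercase `"all"` is stored without complaint and the mismatch only surfaces when a namespace actually enforces the restricted profile. A unit test that asserts the injected container's drop list contains the exact string `"ALL"` catches this before it reaches a cluster.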
@gemini-code-assist

Summary of Changes

Hello @RTJoe, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue where the flagd sidecar, when injected by the operator, failed Kubernetes Pod Security Admission (PSA) under the restricted policy. The failure was due to a case-sensitive mismatch in the capabilities.drop value, which was incorrectly set to "all" instead of the required "ALL". This fix ensures that pods with the injected flagd sidecar are successfully admitted in restricted namespaces, maintaining the intended security posture without functional changes to flagd itself.

Highlights

  • PodSecurity Restricted Compliance: Corrected the capabilities.drop value from lowercase "all" to uppercase "ALL" in the flagd sidecar injection logic to ensure compliance with Kubernetes Pod Security Admission restricted policy.
Changelog
  • internal/common/flagdinjector/flagdinjector.go
    • Updated the capabilities.drop value from "all" to "ALL" to meet Kubernetes Pod Security Admission restricted policy requirements.
Activity
  • No specific activity (comments, reviews, progress) has been recorded for this pull request yet.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly fixes the capabilities.drop value to "ALL" to comply with Kubernetes PodSecurity restricted policy. The change is well-explained in the description. However, the associated unit tests in internal/common/flagdinjector/flagdinjector_test.go have not been updated to reflect this change, which will cause the test suite to fail. Please update the tests to ensure they pass and validate the new behavior.

Signed-off-by: Joe <97225889+RTJoe@users.noreply.github.com>

RTJoe commented Feb 24, 2026

/Gemini can you create an Issue for this PR to get a little more exposure?

@gemini-code-assist

Hello @RTJoe, I appreciate you reaching out! However, I am unable to create an issue for this pull request. My current capabilities are limited to providing code reviews, summarizing pull requests, and responding to comments when explicitly tagged. You can find a list of supported commands in the "Using Gemini Code Assist" section above or by using the /gemini help command. If you'd like to create an issue, you would need to do so manually through the GitHub interface.


RTJoe commented Feb 24, 2026

/gemini can you re-run the E2E Tests now that I have fixed the unit tests?

@gemini-code-assist

Hello @RTJoe, I appreciate you reaching out! However, I am unable to re-run E2E tests. My current capabilities are limited to providing code reviews, summarizing pull requests, and responding to comments when explicitly tagged. You can find a list of supported commands in the "Using Gemini Code Assist" section above or by using the /gemini help command. If you'd like to re-run tests, you would need to do so manually through your CI/CD system or GitHub Actions interface.
