Behaviour of drop capabilities using ALL

[qu1queee]

Quick question, if we want to set the ALL entry for the capabilities.drop , is there a difference on using ALL vs all . On PSP definitions, we use to set all, but it seems PSA is opinionated on allowing only ALL. Is there any context you can provide on this?

[joebowbeer]

The PSS/restricted spec does explicitly require 'ALL' and the Pod Security Admission controller implementation requires 'ALL' as well.

My understanding is as follows based on correspondence with @tallclair

• In practice, cri-o and containerd appear to do case-insensitive matching for the ALL keyword, but this is not guaranteed to work for other runtimes.
• Until a stricter CRI capabilities spec is championed in SIG-Node, it's preferable and arguably more correct for the PSS policies to stick to the canonical ALL capitalization. That way they will be consistent with each other as well as their own spec.
• It is very unlikely that the PSA implementation will change without a corresponding change to the CRI capabilities spec.

This is one of the axes I grind, e.g., kyverno/policies#450

[qu1queee]

@joebowbeer thanks for the prompt response.

The provided context is sufficient for my use case and general doubts, please feel free to close this issue.