What happened?
A PSP with an option such as the one below, afaik, doesn't require strictly dropping the capabilities in the Pod manifest. It just prevents creating Pods with such capabilities.
```yaml
requiredDropCapabilities:
- CHOWN
```
The policy created with psp-migrator for Kyverno requires strictly dropping the capability in the Pod manifest:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-nonroot-psp-requireddropcapabilities
spec:
  rules:
  - validate:
      pattern:
        spec:
          containers:
          - securityContext:
              capabilities:
                drop:
                - CHOWN
```
So there is a significant difference in logic between the original PSP and the migrated Kyverno policy.
(Or maybe I just misunderstood something?)
What policy engine were you generating a policy for
Kyverno
Relevant log output
No response