Related to this: flyte seems to always add a SYS_PTRACE capability to the "primary" container. Although I can remove the capability by specifying drop=SYS_PTRACE (as in the definition above), the add-statement will nevertheless remain in the final pod manifest and k8s admission controller will complain about it and won't accept the pod definition (if enforce=restricted or enforce=baseline policy is activated). Is there a way to control the final pod manifests without modifying the source code?