diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
new file mode 100644
index 000000000..f7a14511d
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Mutate K8s Container to drop all capabilities",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/c873b3ba-c605-42e4-a64b-a142a93826fc",
+ "name": "c873b3ba-c605-42e4-a64b-a142a93826fc"
+}
\ No newline at end of file
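Review bot: The description's second sentence, "This drops all capabilities for k8s linux containers", over-claims relative to what the first sentence says the mutation does. Appending "ALL" to `securityContext.capabilities.drop` does not remove anything a container explicitly lists under `securityContext.capabilities.add` (Kubernetes applies `add` after `drop`), and a container with `privileged: true` keeps every capability regardless of `drop`; the mutation YAML is fetched from the URL and is not in this diff, so I cannot confirm whether it also clears `add`. Suggest stating the limits so assigners do not treat this as enforcement: `"description": "Mutates securityContext.capabilities.drop to add in \"ALL\" for k8s linux containers. Capabilities explicitly listed in securityContext.capabilities.add, and privileged containers, are not affected; pair with an audit or deny capabilities policy to enforce."`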
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
new file mode 100644
index 000000000..f5d3d73a3
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Mutate K8s Init Container to drop all capabilities",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/c812272d-7488-495f-a505-047d34b83f58",
+ "name": "c812272d-7488-495f-a505-047d34b83f58"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
new file mode 100644
index 000000000..c29c906b9
--- /dev/null
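Review bot: With `allowedValues` limited to `Mutate` and `Disabled`, nothing in this definition audits or denies, so it gives no compliance signal for init containers that already run with capabilities: the `effect` description says the mutation happens "when creating or updating", which means pods admitted before the assignment keep their capabilities until they are re-created, and any request the mutating webhook does not process (for example while it is unavailable, depending on the cluster's webhook failure policy, which is not visible here) passes through unchanged. The `excludedNamespaces` default also means workloads in `kube-system`, `gatekeeper-system` and `azure-arc` are never touched, which is reasonable but worth stating to assigners. I would extend the parameter text to `"description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating; resources admitted before assignment are not changed until they are re-created. 'Disabled' turns off the policy."` and note in the policy description that this definition and its container counterpart together cover `containers` and `initContainers` only, not `ephemeralContainers`.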
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Mutate K8s Container to drop all capabilities",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/c873b3ba-c605-42e4-a64b-a142a93826fc",
+ "name": "c873b3ba-c605-42e4-a64b-a142a93826fc"
+}
\ No newline at end of file
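Review bot: The behavior of this policy lives entirely in the remote `mutationInfo.url` (`sourceType: PublicURL`, `.../v1/mutation.yaml`), which is referenced by path only with no digest or other content pin, so what a cluster actually applies cannot be reviewed from this definition and can change without this file changing. The same definition id (c873b3ba-…) appears in the Azure Government variant earlier in this diff pointing at `store.policy.azure.us` with the same path, so the two stores have to be published in lockstep or the clouds silently diverge in what is mutated. I would check the mutation YAML into the repo next to this definition so the `Assign` can be reviewed, or at minimum make the description name the exact target so assigners know what to expect: `"description": "Mutates spec.containers[*].securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers"` (the exact path is my inference from the displayName and should be confirmed against the YAML).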
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
new file mode 100644
index 000000000..1ae114fd9
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Mutate K8s Init Container to drop all capabilities",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/c812272d-7488-495f-a505-047d34b83f58",
+ "name": "c812272d-7488-495f-a505-047d34b83f58"
+}
\ No newline at end of file
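Review bot: The description restricts the intent to "k8s linux init containers", but the only scoping visible in this definition is the `managedClusters` type match and the `excludedNamespaces` list; whether Windows pods are skipped depends entirely on the match block of the remote mutation YAML, which is not in the diff. That matters because recent Kubernetes API validation rejects `securityContext.capabilities` on pods that declare `spec.os.name: windows`, so a mutation applied to such a pod would cause the admission request to fail rather than be a harmless no-op (please confirm against the YAML and the target cluster versions). I would either have the description say how Windows pods are handled, e.g. `"description": "Mutates securityContext.capabilities.drop to add in \"ALL\" on Linux init containers; Windows pods are not mutated. This drops all capabilities for k8s linux init containers"`, or document the gap if the mutation does not distinguish them.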