--- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: namespace: vitastor-system name: vitastor-csi-provisioner-psp spec: allowPrivilegeEscalation: true allowedCapabilities: - 'SYS_ADMIN' fsGroup: rule: RunAsAny privileged: true runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'hostPath' allowedHostPaths: - pathPrefix: '/dev' readOnly: false - pathPrefix: '/sys' readOnly: false - pathPrefix: '/lib/modules' readOnly: true --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: vitastor-system name: vitastor-csi-provisioner-psp rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: ['vitastor-csi-provisioner-psp'] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: vitastor-csi-provisioner-psp namespace: vitastor-system subjects: - kind: ServiceAccount name: vitastor-csi-provisioner namespace: vitastor-system roleRef: kind: Role name: vitastor-csi-provisioner-psp apiGroup: rbac.authorization.k8s.io