# NOTE: kubectl get clusterrolebinding | grep vmware-system
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: contour-system-privileged
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - "*"
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
    - max: 65535
      min: 0
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - "*"

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: contour-system-privileged
rules:
  - apiGroups:
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - contour-system-privileged
      - vmware-system-privileged
    verbs:
      - use

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: contour
  namespace: projectcontour
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour-system-privileged
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
  - kind: ServiceAccount
    name: default
    namespace: contour
  - kind: ServiceAccount
    name: contour-contour-certgen
    namespace: contour