Tanzu Kubernetes clusters require pod security policy (PSP) to deploy workloads. If you define your own PSP, you must create a Role or ClusterRole that references the PSP.

Example Role for PodSecurityPolicy

To demonstrate a role that references a PSP, consider the example Contour ingress controller deployment.

To deploy the Contour ingress controller, create a role named contour-leaderelection. In the role definition, grant the role the use verb on a PSP resource, named under resourceNames: either a custom PSP that you define or one of the default PSPs. Then, create a binding for the role.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: contour-leaderelection
  namespace: projectcontour
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
- apiGroups: 
  - extensions
  resourceNames:
  - CUSTOM-OR-DEFAULT-PSP
  resources:
  - podsecuritypolicies
  verbs:
  - use
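
The binding that the procedure above ends with is not shown on this page. The following RoleBinding is an added example, not part of the original documentation or the Contour project's manifests. It assumes the Contour pods run under a service account named contour in the projectcontour namespace, and the binding name is also an assumption.

```yaml
# Added example: binds the contour-leaderelection Role, including its
# "use" permission on the PSP, to a single service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour-leaderelection        # assumed name, chosen to match the Role
  namespace: projectcontour           # must be the namespace that holds the Role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-leaderelection        # the Role defined above
subjects:
# Binding to one service account keeps the PSP grant narrower than
# binding to a group such as system:serviceaccounts.
- kind: ServiceAccount
  name: contour                       # assumption: service account used by the Contour pods
  namespace: projectcontour
```

To confirm the grant, run kubectl auth can-i use podsecuritypolicy/CUSTOM-OR-DEFAULT-PSP -n projectcontour --as=system:serviceaccount:projectcontour:contour, substituting your PSP name; the command should return yes.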