Tanzu Kubernetes clusters include default PodSecurityPolicies (PSPs) that you can bind to for privileged and restricted workload deployment.

Example 1: RoleBinding to Run a Privileged Set of Workloads

The following kubectl command creates a RoleBinding that grants access to all service accounts within the default namespace to run a privileged set of workloads using the default PSP vmware-system-privileged. See Using Pod Security Policies with Tanzu Kubernetes Clusters.
Note: For the YAML equivalent of this binding, see Kubernetes Guestbook Tutorial: Bind to the Default Privileged Pod Security Policy.
kubectl create rolebinding rolebinding-default-privileged-sa-ns_default \
  --namespace=default --clusterrole=psp:vmware-system-privileged \
  --group=system:serviceaccounts

Example 2: ClusterRoleBinding to Run a Privileged Set of Workloads

The following kubectl command creates a ClusterRoleBinding that grants all authenticated users cluster-wide access to run a privileged set of workloads using the default PSP vmware-system-privileged.
kubectl create clusterrolebinding default-tkg-admin-privileged-binding \
  --clusterrole=psp:vmware-system-privileged --group=system:authenticated

Example 3: RoleBinding to Run a Restricted Set of Workloads

The following YAML creates a RoleBinding that grants access to all service accounts within a specific namespace to run a restricted set of workloads using the default PSP vmware-system-restricted. See Using Pod Security Policies with Tanzu Kubernetes Clusters.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:serviceaccounts
  namespace: some-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-restricted

As an alternative to applying YAML, you can run the following kubectl command.

kubectl create rolebinding psp:serviceaccounts --namespace=some-namespace \
  --clusterrole=psp:vmware-system-restricted --group=system:serviceaccounts

Example 4: ClusterRoleBinding to Run a Restricted Set of Workloads

The following YAML creates a ClusterRoleBinding that grants authenticated users cluster-wide access to run a restricted set of workloads using the default PSP vmware-system-restricted. See Using Pod Security Policies with Tanzu Kubernetes Clusters.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp:authenticated
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-restricted

As an alternative to applying YAML, you can run the following kubectl command.

kubectl create clusterrolebinding psp:authenticated \
  --clusterrole=psp:vmware-system-restricted --group=system:authenticated