---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: csi-snapshotter-psp
  namespace: kube-system
spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - "SYS_ADMIN"
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - "configMap"
    - "emptyDir"
    - "secret"
    - "projected"
    - "hostPath"

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-snapshotter-psp
  # replace with non-kube-system namespace name
  namespace: kube-system
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["csi-snapshotter-psp"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-snapshotter-psp
  # replace with non-kube-system namespace name
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: snapshot-controller
    # replace with non-kube-system namespace name
    namespace: kube-system
roleRef:
  kind: Role
  name: csi-snapshotter-psp
  apiGroup: rbac.authorization.k8s.io