apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gce:podsecuritypolicy:unprivileged-addon
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gce:podsecuritypolicy:unprivileged-addon
subjects:
- kind: Group
  # All service accounts in the kube-system namespace are allowed to use this.
  name: system:serviceaccounts:kube-system
  apiGroup: rbac.authorization.k8s.io