apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gce:podsecuritypolicy:unprivileged-addon
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - policy
  resourceNames:
  - gce.unprivileged-addon
  resources:
  - podsecuritypolicies
  verbs:
  - use