diff --git a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
index dfcada4d585..1631c0d57e3 100644
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
@@ -32,3 +32,20 @@ subjects:
 - kind: ServiceAccount
   name: metadata-agent
   namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gce:podsecuritypolicy:metadata-agent
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:podsecuritypolicy:privileged
+subjects:
+  - kind: ServiceAccount
+    name: metadata-agent
+    namespace: kube-system