From b24bf0c5e2ff24ff900a169d9065268e5d5c4ee8 Mon Sep 17 00:00:00 2001
From: Davide Belloni
Date: Tue, 26 Jun 2018 14:06:32 +0200
Subject: [PATCH] =?UTF-8?q?Enable=20=E2=80=9CKubernetes=20Monitoring?=
 =?UTF-8?q?=E2=80=9D=20and=20=E2=80=9CPodSecurityPolicies=E2=80=9D=20on=20?=
 =?UTF-8?q?the=20same=20cluster?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without that the daemonset "metadata-agent" return: ```pods "metadata-agent-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.containers[0].hostPort: Invalid value: 8799: Host port 8799 is not allowed to be used. Allowed ports: []]```
---
 .../stackdriver/metadata-agent-rbac.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
index dfcada4d585..1631c0d57e3 100644
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
@@ -32,3 +32,20 @@ subjects:
 - kind: ServiceAccount
 name: metadata-agent
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gce:podsecuritypolicy:metadata-agent
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/cluster-service: "true"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gce:podsecuritypolicy:privileged
+subjects:
+ - kind: ServiceAccount
+ name: metadata-agent
+ namespace: kube-system
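Review bot: The new RoleBinding's `roleRef` points the metadata-agent ServiceAccount at the `gce:podsecuritypolicy:privileged` ClusterRole, while the error quoted in the description only asks for hostPort 8799; the privileged policy also admits privileged containers, host namespaces and hostPath mounts, so the grant is much wider than the daemonset is shown to need. A dedicated PodSecurityPolicy that allows only that host port, plus a ClusterRole granting `use` on it, keeps this at least privilege; binding it through a namespaced RoleBinding as the hunk does is right and should stay. The spec below is a constructed sketch, not a drop-in: the `RunAsAny` rules and the `volumes` list are placeholders to be tightened against what the agent's pod spec actually requires, and any other host access the daemonset turns out to need should be added as individual fields rather than by falling back to the privileged policy. A one-line comment above the RoleBinding naming why it exists, e.g. `# The metadata-agent daemonset publishes hostPort 8799, which the default PSP rejects.`, would also help the next reader.
```yaml
# … unchanged: existing RoleBinding at the top of the file …
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: gce.metadata-agent  # constructed name; align with the cluster's PSP naming
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  hostPorts:
    - min: 8799
      max: 8799
  volumes:  # placeholder; list only the volume types the daemonset mounts
    - configMap
    - secret
    - emptyDir
  runAsUser:
    rule: RunAsAny  # placeholder; tighten once the agent's uid is known
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gce:podsecuritypolicy:metadata-agent
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - gce.metadata-agent
    verbs:
      - use
---
# … unchanged: RoleBinding from the hunk, with roleRef.name set to gce:podsecuritypolicy:metadata-agent …
```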