diff --git a/authz/psp.go b/authz/psp.go
index 1d988fb3..a8cd0632 100644
--- a/authz/psp.go
+++ b/authz/psp.go
@@ -21,16 +21,16 @@ func ApplyDefaultPodSecurityPolicy(ctx context.Context, kubeConfigPath string, k
 	return nil
 }
 
-func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath string, k8sWrapTransport k8s.WrapTransport) error {
-	log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding")
+func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath, namespace string, k8sWrapTransport k8s.WrapTransport) error {
+	log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding in %s", namespace)
 	k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
 	if err != nil {
 		return err
 	}
-	if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole); err != nil {
+	if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole, namespace); err != nil {
 		return err
 	}
-	if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding); err != nil {
+	if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding, namespace); err != nil {
 		return err
 	}
 	log.Infof(ctx, "[authz] Default PodSecurityPolicy Role and RoleBinding applied successfully")
diff --git a/cluster/addons.go b/cluster/addons.go
index 4a514560..f23863a3 100644
--- a/cluster/addons.go
+++ b/cluster/addons.go
@@ -13,8 +13,10 @@ import (
 	"strings"
 
 	"github.com/rancher/rke/addons"
+	"github.com/rancher/rke/authz"
 	"github.com/rancher/rke/k8s"
 	"github.com/rancher/rke/log"
+	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/util"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v2"
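Review bot: The new namespace parameter of ApplyDefaultPodSecurityPolicyRole is passed straight through to k8s.UpdateRoleFromYaml and k8s.UpdateRoleBindingFromYaml without a non-empty check, so a caller passing "" would only learn about it from an API error surfaced after those helpers' retry loops. A guard before the client is created, `if namespace == "" { return fmt.Errorf("namespace is required for the default PodSecurityPolicy Role") }` (using whichever of fmt or errors the file already imports), fails fast with a clearer message. The function is also exported but has no doc comment; suggest `// ApplyDefaultPodSecurityPolicyRole creates or updates the default PodSecurityPolicy Role and RoleBinding in the given namespace.` above it. The function body continues past the end of the hunk.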
@@ -490,6 +492,12 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
 	if err := c.doAddonDeploy(ctx, ingressYaml, IngressAddonResourceName, false); err != nil {
 		return err
 	}
+	// ingress runs in it's own namespace, so it needs it's own role/rolebinding for PSP
+	if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
+		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, c.LocalKubeConfigPath, NginxIngressAddonAppName, c.K8sWrapTransport); err != nil {
+			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
+		}
+	}
 	log.Infof(ctx, "[ingress] ingress controller %s deployed successfully", c.Ingress.Provider)
 	return nil
 }
diff --git a/cluster/cluster.go b/cluster/cluster.go
index ec3b4b6c..16f4067a 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -84,6 +84,8 @@ const (
 	WorkerThreads = util.WorkerThreads
 
 	serviceAccountTokenFileParam = "service-account-key-file"
+
+	SystemNamespace = "kube-system"
 )
 
 func (c *Cluster) DeployControlPlane(ctx context.Context, svcOptions *v3.KubernetesServicesOptions) error {
@@ -325,7 +327,7 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 	if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
 		return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
 	}
-	if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
+	if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, SystemNamespace, kubeCluster.K8sWrapTransport); err != nil {
 		return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
 	}
 }
diff --git a/k8s/role.go b/k8s/role.go
index 4fb696ca..bccf42ce 100644
--- a/k8s/role.go
+++ b/k8s/role.go
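Review bot: The error returned from the new `return fmt.Errorf(...)` line in deployIngress says "ClusterRole and ClusterRoleBinding", but ApplyDefaultPodSecurityPolicyRole applies a namespaced Role and RoleBinding, which will send whoever debugs a failed PSP setup for the ingress namespace looking at the wrong objects; the same wording is kept on the changed line in ApplyAuthzResources in cluster/cluster.go. Suggest `return fmt.Errorf("Failed to apply default PodSecurityPolicy Role and RoleBinding in %s: %v", NginxIngressAddonAppName, err)` here and the equivalent with SystemNamespace in ApplyAuthzResources. The new comment also reads "it's own" twice where "its own" is meant. NginxIngressAddonAppName is passed as the namespace argument, which is only correct if that constant is also the namespace the ingress addon is deployed into; the diff does not show that, so it is worth confirming.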
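Review bot: SystemNamespace is a new exported constant without a doc comment, and since ApplyAuthzResources now passes it as the namespace for the default PSP Role and RoleBinding (replacing the kube-system value previously hard-coded in the templates), its purpose should be stated where it is declared. Suggest `// SystemNamespace is the namespace the default PodSecurityPolicy Role and RoleBinding are applied to.` directly above it in the const block.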
@@ -6,11 +6,12 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func UpdateRoleBindingFromYaml(k8sClient *kubernetes.Clientset, roleBindingYaml string) error {
+func UpdateRoleBindingFromYaml(k8sClient *kubernetes.Clientset, roleBindingYaml, namespace string) error {
 	roleBinding := rbacv1.RoleBinding{}
 	if err := decodeYamlResource(&roleBinding, roleBindingYaml); err != nil {
 		return err
 	}
+	roleBinding.Namespace = namespace
 	return retryTo(updateRoleBinding, k8sClient, roleBinding, DefaultRetries, DefaultSleepSeconds)
 }
 
@@ -27,11 +28,12 @@ func updateRoleBinding(k8sClient *kubernetes.Clientset, rb interface{}) error {
 	return nil
 }
 
-func UpdateRoleFromYaml(k8sClient *kubernetes.Clientset, roleYaml string) error {
+func UpdateRoleFromYaml(k8sClient *kubernetes.Clientset, roleYaml, namespace string) error {
 	role := rbacv1.Role{}
 	if err := decodeYamlResource(&role, roleYaml); err != nil {
 		return err
 	}
+	role.Namespace = namespace
 	return retryTo(updateRole, k8sClient, role, DefaultRetries, DefaultSleepSeconds)
 }
 
diff --git a/templates/authz.go b/templates/authz.go
index 100a4286..aec08943 100644
--- a/templates/authz.go
+++ b/templates/authz.go
@@ -69,7 +69,6 @@ apiVersion: extensions/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: default-psp
-  namespace: kube-system
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
 spec:
@@ -99,7 +98,6 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: default-psp-role
-  namespace: kube-system
 rules:
 - apiGroups: ['extensions']
   resources: ['podsecuritypolicies']
@@ -112,7 +110,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: default-psp-rolebinding
-  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
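Review bot: `roleBinding.Namespace = namespace` unconditionally overwrites the decoded namespace, so an empty namespace argument produces an un-namespaced RoleBinding that the API server will presumably reject, but only after retryTo has spent DefaultRetries attempts with DefaultSleepSeconds between them; the same holds for `role.Namespace = namespace` in UpdateRoleFromYaml in the next hunk. A fast-fail check right after decoding, `if namespace == "" { return fmt.Errorf("namespace is required for RoleBinding %s", roleBinding.Name) }` (adding fmt to the import block if it is not already there), gives a clearer error in both functions. Note that only the binding's own metadata.namespace is relocated here: if the subjects in DefaultPodSecurityRoleBinding (outside this diff) name service accounts with a fixed namespace, a binding placed in another namespace will not cover that namespace's service accounts, so confirm the template's subjects are namespace-relative or rewrite them here too. Both exported functions also lack doc comments, e.g. `// UpdateRoleBindingFromYaml decodes roleBindingYaml, sets its namespace and applies it via updateRoleBinding with retries.`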