Pod Security Policy for kube-controller not working

Cluster information:

Kubernetes version: 1.20
Cloud being used: Running on VMWare
Installation method: kubeadm
Host OS: CentOS 8
CNI and version:
CRI and version:

I have enabled podSecurityPolicy. However, I am seeing the following error:
kubelet[532501]: E0106 09:11:00.744805 532501 kubelet.go:1635] Failed creating a mirror pod for "kube-controller-manager-nalshsvrk8ss02.railcarmgt.com_kube-system(b60a14116d6e59f58251bb5629f44a45)": pods "kube-controller-manager-nalshsvrk8ss02.railcarmgt.com" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

I have a Policy that should allow this, and I added a clusterRole and clusterRoleBinding. Not sure what I am missing:

$ kubectl get psp
NAME             PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
privileged-psp   true    *      RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
restricted-psp   false          RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged-psp
spec:
  allowedCapabilities:
  - '*'
  allowPrivilegeEscalation: true
  fsGroup:
    rule: 'RunAsAny'
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - min: 0
    max: 65535
  privileged: true
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  volumes:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: privileged-psp
rules:
- apiGroups:
  - policy
  resourceNames:
  - privileged-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: privileged-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: privileged-psp
subjects: