k3s/examples/podsecuritypolicy/rbac/bindings.yaml

# privilegedPSP gives the privilegedPSP role
# to the group privileged.
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
    name: privileged-psp-users
subjects:
- kind: Group
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  name: privileged-psp-users
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: privileged-psp-user
---
# restrictedPSP grants the restrictedPSP role to
# the groups restricted and privileged.
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
    name: restricted-psp-users
subjects:
- kind: Group
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  name: restricted-psp-users
- kind: Group
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  name: privileged-psp-users
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: restricted-psp-user
---
# edit grants edit role to system:authenticated.
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
    name: edit
subjects:
- kind: Group
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  name: privileged-psp-users
- kind: Group
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  name: restricted-psp-users
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: edit