operator RBAC needs podsecuritypolicy to grant it to postgres-pod

charts/postgres-operator/templates/clusterrole.yaml

@@ -134,6 +134,18 @@ rules:
   - get
   - list
   - patch
+# to CRUD cron jobs for logical backups
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
 # to get namespaces operator resources can run in
 - apiGroups:
   - ""
@@ -166,16 +178,13 @@ rules:
   verbs:
   - get
   - create
-# to CRUD cron jobs for logical backups
+# to grant privilege to run privileged pods
 - apiGroups:
-  - batch
+  - extensions
   resources:
-  - cronjobs
+  - podsecuritypolicies
+  resourceNames:
+  - privileged
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
+  - use
 {{ end }}

manifests/operator-service-account-rbac.yaml

@@ -135,6 +135,18 @@ rules:
   - get
   - list
   - patch
+# to CRUD cron jobs for logical backups
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
 # to get namespaces operator resources can run in
 - apiGroups:
   - ""
@@ -167,18 +179,15 @@ rules:
   verbs:
   - get
   - create
-# to CRUD cron jobs for logical backups
+# to grant privilege to run privileged pods
 - apiGroups:
-  - batch
+  - extensions
   resources:
-  - cronjobs
+  - podsecuritypolicies
+  resourceNames:
+  - privileged
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
+  - use
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1