@ams0
Last active May 1, 2019 11:14
Create a SA and a binding to the psp:privileged role, then create a deployment with a hostPath mount

PSPs are evaluated only when a pod is created directly; when a Deployment or a DaemonSet creates a pod, it does so using the default service account of that namespace. Thus, you need to give that SA (or a purposely created SA) a binding to the appropriate PSP.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-privileged
spec:
  selector:
    matchLabels:
      name: nginx-privileged
  template:
    metadata:
      labels:
        name: nginx-privileged
    spec:
      containers:
      - name: nginx-privileged
        image: nginx:1.14.2
        securityContext:
          privileged: true          # requires a PSP that allows privileged containers
        volumeMounts:
        - name: root-volume
          mountPath: /mnt/rootnode  # node's root filesystem, visible inside the container
      # pods created by the Deployment run as this SA, so the PSP binding must target it
      serviceAccountName: default-privileged
      volumes:
      - hostPath:
          path: /
        name: root-volume
```
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: default-privileged
---
# Grants the SA above "use" of the privileged PSP via the psp:privileged ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default:privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:privileged
subjects:
- kind: ServiceAccount
  namespace: default
  name: default-privileged
```
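Because any pod running under a subject bound to `psp:privileged` can be admitted as privileged with a hostPath mount, an operator will want to enumerate who holds that binding. The following is an added example, not part of the gist: it audits the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` returns for subjects bound to the `psp:privileged` ClusterRole; the sample input is constructed inline to mirror the gist's binding.

```python
"""Audit which RBAC subjects are bound to the psp:privileged ClusterRole.

Added example (not from the gist). The input is the JSON list that
`kubectl get clusterrolebindings,rolebindings -A -o json` produces;
the SAMPLE below is constructed to match the gist's ClusterRoleBinding.
"""
import json

PRIVILEGED_ROLE = "psp:privileged"  # ClusterRole name used in the gist


def privileged_subjects(bindings_json, role=PRIVILEGED_ROLE):
    """Return sorted 'Kind:[ns/]name (via Binding in scope)' strings for
    every subject bound to `role`, whether through a ClusterRoleBinding
    (cluster-wide) or a RoleBinding (limited to that namespace)."""
    found = set()
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        scope = ("cluster" if item["kind"] == "ClusterRoleBinding"
                 else item["metadata"].get("namespace", "default"))
        for s in item.get("subjects", []):
            ns = s.get("namespace")  # only ServiceAccount subjects carry one
            name = f"{ns}/{s['name']}" if ns else s["name"]
            found.add(f"{s['kind']}:{name} (via {item['kind']} in {scope})")
    return sorted(found)


# Constructed sample: the gist's binding plus one unrelated RoleBinding.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "default:privileged"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "psp:privileged"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default",
                   "name": "default-privileged"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "view-binding", "namespace": "dev"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]})

if __name__ == "__main__":
    for line in privileged_subjects(SAMPLE):
        print(line)
```

Feed it real cluster output with `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit.py` after swapping SAMPLE for stdin; the same function works unchanged for any other ClusterRole name passed as `role`.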