If RBAC is enabled in your cluster, you might get the following error when trying to create a Defender DaemonSet.
Error creating: pods "twistlock-defender-ds-" is forbidden: unable to validate against any pod security policy ..Privileged containers are not allowed
If you get this error, then you must create a Role and RoleBinding so that Defender can run with the privileges it needs. Create a Role and RoleBinding for the twistlock namespace. You can use the following example Role and RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: twistlock-role namespace: twistlock rules: - apiGroups: - extensions resourceNames: - privileged resources: - podsecuritypolicies verbs: - use
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: twistlock-rolebinding namespace: twistlock roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: twistlock-role subjects: - kind: ServiceAccount name: twistlock-service namespace: twistlock