diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index 6d5c6e3..d01c4da 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -14,6 +14,10 @@ Deploy the service to listen for JVB UDP traffic on all cluster nodes port 30300
 
 `kubectl create -f jvb-service.yaml`
 
+If PodSecurityPolicies were enabled, we would then install a PSP and Role for jitsi:
+
+`kubectl create -f rbac.yaml`
+
 Now we can deploy the rest of the application. First modify the `DOCKER_HOST_ADDRESS` env value in deployment.yaml to point to one of nodes in your cluster (or load-balancer for all nodes if you have one), and then deploy it:
 
 `kubectl create -f deployment.yaml`
diff --git a/examples/kubernetes/deployment.yaml b/examples/kubernetes/deployment.yaml
index e246689..05d27d8 100644
--- a/examples/kubernetes/deployment.yaml
+++ b/examples/kubernetes/deployment.yaml
@@ -1,3 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jitsi
+  namespace: jitsi
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -143,3 +150,4 @@ spec:
               value: jvbbrewery
             - name: TZ
               value: America/Los_Angeles
+      serviceAccountName: jitsi
diff --git a/examples/kubernetes/rbac.yaml b/examples/kubernetes/rbac.yaml
new file mode 100644
index 0000000..e25723b
--- /dev/null
+++ b/examples/kubernetes/rbac.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: jitsi-privileged
+spec:
+  allowPrivilegeEscalation: true
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: true
+  hostPID: true
+  hostPorts:
+  - max: 65535
+    min: 0
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jitsi-privileged
+  namespace: jitsi
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - jitsi-privileged
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jitsi-privileged
+  namespace: jitsi
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jitsi-privileged
+subjects:
+- kind: ServiceAccount
+  name: jitsi