diff --git a/deploy/kubernetes/base/cluserrole.yaml b/deploy/kubernetes/base/cluserrole.yaml
new file mode 100644
index 00000000..7f50aeaa
--- /dev/null
+++ b/deploy/kubernetes/base/cluserrole.yaml
@@ -0,0 +1,10 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cadvisor
+rules:
+ - apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - cadvisor
diff --git a/deploy/kubernetes/base/cluserrolebinding.yaml b/deploy/kubernetes/base/cluserrolebinding.yaml
new file mode 100644
index 00000000..e343135c
--- /dev/null
+++ b/deploy/kubernetes/base/cluserrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cadvisor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cadvisor
+subjects:
+- kind: ServiceAccount
+ name: cadvisor
+ namespace: cadvisor
diff --git a/deploy/kubernetes/base/daemonset.yaml b/deploy/kubernetes/base/daemonset.yaml
index 7482b9ad..275b3db9 100644
--- a/deploy/kubernetes/base/daemonset.yaml
+++ b/deploy/kubernetes/base/daemonset.yaml
@@ -14,6 +14,7 @@ spec:
 labels:
 name: cadvisor
 spec:
+ serviceAccountName: cadvisor
 containers:
 - name: cadvisor
 image: k8s.gcr.io/cadvisor:v0.30.2
diff --git a/deploy/kubernetes/base/kustomization.yaml b/deploy/kubernetes/base/kustomization.yaml
index 8bdeb6bc..bc091711 100644
--- a/deploy/kubernetes/base/kustomization.yaml
+++ b/deploy/kubernetes/base/kustomization.yaml
@@ -1,5 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cadvisor
 commonLabels:
 app: cadvisor
 resources:
-- namespace.yaml
+- cluserrole.yaml
+- cluserrolebinding.yaml
 - daemonset.yaml
+- namespace.yaml
+- podsecuritypolicy.yaml
+- serviceaccount.yaml
diff --git a/deploy/kubernetes/base/podsecuritypolicy.yaml b/deploy/kubernetes/base/podsecuritypolicy.yaml
new file mode 100644
index 00000000..4dcfc425
--- /dev/null
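Review bot: Both new file names are misspelled, `cluserrole.yaml` and `cluserrolebinding.yaml`, and the kustomization hunk repeats the typo in its `resources` list, so a later rename touches three files; `clusterrole.yaml` and `clusterrolebinding.yaml` would match their `kind`. The rule body itself is appropriately narrow: a single `use` verb on one named `podsecuritypolicies` resource, which is the least-privilege shape for PSP authorisation.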
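Review bot: The ClusterRoleBinding grants the role cluster-wide to a ServiceAccount that lives in one namespace; PSP `use` is checked against the pod's own namespace, so a namespaced binding is sufficient and is the least-privilege form. A `RoleBinding` may reference a `ClusterRole` in its `roleRef`, so the change is `kind: RoleBinding` plus `namespace: cadvisor` under `metadata`, with `roleRef` and `subjects` unchanged. The file-name typo noted on the ClusterRole hunk applies here as well.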
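Review bot: The ServiceAccount appears to exist only so the pod can be authorised against the PSP, yet its API token will still be auto-mounted into a container that mounts host paths; unless cAdvisor actually calls the API server, pair the new line with `automountServiceAccountToken: false` so no credential is exposed inside the pod. The DaemonSet's pod spec starts and ends outside the hunk, so whether the token is already disabled elsewhere in the spec or on the ServiceAccount cannot be seen here.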
+++ b/deploy/kubernetes/base/podsecuritypolicy.yaml
@@ -0,0 +1,21 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: cadvisor
+spec:
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+ allowedHostPaths:
+ - pathPrefix: "/"
+ - pathPrefix: "/var/run"
+ - pathPrefix: "/sys"
+ - pathPrefix: "/var/lib/docker"
+ - pathPrefix: "/dev/disk"
diff --git a/deploy/kubernetes/base/serviceaccount.yaml b/deploy/kubernetes/base/serviceaccount.yaml
new file mode 100644
index 00000000..baef7270
--- /dev/null
+++ b/deploy/kubernetes/base/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cadvisor
+ namespace: cadvisor
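Review bot: The first `allowedHostPaths` entry, `pathPrefix: "/"`, already matches every host path, so the four more specific prefixes after it add no restriction at all; if the intent is to confine cAdvisor to the paths it mounts, drop the `/` entry, or, if the daemonset genuinely mounts the root filesystem, keep it but add `readOnly: true` (the `allowedHostPaths` item type supports that field) so the policy at least forbids a writable mount of the host root. `volumes: ['*']` likewise admits every volume type where `hostPath` plus whatever the daemonset declares (not visible in this diff) would suffice. Combined with `runAsUser: RunAsAny`, the policy as written constrains the pod little beyond requiring the `use` binding, which is worth a comment above `spec:` stating that the permissiveness is deliberate for a node-level monitoring agent.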