Add two PodSecurityPolicy resources:
- privileged: for workloads that need more than restricted access
- unprivileged: for all other workloads, and should be the default
Additional things to be set:
- unprivileged mapped to ClusterRole relying on the 'default' service account
- privileged / unprivileged added to all existing ClusterRole resources as appropriate
In addition, a new label is available to set an alternative policy to the default account, so that at cluster creation users can override the restricted defaults.
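
The unprivileged half of this setup as Kubernetes manifests, added here as an example and not taken from the change itself: a restrictive PodSecurityPolicy (policy/v1beta1), a ClusterRole granting `use` on it, and a binding to the `default` service account. All resource names, the `default` namespace and the specific restrictions chosen are assumptions.

```yaml
# Constructed example; every metadata name below is hypothetical.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-unprivileged
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # blocks setuid-style escalation
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  # hostPath is deliberately absent from the allowed volume types
  volumes: ["configMap", "secret", "emptyDir", "projected", "downwardAPI", "persistentVolumeClaim"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-psp-unprivileged
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["example-unprivileged"]   # grants this one policy only
    verbs: ["use"]
---
# Assumption: the default is applied through the 'default' service account
# of a namespace; pods that name no service account run as it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-psp-unprivileged-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-psp-unprivileged
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
```

A workload that needs the privileged policy would run under a separate service account bound to a ClusterRole that names that policy in `resourceNames`, so the grant stays explicit and auditable.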