kubernetes/cluster/addons/kube-network-policies/kube-network-policies-rbac.yaml

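# ClusterRole used by the kube-network-policies addon. Every rule below is
# read-only: no create/update/patch/delete verbs are granted.
#
# ClusterRole is a cluster-scoped kind, so it carries no metadata.namespace.
# When bound through a ClusterRoleBinding, these rules apply in every
# namespace, not only in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:network-policies
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # Core API group (""): get/watch/list on pods, nodes and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
      - watch
      - list
  # Watch for changes to Kubernetes NetworkPolicies.
  # Only watch and list are granted here; get is not.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list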
---
# Binds the system:network-policies ClusterRole to the kube-network-policies
# ServiceAccount in kube-system. Because this is a ClusterRoleBinding (not a
# namespaced RoleBinding), the role's rules are granted across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-network-policies
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
# The only subject is a single ServiceAccount; no users or groups are bound.
subjects:
  - kind: ServiceAccount
    name: kube-network-policies
    namespace: kube-system
# Role whose rules are granted to the subject above.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:network-policies
---
# ServiceAccount named as the subject of the kube-network-policies
# ClusterRoleBinding; presumably the addon's pods run under it (the workload
# manifest is not shown here — confirm).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: kube-network-policies
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    # Quoted so the label value stays a string rather than a YAML boolean.
    kubernetes.io/cluster-service: "true"
    k8s-app: kube-network-policies