Added capability in the podsecuritypolicy template to bind individual
serviceaccounts to clusterroles to enable enforcing psp at
serviceaccount level.
The idea is that the default psp can be tuned to be restrictive for all
serviceaccounts; and new psp, clusterroles, and clusterrolebindings are
defined to bind specific serviceaccounts or namespaces to permissive
podsecuritypolicies, based on the security requirements of a deployment.
Change-Id: I1b13c0e324b9a756a07d36b6e53786303f4a9f89
798303eb88