diff --git a/assets/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml b/assets/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml index 2181b6919..841d55524 100644 --- a/assets/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml +++ b/assets/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml @@ -33,6 +33,10 @@ spec: containers: - image: quay.io/kinvolk/calico-hostendpoint-controller:v0.0.4 name: calico-hostendpoint-controller + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 volumeMounts: - mountPath: /tmp/ name: tmp-dir @@ -43,7 +47,7 @@ spec: --- # rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: calico-hostendpoint-controller-role @@ -54,15 +58,19 @@ rules: - apiGroups: ["crd.projectcalico.org"] resources: ["hostendpoints"] verbs: - - create - - get - - list - - update - - delete - # To use kubectl apply on resources that already exist - - patch + - create + - get + - list + - update + - delete + # To use kubectl apply on resources that already exist + - patch +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: ["calico-hostendpoint-controller-psp"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: calico-hostendpoint-controller-role-binding diff --git a/assets/charts/control-plane/calico-host-protection/templates/psp.yaml b/assets/charts/control-plane/calico-host-protection/templates/psp.yaml new file mode 100644 index 000000000..85556049e --- /dev/null +++ b/assets/charts/control-plane/calico-host-protection/templates/psp.yaml 
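Review bot: The new container securityContext in the first hunk sets only the user and group; `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `readOnlyRootFilesystem: true` are the remaining hardening fields a reviewer would expect alongside `runAsNonRoot`, and none of them is set here or in the accompanying PodSecurityPolicy. The only writable location visible in the hunk is the emptyDir mounted at /tmp/, which suggests a read-only root filesystem is feasible, though that needs confirming against what the controller binary writes. Pinning `runAsUser: 65534` also presumes the image's filesystem permissions allow running as nobody, which the hunk cannot show. The enclosing container spec starts and ends outside the hunk.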
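Review bot: In the third hunk the seven `verbs` entries for hostendpoints are removed and re-added with what appears to be only a whitespace difference, which buries the one functional RBAC change, the `use` rule on the `calico-hostendpoint-controller-psp` PodSecurityPolicy, in re-indentation noise. Leaving the existing indentation alone, or moving the re-indent to its own commit, would make the permission change reviewable at a glance. The `use` grant itself is correctly limited by `resourceNames`, so this is a presentation point only. The `rules:` list begins outside the hunk.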
@@ -0,0 +1,19 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ name: calico-hostendpoint-controller-psp
+spec:
+ privileged: false
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - emptyDir
+ - secret
diff --git a/pkg/assets/generated_assets.go b/pkg/assets/generated_assets.go
index ef06e30b6..78fc68766 100644
--- a/pkg/assets/generated_assets.go
+++ b/pkg/assets/generated_assets.go
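Review bot: The new PSP admits any seccomp profile through `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'`, which includes `unconfined`; since this policy serves a single controller, restricting it with `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'` and adding `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'` is the tighter choice. The spec also omits `allowPrivilegeEscalation: false` and `requiredDropCapabilities: ["ALL"]`, so a pod admitted under it can still gain capabilities or use setuid binaries even though it is forced to run as non-root. `policy/v1beta1` PodSecurityPolicy is deprecated as of Kubernetes 1.21 and removed in 1.25, so a header comment recording that this file is an interim measure until Pod Security Admission or an equivalent replaces it would help the next maintainer.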
@@ -4865,9 +4865,9 @@ var vfsgenAssets = func() http.FileSystem { "/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml": &vfsgen۰CompressedFileInfo{ name: "host-endpoint-controller.yaml", modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), - uncompressedSize: 1830, + uncompressedSize: 2056, - compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xa4\x55\x41\x6f\xdb\x3a\x0c\xbe\xfb\x57\x10\xc9\xf5\xc9\x69\x81\x77\x78\xd0\xed\x6d\x1d\x76\xd9\x8a\xa1\x1d\x76\x19\x7a\x60\x64\x26\xd1\x22\x89\x9a\x44\xbb\xf5\x86\xfd\xf7\x41\x76\xe3\xb9\x4b\xd1\xa5\x9d\x4e\x84\x64\xf2\xfb\xf4\x7d\xa4\xbc\x04\x8f\xc1\x6e\x28\x4b\x86\x0d\x27\x30\xec\x23\x07\x0a\x02\x06\x9d\x35\xac\x76\x9c\x85\x42\x13\xd9\x06\x51\x86\x83\x24\x76\x8e\x52\x55\x29\xa5\xaa\x25\x34\x14\x1d\xf7\x9e\x82\xd4\x3d\x7a\x57\x61\xb4\x9f\x28\x65\xcb\x41\x43\x77\x5e\xed\x6d\x68\x34\x5c\x53\xea\xac\xa1\xff\x8d\xe1\x36\x48\xe5\x49\xb0\x41\x41\x5d\x01\x04\xf4\xa4\xff\x84\x35\x7e\x96\x23\x1a\xd2\xb0\x6f\xd7\xa4\x72\x9f\x85\xfc\xc0\x61\x8e\x88\x31\xe6\xd5\x04\x7b\x31\x71\x7b\x00\xe9\x70\x4d\x2e\x97\x08\x4a\xc2\x89\xe8\x2f\x27\x99\x23\x99\x82\x96\x28\x3a\x6b\x30\x6b\x38\xaf\x00\x32\x39\x32\xc2\x69\xe4\xe1\x51\xcc\xee\xdd\x8c\xd8\xa9\xd4\x84\x7c\x74\x28\x74\x5f\x66\x76\xcd\xb2\xdc\x83\x8a\xa7\xd6\x04\x38\x50\x1e\xe2\x07\xe6\x5d\x9e\x26\x45\x59\xc2\x8e\x12\x8a\xe5\x30\x31\x50\xb0\xa7\x5e\x43\xe0\x86\x54\x62\x47\x75\xd1\x29\x05\x12\xca\xb5\xe5\x95\xc7\x2c\x53\x3a\x00\xc7\x92\xcf\x49\xc3\x9b\x3b\x9b\x25\x4f\x07\xb4\xd9\x90\x11\x0d\x97\x7c\x6d\x76\xd4\xb4\x8e\xee\x8f\x0a\x07\xb4\x81\xd2\x0c\xd1\x7a\xdc\x92\x86\xaf\x2d\xf6\x05\x63\x6f\x43\xc7\x6e\xbf\x7a\xfa\x0a\xba\x3b\xab\xcf\xea\x7f\x27\xc4\x13\x3b\x60\x5c\x1d\xbb\xd6\xd3\xfb\x22\xd7\x4c\x7b\x05\xbe\xec\x7c\x40\xd9\x69\x58\x89\x8f\xab\xe9\xe8\x50\x5f\x7c\x54\x8d\x3d\x14\x1a\xcb\x4c\x15\x96\x63\x3e\xd8\x50\xbe\x83\xcc\x70\x4b\x60\x30\x40\xc6\x0d\xb9\x1e\xda\x4c\xb0\x49\xec\x55\x36\xa9\x74\xd3\x78\xf1\x0c\x18\x9a\x15\x27\x48\x84\x8d\xe2
\xe0\xfa\x99\x48\x93\x46\x8f\xc1\x03\x90\x8f\xd2\x5f\xd8\xa4\xe1\xfb\x8f\xc3\xbc\xa7\x35\x9a\xe3\x49\x1f\x76\xb1\x95\x1d\x27\xfb\x6d\xb0\xbc\xde\xff\x37\x58\xda\x9d\xaf\x49\xf0\x30\x91\xaf\x5d\x5b\x1c\xbe\x62\x47\xcf\x7e\x05\x86\x86\xa9\x52\xeb\x8a\x24\x0a\x30\xda\xb7\x89\xdb\x98\x35\x7c\x5e\x2c\x6e\x86\xf9\xca\xdc\x26\x43\xc3\x4e\x69\xb1\x3c\x6c\x77\x94\xd6\xc3\xd6\x96\x64\xf1\x0f\x2c\x6e\x8b\x38\x25\x70\x36\xcb\xe2\xe6\xf7\x52\x26\x35\x75\x4c\xfc\x85\x8c\x8c\x7c\x6a\x4e\xdb\xe3\xfa\x73\x92\x73\x9c\x6a\xd0\xd3\x24\x42\xa1\x31\xde\x92\x8c\x41\xc1\x1b\xa3\x36\x36\xd3\x71\x43\x8e\xc6\x78\x09\x1f\x79\x70\xb1\x0c\x85\x11\x57\xa6\xd5\xf5\xc0\xe1\x17\x32\xc8\x0e\x05\xd0\x15\x33\x7b\xa0\xbb\xa9\x62\x2c\x97\x3a\x7a\x0e\x5f\x60\xcb\x2b\x1b\x1a\x1b\xb6\x2f\x73\x47\xad\xef\xb3\x73\xbb\x2e\x02\x0e\x46\x3d\xfa\x0b\xf8\xdb\x37\xb5\xa0\x5d\xd1\xa6\xb0\x3b\xee\xac\xe7\xf4\x13\x4c\xee\x3f\x21\x57\xf5\x33\x00\x00\xff\xff\x04\xc8\x62\x9e\x26\x07\x00\x00"), + compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xa4\x55\xc1\x6e\xdb\x38\x10\xbd\xeb\x2b\x06\xf6\x75\x25\x27\xd8\x64\xb1\xe0\x2d\x9b\x2c\xf6\xb2\x0d\x8a\xa4\xed\xa5\xc8\x81\xa6\xc6\x36\x6b\x92\xc3\x92\x43\x27\x6a\xd1\x7f\x2f\x48\xc5\x8a\x6c\x07\xa9\x93\xfa\x62\x82\xc3\x99\xf7\xf8\xe6\x71\x34\x05\x2b\x9d\x5e\x60\xe4\x08\x0b\x0a\xa0\xc8\x7a\x72\xe8\x18\x94\x34\x5a\x51\xbd\xa2\xc8\xe8\x5a\x4f\xda\x71\xad\xc8\x71\x20\x63\x30\x54\x55\x5d\xd7\xd5\x14\x5a\xf4\x86\x3a\x8b\x8e\x9b\x4e\x5a\x53\x49\xaf\x3f\x61\x88\x9a\x9c\x80\xcd\x69\xb5\xd6\xae\x15\x70\x8b\x61\xa3\x15\x5e\x28\x45\xc9\x71\x65\x91\x65\x2b\x59\x8a\x0a\xc0\x49\x8b\xe2\x57\x58\xfd\xb1\xe8\xa5\x42\x01\xeb\x34\xc7\x3a\x76\x91\xd1\x16\x0e\x63\x44\xe9\x7d\x9c\x0d\xb0\x57\x03\xb7\x1d\x48\x23\xe7\x68\x62\x5e\x41\x4e\x38\x12\xfd\xed\x24\xa3\x47\x95\xd1\x02\x7a\xa3\x95\x8c\x02\x4e\x2b\x80\x88\x06\x15\x53\xe8\x79\x58\xc9\x6a\xf5\xff\x88\xd8\xb1\xd4\x18\xad\x37\x92\xf1\xb1\xcc\xe8\x9a\xf9\x67\x76\x2a\x1e\x5b\x13\x60\x4b\xb9\xac\x77\x9a\x77\x7d\x9c\x14\xf9\xc7\x64\x30\x4
8\xd6\xe4\x06\x06\x35\xac\xb1\x13\xe0\xa8\xc5\x3a\x90\xc1\x26\xeb\x14\x1c\x32\xc6\x46\xd3\xcc\xca\xc8\x43\x3a\x00\xf9\x9c\x4f\x41\xc0\xbf\x0f\x3a\x72\x1c\x02\xb8\x58\xa0\x62\x01\xd7\x74\xab\x56\xd8\x26\x83\x8f\xa1\xcc\x41\x6a\x87\x61\x84\xa8\xad\x5c\xa2\x80\xaf\x49\x76\x19\x63\xad\xdd\x86\xcc\x7a\xf6\xf2\x15\xc4\xe6\xa4\x39\x69\xce\x06\xc4\x23\x1d\xb0\x55\x4c\xa5\xa0\xb9\xbb\x24\xc7\xf8\xc0\x4f\xf2\x03\x84\xe4\x2e\xe2\x35\xb9\x1b\x22\x16\xc0\x21\xe1\x7e\xf0\x63\xc4\x20\xe0\xaf\xf3\xf3\x3f\xcf\xf6\x43\xff\x05\x4a\x7e\x3f\xb6\x21\x93\x2c\xbe\xcb\xbd\x19\x35\xba\x06\x9b\x77\xde\x4b\x5e\x09\x98\xb1\xf5\xb3\x51\xb1\xfe\x32\x6c\x7d\xdd\xea\x2d\xeb\xbe\xcc\x50\x61\xda\xe7\x83\x76\xf9\x1c\x44\x82\x7b\x04\x25\x1d\x44\xb9\x40\xd3\x41\x8a\x08\x8b\x40\xb6\x8e\x2a\x64\xeb\xf6\x2a\x47\x90\xae\x9d\x51\x80\x80\xb2\xad\xc9\x99\x6e\xd4\x91\xa1\x21\xcf\xc1\x03\xa0\xf5\xdc\x5d\xe9\x20\xe0\xfb\x8f\xed\x70\x09\x73\xa9\x0e\xc7\x4a\xd9\x95\x89\x57\x14\xf4\xb7\xe2\xaf\x66\xfd\x77\xf1\xcf\xf0\xf2\x2f\x4d\xca\x4e\xba\x21\x83\xaf\x9e\x36\xc5\x98\x55\x48\x26\xab\x51\x83\xf4\xba\xe8\x1e\x05\x7c\x9e\x4c\xee\xca\x3b\x8e\x94\x82\xc2\xb2\x93\xad\x1c\xcb\xf6\x06\xc3\xbc\x6c\x2d\x91\x27\x7f\xc0\xe4\x3e\xeb\x92\x17\x46\x47\x9e\xdc\xed\x97\x52\xa1\x6d\x7c\xa0\x2f\xa8\xb8\xe7\xd3\x50\x58\x1e\xd6\x1f\x93\x1c\xe3\x54\x59\x49\x15\x50\x32\x96\xe5\x12\xb9\xfc\x67\xb0\xb2\x48\xbe\xdd\xc6\x5a\x34\x58\x96\x53\xf8\x40\xa5\x75\xf9\xd9\x29\x36\x79\x1e\x98\x0e\xc8\x3d\x61\x02\xaf\x24\x83\x34\xb9\x83\x1d\xe0\xc3\xb6\x9c\xcf\xb7\xd9\xbf\x83\x27\xa3\x55\x77\x48\xda\x53\xbb\x7d\x03\xe5\x88\xde\x97\x28\x45\xdc\xc9\xca\x53\xa5\x57\xe5\xe5\xd6\xf8\xe8\xb3\x92\x7b\x53\xff\x75\x86\xf8\x47\xbb\x56\xbb\xe5\xdb\x7c\x51\xcf\x1f\xb3\x63\x9a\xe7\xd6\x15\x8b\x3c\xfb\x91\xfb\xdd\xaf\x46\x46\xbb\xc1\x45\x66\x77\xe8\xe9\xd7\x38\x19\x86\x9e\xbd\xa0\x54\xf5\x33\x00\x00\xff\xff\x52\x01\x15\xe5\x08\x08\x00\x00"), }, "/charts/control-plane/calico-host-protection/templates/host-endpoints.yaml": &vfsgen۰CompressedFileInfo{ name: 
"host-endpoints.yaml", 
@@ -4883,6 +4883,13 @@ var vfsgenAssets = func() http.FileSystem { compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xbc\x93\x4f\x6f\x1a\x3d\x10\x87\xef\xfe\x14\x23\xe5\x90\xf7\x95\xba\x94\xa4\x51\x55\xad\xc4\x21\x82\xa6\xcd\x25\x8d\x1a\x94\x4b\xd5\x83\xf1\x4e\xc0\xc5\x3b\x63\x8d\x67\x4b\x57\x28\xdf\xbd\x5a\x76\x49\x03\x25\xe9\x1f\x41\x39\x99\x91\xf7\xe7\x99\xc7\x8f\x8f\xe0\xc2\x0b\x2e\x6c\x08\x10\x39\x78\x57\x9b\x23\x18\x6c\xfe\x4c\x96\x65\xe6\x08\x6e\x6e\xde\x83\x75\x0e\x53\x32\x36\xfa\x5b\x94\xe4\x99\x72\x70\x52\xf4\xa2\xf0\x17\x74\xea\x6c\xf0\x8e\x7b\x2c\xd3\x97\x5f\x4f\xcc\xdc\x53\x91\xc3\xbb\xc0\x13\x1b\xae\x50\x17\x2c\xf3\xeb\xf6\x84\x12\xd5\x16\x56\x6d\x6e\x00\xc8\x96\x98\x43\x4a\x33\x93\x22\xba\xa6\x92\x30\xa0\x53\x96\x1c\x66\x36\xfd\x37\xe3\xa4\x19\x52\x11\xd9\x93\xfe\x6f\x00\xa2\xe0\xe8\xea\x7c\x9c\x83\x4a\x85\x06\xc0\xc6\x18\xea\x0f\x74\xc1\xb2\xb0\x52\x3c\x94\x59\x0a\x94\x1c\xfa\x06\xc0\xd3\x54\x30\xa5\x26\x3b\x03\xeb\x74\xd5\xf6\x79\x08\xbc\x30\x00\x4d\x20\x2b\x3b\x0e\x39\x8c\x87\xd7\xab\x4a\xe2\x4a\x1c\xe6\xab\x35\x00\xa1\xa6\xf5\x7a\xb9\xcc\x40\x2c\x4d\x11\x7a\xb7\x36\x54\x98\x7a\xa5\x25\x3b\xc5\x12\x49\x87\x97\xa3\x8f\x09\xee\xef\xbb\xad\x19\x2c\x97\xd0\xfb\xf1\xbf\xf9\x14\xa9\x58\x17\x0a\x4c\xea\xc9\xae\x9a\xe9\x76\x44\x16\x4d\x39\x7c\x3a\x3d\xfd\xdc\x21\x9f\x57\x13\x74\x1a\x0e\x86\xbd\xcb\xdf\x81\x9e\xb8\x40\xad\x23\xc2\x60\x00\xc7\x8e\x49\x85\x43\x40\x39\xfe\x37\x17\xf0\x0c\x9c\xd7\x67\x67\xaf\xd6\x78\xc6\x62\xef\xee\xbc\x83\x09\xea\x02\x91\xc0\x85\x2a\x29\xca\xaa\xf9\x03\xd0\xf2\xa4\x28\x59\x13\x9e\x69\x7b\xf2\x61\x9c\x3d\xd9\x62\xb6\x9b\xda\xb6\xa6\x9b\xa2\xee\x52\xb5\xc3\xb3\xe5\xe9\xcf\xa6\x6e\xb8\xda\x92\xbe\x6c\xbb\x81\x6e\x6e\x50\x86\x21\x93\x72\x25\xfb\xc7\xec\xda\xe0\xac\x23\xf0\x2b\x39\x9b\xac\xbf\x11\xf3\x74\xdf\x66\xbe\xe9\xbf\x80\x47\x72\xbe\xdd\x20\xb6\x7f\x4c\xf8\x14\x9d\x9d\x06\x3e\x7a\x8d\xf8\x8c\x58\x6d\xeb\x23\xa4\x1a\x2c\xd5\xe0\xc9\x71\xe9\x69\xfa\x70\xef\xc4\x0a\xf8\x2d\x06\xef\xbc\x86\x1a\x22\x4a\xe9\x55\x
b1\xd8\xff\x78\x05\x52\x9d\xb1\xce\x50\xfe\x70\xc4\x93\x7e\xbf\xff\xfb\x32\x3c\xf1\xcc\x1a\x02\xe6\x7b\x00\x00\x00\xff\xff\x46\x9d\xb1\xd4\x1b\x07\x00\x00"), }, + "/charts/control-plane/calico-host-protection/templates/psp.yaml": &vfsgen۰CompressedFileInfo{ + name: "psp.yaml", + modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), + uncompressedSize: 387, + + compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x74\x8f\xb1\x6a\x33\x41\x0c\x84\xfb\x7d\x0a\x75\x86\x1f\xee\x8c\xdb\xeb\x0c\x3f\xa4\x49\x8c\x71\x48\x7a\x79\x4f\x8e\x85\x75\xd2\xb2\xd2\x3a\xb9\xb7\x0f\x77\x49\x91\xc6\xe5\x68\x46\x1a\x7d\x58\xf8\x9d\xaa\xb3\xe9\x00\xc5\x84\xf3\xbc\xbd\xef\xce\x14\xb8\x4b\x37\xd6\x71\x80\xa3\x8d\xaf\x94\x5b\xe5\x98\x8f\xab\x9f\x26\x0a\x1c\x31\x70\x48\x00\xa8\x6a\x81\xc1\xa6\xbe\x48\x00\xa7\x9c\x6d\x2a\xbd\xff\xee\xf4\x28\xe5\x8a\xfd\xad\x9d\xa9\x2a\x05\x79\xcf\xb6\x45\x11\xfb\xa4\xf1\x58\xed\xc2\x42\x07\x9c\xc8\x07\xd8\xfc\xdb\x24\x00\xc5\x89\x06\xc8\x28\x9c\xad\xbb\x9a\x07\xe9\x58\x8c\x35\xba\x6c\x1a\xd5\x44\xa8\x76\xc5\x4b\xf2\x42\x79\xa9\x2c\x95\xef\x2c\xf4\x41\xe3\x00\x17\x14\xa7\x04\x70\xf1\xa7\x6a\xad\xfc\x7c\x54\x9b\xd0\x00\xa7\xa6\x7b\xdf\xeb\x9c\x96\x81\xee\xfd\xcd\xa9\xfe\xf5\x5f\x9a\xc7\x9a\x39\x98\x9e\xcc\x22\x2d\x28\xcf\xac\xed\xeb\xc1\x15\x6f\xa5\x08\x4d\xa4\x81\xb2\xb6\xf9\x83\xe0\xdd\xa4\x2d\x80\x09\xa0\x03\x9a\x4a\xcc\xff\xb9\xae\xc2\x29\x57\x8a\xf4\x1d\x00\x00\xff\xff\x2d\xa8\x2e\x26\x83\x01\x00\x00"), + }, "/charts/control-plane/calico-host-protection/values.yaml": &vfsgen۰FileInfo{ name: "values.yaml", modTime: time.Date(1970, 1, 1, 0, 0, 1, 0, time.UTC), 
@@ -8014,6 +8021,7 @@ var vfsgenAssets = func() http.FileSystem {
 fs["/charts/control-plane/calico-host-protection/templates/host-endpoint-controller.yaml"].(os.FileInfo),
 fs["/charts/control-plane/calico-host-protection/templates/host-endpoints.yaml"].(os.FileInfo),
 fs["/charts/control-plane/calico-host-protection/templates/host-protection.yaml"].(os.FileInfo),
+ fs["/charts/control-plane/calico-host-protection/templates/psp.yaml"].(os.FileInfo),
 }
 fs["/charts/control-plane/kube-apiserver"].(*vfsgen۰DirInfo).entries = []os.FileInfo{
 fs["/charts/control-plane/kube-apiserver/.helmignore"].(os.FileInfo),
diff --git a/test/platform/packet/packet_test.go b/test/platform/packet/packet_test.go
index cc57b1b21..b1de745e5 100644
--- a/test/platform/packet/packet_test.go
+++ b/test/platform/packet/packet_test.go
@@ -98,3 +98,22 @@ func TestWhenBGPIsNotDisabledInConfigurationServersHasBGPSessionCreated(t *testi
 t.Fatalf("Worker pool with BGP not disabled should have at least one BGP session")
 }
 }
+
+func TestCalicoHostEndpointControllerRunsWithDedicatedPSP(t *testing.T) {
+ client := testutil.CreateKubeClient(t)
+ labelSelector := "app=calico-hostendpoint-controller"
+ expectedAnnotation := "calico-hostendpoint-controller-psp"
+
+ pods, err := client.CoreV1().Pods("kube-system").List(context.Background(), metav1.ListOptions{
+ LabelSelector: labelSelector,
+ })
+ if err != nil {
+ t.Fatalf("Listing pods with label %q: %v", labelSelector, err)
+ }
+
+ for _, v := range pods.Items {
+ if v.Annotations["kubernetes.io/psp"] != expectedAnnotation {
+ t.Fatalf("Pod: %s annotation expected: %s got: %s", v.Name, expectedAnnotation, v.Annotations["kubernetes.io/psp"])
+ }
+ }
+}
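Review bot: TestCalicoHostEndpointControllerRunsWithDedicatedPSP passes vacuously when the label selector matches no pods, because the `for` over `pods.Items` never executes; guard that case right after the error check with `if len(pods.Items) == 0 { t.Fatalf("No pods found with label %q", labelSelector) }`. Inside the loop, `t.Errorf` rather than `t.Fatalf` would report every mismatching pod instead of stopping at the first, and `%q` in that message would make an empty or absent annotation visible. The assertion also depends on the `kubernetes.io/psp` annotation, which is written only by the PodSecurityPolicy admission plugin, so the test presumes that plugin is enabled on the cluster under test. Whether `context` and `metav1` are already imported in this file cannot be seen from the hunk.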