Spawn failures owing to pod security policies

I’m seeing symptoms similar to “Single User Container Not Creating due to Pod Policies”, i.e. spawn failures, with the error given as:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"jupyter-user1\" is forbidden: PodSecurityPolicy: unable to admit pod: []","reason":"Forbidden","details":{"name":"jupyter-user1","kind":"pods"},"code":403}

I’ve tried the suggestion there, i.e.

singleuser:
  #...
  cloudMetadata:
    blockWithIptables: false

and that hasn’t helped.

These are the network policies:

kubectl get networkPolicy -n jupyterhub
NAME         POD-SELECTOR                                                   AGE
autohttps    app=jupyterhub,component=autohttps,release=z2jh-0.14           31m
hub          app=jupyterhub,component=hub,release=z2jh-0.14                 3h28m
proxy        app=jupyterhub,component=proxy,release=z2jh-0.14               3h28m
singleuser   app=jupyterhub,component=singleuser-server,release=z2jh-0.14   3h28m

This is using Helm chart 1.2.0; the k8s cluster is running 1.23.4, on OpenStack via Magnum.

This is the pod security policy:

kubectl get psp
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME                PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
magnum.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

I was able to work around this by applying a rolebinding which authorized service accounts.
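
The kind of binding the workaround describes, as an added example that is not part of the original post and not the poster's actual manifest: the empty list in `unable to admit pod: []` typically means no PodSecurityPolicy was authorized for the account creating the pod, so the fix is RBAC `use` permission on a policy. The policy name `magnum.privileged` and the namespace `jupyterhub` come from the output above; the ClusterRole and RoleBinding names, and the `hub` service account in the check, are assumptions.

```yaml
# Added example. Names marked "hypothetical" are assumptions, not from the post.
# Grants "use" on the one PSP listed by `kubectl get psp` (magnum.privileged).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-magnum-privileged-use        # hypothetical name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["magnum.privileged"] # limit the grant to this one policy
---
# A RoleBinding (not a ClusterRoleBinding) limits the grant to pods
# created in the jupyterhub namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jupyterhub-psp-use               # hypothetical name
  namespace: jupyterhub
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-magnum-privileged-use
subjects:
  # All service accounts in the jupyterhub namespace.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:jupyterhub
# Verify after applying (service account name "hub" is an assumption):
#   kubectl auth can-i use podsecuritypolicy/magnum.privileged \
#     --as=system:serviceaccount:jupyterhub:hub -n jupyterhub
```

Because `magnum.privileged` permits privileged containers, all capabilities and all volume types, this binding lets any pod created by a service account in the namespace request them; keeping it a namespaced RoleBinding confines that to `jupyterhub`.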