How to do Rolebinding of PodSecurityPolicy to a group?

4/25/2019

Working on a single node Kubernetes cluster, I wish to apply a restrictive pod security policy to a group of users authenticated via openid. So the sequence of steps is like this.

  1. Initialize the cluster, and create the pod security policies.
  2. Apply the admission controller PodSecurityPolicy in API server (which causes an API server restart)
  3. Create a ClusterRole and RoleBinding for the users.

The authentication of users via openid and fetching their group works well; however, limiting the PodSecurityPolicy to this group doesn't work. An example ClusterRole and RoleBinding are given below. If I use system:authenticated instead of mygroup the policy is picked up for new pod creations.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted # the psp we are giving access to
  verbs:
  - use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp:restricted
subjects:
- kind: Group
  name: mygroup # My group from openid, DOESN'T WORK.
# name: system:authenticated # all authenticated users, WORKS.
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: psp:restricted # A reference to the role above
  apiGroup: rbac.authorization.k8s.io

  1. How to do the pod security policy RoleBinding to a specific group? Are there any errors in my steps above? I have other RoleBindings on this group which work perfectly fine.
  2. A second problem is that the Flannel pod fails to come up, as it seems to pick up the restrictive policy, which prevents a volume mount etc. I've read that the order of the policies matters, and tried naming the policy with a name that sorts the policy as the last one. If I insert the policies much later, and add the PodSecurityPolicy admission controller after initializing Flannel, everything seems good. Is there an order we have to follow while inserting policies and admission controllers?
-- user30622
flannel
kube-apiserver
kubectl
kubernetes
kubernetes-pod
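The RBAC question the PSP admission controller asks is "may this subject `use` podsecuritypolicies/&lt;name&gt;?". The following is an added example, not code from the question or from Kubernetes: an offline simulation of that check, with the question's ClusterRole and ClusterRoleBinding mirrored as Python dicts (the `extensions` apiGroup and the `mygroup` subject are taken from the manifests above; the user names are constructed).

```python
# Offline simulation of the RBAC evaluation behind a PSP "use" check.
# Manifests mirror the question's ClusterRole/ClusterRoleBinding as dicts
# (constructed for this example; not a real cluster's state).
CLUSTER_ROLES = {
    "psp:restricted": [
        {"apiGroups": ["extensions"],
         "resources": ["podsecuritypolicies"],
         "resourceNames": ["restricted"],   # the psp being granted
         "verbs": ["use"]},
    ],
}

CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "psp:restricted"},
     "subjects": [{"kind": "Group", "name": "mygroup"}]},
]


def rule_allows(rule, api_group, resource, name, verb):
    """True if one RBAC rule covers the (group, resource, name, verb) tuple."""
    def match(values, wanted):
        return "*" in values or wanted in values
    names = rule.get("resourceNames") or []      # empty list = any name
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and (not names or name in names)
            and match(rule["verbs"], verb))


def subject_matches(subject, user, groups):
    """A User subject matches by name; a Group subject by group membership."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    return False                                  # ServiceAccount not modelled


def can_use_psp(user, groups, psp_name, api_group="extensions"):
    """Return True if any binding grants `use` on the named PSP to the subject."""
    for binding in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        rules = CLUSTER_ROLES.get(binding["roleRef"]["name"], [])
        if any(rule_allows(r, api_group, "podsecuritypolicies", psp_name, "use")
               for r in rules):
            return True
    return False
```

On a live cluster the equivalent check is `kubectl auth can-i use podsecuritypolicy/restricted --as=alice --as-group=mygroup`, which exercises the real authorizer rather than this model.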

1 Answer

8/30/2019

I thought I may have had similar issues and found it was a problem with my Role. You can check my question/answer at Why is my PodSecurityPolicy applied even if I don't have access?

-- ThatChrisGuy
Source: StackOverflow