diff --git a/hack/cluster-monitoring/deploy b/hack/cluster-monitoring/deploy
index 9ad91eb0ed85afbfc8f65f23bef4125257eea9cf..098af134773af3b783bc0f263d667ed142c3c14c 100755
--- a/hack/cluster-monitoring/deploy
+++ b/hack/cluster-monitoring/deploy
@@ -14,7 +14,7 @@ kctl() {
     kubectl --namespace "$NAMESPACE" "$@"
 }
 
-kctl apply -f manifests/prometheus-operator.yaml
+kctl apply -f manifests/prometheus-operator
 
 # Wait for TPRs to be ready.
 printf "Waiting for Operator to register third party objects..."
@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana
 
 kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml
 kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role-binding.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role.yaml
+kctl apply -f manifests/prometheus/prometheus-k8s-service-account.yaml
 
 kctl apply -f manifests/alertmanager/alertmanager-config.yaml
 kctl apply -f manifests/alertmanager/alertmanager-service.yaml
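Review bot: The three added lines create the ClusterRoleBinding before the ClusterRole and the ServiceAccount it refers to. Applying them in the order role, service account, binding avoids a window in which the binding names a subject that does not exist yet. It also keeps the script working for a caller who is not a cluster superuser, since the API server may refuse a binding to a role it cannot resolve. The same ordering question applies to `kctl apply -f manifests/prometheus-operator`, where the directory apply presumably processes the binding file first. Where `prometheus-k8s.yaml` is applied is outside this hunk, so confirm the service account exists before the Prometheus object that references it.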
diff --git a/hack/cluster-monitoring/teardown b/hack/cluster-monitoring/teardown
index 45ae61ed3dff044b9019806486d6cc1338bdccbc..e5e0d9a68bb4a0baff68408f6531137f76523aa7 100755
--- a/hack/cluster-monitoring/teardown
+++ b/hack/cluster-monitoring/teardown
@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager
 # Hack: wait a bit to let the controller delete the deployed Prometheus server.
 sleep 5
 
-kctl delete -f manifests/prometheus-operator.yaml
+kctl delete -f manifests/prometheus-operator
 
diff --git a/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bd69276fb6bce92f01acf0710a0c8dbedde2aec8
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
+  namespace: default
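Review bot: The subject namespace is hard-coded to `default` here, while `manifests/prometheus/prometheus-cluster-role-binding.yaml` hard-codes `monitoring`, yet both ServiceAccount manifests omit a namespace and are created through `kctl` with `--namespace "$NAMESPACE"`. Whatever `$NAMESPACE` is set to (it is defined outside the visible hunks), at most one of the two bindings can match the account actually created. The other grants its ClusterRole to a service-account name in a namespace this deployment does not manage, so anyone able to create a ServiceAccount of that name there would inherit the role. Either substitute the subject namespace from `$NAMESPACE` at deploy time, or set an explicit `metadata.namespace` on each ServiceAccount that matches its binding. A comment such as `# must match the namespace the ServiceAccount is deployed into` on the `namespace:` line would help.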
diff --git a/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c7bebb9db27dc8dc56b958fdd067ae89d831bd33
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus-operator
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - thirdpartyresources
+  verbs:
+  - create
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "delete"]
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "create", "update"]
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]
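Review bot: The rule granting `verbs: ["*"]` on `configmaps` and `secrets` is bound through a ClusterRoleBinding, so the operator's service account can read and modify every Secret in every namespace, which in practice includes other service accounts' tokens. If the operator only manages the Secrets and ConfigMaps it generates, list the verbs it actually uses instead of `*`, or grant this rule through a namespaced Role and RoleBinding in the namespaces it manages. What the operator requires is not visible on this page, so confirm against its code. At minimum add a comment above the rule stating why cluster-wide write access to Secrets is needed; the same question applies, to a lesser degree, to cluster-wide `delete` on `pods`.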
diff --git a/manifests/prometheus-operator/prometheus-operator-service-account.yaml b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..38d18cce71105613f954591c54f1eaa4ddd15b06
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-operator
diff --git a/manifests/prometheus-operator.yaml b/manifests/prometheus-operator/prometheus-operator.yaml
similarity index 74%
rename from manifests/prometheus-operator.yaml
rename to manifests/prometheus-operator/prometheus-operator.yaml
index 06ddf799408eba56593ca6c404da277cae0ce100..06232af055be9e68ce2c1f862d8c45cdc1e10840 100644
--- a/manifests/prometheus-operator.yaml
+++ b/manifests/prometheus-operator/prometheus-operator.yaml
@@ -11,12 +11,13 @@ spec:
       labels:
         operator: prometheus
     spec:
+      serviceAccountName: prometheus-operator
       containers:
        - name: prometheus-operator
          image: quay.io/coreos/prometheus-operator:v0.7.0
          args:
-           - "--kubelet-object=kube-system/kubelet"
-           - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
+         - "--kubelet-object=kube-system/kubelet"
+         - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
          resources:
            requests:
              cpu: 100m
diff --git a/manifests/prometheus/prometheus-cluster-role-binding.yaml b/manifests/prometheus/prometheus-cluster-role-binding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e337527f514534da666761476bc5e920e7f2359a
--- /dev/null
+++ b/manifests/prometheus/prometheus-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
diff --git a/manifests/prometheus/prometheus-cluster-role.yaml b/manifests/prometheus/prometheus-cluster-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..458c615820ebb853cf5ae8bddd4c19c929693af9
--- /dev/null
+++ b/manifests/prometheus/prometheus-cluster-role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  verbs: ["get"]
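Review bot: The second rule grants `get` on `configmaps` in every namespace, and nothing in this change shows what Prometheus reads through the API with it. ConfigMaps in other namespaces can hold configuration that was never meant for the monitoring stack. Either drop the rule, move it to a namespaced Role in the namespace Prometheus runs in, or add a comment above it such as `# needed for <reason>; cluster-wide because <reason>`. The first rule is read-only discovery access and looks appropriately narrow.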
diff --git a/manifests/prometheus/prometheus-k8s-service-account.yaml b/manifests/prometheus/prometheus-k8s-service-account.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..58d5342dfcebb4f667b0f2a916d8e52396651a03
--- /dev/null
+++ b/manifests/prometheus/prometheus-k8s-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-k8s
diff --git a/manifests/prometheus/prometheus-k8s.yaml b/manifests/prometheus/prometheus-k8s.yaml
index 23156650eb1c3fc5176003e0770f1895b6de640f..a8a1491031bb3c2f9f7ad2c1c403252895b0bb09 100644
--- a/manifests/prometheus/prometheus-k8s.yaml
+++ b/manifests/prometheus/prometheus-k8s.yaml
@@ -7,6 +7,7 @@ metadata:
 spec:
   replicas: 2
   version: v1.5.2
+  serviceAccountName: prometheus-k8s
   serviceMonitorSelector:
     matchExpression:
     - {key: k8s-apps, operator: Exists}