diff --git a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
index 6d6604bc2ef7f11e30cfbccc9f40f7fa7b52bf69..b233625976c68cc005dd7965a1dce4d666cc6e28 100644
--- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
@@ -184,6 +184,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       clusterRole.mixin.metadata.withName('resource-metrics-server-resources') +
       clusterRole.withRules(rules),
 
+    clusterRoleAggregatedMetricsReader:
+      local clusterRole = k.rbac.v1.clusterRole;
+      local policyRule = clusterRole.rulesType;
+
+      local rules =
+        policyRule.new() +
+        policyRule.withApiGroups(['metrics.k8s.io']) +
+        policyRule.withResources(['pods']) +
+        policyRule.withVerbs(['get','list','watch']);
+
+      clusterRole.new() +
+      clusterRole.mixin.metadata.withName('system:aggregated-metrics-reader') +
+      clusterRole.mixin.metadata.withLabels({
+        "rbac.authorization.k8s.io/aggregate-to-admin": "true",
+        "rbac.authorization.k8s.io/aggregate-to-edit": "true",
+        "rbac.authorization.k8s.io/aggregate-to-view": "true",
+      }) +
+      clusterRole.withRules(rules),
+
     roleBindingAuthReader:
       local roleBinding = k.rbac.v1.roleBinding;
 
diff --git a/jsonnetfile.lock.json b/jsonnetfile.lock.json
index d3c2799b2e61525df2de10b761f58db477e3a702..2798bacd25e8aa2e6b6139ffa97f0e03a9476c04 100644
--- a/jsonnetfile.lock.json
+++ b/jsonnetfile.lock.json
@@ -8,7 +8,7 @@
                     "subdir": "jsonnet/kube-prometheus"
                 }
             },
-            "version": "a7bb5d1a1f37152f0e45912550a1a80b29fcd28a"
+            "version": "1fbf75767a59d7fff5a7d716657349fcd884e4d3"
         },
         {
             "name": "ksonnet",
diff --git a/kustomization.yaml b/kustomization.yaml
index fc91b965e71d7c4eca1f4696ee67fdfa3e024693..75847a07244db0a9c7abdf17663e0426ca788ead 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -40,6 +40,7 @@ resources:
 - ./manifests/node-exporter-serviceMonitor.yaml
 - ./manifests/prometheus-adapter-apiService.yaml
 - ./manifests/prometheus-adapter-clusterRole.yaml
+- ./manifests/prometheus-adapter-clusterRoleAggregatedMetricsReader.yaml
 - ./manifests/prometheus-adapter-clusterRoleBinding.yaml
 - ./manifests/prometheus-adapter-clusterRoleBindingDelegator.yaml
 - ./manifests/prometheus-adapter-clusterRoleServerResources.yaml
diff --git a/manifests/prometheus-adapter-clusterRoleAggregatedMetricsReader.yaml b/manifests/prometheus-adapter-clusterRoleAggregatedMetricsReader.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d766a1f43d87aa25186198a7eeec3d732bd8364d
--- /dev/null
+++ b/manifests/prometheus-adapter-clusterRoleAggregatedMetricsReader.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch