diff --git a/pkg/cluster/util.go b/pkg/cluster/util.go
index e9b18c186f26d1c6e7dfadd81ae0e57e612b4468..2a1442886fedfefd408ef42ebcf778bc1089c0a6 100644
--- a/pkg/cluster/util.go
+++ b/pkg/cluster/util.go
@@ -21,25 +21,46 @@ func isValidUsername(username string) bool {
 	return userRegexp.MatchString(username)
 }
 
-func normalizeUserFlags(userFlags []string) (flags []string, err error) {
+func isValidFlag(flag string) bool {
+	for _, validFlag := range []string{constants.RoleFlagSuperuser, constants.RoleFlagLogin, constants.RoleFlagCreateDB,
+		constants.RoleFlagInherit, constants.RoleFlagReplication, constants.RoleFlagByPassRLS} {
+		if flag == validFlag || flag == "NO"+validFlag {
+			return true
+		}
+	}
+	return false
+}
+
+func invertFlag(flag string) string {
+	if flag[:2] == "NO" {
+		return flag[2:]
+	}
+	return "NO" + flag
+}
+
+func normalizeUserFlags(userFlags []string) ([]string, error) {
 	uniqueFlags := make(map[string]bool)
 	addLogin := true
 
 	for _, flag := range userFlags {
 		if !alphaNumericRegexp.MatchString(flag) {
-			err = fmt.Errorf("user flag '%v' is not alphanumeric", flag)
-			return
+			return nil, fmt.Errorf("user flag %q is not alphanumeric", flag)
 		}
+
 		flag = strings.ToUpper(flag)
 		if _, ok := uniqueFlags[flag]; !ok {
+			if !isValidFlag(flag) {
+				return nil, fmt.Errorf("user flag %q is not valid", flag)
+			}
+			invFlag := invertFlag(flag)
+			if uniqueFlags[invFlag] {
+				return nil, fmt.Errorf("conflicting user flags: %q and %q", flag, invFlag)
+			}
 			uniqueFlags[flag] = true
 		}
 	}
-	if uniqueFlags[constants.RoleFlagLogin] && uniqueFlags[constants.RoleFlagNoLogin] {
-		return nil, fmt.Errorf("conflicting or redundant flags: LOGIN and NOLOGIN")
-	}
 
-	flags = []string{}
+	flags := []string{}
 	for k := range uniqueFlags {
 		if k == constants.RoleFlagNoLogin || k == constants.RoleFlagLogin {
 			addLogin = false
@@ -55,7 +76,7 @@ func normalizeUserFlags(userFlags []string) (flags []string, err error) {
 		flags = append(flags, constants.RoleFlagLogin)
 	}
 
-	return
+	return flags, nil
 }
 
 func specPatch(spec interface{}) ([]byte, error) {
diff --git a/pkg/util/constants/roles.go b/pkg/util/constants/roles.go
index 3b249092b014c4492e34cdcdd97253297537461e..5f81cb3d8754e34fe7005591578bce34719ac048 100644
--- a/pkg/util/constants/roles.go
+++ b/pkg/util/constants/roles.go
@@ -12,4 +12,6 @@ const (
 	RoleFlagNoLogin        = "NOLOGIN"
 	RoleFlagCreateRole     = "CREATEROLE"
 	RoleFlagCreateDB       = "CREATEDB"
+	RoleFlagReplication    = "REPLICATION"
+	RoleFlagByPassRLS      = "BYPASSRLS"
 )