diff --git a/apps/base/forecastle/namespace.yaml b/apps/base/forecastle/namespace.yaml
index fd234355acaccbeca3b7f53e495911ecde6a3db9..696c5807cd84b46e42208f78c8950e6fc216ae9b 100644
--- a/apps/base/forecastle/namespace.yaml
+++ b/apps/base/forecastle/namespace.yaml
@@ -17,24 +17,14 @@ metadata:
   namespace: forecastle
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: forecastle-reconciler
-  namespace: forecastle
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: forecastle-reconciler
   namespace: forecastle
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: forecastle-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: forecastle-reconciler
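Review bot: The new `roleRef` to the built-in `admin` ClusterRole is narrower than the removed wildcard Role, but its effective permissions are not pinned in this repository. `admin` is an aggregated role, so any ClusterRole labelled `rbac.authorization.k8s.io/aggregate-to-admin: "true"` extends it, and it already allows reading Secrets and writing Roles and RoleBindings in the namespace. Conversely, custom resources are covered only when their operator aggregates into `admin`, so an apply that the old `*` rule allowed may now be forbidden; this is worth checking against what the ServiceAccount actually reconciles. I would add a comment above the binding such as `# admin is an aggregated built-in, namespace-scoped here via RoleBinding; review aggregate-to-admin ClusterRoles when installing operators`, or bind a repo-defined ClusterRole that lists only the needed resources. The same applies to the identical hunks for gitlab-runner, goharbor, keycloak, mail, matrix, nextcloud and renovate; the subject's `namespace` line falls outside each hunk.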
diff --git a/apps/base/gitlab-runner/namespace.yaml b/apps/base/gitlab-runner/namespace.yaml
index 6007b95ab044f2c031f80268924d3b6a711e260d..17914e5da21b5b7aa192288fb431776291fb8e99 100644
--- a/apps/base/gitlab-runner/namespace.yaml
+++ b/apps/base/gitlab-runner/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: gitlab-runner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitlab-runner-reconciler
-  namespace: gitlab-runner
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: gitlab-runner-reconciler
   namespace: gitlab-runner
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitlab-runner-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: gitlab-runner-reconciler
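Review bot: The `admin` binding for `gitlab-runner-reconciler` is reachable by any identity that may create pods in the `gitlab-runner` namespace, because a pod can name any ServiceAccount of its own namespace. Whether CI job pods are scheduled into this namespace is not visible in the hunk, so this is a point to confirm rather than a finding. If they are, consider running jobs in a separate namespace, and record the constraint next to the binding, e.g. `# reconciler SA holds admin here; CI job pods must run in a different namespace`.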
diff --git a/apps/base/goharbor/namespace.yaml b/apps/base/goharbor/namespace.yaml
index 15df40ed4d0f5d6abb615b64d3b96cd428196022..7134d5dd11fd6cb52e7242af9a7e5cf60026f04a 100644
--- a/apps/base/goharbor/namespace.yaml
+++ b/apps/base/goharbor/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: goharbor
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: goharbor
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flux-reconciler
   namespace: goharbor
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: flux-reconciler
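Review bot: The binding and its ServiceAccount are named `flux-reconciler` here and in the mail and renovate hunks, while forecastle, gitlab-runner, keycloak, matrix and nextcloud use `<app>-reconciler`. A single scheme makes audit-log subjects and RBAC queries easier to read across namespaces. Since this commit already touches every binding, it would be a natural place to align them, e.g. `name: goharbor-reconciler`. The ServiceAccount definition and whatever references it sit outside the hunk and would need the same rename.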
diff --git a/apps/base/keycloak/namespace.yaml b/apps/base/keycloak/namespace.yaml
index 0deeb378527bbfe892742e3dc902d75bd730b161..1384e40e4c269fca9ad69cd0f489967884cc3936 100644
--- a/apps/base/keycloak/namespace.yaml
+++ b/apps/base/keycloak/namespace.yaml
@@ -10,24 +10,14 @@ metadata:
   namespace: keycloak
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-reconciler
-  namespace: keycloak
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: keycloak-reconciler
   namespace: keycloak
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: keycloak-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: keycloak-reconciler
diff --git a/apps/base/mail/namespace.yaml b/apps/base/mail/namespace.yaml
index 7e1eb63f862136b4ef686fdf9ad5629c490ad5bd..a0a4c8db81fc30c1bd122d13862676c026baa286 100644
--- a/apps/base/mail/namespace.yaml
+++ b/apps/base/mail/namespace.yaml
@@ -10,24 +10,14 @@ metadata:
   namespace: mail
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: mail
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flux-reconciler
   namespace: mail
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: flux-reconciler
diff --git a/apps/base/matrix/namespace.yaml b/apps/base/matrix/namespace.yaml
index c839643f507d5f9fa5a7085e20ab2decb6ca5f91..a04bf7faf464a4ad7fc7ee1be906a78dfc90af64 100644
--- a/apps/base/matrix/namespace.yaml
+++ b/apps/base/matrix/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: matrix
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: matrix-reconciler
-  namespace: matrix
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: matrix-reconciler
   namespace: matrix
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: matrix-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: matrix-reconciler
diff --git a/apps/base/nextcloud/namespace.yaml b/apps/base/nextcloud/namespace.yaml
index 243de68a6af1d522a010e971bd4832d81c9f1767..63ffbfca3c61b75ce3b4a1358c57906fe385f946 100644
--- a/apps/base/nextcloud/namespace.yaml
+++ b/apps/base/nextcloud/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: nextcloud
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: nextcloud-reconciler
-  namespace: nextcloud
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: nextcloud-reconciler
   namespace: nextcloud
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: nextcloud-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: nextcloud-reconciler
diff --git a/apps/base/renovate/namespace.yaml b/apps/base/renovate/namespace.yaml
index 4c3b08a4d3f7fd0d97fed0756c7780b443c85eba..c4c9e233fe0a281c3e78382ad3b9b6766b8b2152 100644
--- a/apps/base/renovate/namespace.yaml
+++ b/apps/base/renovate/namespace.yaml
@@ -17,24 +17,14 @@ metadata:
   namespace: renovate
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: renovate
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flux-reconciler
   namespace: renovate
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: flux-reconciler