diff --git a/bootstrap/system-upgrades/clusterrole.yaml b/bootstrap/system-upgrades/clusterrole.yaml
index 88180579734cd8e15e7636c630c0f090569d309a..ca360cc8482e32e964fb38767f033ff2df79a587 100644
--- a/bootstrap/system-upgrades/clusterrole.yaml
+++ b/bootstrap/system-upgrades/clusterrole.yaml
@@ -3,21 +3,12 @@ kind: ClusterRole
 metadata:
   name: system-upgrade-controller
 rules:
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - patch
-  - update
 - apiGroups:
   - ""
   resources:
-  - secrets
   - namespaces
+  - nodes
+  - customresourcedefinitions
   verbs:
   - get
   - list
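Review bot: `customresourcedefinitions` is added to the rule whose `apiGroups` is `""`, but CRDs are served from the `apiextensions.k8s.io` group, so this entry matches nothing and grants no access to CRDs. It needs a rule of its own with that API group, limited to the verbs the controller really uses. `nodes` does belong to the core group, but the verbs of this rule continue past the end of the hunk (an `@@ ... rules:` hunk later in the file shows `patch` and `delete` in some rule), so confirm the node grant is not wider than intended, since it is cluster-wide.

```yaml
  - nodes
  # … unchanged: verbs of the core-group rule …
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  # read-only shown; widen only if the controller has to manage its own CRDs
  - get
  - list
  - watch
```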
@@ -34,6 +25,33 @@ rules:
   - patch
   - delete
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
 # Borrowed from https://stackoverflow.com/a/63553032
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
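Review bot: The new Role's `secrets` rule grants `get`, `list` and `watch` on every Secret in whatever namespace the Role ends up in, and its `metadata` has no `namespace:`, so that scope is chosen by the apply tooling rather than by this file. Moving secrets and jobs out of the ClusterRole is a real reduction, but `list` and `watch` still return full secret contents, so the grant is only tight if the namespace is dedicated to the upgrade controller. I would pin it with `namespace: <controller-namespace>` under `metadata:` (placeholder; the real name is not visible in this diff) and add a comment saying which secrets the controller reads. If it only needs a fixed set, `get` with `resourceNames:` would be narrower than namespace-wide `list`/`watch`. The RoleBinding added in clusterrolebinding.yaml omits `metadata.namespace` in the same way.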
diff --git a/bootstrap/system-upgrades/clusterrolebinding.yaml b/bootstrap/system-upgrades/clusterrolebinding.yaml
index 4a1ae37fecc4a954385fec49c8210be134cea972..1c30e7f06285cf3f170f89644b0393f5a93d5ab0 100644
--- a/bootstrap/system-upgrades/clusterrolebinding.yaml
+++ b/bootstrap/system-upgrades/clusterrolebinding.yaml
@@ -20,5 +20,17 @@ roleRef:
   kind: ClusterRole
   name: system-upgrade-controller
 subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-upgrade-controller
+subjects:
 - kind: ServiceAccount
   name: system-upgrade
\ No newline at end of file
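Review bot: Both `ServiceAccount` subjects here (the one added to the ClusterRoleBinding and the one now under the new RoleBinding) name `system-upgrade` without a `namespace:`, which RBAC validation requires for ServiceAccount subjects. These manifests therefore apply only if a build step fills it in (presumably a kustomize namespace setting, not visible in this diff), and the binding then follows whatever namespace that step selects. Writing `namespace: <controller-namespace>` under each subject (placeholder) makes it explicit in review which identity receives the cluster-wide role. The ClusterRoleBinding's `metadata` and the start of its `roleRef` lie outside the hunk.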