diff --git a/rbac/non-privileged-role.yaml b/rbac/non-privileged-role.yaml
new file mode 100644
index 00000000..e1b18e70
--- /dev/null
+++ b/rbac/non-privileged-role.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: krkn-non-privileged-role
+ namespace: target-namespace
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "statefulsets"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "create", "delete"]
diff --git a/rbac/non-privileged-rolebinding.yaml b/rbac/non-privileged-rolebinding.yaml
new file mode 100644
index 00000000..98f7f676
--- /dev/null
+++ b/rbac/non-privileged-rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krkn-non-privileged-rolebinding
+ namespace: target-namespace
+subjects:
+- kind: ServiceAccount
+ name: krkn-sa
+ namespace: target-namespace
+roleRef:
+ kind: Role
+ name: krkn-non-privileged-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rbac/privileged-clusterrole.yaml b/rbac/privileged-clusterrole.yaml
new file mode 100644
index 00000000..7ad07d6d
--- /dev/null
+++ b/rbac/privileged-clusterrole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: krkn-privileged-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "statefulsets"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
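Review bot: The Role's `namespace: target-namespace` is a placeholder that has to be replaced in three places — here, and in the RoleBinding's `metadata.namespace` and `subjects[0].namespace` in rbac/non-privileged-rolebinding.yaml — but nothing in either file says so, and a mismatch silently binds the Role to a ServiceAccount that does not exist. A header comment on both files would prevent that: `# Replace target-namespace with the namespace krkn may act on; the Role, the RoleBinding and the krkn-sa ServiceAccount must all live there.` No ServiceAccount manifest for `krkn-sa` appears in this diff, so presumably it is created elsewhere — worth stating in the same comment. The rules also grant `create` and `delete` on pods, services, deployments, statefulsets and jobs, so "non-privileged" here means namespace-scoped rather than read-only; a one-line comment above `rules:` naming the scenarios that need write access would let a later maintainer trim the verb list with confidence.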
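Review bot: The first rule of rbac/privileged-clusterrole.yaml grants `create`, `delete`, `update` and `patch` on `nodes` cluster-wide, and the remaining rules grant the same write verbs on pods, services, deployments, statefulsets and jobs in every namespace, yet no rule is annotated with the scenario that needs it, so the grant cannot be reviewed or reduced later. Node objects are normally created and removed by the kubelet or cloud provider, so `create` and `delete` on `nodes` look wider than cordon, taint or label changes would require, which `update` and `patch` already cover — I cannot confirm from this diff which node scenarios are in scope. A short comment per rule, e.g. `# nodes: update/patch for cordon, taint and label scenarios` above the first rule, plus a file header `# Cluster-wide write access in all namespaces: bind only to a ServiceAccount dedicated to privileged scenarios`, would document the blast radius where the next reader will see it.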
diff --git a/rbac/privileged-clusterrolebinding.yaml b/rbac/privileged-clusterrolebinding.yaml
new file mode 100644
index 00000000..71285e90
--- /dev/null
+++ b/rbac/privileged-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: krkn-privileged-clusterrolebinding
+subjects:
+- kind: ServiceAccount
+ name: krkn-sa
+ namespace: krkn-namespace
+roleRef:
+ kind: ClusterRole
+ name: krkn-privileged-clusterrole
+ apiGroup: rbac.authorization.k8s.io
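Review bot: The subject here is `krkn-sa` in `krkn-namespace`, while rbac/non-privileged-rolebinding.yaml binds a ServiceAccount of the same name `krkn-sa` in `target-namespace`; Kubernetes RBAC is additive, so if a user fills both placeholders with the same namespace the supposedly non-privileged ServiceAccount silently receives the cluster-wide privileged ClusterRole as well. The intended separation — two distinct ServiceAccounts, one per privilege tier — is only implied by the placeholder names. A comment above `subjects:` would make it explicit: `# Bind only to a ServiceAccount dedicated to privileged scenarios, never the one bound to krkn-non-privileged-role (RBAC grants are additive).` Giving the two accounts different names (a constructed example: `krkn-privileged-sa`) would make the separation hold by construction rather than by convention.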