diff --git a/manifests/klusterlet/management/klusterlet-registration-role.yaml b/manifests/klusterlet/management/klusterlet-registration-role.yaml
index ea20cc31e..f9da097ca 100644
--- a/manifests/klusterlet/management/klusterlet-registration-role.yaml
+++ b/manifests/klusterlet/management/klusterlet-registration-role.yaml
@@ -6,7 +6,14 @@ metadata:
 name: open-cluster-management:management:{{ .KlusterletName }}-registration:agent
 namespace: {{ .AgentNamespace }}
 rules:
-# leader election needs to operate configmaps, create hub-kubeconfig external-managed-registration/work secrets
+# leader election needs to operate configmaps and leases
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "list", "update", "watch", "patch"]
+# create hub-kubeconfig external-managed-registration/work secrets
 # TODO(zhujian7): may be replaced by a clusterrole to grant secret operation for others namespaces when addon
 # agents are supported running on the management cluster
 - apiGroups: [""]
diff --git a/manifests/klusterlet/management/klusterlet-work-role.yaml b/manifests/klusterlet/management/klusterlet-work-role.yaml
index 7be545521..7ec0bbddb 100644
--- a/manifests/klusterlet/management/klusterlet-work-role.yaml
+++ b/manifests/klusterlet/management/klusterlet-work-role.yaml
@@ -6,7 +6,7 @@ metadata:
 name: open-cluster-management:management:{{ .KlusterletName }}-work:agent
 namespace: {{ .AgentNamespace }}
 rules:
-# leader election needs to operate configmaps
+# leader election needs to operate configmaps and leases
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
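Review bot: The new `configmaps` rule in the first hunk (klusterlet-registration-role.yaml) grants `list`, `watch`, `delete` and `patch` on every ConfigMap in `{{ .AgentNamespace }}`, which is wider than the comment's stated purpose of leader election. An election lock normally needs only `get`, `create` and `update` on one named object, so if that holds for the election library this agent uses (not visible in the diff), the rule could be narrowed to `verbs: ["get", "create", "update"]`. The get/update part could be narrowed further with `resourceNames: ["<lock-name>"]`, where `<lock-name>` is a placeholder for the lock object's real name, and the same reasoning applies to the `leases` rule. If the agent locks on leases only, the configmaps rule could be dropped altogether. The context lines of the second hunk show the same verb set in klusterlet-work-role.yaml, and the `rules:` list continues past the end of both hunks, so other grants in these Roles are not visible here.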