diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index fc0b5369..a83c571c 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -38,6 +38,13 @@ data:
       servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
       credentialIssuerConfig: (@= data.values.app_name + "-config" @)
       apiService: (@= data.values.app_name + "-api" @)
+    kubeCertAgent:
+      namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @)
+      (@ if data.values.image_digest: @)
+      image: (@= data.values.image_repo + "@" + data.values.image_digest @)
+      (@ else: @)
+      image: (@= data.values.image_repo + ":" + data.values.image_tag @)
+      (@ end @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index 9ef976b3..5f02c6ca 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -65,17 +65,17 @@ roleRef:
   name: #@ data.values.app_name + "-aggregated-api-server"
   apiGroup: rbac.authorization.k8s.io
 
-#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
+#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: #@ data.values.app_name + "-kube-system-pod-exec"
+  name: #@ data.values.app_name + "-kube-system-pod-read-write"
   namespace: kube-system
 rules:
   - apiGroups: [""]
     resources: [pods]
-    verbs: [get, list]
+    verbs: [create, get, list, patch, update, watch, delete]
   - apiGroups: [""]
     resources: [pods/exec]
     verbs: [create]
@@ -83,7 +83,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-kube-system-pod-exec"
+  name: #@ data.values.app_name + "-kube-system-pod-read-write"
   namespace: kube-system
 subjects:
   - kind: ServiceAccount
@@ -91,7 +91,7 @@ subjects:
     namespace: #@ data.values.namespace
 roleRef:
   kind: Role
-  name: #@ data.values.app_name + "-kube-system-pod-exec"
+  name: #@ data.values.app_name + "-kube-system-pod-read-write"
   apiGroup: rbac.authorization.k8s.io
 
 #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)