diff --git a/kbatch/templates/rbac.yaml b/kbatch/templates/rbac.yaml
new file mode 100644
index 0000000..e5cc396
--- /dev/null
+++ b/kbatch/templates/rbac.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kbatch-proxy.fullname" . }}
+rules:
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - configmaps
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "kbatch-proxy.fullname" . }}
+subjects:
+ - kind: User
+ name: {{ include "kbatch-proxy.serviceAccountName" . }}
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: {{ include "kbatch-proxy.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/kbatch/values.yaml b/kbatch/values.yaml
index 25a7404..1f63da2 100644
--- a/kbatch/values.yaml
+++ b/kbatch/values.yaml
@@ -16,6 +16,9 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +rbac: + create: true + serviceAccount: # Specifies whether a service account should be created create: true
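Review bot: The ClusterRoleBinding subject in rbac.yaml is declared as `kind: User`, so the role is bound to a user literally named after the service account rather than to the service account itself, whose identity is `system:serviceaccount:<namespace>:<name>`; assuming the proxy pod runs under that service account, it receives none of these permissions, while any authenticated user who happens to carry that name would. The subject should read `- kind: ServiceAccount`, `name: {{ include "kbatch-proxy.serviceAccountName" . }}`, `namespace: {{ .Release.Namespace }}`, with the `apiGroup` line dropped. Separately, the third rule grants read and write verbs on `secrets` in every namespace, which lets the bound identity read every secret in the cluster; if kbatch only needs secrets in the namespaces it manages, per-namespace Roles and RoleBindings would shrink that exposure. `pods/log` only supports read verbs, so it could move to its own rule with `get`.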
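Review bot: The new `rbac.create` key in values.yaml defaults to `true` without a comment, so a plain install creates a cluster-scoped role and binding that include secret access in all namespaces; the neighbouring `serviceAccount.create` key carries an explanatory comment and this one should too. Suggested comment above `create: true`: `# Create a ClusterRole and ClusterRoleBinding for kbatch-proxy (cluster-wide access to jobs, pods, configmaps, secrets and namespaces)`. Operators who manage RBAC out of band can then see what setting it to `false` skips.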