diff --git a/examples/prometheus/clusterrole-patch.json b/examples/prometheus/clusterrole-patch.json
deleted file mode 100644
index 082b427a22b..00000000000
--- a/examples/prometheus/clusterrole-patch.json
+++ /dev/null
@@ -1,38 +0,0 @@
-[
- {
- "op": "add",
- "path": "/rules/-",
- "value": {
- "apiGroups": [
- ""
- ],
- "resources": [
- "services",
- "endpoints",
- "pods"
- ],
- "verbs": [
- "get",
- "list",
- "watch"
- ]
- }
- },
- {
- "op": "add",
- "path": "/rules/-",
- "value": {
- "apiGroups": [
- "networking.k8s.io"
- ],
- "resources": [
- "ingresses"
- ],
- "verbs": [
- "get",
- "list",
- "watch"
- ]
- }
- }
-]
\ No newline at end of file
diff --git a/examples/prometheus/rbac.yaml b/examples/prometheus/rbac.yaml
new file mode 100644
index 00000000000..32d5eeef7bd
--- /dev/null
+++ b/examples/prometheus/rbac.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: prometheus
+ namespace: projectcontour
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services", "endpoints"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: prometheus
+ namespace: projectcontour
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: monitoring
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus
diff --git a/site/content/docs/main/guides/prometheus.md b/site/content/docs/main/guides/prometheus.md
index fc7e83d3328..87d1a514ab3 100644
--- a/site/content/docs/main/guides/prometheus.md
+++ b/site/content/docs/main/guides/prometheus.md
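Review bot: In examples/prometheus/rbac.yaml the new `Role` grants get/list/watch on `services`, `endpoints` and `ingresses` as well as `pods`, although the guide updated in this commit only adds `PodMonitor` resources, which should need pod discovery alone. If nothing else in the example depends on the other resources, the first rule could be narrowed to `resources: ["pods"]` and the `networking.k8s.io` rule dropped, so the scraper's read access in `projectcontour` matches what it actually uses. The `RoleBinding` subject is fixed to ServiceAccount `prometheus-k8s` in namespace `monitoring`, presumably the sample Prometheus deployment's account; a comment above `subjects:` such as `# ServiceAccount used by the sample Prometheus install; change name/namespace if yours differs` would make that assumption visible to anyone reusing the manifest.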
@@ -40,12 +40,10 @@ $ kubectl apply -f examples/grafana/httpproxy.yaml
 ### Scrape Contour and Envoy metrics
-To enable Prometheus to scrape metrics from the Contour and Envoy pods, some small customizations are needed to the sample deployment:
-
-Update `ClusterRole` to enable the installed Prometheus instance to monitor `Pods` and other resources in all namespaces:
+To enable Prometheus to scrape metrics from the Contour and Envoy pods, we can add some RBAC customizations with a `Role` and `RoleBinding` in the `projectcontour` namespace:
 ```sh
-$ kubectl patch clusterrole prometheus-k8s --type=json --patch-file examples/prometheus/clusterrole-patch.json
+kubectl apply -f examples/prometheus/rbac.yaml
 ```
 Now add [`PodMonitor`][6] resources for scraping metrics from Contour and Envoy pods in the `projectcontour` namespace: