diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 86439ed97..5a2f8a880 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -6,6 +6,20 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - pods
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -103,6 +117,24 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - extensions.tsuru.io
+  resources:
+  - rpaasvalidations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - extensions.tsuru.io
+  resources:
+  - rpaasvalidations/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - keda.sh
   resources:
diff --git a/controllers/validation_controller.go b/controllers/validation_controller.go
index d92ec2ca3..7eb682c1a 100644
--- a/controllers/validation_controller.go
+++ b/controllers/validation_controller.go
@@ -25,6 +25,14 @@ type RpaasValidationReconciler struct {
 	Log logr.Logger
 }
 
+// +kubebuilder:rbac:groups="",resources=configmaps;secrets;services;pods,verbs=get;list;watch;create;update;delete
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;update;patch
+
+// +kubebuilder:rbac:groups=extensions.tsuru.io,resources=rpaasflavors,verbs=get;list;watch
+// +kubebuilder:rbac:groups=extensions.tsuru.io,resources=rpaasplans,verbs=get;list;watch
+// +kubebuilder:rbac:groups=extensions.tsuru.io,resources=rpaasvalidations,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=extensions.tsuru.io,resources=rpaasvalidations/status,verbs=get;update;patch
+
 func (r *RpaasValidationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	validation, err := r.getRpaasValidation(ctx, req.NamespacedName)
 	if k8sErrors.IsNotFound(err) {