diff --git a/config/rbac/instascale_role.yaml b/config/rbac/instascale_role.yaml
new file mode 100644
index 000000000..dec6b720a
--- /dev/null
+++ b/config/rbac/instascale_role.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: instascale-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusterversions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - machine.openshift.io
+  resources:
+  - machines
+  - machinesets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/rbac/instascale_role_binding.yaml b/config/rbac/instascale_role_binding.yaml
new file mode 100644
index 000000000..00a7d43f7
--- /dev/null
+++ b/config/rbac/instascale_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: instascale-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: instascale-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system