diff --git a/flux/cluster/apps/gitops/agola/kustomization.yaml b/flux/cluster/apps/gitops/agola/kustomization.yaml
index c696da4..fd47e5f 100644
--- a/flux/cluster/apps/gitops/agola/kustomization.yaml
+++ b/flux/cluster/apps/gitops/agola/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
   - deployment.yaml
   - external-secret.yaml
   - ingress.yaml
+  - rbac.yaml
   - services.yaml
diff --git a/flux/cluster/apps/gitops/agola/rbac.yaml b/flux/cluster/apps/gitops/agola/rbac.yaml
new file mode 100644
index 0000000..9f8ec3c
--- /dev/null
+++ b/flux/cluster/apps/gitops/agola/rbac.yaml
@@ -0,0 +1,59 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: agola
+  namespace: gitops
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: agola
+  namespace: gitops
+rules:
+- apiGroups:
+  - ""
+  - "coordination.k8s.io"
+  resources:
+  - nodes
+  - pods
+  - pods/exec
+  - configmaps
+  - leases
+  - secrets
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: agola
+  namespace: gitops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: agola
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: gitops
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: agola
+  namespace: gitops
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: agola
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: gitops