diff --git a/deploy/freedns-webhook/templates/rbac.yaml b/deploy/freedns-webhook/templates/rbac.yaml
index 5ba2e74..cf0650a 100644
--- a/deploy/freedns-webhook/templates/rbac.yaml
+++ b/deploy/freedns-webhook/templates/rbac.yaml
@@ -88,3 +88,42 @@ subjects:
     kind: ServiceAccount
     name: {{ .Values.certManager.serviceAccountName }}
     namespace: {{ .Values.certManager.namespace }}
+---
+# Grant pod account permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "freedns-webhook.fullname" . }}:flowcontrol
+  labels:
+    app: {{ include "freedns-webhook.name" . }}
+    chart: {{ include "freedns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - "flowcontrol.apiserver.k8s.io"
+    resources:
+      - 'prioritylevelconfigurations'
+      - 'flowschemas'
+    verbs:
+      - 'list'
+      - 'watch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "freedns-webhook.fullname" . }}:flowcontrol
+  labels:
+    app: {{ include "freedns-webhook.name" . }}
+    chart: {{ include "freedns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "freedns-webhook.fullname" . }}:flowcontrol
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "freedns-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
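Review bot: The comment above the new ClusterRole, `# Grant pod account permission to validate using our apiserver`, does not describe what the rule actually grants: it gives the webhook's own ServiceAccount (bound in the ClusterRoleBinding that follows, in `.Release.Namespace`) cluster-wide `list`/`watch` on the `flowcontrol.apiserver.k8s.io` `flowschemas` and `prioritylevelconfigurations` resources, which is the read access an extension apiserver needs to participate in API Priority and Fairness; "validate" and "pod account" are both vague here. Suggested replacement: `# Let the webhook's own ServiceAccount list/watch API Priority and Fairness config (flowschemas, prioritylevelconfigurations) so its extension apiserver can read them.` The verb set is appropriately minimal (no `get`, no write verbs); if the apiserver library also issues direct GETs against these resources rather than only informer list/watch, `get` would need adding, which is worth confirming against the runtime logs rather than widening speculatively. The binding assumes the chart's ServiceAccount is named exactly `{{ include "freedns-webhook.fullname" . }}`; if the chart exposes a configurable service-account name helper, this subject should reference it so the binding cannot silently point at a non-existent account. Quoting is also mixed within one rule (`"flowcontrol.apiserver.k8s.io"` double-quoted, resources and verbs single-quoted) — pick one style for the file.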