diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
index 182ce8e6e6..86fe89f152 100644
--- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
@@ -10,6 +10,25 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-installation
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+  - apiGroups:
+      - dkp.d2iq.io
+    resources:
+      - kommandercores
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Chart.Name }}-installation
@@ -20,12 +39,11 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: {{ .Chart.Name }}-installation
 subjects:
   - kind: ServiceAccount
     name: {{ .Chart.Name }}-installation
     namespace: {{ .Release.Namespace }}
-
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
index 417e66e119..ebb9e8ceca 100644
--- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
@@ -11,6 +11,33 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-pre-upgrade
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+  - apiGroups:
+      - dkp.d2iq.io
+      - helm.toolkit.fluxcd.io
+    resources:
+      - kommandercores
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - dkp.d2iq.io
+    resources:
+      - kommandercores
+    verbs:
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Chart.Name }}-pre-upgrade
@@ -21,7 +48,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: {{ .Chart.Name }}-pre-upgrade
 subjects:
   - kind: ServiceAccount
     name: {{ .Chart.Name }}-pre-upgrade