diff --git a/packages/system/cozystack-controller/templates/rbac.yaml b/packages/system/cozystack-controller/templates/rbac.yaml
index eb680f70..4aa17a29 100644
--- a/packages/system/cozystack-controller/templates/rbac.yaml
+++ b/packages/system/cozystack-controller/templates/rbac.yaml
@@ -15,3 +15,6 @@ rules:
 - apiGroups: [""]
 resources: ["namespaces"]
 verbs: ["get", "list", "watch", "patch", "update"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch"]
diff --git a/packages/system/cozystack-controller/templates/role.yaml b/packages/system/cozystack-controller/templates/role.yaml
new file mode 100644
index 00000000..96bfc9a5
--- /dev/null
+++ b/packages/system/cozystack-controller/templates/role.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cozystack-controller-deployment-patch-update
+ namespace: cozy-system
+rules:
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: ["cozystack-api"]
+ verbs: ["patch", "update"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cozystack-controller-deployment-patch-update
+ namespace: cozy-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cozystack-controller-deployment-patch-update
+subjects:
+- kind: ServiceAccount
+ name: cozystack-controller
+ namespace: cozy-system
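Review bot: The new rule on `apps`/`deployments` in rbac.yaml grants `get`, `list` and `watch` with no namespace or name restriction, so if this rules list belongs to a ClusterRole (the `kind` is outside the hunk, though the neighbouring `namespaces` rule suggests it) the controller can read every Deployment spec in the cluster, including any credentials placed inline in container `env` or `args`. The write access added in role.yaml is limited to `cozystack-api` in `cozy-system`; if the controller only reads that one Deployment, the read verbs could live in that namespaced Role as well, provided the controller's watch can be limited to that namespace. If cluster-wide read is required, a comment above the rule would record why, e.g. `# cluster-wide read: <reason>; writes are limited to cozystack-api via the Role in role.yaml`.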
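Review bot: `patch` and `update` on the `cozystack-api` Deployment in role.yaml let the `cozystack-controller` ServiceAccount rewrite that Deployment's whole pod template (image, `serviceAccountName`, volumes), so the controller effectively holds whatever the cozystack-api pods are permitted to do. The `resourceNames` restriction keeps the grant to one object, but the Role does not say which field the controller is expected to change; a comment above the rule would make that auditable, e.g. `# controller changes only <field> on cozystack-api; pod-template write implies cozystack-api's privileges`. Separately, `cozy-system` is hard-coded in the Role, the RoleBinding and the subject; if this file is a Helm template (it sits under `templates/`) and the chart can be released into another namespace, the binding would no longer match the ServiceAccount, and `namespace: {{ .Release.Namespace }}` would avoid that.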