diff --git a/kube/deploy/core/monitoring/fluentbit/app/config/fluent-bit.yaml b/kube/deploy/core/monitoring/fluentbit/app/config/fluent-bit.yaml
index 0bed5331..b9c18ec9 100644
--- a/kube/deploy/core/monitoring/fluentbit/app/config/fluent-bit.yaml
+++ b/kube/deploy/core/monitoring/fluentbit/app/config/fluent-bit.yaml
@@ -19,7 +19,7 @@ pipeline:
       "k8s-logging.parser": "on"
       "k8s-logging.exclude": "on"
       namespace_labels: "on"
-    #   use_kubelet: "on"
+    #   use_kubelet: "on" # wanna use it but can't verify TLS without rotate-server-certificates :(
     #   kubelet_host: "$${KUBE_NODE_IP}"
     #   tls.verify: "off"
     # - name: stdout
diff --git a/kube/deploy/core/monitoring/fluentbit/app/rbac.yaml b/kube/deploy/core/monitoring/fluentbit/app/rbac.yaml
index f286be67..a609e214 100644
--- a/kube/deploy/core/monitoring/fluentbit/app/rbac.yaml
+++ b/kube/deploy/core/monitoring/fluentbit/app/rbac.yaml
@@ -5,7 +5,8 @@ metadata:
   name: "fluentbit"
 rules:
   - apiGroups: [""]
-    resources: ["pods", "namespaces", "nodes", "nodes/proxy"]
+    # resources: ["pods", "namespaces", "nodes", "nodes/proxy"] # use when use_kubelet enabled
+    resources: ["pods", "namespaces"]
     verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -15,14 +16,14 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: *app
 subjects:
   - kind: ServiceAccount
     name: *app
     namespace: *app
-  - apiGroup: rbac.authorization.k8s.io
-    kind: Group
-    name: system:serviceaccounts
+  # - apiGroup: rbac.authorization.k8s.io
+  #   kind: Group
+  #   name: system:serviceaccounts
 ---
 apiVersion: v1
 kind: ServiceAccount