diff --git a/charts/woodpecker-agent/templates/role.yaml b/charts/woodpecker-agent/templates/role.yaml
new file mode 100644
index 000000000..dfb08aa79
--- /dev/null
+++ b/charts/woodpecker-agent/templates/role.yaml
@@ -0,0 +1,27 @@
+{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "woodpecker-agent.serviceAccountName" . }}
+ labels:
+ {{- include "woodpecker-agent.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.rbac.role.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.rbac.role.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: [''] # '' indicates core apiGroup (don't remove)
+ resources: ['persistentvolumeclaims']
+ verbs: ['create','delete']
+ - apiGroups: ['']
+ resources: ['services']
+ verbs: ['create','delete']
+ - apiGroups: ['']
+ resources:
+ - pods
+ - pods/log
+ verbs: ['watch','create','delete','get','list']
+{{- end }}
diff --git a/charts/woodpecker-agent/templates/rolebinding.yaml b/charts/woodpecker-agent/templates/rolebinding.yaml
new file mode 100644
index 000000000..b7f52da51
--- /dev/null
+++ b/charts/woodpecker-agent/templates/rolebinding.yaml
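Review bot: The third rule grants `watch`, `create`, `delete` and `list` on the `pods/log` subresource as well as on `pods`, because both resources share one rule; the API server only serves `get` on the log subresource, so the extra verbs are inert today but read as a broader grant than the agent needs and will be flagged by least-privilege policy checks. Splitting `pods` and `pods/log` into two rules keeps the Role minimal without changing what the agent can do. The flow lists also lack a space after each comma (`['create','delete']`), and `resources` switches between flow and block style across the three rules; settle on one form.

```yaml
rules:
  # … unchanged: persistentvolumeclaims and services rules …
  - apiGroups: ['']
    resources: ['pods']
    verbs: ['watch', 'create', 'delete', 'get', 'list']
  - apiGroups: ['']
    resources: ['pods/log']
    verbs: ['get']
```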
@@ -0,0 +1,23 @@
+{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "woodpecker-agent.serviceAccountName" . }}
+ labels:
+ {{- include "woodpecker-agent.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.rbac.roleBinding.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.rbac.roleBinding.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "woodpecker-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "woodpecker-agent.serviceAccountName" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/woodpecker-agent/values.yaml b/charts/woodpecker-agent/values.yaml
index ab8469d21..731682597 100644
--- a/charts/woodpecker-agent/values.yaml
+++ b/charts/woodpecker-agent/values.yaml
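Review bot: The guard `{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}` ties the binding to chart-managed service accounts, so a user who sets `serviceAccount.create: false` and points `serviceAccount.name` at a pre-existing account gets no Role or RoleBinding even with `rbac.create: true`, and the chart gives no hint that the permissions now have to be granted out of band. If `woodpecker-agent.serviceAccountName` resolves to the configured name when `create` is false (the usual scaffold behaviour, not visible in this diff), gating this file and role.yaml on `{{- if .Values.serviceAccount.rbac.create -}}` alone would let the chart bind an externally managed account as well. If the coupling is intentional, a NOTES.txt entry or a values comment should state what the operator must grant manually.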
@@ -31,13 +31,27 @@
 nameOverride: ""
 fullnameOverride: ""
 serviceAccount:
- # Specifies whether a service account should be created
+ # Specifies whether a service account should be created (also see RBAC subsection)
 create: true
 # Annotations to add to the service account
 annotations: {}
 # The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
 name: ""
+ rbac:
+ # If your cluster has RBAC enabled and you're using the Kubernetes agent-
+ # backend you'll need this. (this is true for almost all production clusters)
+ # only change this if you have a non CNCF compliant cluster, missing the RBAC endpoints
+ # the Role and RoleBinding are only created if serviceAccount.create is also true
+ create: true
+ # additional annotations and labels in role and roleBinding are only needed, if you
+ # are using additional tooling to manage / verify roles or roleBindings (OPA, etc.)
+ role:
+ annotations: {}
+ labels: {}
+ roleBinding:
+ annotations: {}
+ labels: {}
 podAnnotations: {}
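Review bot: The new `rbac` comment block says when the flag is needed but not what enabling it grants, so an operator cannot judge the blast radius from values.yaml alone; the Role introduced by this change allows `create`/`delete` on pods, services and persistentvolumeclaims plus `get`/`list`/`watch` on pods and pods/log in the release namespace. One line above `create: true` such as `# Creates a namespaced Role/RoleBinding granting create/delete on pods, services and PVCs (see templates/role.yaml)` would make the default reviewable without opening the templates. The phrase `non CNCF compliant cluster, missing the RBAC endpoints` is also unclear about the actual condition; `a cluster whose API server runs without the RBAC authorizer` names it directly.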