diff --git a/manifests/serviceaccount-rbac.yaml b/manifests/serviceaccount-rbac.yaml
index 2c8e657..b8bcf11 100644
--- a/manifests/serviceaccount-rbac.yaml
+++ b/manifests/serviceaccount-rbac.yaml
@@ -4,8 +4,6 @@ metadata:
   name: openclaw
   namespace: openclaw
 ---
-# Minimal Role/RoleBinding placeholder.
-# Adjust permissions once we know what OpenClaw needs (MCP, secrets read, etc.)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -15,6 +13,9 @@ rules:
   - apiGroups: [""]
     resources: ["pods", "pods/log"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding