diff --git a/apis/apps/v1/componentdefinition_types.go b/apis/apps/v1/componentdefinition_types.go
index 33a1ef5d626..7e95eb981aa 100644
--- a/apis/apps/v1/componentdefinition_types.go
+++ b/apis/apps/v1/componentdefinition_types.go
@@ -489,6 +489,8 @@ type ComponentDefinitionSpec struct {
 // for the Component based on the specified policy rules.
 // This ensures that the Pods in the Component has appropriate permissions to function.
 //
+ // To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+ //
 // This field is immutable.
 //
 // +optional
diff --git a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
index 09d0003e11b..39f2d171172 100644
--- a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
+++ b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
@@ -8331,6 +8331,9 @@ spec: This ensures that the Pods in the Component has appropriate permissions to function. + To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here. + + This field is immutable. items: description: |-
diff --git a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
index 09d0003e11b..39f2d171172 100644
--- a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
+++ b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
@@ -8331,6 +8331,9 @@ spec: This ensures that the Pods in the Component has appropriate permissions to function. + To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here. + + This field is immutable. items: description: |-
diff --git a/deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml b/deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml
new file mode 100644
index 00000000000..366dc78bc34
--- /dev/null
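Review bot: The new sentence in the policy-rules doc comment promises that only permissions the operator already holds can be listed, but nothing in this hunk shows where that is checked; if the check lives in a controller or an admission webhook, the comment should name it and say what happens to a ComponentDefinition whose rules fall outside the operator's own ClusterRoles, otherwise readers will take the sentence as an enforced guarantee rather than an intent. A compact form, with the placeholder filled in: `// Rules not already granted to the KubeBlocks operator are rejected; see <validating code> for the check.` The ComponentDefinitionSpec struct extends beyond the hunk on both sides.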
+++ b/deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.enabled }}
+# Additional role that is required for addons. Can be defined by user.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "kubeblocks.fullname" . }}-rbac-manager-role
+ labels:
+ {{- include "kubeblocks.labels" . | nindent 4 }}
+rules:
+# rabbitmq needs this
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+# user defined rules
+{{- with .Values.rbac.additionalPolicyRules }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index 14e11594ce6..b0da3e0dec7 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -69,10 +69,15 @@ fullnameOverride: ""
 ##
 ## If it is set to false, then you will need to create the service account
 ## named `cluster.ComponentSpec.ServiceAccountName` and the corresponding (cluster) role binding
-## manually or through the cluster's Helm template, as shown in the example:
-## helm install mysql apecloud-mysql-cluster
+## manually.
+##
+## @param rbac.additionalPolicyRules
+## In your Componentdefinition CR's `policyRules` field, you can only define rules kubeblocks
+## already has. If you want to define a rule that kubeblocks does not have, you can add it here.
+## This field is `[]rbacv1.PolicyRule`.
 rbac:
 enabled: true
+ additionalPolicyRules: []
 ## Deployment update strategy.
 ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
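Review bot: The `endpoints`/`get` rule is rendered whenever `rbac.enabled` is true, so every install carries a cluster-wide grant that only the rabbitmq addon needs, and whatever is placed in `rbac.additionalPolicyRules` is spliced into the same ClusterRole by `toYaml` without any check. Because the spec comment in componentdefinition_types.go makes the rules held by the operator the set that ComponentDefinitions may delegate to Pods, a rule added here widens both the operator's own privileges and what addons can hand to workloads; the values.yaml `@param` text in the next hunk should say so, e.g. `## Every rule listed here becomes a cluster-wide permission of the KubeBlocks operator and may be delegated to component Pods through ComponentDefinition.spec.policyRules; keep it minimal.` No ClusterRoleBinding for `-rbac-manager-role` appears in this diff; if the binding lives in another template that is fine, otherwise the role is inert. The file name `rbac_manager_additaional_role.yaml` misspells "additional"; renaming it to `rbac_manager_additional_role.yaml` before it ships avoids a later rename.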