diff --git a/charts/cert-manager-webhook-hetzner/templates/rbac.yaml b/charts/cert-manager-webhook-hetzner/templates/rbac.yaml
index 09633c4..db9d891 100644
--- a/charts/cert-manager-webhook-hetzner/templates/rbac.yaml
+++ b/charts/cert-manager-webhook-hetzner/templates/rbac.yaml
@@ -121,4 +121,44 @@ subjects:
   - apiGroup: ""
     kind: ServiceAccount
     name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
-    namespace: {{ .Release.Namespace }}
\ No newline at end of file
+    namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "cert-manager-webhook-hetzner.name" . }}
+    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - "flowcontrol.apiserver.k8s.io"
+    resources:
+      - 'prioritylevelconfigurations'
+      - 'flowschemas'
+    verbs:
+      - 'list'
+      - 'watch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "cert-manager-webhook-hetzner.name" . }}
+    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
+    namespace: {{ .Release.Namespace | quote }}
+---
\ No newline at end of file
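Review bot: The comment on the new `flowcontrol-solver` ClusterRole says it grants *cert-manager* permission, but the ClusterRoleBinding below it binds the role to the webhook's own ServiceAccount (`name: {{ include "cert-manager-webhook-hetzner.fullname" . }}`), so the comment describes the wrong principal; I would replace it with `# Allow the webhook's aggregated API server (its own ServiceAccount) to read API Priority and Fairness config; read-only, cluster-scoped`. The two subject blocks in the hunk also disagree on quoting: the re-added context subject keeps `namespace: {{ .Release.Namespace }}` while the new binding uses `namespace: {{ .Release.Namespace | quote }}` — the first should be `| quote` as well so a release namespace that YAML would retype (all digits, boolean-looking) renders as a string. Quoting inside `rules` is mixed too (`"flowcontrol.apiserver.k8s.io"` vs `'prioritylevelconfigurations'`); pick one style for the file. The hunk ends with a bare `+---` and the file still has no trailing newline, which yields an empty trailing document; Helm tolerates it, but dropping that separator (or ending the file with a newline) keeps yamllint and stricter YAML tooling quiet. The first three context lines belong to a binding whose header is outside the hunk.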