diff --git a/bundle/manifests/instana-agent-operator.clusterserviceversion.yaml b/bundle/manifests/instana-agent-operator.clusterserviceversion.yaml
index a9959691..00835cb7 100644
--- a/bundle/manifests/instana-agent-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/instana-agent-operator.clusterserviceversion.yaml
@@ -272,6 +272,11 @@ spec:
           - events
           verbs:
           - create
+        - nonResourceURLs:
+          - /version
+          - /healthz
+          verbs:
+          - get
         - apiGroups:
           - ""
           resources:
@@ -343,6 +348,15 @@ spec:
           verbs:
           - get
           - list
+          - watch
+        - apiGroups:
+          - security.openshift.io
+          resourceNames:
+          - privileged
+          resources:
+          - securitycontextconstraints
+          verbs:
+          - use
         serviceAccountName: controller-manager
       deployments:
       - name: controller-manager
diff --git a/ci/pipeline.yaml b/ci/pipeline.yaml
index 9b0b0b57..202ccdd6 100644
--- a/ci/pipeline.yaml
+++ b/ci/pipeline.yaml
@@ -369,7 +369,7 @@ jobs:
                 # Store the SHA of the manifest in a variable for use in the next pipeline task. Can only retrieve it while pushing
                 echo "---> Pushing multi-architectural manifest to docker.io"
                 docker manifest push --purge "docker.io/instana/instana-agent-operator:$OPERATOR_DOCKER_VERSION" | tee "latest-operator-image-manifest-sha/sha-${VERSION}"
-                
+
                 # Validate the SHA to be sure we captured something
                 if ! [[ $(cat "latest-operator-image-manifest-sha/sha-${VERSION}") =~ ^sha256:[0-9a-zA-Z]+$ ]]; then
                   echo "---> Did not manage to capture a valid digest for the manifest, aborting; $(cat "latest-operator-image-manifest-sha/sha-${VERSION}")"