diff --git a/controlplane/config/rbac/kustomization.yaml b/controlplane/config/rbac/kustomization.yaml
index 731832a6a..370f0ae02 100644
--- a/controlplane/config/rbac/kustomization.yaml
+++ b/controlplane/config/rbac/kustomization.yaml
@@ -16,3 +16,4 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+- tetrapod_clients.yaml
diff --git a/controlplane/config/rbac/role.yaml b/controlplane/config/rbac/role.yaml
index 1a36a0077..2f74605cb 100644
--- a/controlplane/config/rbac/role.yaml
+++ b/controlplane/config/rbac/role.yaml
@@ -5,6 +5,14 @@ metadata:
 creationTimestamp: null
 name: manager-role
 rules:
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - cidrblocks
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - controlplane.miscord.win
 resources:
diff --git a/controlplane/config/rbac/tetrapod_clients.yaml b/controlplane/config/rbac/tetrapod_clients.yaml
new file mode 100644
index 000000000..49cc1ff6a
--- /dev/null
+++ b/controlplane/config/rbac/tetrapod_clients.yaml
@@ -0,0 +1,60 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tetrapod-clients-role
+rules:
+# CIDRClaimTemplates
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - cidrclaimtemplates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - cidrclaimtemplates/status
+ verbs:
+ - get
+
+# CIDRClaims
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - cidrclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - cidrclaims/status
+ verbs:
+ - get
+
+# PeerNodes
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - peernodes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - controlplane.miscord.win
+ resources:
+ - peernodes/status
+ verbs:
+ - get
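Review bot: The new ClusterRole `tetrapod-clients-role` in tetrapod_clients.yaml grants `create`, `delete`, `patch` and `update` on every `cidrclaims` and `peernodes` object, and nothing in the file says how it is meant to be bound. RBAC rules like these cannot tell one client's objects from another's, so if the role is attached with a ClusterRoleBinding, or with a RoleBinding in a namespace several clients share, a single client credential could rewrite or delete another node's PeerNode or CIDRClaim. I would add a header comment such as `# Bind per client with a RoleBinding in that client's own namespace; avoid a ClusterRoleBinding.` (assuming these resources are namespaced, which the diff does not show) and drop `delete`/`patch` unless clients really need them. No binding or subject is added in this commit, so who receives the role is not visible here and should be checked where the binding is created.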
diff --git a/controlplane/controllers/cidrclaim_controller.go b/controlplane/controllers/cidrclaim_controller.go
index e60f304f6..c940505d9 100644
--- a/controlplane/controllers/cidrclaim_controller.go
+++ b/controlplane/controllers/cidrclaim_controller.go
@@ -43,6 +43,7 @@ type CIDRClaimReconciler struct {
 //+kubebuilder:rbac:groups=controlplane.miscord.win,resources=cidrclaims,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=controlplane.miscord.win,resources=cidrclaims/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=controlplane.miscord.win,resources=cidrclaims/finalizers,verbs=update
+//+kubebuilder:rbac:groups=controlplane.miscord.win,resources=cidrblocks,verbs=get;list;watch

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.