diff --git a/tailscale/rbac.yaml b/tailscale/rbac.yaml
new file mode 100644
index 0000000..8712bbd
--- /dev/null
+++ b/tailscale/rbac.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tailscale-operator
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups: ['']
+ resources: ['secrets', 'services', 'endpoints']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['']
+ resources: ['nodes']
+ verbs: ['get', 'list', 'update', 'patch']
+- apiGroups: ['apps']
+ resources: ['daemonsets']
+ verbs: ['get', 'list', 'watch']
+- apiGroups: ['tailscale.com']
+ resources: ['*']
+ verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+- apiGroups: ['coordination.k8s.io']
+ resources: ['leases']
+ verbs: ['get', 'create', 'update']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tailscale-operator
+ labels:
+ app.kubernetes.io/name: tailscale
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tailscale-operator
+subjects:
+- kind: ServiceAccount
+ name: tailscale-operator
+ namespace: tailscale
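Review bot: The first rule of the ClusterRole grants get/list/watch/create/update/patch/delete on `secrets` (alongside `services` and `endpoints`) with no namespace scope, and the ClusterRoleBinding at the end of the hunk applies it cluster-wide, so the `tailscale-operator` ServiceAccount can read and rewrite every Secret in every namespace. If the operator only needs to manage its own state Secrets in the `tailscale` namespace, the `secrets` write verbs belong in a namespaced Role plus RoleBinding there, leaving the ClusterRole with the access that is genuinely cluster-scoped (`nodes`, `services`, the `tailscale.com` resources); if cluster-wide Secret access really is required, record the reason above the rule, e.g. `# cluster-wide secrets access is needed because <reason> — confirm against the operator's reconcilers`. The `resources: ['*']` wildcard on the `tailscale.com` group would likewise be easier to audit as an explicit list of the CRDs the operator owns, since a wildcard silently absorbs any kind added to that group later.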