diff --git a/aws/deploy-role-bindings/README.md b/aws/deploy-role-bindings/README.md
index 925fa964..b8892d9d 100644
--- a/aws/deploy-role-bindings/README.md
+++ b/aws/deploy-role-bindings/README.md
@@ -60,8 +60,10 @@ module "workload_platform" {
 | Name | Type |
 |------|------|
+| [kubernetes_cluster_role.cluster_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
+| [kubernetes_cluster_role_binding.cluster_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_role.deploy_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource |
-| [kubernetes_role_binding.cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 ## Inputs
diff --git a/aws/deploy-role-bindings/main.tf b/aws/deploy-role-bindings/main.tf
index 8855c71d..7fba2f4e 100644
--- a/aws/deploy-role-bindings/main.tf
+++ b/aws/deploy-role-bindings/main.tf
@@ -1,9 +1,8 @@
-resource "kubernetes_role_binding" "cluster" {
+resource "kubernetes_cluster_role_binding" "cluster" {
   for_each = toset(var.cluster_roles)
   metadata {
-    name = var.name
-    namespace = var.namespace
+    name = var.name
   }
   role_ref {
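Review bot: Every instance of `kubernetes_cluster_role_binding.cluster` produced by `for_each = toset(var.cluster_roles)` gets the same `metadata.name = var.name`, and ClusterRoleBinding names are unique cluster-wide, so with more than one entry in `var.cluster_roles` the second instance will fail to create; the old RoleBinding had the same collision within `var.namespace`, but the move to a cluster-scoped object is the moment to fix it, e.g. `name = "${var.name}-${each.key}"`. A comment above the resource should also state that each listed ClusterRole is now granted across all namespaces rather than only in `var.namespace`, since that is a wider grant than the module previously made and callers should see it in the README as well. The `role_ref` block of this resource continues outside the hunk.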
@@ -19,6 +18,38 @@ resource "kubernetes_role_binding" "cluster" {
   }
 }
+resource "kubernetes_cluster_role" "cluster_crd" {
+  metadata {
+    name = "${var.name}-cluster-crd"
+  }
+
+  rule {
+    api_groups = ["apiextensions.k8s.io"]
+    resources = ["customresourcedefinitions"]
+    verbs = ["get", "list"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "cluster_crd" {
+  metadata {
+    name = "${var.name}-cluster-crd"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind = "ClusterRole"
+    name = "${var.name}-cluster-crd"
+  }
+
+  subject {
+    kind = "Group"
+    name = var.group
+    api_group = "rbac.authorization.k8s.io"
+  }
+
+  depends_on = [kubernetes_cluster_role.cluster_crd]
+}
+
 resource "kubernetes_role_binding" "crd" {
   metadata {
     name = kubernetes_role.deploy_crd.metadata[0].name
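Review bot: The new `kubernetes_cluster_role_binding.cluster_crd` repeats the literal `"${var.name}-cluster-crd"` in `role_ref.name` instead of referencing the ClusterRole it binds, and then needs an explicit `depends_on` to order creation; the existing `kubernetes_role_binding.crd` in the context lines just below already uses the reference form (`kubernetes_role.deploy_crd.metadata[0].name`). For consistency use `name = kubernetes_cluster_role.cluster_crd.metadata[0].name` in `role_ref` and drop the `depends_on` line, which Terraform then infers, so the two names cannot drift apart if one is renamed. A short comment on `kubernetes_cluster_role.cluster_crd` would also help readers, along the lines of `# CRDs are cluster-scoped, so read access to them cannot come from the namespaced deploy_crd Role; this ClusterRole is deliberately limited to get/list.` — the motivation is inferred from the file, so confirm it before committing the wording.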