diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
index fcf1687e57..3fe0a1ae18 100644
--- a/pkg/render/apiserver.go
+++ b/pkg/render/apiserver.go
@@ -1783,7 +1783,15 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 Resources: []string{"securityeventwebhooks"},
 Verbs: []string{"get", "list", "update", "patch", "create", "delete"},
 },
- // Allow the user to create and patch webhooks-secret secret.
+ // Allow the user to create secrets.
+ {
+ APIGroups: []string{""},
+ Resources: []string{
+ "secrets",
+ },
+ Verbs: []string{"create"},
+ },
+ // Allow the user to patch webhooks-secret secret.
 {
 APIGroups: []string{""},
 Resources: []string{
@@ -1792,7 +1800,7 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 ResourceNames: []string{
 "webhooks-secret",
 },
- Verbs: []string{"create", "patch"},
+ Verbs: []string{"patch"},
 },
 }
diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go
index 9d1079acf1..2bd6f5258f 100644
--- a/pkg/render/apiserver_test.go
+++ b/pkg/render/apiserver_test.go
@@ -1510,11 +1510,16 @@ var (
 Resources: []string{"securityeventwebhooks"},
 Verbs: []string{"get", "list", "update", "patch", "create", "delete"},
 },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"create"},
+ },
 {
 APIGroups: []string{""},
 Resources: []string{"secrets"},
 ResourceNames: []string{"webhooks-secret"},
- Verbs: []string{"create", "patch"},
+ Verbs: []string{"patch"},
 },
 }
 )
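Review bot: The new rule added in the first hunk of `pkg/render/apiserver.go` grants `create` on every core-group `secrets` object wherever this ClusterRole is bound, which is far wider than the single `webhooks-secret` the old rule named. Dropping `create` from the `resourceNames` rule in the second hunk is correct, because Kubernetes cannot restrict `create` by resource name, but the comment `// Allow the user to create secrets.` hides that trade-off; I would write `// resourceNames cannot restrict "create", so this grants create on all secrets wherever the role is bound; it is needed only for webhooks-secret.` If the role is bound cluster-wide (the binding is not visible here), consider moving this rule into a namespaced Role for the namespace that holds `webhooks-secret`, or having the operator pre-create that secret so that only the named `patch` rule is required. The body of `tigeraNetworkAdminClusterRole` starts and ends outside both hunks, so other secret-related rules in the role could not be checked.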