diff --git a/Tiltfile b/Tiltfile
index b947fa60..c8dbc691 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -21,6 +21,23 @@ namespace_create('kubewarden')
 
 # Install CRDs
 crd = kustomize('config/crd')
 k8s_yaml(crd)
+roles = decode_yaml_stream(kustomize('config/rbac'))
+cluster_rules = []
+namespace_rules = []
+roles_rules_mapping = {
+    "ClusterRole": {},
+    "Role": {},
+}
+
+for role in roles:
+    if role.get('kind') == 'ClusterRole':
+        roles_rules_mapping["ClusterRole"][role.get('metadata').get('name')] = role.get('rules')
+    elif role.get('kind') == 'Role':
+        roles_rules_mapping["Role"][role.get('metadata').get('name')] = role.get('rules')
+
+if len(roles_rules_mapping["ClusterRole"]) == 0 or len(roles_rules_mapping["Role"]) == 0:
+    fail("Failed to load cluster and namespace roles")
+
 # Install kubewarden-controller helm chart
 install = helm(
@@ -38,7 +55,16 @@ for o in objects:
     o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
     # Disable the leader election to speed up the startup time.
     o['spec']['template']['spec']['containers'][0]['args'].remove('--leader-elect')
-    break
+
+    # Update the cluster and namespace roles used by the controller. This ensures
+    # that always we have the latest roles applied to the cluster.
+    if o.get('kind') == 'ClusterRole' and o.get('metadata').get('name') == 'kubewarden-controller-manager-cluster-role':
+        o['rules'] = roles_rules_mapping["ClusterRole"]["manager-role"]
+    if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-manager-namespaced-role':
+        o['rules'] = roles_rules_mapping["Role"]["manager-role"]
+    if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-leader-election-role':
+        o['rules'] = roles_rules_mapping["Role"]["leader-election-role"]
+
 
 updated_install = encode_yaml_stream(objects)
 k8s_yaml(updated_install)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index a0dfa514..047a13f1 100644
--- a/config/rbac/role.yaml
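Review bot: The guard at the end of the hunk, `if len(roles_rules_mapping["ClusterRole"]) == 0 or len(roles_rules_mapping["Role"]) == 0:`, only proves that some roles were decoded, while the overrides in the following hunk index the fixed names `manager-role` and `leader-election-role`; a rename in config/rbac would then surface as a key error inside the object loop instead of this clear `fail(...)`. Checking the expected keys here, e.g. `if "manager-role" not in roles_rules_mapping["ClusterRole"] or "leader-election-role" not in roles_rules_mapping["Role"]:`, keeps the failure at the point where the roles are loaded. `cluster_rules` and `namespace_rules` are assigned and never read in either hunk and can be dropped. `role.get('metadata').get('name')` also assumes every decoded document carries metadata; `role.get('metadata', {}).get('name')` would skip a malformed document instead of aborting the whole Tiltfile.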
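Review bot: The three overrides match on literal chart object names (`kubewarden-controller-manager-cluster-role`, `kubewarden-controller-manager-namespaced-role`, `kubewarden-controller-leader-election-role`), so a rename in the helm chart would make the Tilt environment silently keep the chart's RBAC instead of the repo's config/rbac rules, which is the opposite of what the new comment promises. Recording whether each override fired and calling `fail(...)` after the loop when one did not would make that drift visible at startup. The `for o in objects:` loop starts before the hunk, so whether the new `if` blocks sit at the same nesting level as the deployment-patching lines above them cannot be confirmed from here; if they are inside the branch that patches the Deployment they can never match a Role or ClusterRole. The comment wording `that always we have the latest roles` reads better as `that we always have the latest roles`.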
+++ b/config/rbac/role.yaml
@@ -73,6 +73,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers/status
+  verbs:
+  - get
+  - patch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -93,15 +119,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - replicasets
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - apps
   resources:
@@ -132,29 +149,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers
-  verbs:
-  - delete
-  - get
-  - list
-  - watch
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - policy
   resources:
diff --git a/controllers/admissionpolicy_controller.go b/controllers/admissionpolicy_controller.go
index 88ee9413..fe4685ef 100644
--- a/controllers/admissionpolicy_controller.go
+++ b/controllers/admissionpolicy_controller.go
@@ -46,11 +46,8 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/finalizers,verbs=update
 //
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // AdmissionPolicyReconciler reconciles an AdmissionPolicy object
 type AdmissionPolicyReconciler struct {
diff --git a/controllers/clusteradmissionpolicy_controller.go b/controllers/clusteradmissionpolicy_controller.go
index cf5d4c73..6fcc0194 100644
--- a/controllers/clusteradmissionpolicy_controller.go
+++ b/controllers/clusteradmissionpolicy_controller.go
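Review bot: The replacement comment `Some RBAC rules needed to access some resources used here are defined in the policyserver_controller.go file.` does not say which resources, so a later edit to the policyserver markers has no way to tell that this reconciler appears to still depend on them; the markers removed in this hunk covered pods and replicasets/deployments in the controller namespace. Naming them, e.g. `// This reconciler also reads pods, replicasets and deployments in the controller namespace; the RBAC markers granting that access live in policyserver_controller.go.`, keeps the dependency discoverable. The same comment is added in clusteradmissionpolicy_controller.go, where it additionally replaces the `//` separator line with a blank line while this file keeps the separator; the two files should use the same layout.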
@@ -45,12 +45,9 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=get;list;watch;delete
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/finalizers,verbs=update
-//
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // ClusterAdmissionPolicyReconciler reconciles a ClusterAdmissionPolicy object
 type ClusterAdmissionPolicyReconciler struct {
diff --git a/controllers/policyserver_controller.go b/controllers/policyserver_controller.go
index f49f68c0..3516beae 100644
--- a/controllers/policyserver_controller.go
+++ b/controllers/policyserver_controller.go
@@ -50,11 +50,11 @@ type PolicyServerReconciler struct {
 // We need access to these resources only inside of the namespace where the
 // controller is deployed. Here we assume it's being deployed inside of the
 // `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete;create;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=secrets;services;configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=create;update;patch;delete;get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
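Review bot: The three context lines above the rewritten markers still say these resources are needed `only inside of the namespace where the controller is deployed`, but the new policyservers, policyservers/status and policyservers/finalizers markers drop `namespace=kubewarden` and, as the role.yaml change in this commit shows, now land in the ClusterRole; that paragraph now describes only the secrets/services/configmaps, deployments, replicasets, pods and poddisruptionbudgets markers below it and should be moved directly above the first of those. The policyservers rule also gains `create;update;patch`, and nothing in the hunk shows what the reconciler creates or mutates on PolicyServer objects beyond status and finalizers, so a why-comment such as `// create/update/patch on policyservers: <reason — TODO confirm against the reconciler>` above the marker would let a reviewer check the cluster-wide grant is the minimum needed. The reordering of the deployments verbs is cosmetic and does not change the generated role.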