diff --git a/pkg/webhook/managedresource/validatingadmissionpolicy.go b/pkg/webhook/managedresource/validatingadmissionpolicy.go
index c1b7516b7..e86b09ae8 100644
--- a/pkg/webhook/managedresource/validatingadmissionpolicy.go
+++ b/pkg/webhook/managedresource/validatingadmissionpolicy.go
@@ -67,7 +67,7 @@ func GetValidatingAdmissionPolicy(isHub bool) *admv1.ValidatingAdmissionPolicy {
 			},
 			Validations: []admv1.Validation{
 				{
-					Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups`,
+					Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups`,
 					Message:    "Create, Update, or Delete operations on ARM managed resources is forbidden",
 					Reason:     &forbidden,
 				},