diff --git a/Makefile b/Makefile index a9937367..d97e8d10 100644 --- a/Makefile +++ b/Makefile @@ -45,8 +45,16 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role crd paths="./api/...;./onmetal-api-net/..." output:crd:artifacts:config=config/onmetal-api-net/crd/bases output:rbac:artifacts:config=config/onmetal-api-net/rbac + + # apinetlet $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./apinetlet/..." output:rbac:artifacts:config=config/apinetlet/rbac + # poollet system roles + cp config/apinetlet/apinet-rbac/role.yaml config/onmetal-api-net/rbac/apinetlet_role.yaml + ./hack/replace.sh config/onmetal-api-net/rbac/apinetlet_role.yaml 's/apinet-role/apinet.api.onmetal.de:system:apinetlets/g' + ./hack/replace.sh config/onmetal-api-net/rbac/apinetlet_role.yaml 's/Role/ClusterRole/g' + ./hack/replace.sh config/onmetal-api-net/rbac/apinetlet_role.yaml '/namespace: system/d' + .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." diff --git a/config/onmetal-api-net/rbac/apinetlet_role.yaml b/config/onmetal-api-net/rbac/apinetlet_role.yaml index 489bd9d4..9901d8d2 100644 --- a/config/onmetal-api-net/rbac/apinetlet_role.yaml +++ b/config/onmetal-api-net/rbac/apinetlet_role.yaml 
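Review bot: The `s/Role/ClusterRole/g` substitution added to the `manifests` recipe is unanchored, so it rewrites every occurrence of `Role` in the copied file rather than only the `kind:` line; anchoring it, e.g. `'s/^kind: Role$/kind: ClusterRole/'`, keeps a later rule name, comment or existing `ClusterRole` string in `config/apinetlet/apinet-rbac/role.yaml` from being mangled. The copy-and-rewrite apparently promotes a namespaced Role to cluster scope (it also deletes `namespace: system`), and the regenerated `apinetlet_role.yaml` in this commit then carries `secrets` create/get/list/patch/update/watch, which applies to every namespace once the role is bound with a ClusterRoleBinding. A comment above the `cp` stating that this widening is intended, or a narrower secrets rule in the cluster-scoped copy, would make the privilege change reviewable. The added comment reads `# poollet system roles` although the file is the apinetlet role, and if it is tab-indented inside the recipe it is passed to the shell and echoed rather than treated as a Make comment.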
@@ -1,31 +1,57 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: apinet.api.onmetal.de:system:apinetlets rules: - apiGroups: - - apinet.api.onmetal.de + - apinet.api.onmetal.de resources: - - networks + - networks verbs: - - get - - list - - patch - - update - - watch - - create - - delete + - get + - list + - patch + - update + - watch + - create + - delete + - deletecollection - apiGroups: - - apinet.api.onmetal.de + - apinet.api.onmetal.de resources: - - publicips + - publicips verbs: - - get - - list - - patch - - update - - watch - - create - - delete + - get + - list + - patch + - update + - watch + - create + - delete + - deletecollection +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - create + - get + - list + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/networkpluginclient + verbs: + - create +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - patch + - update + - watch diff --git a/hack/replace.sh b/hack/replace.sh new file mode 100755 index 00000000..2b7267bb --- /dev/null +++ b/hack/replace.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +set -o errexit +set -o nounset +set -o pipefail + +FILE="$1" +EXPRESSION="$2" + +sed "$EXPRESSION" "$FILE" > "$FILE.bak" +mv "$FILE.bak" "$FILE"
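Review bot: `hack/replace.sh` writes through the fixed sibling path `"$FILE.bak"`, so it silently overwrites any existing file of that name, leaves a stale `.bak` behind when `sed` fails under `errexit`, and the final `mv` replaces the target with a file created under the current umask instead of keeping the original's mode. Creating the scratch file with `tmp="$(mktemp "$FILE.XXXXXX")"`, cleaning it up with `trap 'rm -f "$tmp"' EXIT`, and running `sed -e "$EXPRESSION" -- "$FILE" > "$tmp"` addresses the first two, and the `--` keeps a path that begins with `-` from being parsed as an option. The script has no header comment; one line stating that EXPRESSION is handed to sed verbatim, and must therefore only come from trusted callers such as the Makefile, would document the contract.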