diff --git a/config/rootcompute/kube-1.24/clusterrole-kubernetes-apiexport-bind.yaml b/config/rootcompute/kube-1.24/clusterrole-kubernetes-apiexport-bind.yaml
new file mode 100644
index 00000000000..2d79b807ff2
--- /dev/null
+++ b/config/rootcompute/kube-1.24/clusterrole-kubernetes-apiexport-bind.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ bootstrap.kcp.io/create-only: "true"
+ bootstrap.kcp.io/battery: root-compute-workspace
+ name: compute:apiexport:kubernetes:bind
+rules:
+- apiGroups: ["apis.kcp.io"]
+ resources:
+ - "apiexports"
+ resourceNames:
+ - "kubernetes"
+ verbs: ["bind"]
diff --git a/config/rootcompute/kube-1.24/clusterrolebinding-kubernetes-apiexport-bind.yaml b/config/rootcompute/kube-1.24/clusterrolebinding-kubernetes-apiexport-bind.yaml
new file mode 100644
index 00000000000..bd50eef3907
--- /dev/null
+++ b/config/rootcompute/kube-1.24/clusterrolebinding-kubernetes-apiexport-bind.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ bootstrap.kcp.io/create-only: "true"
+ bootstrap.kcp.io/battery: root-compute-workspace
+ name: compute:apiexport:kubernetes:bind
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: compute:apiexport:kubernetes:bind
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:authenticated
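Review bot: The only subject of the new ClusterRoleBinding is the group `system:authenticated`, so every authenticated identity is granted `bind` on the `kubernetes` APIExport, and nothing in the manifest records that this breadth is deliberate. If it is the intended default for the root compute workspace, a comment above `subjects:` would make that reviewable, for example `# Intentional: any authenticated user may bind the kubernetes APIExport from this workspace.` The ClusterRole in the first file is scoped tightly (one resource, one `resourceNames` entry, one verb), so the subject list is the only place where access is wide. Because both objects carry `bootstrap.kcp.io/create-only: "true"`, a later narrowing of the subjects in this file will presumably not reach installations where the binding already exists, so it is worth settling the group now or noting how existing bindings would be updated.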