diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
index 332069d..09ebe32 100644
--- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
@@ -22,6 +22,32 @@ rules:
 verbs:
 - 'create'
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flow-schema-reader
+ labels:
+ app: cert-manager-webhook-dnsimple
+rules:
+ - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: grant-flow-schema-permission
+ labels:
+ app: cert-manager-webhook-dnsimple
+subjects:
+ - kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: cert-manager
+roleRef:
+ kind: ClusterRole
+ name: flow-schema-reader
+ apiGroup: rbac.authorization.k8s.io
+---
 # apiserver gets the auth-delegator role to delegate auth decisions to the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
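Review bot: The two added cluster-scoped objects use generic names, `flow-schema-reader` and `grant-flow-schema-permission`, so any other component that ships a ClusterRole or binding under the same name would overwrite or contend for them; prefixing with the app, e.g. `name: cert-manager-webhook-dnsimple:flow-schema-reader` (and the same value in `roleRef.name`), keeps ownership unambiguous. The grant itself is read-only (`list` and `watch` on `flowschemas` and `prioritylevelconfigurations`), which is suitably narrow. Unlike the auth-delegator binding that follows, it has no comment saying why the webhook needs it; something like `# webhook's embedded apiserver reads API Priority and Fairness objects; read-only` would help a later RBAC audit, assuming that is the reason. The subject hard-codes `webhook-dnsimple` in `cert-manager`, and the ServiceAccount is not visible in this hunk, so confirm the name matches what the chart creates: a binding to a non-existent account is accepted without error and would apply to whatever account is later created under that name.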