diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
index 09ebe32..4c65958 100644
--- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
@@ -22,6 +22,26 @@ rules:
 verbs:
 - 'create'
 ---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: webhook-dnsimple:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: cert-manager-webhook-dnsimple
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: cert-manager
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
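Review bot: The `subjects` entry of the new RoleBinding hard-codes ServiceAccount `webhook-dnsimple` in namespace `cert-manager`, and nothing in this hunk shows that the webhook pod runs as that account; the ServiceAccount and Deployment are defined outside it. RBAC does not check that a subject exists, so a name that differs from what the chart creates would apply cleanly and leave the grant dangling for whichever account later takes that name. After deploy it is worth confirming with `kubectl auth can-i get configmap/extension-apiserver-authentication -n kube-system --as=system:serviceaccount:cert-manager:webhook-dnsimple`. The comment could also name the object and record the dependency, e.g. `# Reads kube-system/extension-apiserver-authentication via the built-in Role extension-apiserver-authentication-reader; subject must match the webhook's ServiceAccount.`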