diff --git a/charts/argo/templates/workflow-controller-clusterrole.yaml b/charts/argo/templates/workflow-controller-clusterrole.yaml
new file mode 100644
index 00000000..ad4c52c6
--- /dev/null
+++ b/charts/argo/templates/workflow-controller-clusterrole.yaml
@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Release.name }}-{{ .Values.controllerName}}-cluster-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
diff --git a/charts/argo/templates/workflow-controller-crb.yaml b/charts/argo/templates/workflow-controller-crb.yaml
new file mode 100644
index 00000000..641ad1a6
--- /dev/null
+++ b/charts/argo/templates/workflow-controller-crb.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.name }}-{{ .Values.controllerName}}-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.name }}-{{ .Values.controllerName}}-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.workflowServiceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if .Values.workflowNamespaces }}
+{{- $uiServiceAccount := .Values.workflowServiceAccount }}
+{{- $namespace := .Release.Namespace }}
+{{- range $key := .Values.workflowNamespaces }}
+ {{- if not (eq $key $namespace) }}
+ - kind: ServiceAccount
+ name: {{ $uiServiceAccount }}
+ namespace: {{ $key }}
+ {{- end }}
+{{- end }}
+{{- end }}
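Review bot: `{{ .Release.name }}` in `metadata.name` of workflow-controller-clusterrole.yaml is not a Helm built-in; the field is `.Release.Name`, so the lowercase form will not resolve to the release name and this cluster-scoped role loses its per-release prefix. The same spelling is used in workflow-controller-crb.yaml for `metadata.name` and `roleRef.name`, while `.Release.Namespace` there is spelled correctly. Change the line to `name: {{ .Release.Name }}-{{ .Values.controllerName }}-cluster-role`, and likewise in the binding. Separately, the first rule lists `pods/exec` together with `pods` under six verbs at cluster scope; I would move `pods/exec` into its own rule limited to the verbs the controller really uses, with a comment saying why exec is needed.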
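Review bot: Every subject in this ClusterRoleBinding receives the role in all namespaces, because a ClusterRoleBinding is not limited to the namespace of its subject; listing the `workflowServiceAccount` of each entry in `workflowNamespaces` therefore gives each of those accounts `pods/exec` and pod create/update/patch cluster-wide. If each account only needs to act in its own namespace, render one `RoleBinding` per namespace that references the ClusterRole, as sketched below; the release namespace would need the same binding when it is not in the list. The file name says workflow-controller while the subject is `.Values.workflowServiceAccount` and the loop copies it into `$uiServiceAccount`, so it is worth confirming which account is meant before narrowing.

```yaml
# Inside range the dot is rebound, so chart-level values are read through `$`.
{{- range $ns := .Values.workflowNamespaces }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "{{ $.Release.Name }}-{{ $.Values.controllerName }}-binding"
  namespace: "{{ $ns }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "{{ $.Release.Name }}-{{ $.Values.controllerName }}-cluster-role"
subjects:
  - kind: ServiceAccount
    name: "{{ $.Values.workflowServiceAccount }}"
    namespace: "{{ $ns }}"
{{- end }}
```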