diff --git a/config/setup/yurt-controller-manager.yaml b/config/setup/yurt-controller-manager.yaml
index 143e37d1a7a..d153a42351f 100644
--- a/config/setup/yurt-controller-manager.yaml
+++ b/config/setup/yurt-controller-manager.yaml
@@ -72,7 +72,32 @@ rules:
 verbs:
 - list
 - watch
-
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - signers
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs:
+ - approve
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/config/yaml-template/yurt-controller-manager.yaml b/config/yaml-template/yurt-controller-manager.yaml
index 63f69216a9a..ecd551fa349 100644
--- a/config/yaml-template/yurt-controller-manager.yaml
+++ b/config/yaml-template/yurt-controller-manager.yaml
@@ -72,6 +72,32 @@ rules:
 verbs:
 - list
 - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - signers
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs:
+ - approve
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/pkg/yurtctl/constants/constants.go b/pkg/yurtctl/constants/constants.go
index fae3378c928..0dffade6372 100644
--- a/pkg/yurtctl/constants/constants.go
+++ b/pkg/yurtctl/constants/constants.go
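Review bot: The added `certificatesigningrequests/approval` rule grants more verbs than an approver needs: an approval is submitted with `update` on that subresource and reading CSRs is already covered by the rule before it, so `get`, `list` and `watch` look unnecessary there, and `patch` should stay only if the controller really patches approvals. I would reduce that rule's verb list to the single entry `- update`. The third rule allows approving for `kubernetes.io/legacy-unknown`, a signer that places no restriction on the requested subject or key usages, so the approving code (not part of this diff) presumably has to check each CSR's subject, groups and usages itself; a comment above the rule stating which CSRs the controller is expected to approve would make that obligation visible. The same three rules are added in config/yaml-template/yurt-controller-manager.yaml and in the constants.go hunk, and the points apply there too.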
@@ -108,6 +108,32 @@ rules:
 verbs:
 - list
 - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/approval
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - signers
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs:
+ - approve
 `
 YurtControllerManagerClusterRoleBinding = `
 apiVersion: rbac.authorization.k8s.io/v1
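Review bot: This is a third hand-maintained copy of the ClusterRole rules, embedded here as a Go raw string next to the two YAML manifests, and nothing visible in the diff keeps the copies in step. For RBAC that matters, because a later narrowing of the CSR approval permissions can be applied to the manifests and missed in the string that yurtctl deploys. At minimum I would add a comment above the constant such as `// keep in sync with config/setup/yurt-controller-manager.yaml`; a unit test comparing the rules in the constant with that file would be stronger. The constant's declaration starts outside the hunk, so its name is not visible here.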