diff --git a/woodpecker/woodpecker-permissions.yaml b/woodpecker/woodpecker-permissions.yaml
new file mode 100644
index 0000000..43cf806
--- /dev/null
+++ b/woodpecker/woodpecker-permissions.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: woodpecker-ci-role
+ namespace: woodpecker
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "pods/log", "pods/exec", "pods/status", "persistentvolumeclaims", "secrets"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: woodpecker-ci-binding
+ namespace: woodpecker
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: woodpecker
+roleRef:
+ kind: Role
+ name: woodpecker-ci-role
+ apiGroup: rbac.authorization.k8s.io
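Review bot: The RoleBinding subject is the namespace's `default` ServiceAccount, so every pod in `woodpecker` that does not set its own `serviceAccountName` (possibly including pipeline step pods, if they are scheduled in this namespace) inherits this role, and the single rule gives it `get`/`list`/`watch` on `secrets` plus `create` on `pods/exec`. In practice that means any such workload can read every secret in the namespace and open an exec session in neighbouring pods. Bind the role to a dedicated account for the agent instead (`name: <agent-serviceaccount>` under `subjects`), and split the rule per resource so `secrets` and `pods/exec` carry only the verbs the agent actually uses, e.g. `resources: ["secrets"]` with `verbs: ["create", "delete"]` if it never reads them back. Setting `automountServiceAccountToken: false` on pods that do not need API access would limit exposure further.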