diff --git a/Readme.md b/Readme.md
index 229d9ee..148346b 100644
--- a/Readme.md
+++ b/Readme.md
@@ -81,7 +81,14 @@ Instanciate the template. The "letsencrypt" service account needs to be able to manage its secrets and manage routes.
 ```
-> oc policy add-role-to-user edit -z letsencrypt
+> oc adm policy add-role-to-user edit -z letsencrypt
+```
+
+Add the `letsencrypt` clusterrole:
+
+```
+> oc create -f letsencrypt-clusterrole.yaml
+> oc adm policy add-cluster-role-to-user letsencrypt system:serviceaccount:`oc project -q`:letsencrypt
 ```
 ### Let's encrypt credentials
diff --git a/letsencrypt-clusterrole.yaml b/letsencrypt-clusterrole.yaml
index 673dbda..21a55e7 100644
--- a/letsencrypt-clusterrole.yaml
+++ b/letsencrypt-clusterrole.yaml
@@ -2,17 +2,23 @@ apiVersion: v1
 kind: ClusterRole
 metadata:
 name: letsencrypt
+ labels:
+ app: letsencrypt
 rules:
 - apiGroups:
 - ""
- attributeRestrictions: null
+ - "route.openshift.io"
 resources:
 - routes
+ - routes/custom-host
+ - routes/status
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
 verbs:
- - create
- - delete
 - get
 - list
- - patch
- - update
 - watch
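Review bot: The first rule in letsencrypt-clusterrole.yaml now grants `verbs: ['*']` on `routes`, `routes/custom-host` and `routes/status`, which is wider than the explicit list it replaces (`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`). Because the Readme hunk binds this role with `add-cluster-role-to-user`, the grant covers routes in every namespace, and a wildcard also takes in `deletecollection` and any verb the API gains later. I would keep the enumerated verbs on `routes` and move the two subresources into their own rule with only the verbs the controller actually calls. Those are presumably `create`/`update` on `routes/custom-host` and `update` on `routes/status`, but that should be confirmed against the controller's API usage. A short comment above the rule, such as `# routes/custom-host is required to set spec.host; keep verbs explicit, this role is bound cluster-wide`, would record why the subresources are listed.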