diff --git a/roles/rbac/tasks/main.yml b/roles/rbac/tasks/main.yml
index 9c1340a82..531461f0b 100644
--- a/roles/rbac/tasks/main.yml
+++ b/roles/rbac/tasks/main.yml
@@ -18,6 +18,8 @@
 - {name: kubedns, file: kubedns-clusterrolebinding.yml, type: clusterrolebinding}
 - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
 - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
+ - {name: 'custom:system:node', file: 'custom:system:node-clusterrole.yml', type: clusterrole}
+ - {name: 'custom:system:node', file: 'custom:system:node-clusterrolebinding.yml', type: clusterrolebinding}
 - {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
 - {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
 register: manifests
diff --git a/roles/rbac/templates/custom:system:node-clusterrole.yml b/roles/rbac/templates/custom:system:node-clusterrole.yml
new file mode 100644
index 000000000..775318613
--- /dev/null
+++ b/roles/rbac/templates/custom:system:node-clusterrole.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: custom:system:node
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - list
+ - watch
diff --git a/roles/rbac/templates/custom:system:node-clusterrolebinding.yml b/roles/rbac/templates/custom:system:node-clusterrolebinding.yml
new file mode 100644
index 000000000..cefc9f626
--- /dev/null
+++ b/roles/rbac/templates/custom:system:node-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: custom:system:node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom:system:node
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:nodes
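Review bot: In `custom:system:node-clusterrole.yml` the new ClusterRole has no comment saying which node-side component needs `list`/`watch` on `endpoints` in every namespace, so a later audit cannot tell whether the grant is still required. A comment above `rules:` such as `# read-only endpoints access for <component> running with node credentials` would record that. The manifest also uses `rbac.authorization.k8s.io/v1beta1`, which Kubernetes removed in 1.22; when the role's other templates move to `rbac.authorization.k8s.io/v1`, this file needs the same change.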
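Review bot: In `custom:system:node-clusterrolebinding.yml` the subject `Group system:nodes` hands the endpoints read access to every kubelet credential in the cluster, so a single compromised node can watch service backends (pod IPs and ports) across all namespaces. If the consumer is one agent on the node (kube-proxy is a likely candidate, though the diff does not say), binding a dedicated user or service account for that agent would keep the kubelet identity narrow. If the group-wide binding is intentional, state it in a comment above `subjects:`, e.g. `# all kubelets need this because <reason>`.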