diff --git a/charts/tenet/templates/generated/generated.yaml b/charts/tenet/templates/generated/generated.yaml index 28b2304..43e0a6a 100644 --- a/charts/tenet/templates/generated/generated.yaml +++ b/charts/tenet/templates/generated/generated.yaml @@ -92,6 +92,13 @@ rules: - list - update - watch +- apiGroups: + - tenet.cybozu.io + resources: + - networkpolicyadmissionrules + verbs: + - get + - list - apiGroups: - tenet.cybozu.io resources: @@ -192,24 +199,6 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/name: '{{ include "tenet.name" . }}' - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ include "tenet.chart" . }}' - name: '{{ template "tenet.fullname" . }}-manager-admin' -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: -- kind: ServiceAccount - name: '{{ template "tenet.fullname" . }}-controller-manager' - namespace: '{{ .Release.Namespace }}' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/managed-by: '{{ .Release.Service }}' diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index d0f7ff7..b63925e 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -34,6 +34,13 @@ rules: - list - update - watch +- apiGroups: + - tenet.cybozu.io + resources: + - networkpolicyadmissionrules + verbs: + - get + - list - apiGroups: - tenet.cybozu.io resources: diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 3cacad5..2070ede 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml 
@@ -10,16 +10,3 @@ subjects:
 - kind: ServiceAccount
 name: controller-manager
 namespace: system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manager-admin
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: admin
-subjects:
-- kind: ServiceAccount
- name: controller-manager
- namespace: system
diff --git a/controllers/networkpolicytemplate_controller.go b/controllers/networkpolicytemplate_controller.go
index a004c4f..be84e02 100644
--- a/controllers/networkpolicytemplate_controller.go
+++ b/controllers/networkpolicytemplate_controller.go
@@ -58,6 +58,7 @@ type NetworkPolicyTemplateReconciler struct {
 //+kubebuilder:rbac:groups=tenet.cybozu.io,resources=networkpolicytemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=tenet.cybozu.io,resources=networkpolicytemplates/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=tenet.cybozu.io,resources=networkpolicytemplates/finalizers,verbs=update
+// +kubebuilder:rbac:groups=tenet.cybozu.io,resources=networkpolicyadmissionrules,verbs=get;list
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups="cilium.io",resources=ciliumnetworkpolicies,verbs=get;list;watch;create;update;delete
 //+kubebuilder:rbac:groups="cilium.io",resources=ciliumclusterwidenetworkpolicies,verbs=get;list;watch;create;update;delete
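Review bot: The added marker for `networkpolicyadmissionrules` grants `get;list` but not `watch`, and this commit also removes the `manager-admin` binding, so the explicit rules are presumably all the controller has left. If the reconciler reads these objects through the manager's cache-backed client, the informer also needs `watch` and would otherwise fail to sync with a forbidden error. The reconciler code that uses the rules is outside this hunk, so this needs confirming. If it does use the cache, the marker should end in `verbs=get;list;watch`; if it deliberately uses an uncached reader, a short comment above the marker saying so would keep the narrower grant from being "fixed" later. Separately, the new line is written `// +kubebuilder:rbac:` while every neighbouring marker uses `//+kubebuilder:rbac:`; match the existing form for consistency.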