diff --git a/ops/chart/templates/manager-rbac.yaml b/ops/chart/templates/manager-rbac.yaml
index 1cde3e7..389a533 100644
--- a/ops/chart/templates/manager-rbac.yaml
+++ b/ops/chart/templates/manager-rbac.yaml
@@ -87,6 +87,18 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - certificates.k8s.io
   resources:
diff --git a/src/config/rbac/role.yaml b/src/config/rbac/role.yaml
index 0a43600..02c7efc 100644
--- a/src/config/rbac/role.yaml
+++ b/src/config/rbac/role.yaml
@@ -87,6 +87,18 @@ rules:
   - list
   - patch
   - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - certificates.k8s.io
   resources:
diff --git a/src/internal/controller/zitadelcluster_controller.go b/src/internal/controller/zitadelcluster_controller.go
index 74b8937..a4f22fe 100644
--- a/src/internal/controller/zitadelcluster_controller.go
+++ b/src/internal/controller/zitadelcluster_controller.go
@@ -95,6 +95,7 @@ type ZitadelClusterReconciler struct {
 // +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=get;list;watch;create;patch;delete
 // +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/approval,verbs=update
+// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 
 func (r *ZitadelClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx)