diff --git a/generic/role.yaml b/generic/role.yaml
index 4987dc6..44863a4 100644
--- a/generic/role.yaml
+++ b/generic/role.yaml
@@ -1,11 +1,42 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+apiVersion: v1
+kind: ServiceAccount
 metadata:
- namespace: default
+ name: uncloud
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ namespace: '*'
 name: service-reader
 rules:
 - apiGroups: [""] # "" indicates the core API group
 resources: ["services"]
 verbs: ["get", "watch", "list"]
-
 ---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: uncloud-binding
+subjects:
+- kind: ServiceAccount
+ name: uncloud
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: service-reader
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kubectl-pod
+spec:
+ serviceAccountName: uncloud
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:latest
+ args:
+ - sh
+ - -c
+ - sleep
+ - "1000000"
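Review bot: `namespace: '*'` in the ClusterRole's metadata does not scope anything, because a ClusterRole is cluster-scoped and `*` is not a valid namespace name, so the line should be dropped. The actual widening comes from the ClusterRoleBinding, which lets `default/uncloud` get, list and watch Services in every namespace where the old Role covered only `default`; if only some namespaces are needed, bind `service-reader` with a RoleBinding in each of them instead. The ServiceAccount and the Pod carry no `metadata.namespace` while the binding subject is pinned to `namespace: default`, so applying the file into another namespace would leave the binding pointing at an account that is not the one the Pod runs as; add `namespace: default` to both. In the Pod, `bitnami/kubectl:latest` is a mutable tag, no `securityContext` is set, and `sh -c sleep "1000000"` hands `1000000` to the shell as `$0` rather than to sleep as its operand (and if the image's entrypoint is kubectl, as I believe it is, `args` never reaches a shell at all). The fence shows the container entry with those three points addressed; the digest is a placeholder to be replaced with one you have verified.

```yaml
# … unchanged: ServiceAccount, ClusterRole rules, ClusterRoleBinding, Pod metadata and serviceAccountName …
  - name: kubectl
    # placeholder: pin to the digest of the image version you have verified
    image: bitnami/kubectl@sha256:<verified-digest>
    # command replaces the image entrypoint; sleep receives its operand directly
    command: ["sleep", "1000000"]
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```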