diff --git a/components/cluster-as-a-service/staging/cluster-provisioner-read-pod-logs.yaml b/components/cluster-as-a-service/staging/cluster-provisioner-read-pod-logs.yaml
new file mode 100644
index 00000000000..78b8e17d6ac
--- /dev/null
+++ b/components/cluster-as-a-service/staging/cluster-provisioner-read-pod-logs.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-provisioner
+rules:
+ - apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
\ No newline at end of file
diff --git a/components/cluster-as-a-service/staging/kustomization.yaml b/components/cluster-as-a-service/staging/kustomization.yaml
index c82b467d4f1..a760541ff00 100644
--- a/components/cluster-as-a-service/staging/kustomization.yaml
+++ b/components/cluster-as-a-service/staging/kustomization.yaml
@@ -5,6 +5,8 @@ resources:
 - ../base
 - ../../openshift-gitops
 - external-secrets.yaml
+ - namespace-manager-pod-reader-role.yaml
+ - namespace-manager-pod-reader-binding.yaml
 patches:
 - path: add-hypershift-params.yaml
 target:
diff --git a/components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml
new file mode 100644
index 00000000000..bf4d3d5a985
--- /dev/null
+++ b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: namespace-manager-pod-reader-binding
+subjects:
+ - kind: ServiceAccount
+ name: namespace-manager
+ namespace: ${SPACE_NAME}-eaas
+roleRef:
+ kind: ClusterRole
+ name: namespace-manager-pod-reader
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml
new file mode 100644
index 00000000000..1dc73238a48
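Review bot: `cluster-provisioner-read-pod-logs.yaml` is added here, but the `kustomization.yaml` hunk in this commit lists only `namespace-manager-pod-reader-role.yaml` and `namespace-manager-pod-reader-binding.yaml`, so as far as this diff shows the `cluster-provisioner` ClusterRole is never built or applied. If it is meant to ship, add `- cluster-provisioner-read-pod-logs.yaml` under `resources:`; if it is a leftover, drop the file. Should it be applied, a ClusterRole named `cluster-provisioner` would replace the rules of any existing ClusterRole with that name, so confirm none exists (not visible from this diff).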
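Review bot: A ClusterRoleBinding grants `get` on `pods/log` in every namespace of the cluster, and pod logs regularly carry tokens, connection strings and other data their owners did not intend to share. If `namespace-manager` only needs logs from specific namespaces, bind the same ClusterRole with a namespaced `kind: RoleBinding` in each of them instead. The subject namespace `${SPACE_NAME}-eaas` is also a template placeholder, and nothing in this diff shows it being substituted. If kustomize applies the file as written, the subject names a namespace that cannot exist and the binding grants nothing. If it is rendered once per space, every rendering reuses the single cluster-scoped name `namespace-manager-pod-reader-binding`, so the last apply overwrites the previous subject.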
--- /dev/null
+++ b/components/cluster-as-a-service/staging/namespace-manager-pod-reader-role.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: namespace-manager-pod-reader
+rules:
+ - apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
\ No newline at end of file
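Review bot: The role is named `namespace-manager-pod-reader`, but its only rule is `get` on `pods/log`, so the name misdescribes the grant. `namespace-manager-pod-log-reader` would match what it allows, with the same rename in the binding's `roleRef`. The rule set is identical to the `cluster-provisioner` ClusterRole added in `cluster-provisioner-read-pod-logs.yaml`, so one of the two may be redundant. If this one stays, a comment above `rules:` such as `# log read access only; pod logs may contain sensitive data, keep verbs at get and bind narrowly` would record the intent for whoever extends the role later.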