diff --git a/metricbeat/README.md b/metricbeat/README.md
index f5b59fd40..f5af56ec6 100644
--- a/metricbeat/README.md
+++ b/metricbeat/README.md
@@ -50,6 +50,7 @@ helm install --name metricbeat elastic/metricbeat --set imageTag=7.3.2
 | `imagePullPolicy` | The Kubernetes [imagePullPolicy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) value | `IfNotPresent` |
 | `imagePullSecrets` | Configuration for [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) so that you can use a private registry for your image | `[]` |
 | `managedServiceAccount` | Whether the `serviceAccount` should be managed by this helm chart. Set this to `false` in order to manage your own service account and related roles. | `true` |
+| `clusterRoleRules` | Configurable [cluster role rules](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) that Metricbeat uses to access Kubernetes resources. | see [values.yaml](./values.yaml) |
 | `podAnnotations` | Configurable [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) applied to all Metricbeat pods | `{}` |
 | `podSecurityContext` | Configurable [podSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Metricbeat pod execution environment | `runAsUser: 0`
`privileged: false` | | `livenessProbe` | Parameters to pass to [liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) checks for values such as timeouts and thresholds. | `failureThreshold: 3`
`initialDelaySeconds: 10`
`periodSeconds: 10`
`successThreshold: 3`
`timeoutSeconds: 5` | diff --git a/metricbeat/templates/clusterrole.yaml b/metricbeat/templates/clusterrole.yaml index dd7fcc7ac..a9a9fe3ee 100644 --- a/metricbeat/templates/clusterrole.yaml +++ b/metricbeat/templates/clusterrole.yaml @@ -8,15 +8,5 @@ metadata: chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" heritage: {{ .Release.Service | quote }} release: {{ .Release.Name | quote }} -rules: -- apiGroups: - - "" - resources: - - namespaces - - pods - - events - verbs: - - get - - list - - watch +rules: {{ toYaml .Values.clusterRoleRules | nindent 2 -}} {{- end -}} diff --git a/metricbeat/tests/metricbeat_test.py b/metricbeat/tests/metricbeat_test.py index a274b6a90..6148f45a8 100644 --- a/metricbeat/tests/metricbeat_test.py +++ b/metricbeat/tests/metricbeat_test.py @@ -207,3 +207,26 @@ def test_adding_an_affinity_rule(): r = helm_template(config) assert r['daemonset'][name]['spec']['template']['spec']['affinity']['podAntiAffinity'][ 'requiredDuringSchedulingIgnoredDuringExecution'][0]['topologyKey'] == 'kubernetes.io/hostname' + +def test_cluster_role_rules(): + config = '' + r = helm_template(config) + rules = r['clusterrole']['release-name-metricbeat-cluster-role']['rules'][0] + assert rules['apiGroups'][0] == 'extensions' + assert rules['verbs'][0] == 'get' + assert rules['resources'][0] == 'namespaces' + + config = ''' +clusterRoleRules: + - apiGroups: + - "someone" + verbs: + - "or" + resources: + - "something" +''' + r = helm_template(config) + rules = r['clusterrole']['release-name-metricbeat-cluster-role']['rules'][0] + assert rules['apiGroups'][0] == 'someone' + assert rules['verbs'][0] == 'or' + assert rules['resources'][0] == 'something' diff --git a/metricbeat/values.yaml b/metricbeat/values.yaml index 5c852497e..cf514f4dc 100755 --- a/metricbeat/values.yaml +++ b/metricbeat/values.yaml 
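Review bot: `rules: {{ toYaml .Values.clusterRoleRules | nindent 2 -}}` renders whatever the values provide with no guard, so an override that sets `clusterRoleRules` to an empty list or null produces a ClusterRole with `rules: []` or `rules: null` and no signal that the chart no longer grants Metricbeat anything; if that is not an intended configuration, `rules: {{ required "clusterRoleRules must be set" .Values.clusterRoleRules | toYaml | nindent 2 -}}` fails the render with a clear message instead. Since this value now defines the entire cluster-wide grant, a template comment above the line noting that it is the only place these permissions are declared, and that `managedServiceAccount: false` is the supported way to bring your own role, would help anyone reviewing downstream overrides. The `{{- if` that the hunk's `{{- end -}}` presumably closes starts outside the hunk.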
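Review bot: `test_cluster_role_rules` asserts only element `[0]` of `apiGroups`, `verbs` and `resources` for the default rules, so a regression that adds a write verb, drops `apps`, or grants an extra resource would still pass; comparing the full lists pins the default grant: `assert rules['apiGroups'] == ['extensions', 'apps', '']`, `assert rules['resources'] == ['namespaces', 'pods', 'events', 'deployments', 'nodes', 'replicasets']`, `assert rules['verbs'] == ['get', 'list', 'watch']`. The override half has the same gap, and an added `assert len(r['clusterrole']['release-name-metricbeat-cluster-role']['rules']) == 1` would also document that user rules replace the defaults rather than merging with them. A one-line docstring such as `"""Default ClusterRole rules come from values.yaml and are fully replaced by a clusterRoleRules override."""` would state the contract under test.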
@@ -105,6 +105,23 @@ readinessProbe:
 # Whether this chart should self-manage its service account, role, and associated role binding.
 managedServiceAccount: true
+clusterRoleRules:
+ - apiGroups:
+ - "extensions"
+ - "apps"
+ - ""
+ resources:
+ - namespaces
+ - pods
+ - events
+ - deployments
+ - nodes
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+
 podAnnotations: {}
 # iam.amazonaws.com/role: es-cluster
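Review bot: The new `clusterRoleRules` default widens the chart's cluster-wide grant from the core `namespaces`, `pods` and `events` that the removed template hardcoded to also cover `deployments`, `replicasets` and `nodes` in the `extensions` and `apps` groups, yet the values file carries no comment saying what the rules are for; the README sends users here, so a comment above the key such as `# RBAC rules for the ClusterRole bound to the Metricbeat service account. The default is read-only (get/list/watch) on the listed resources; an override replaces, rather than extends, this list.` is what they will read. Because a default install can now read more of the cluster than before, the change also belongs in the chart's changelog or upgrade notes. The `extensions` group entry may be redundant on clusters that serve Deployments and ReplicaSets only from `apps` — worth confirming against the Kubernetes versions the chart supports before keeping it in the default.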