diff --git a/config/deploy/base.yml b/config/deploy/base.yml
index 9d88476..f7d77f7 100644
--- a/config/deploy/base.yml
+++ b/config/deploy/base.yml
@@ -108,6 +108,7 @@ rules:
   verbs:
   - get
   - list
+  - watch
 - apiGroups:
   - ""
   resources:
diff --git a/config/deploy/manifests.yaml b/config/deploy/manifests.yaml
index 381d2fd..e03dd4b 100644
--- a/config/deploy/manifests.yaml
+++ b/config/deploy/manifests.yaml
@@ -9,7 +9,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: platform-system/platform-serving-cert
     controller-gen.kubebuilder.io/version: v0.5.0
   creationTimestamp: null
   name: clusterresourcequotas.platform.flanksource.com
@@ -189,7 +189,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: platform-system/platform-serving-cert
   creationTimestamp: null
   name: platform-mutating-webhook-configuration
   namespace: platform-system
@@ -241,7 +241,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: platform-system/platform-serving-cert
   creationTimestamp: null
   name: platform-validating-webhook-configuration
   namespace: platform-system
@@ -397,6 +397,7 @@ rules:
   verbs:
   - get
   - list
+  - watch
 - apiGroups:
   - ""
   resources:
diff --git a/config/operator/rbac/role.yaml b/config/operator/rbac/role.yaml
index c675eb3..7057434 100644
--- a/config/operator/rbac/role.yaml
+++ b/config/operator/rbac/role.yaml
@@ -13,6 +13,7 @@ rules:
   verbs:
   - get
   - list
+  - watch
 - apiGroups:
   - ""
   resources:
diff --git a/pkg/controllers/pod/pod_reconciler.go b/pkg/controllers/pod/pod_reconciler.go
index 6fcf762..7053dca 100644
--- a/pkg/controllers/pod/pod_reconciler.go
+++ b/pkg/controllers/pod/pod_reconciler.go
@@ -62,7 +62,7 @@ func addPodReconciler(mgr manager.Manager, r reconcile.Reconciler) error {
 }
 
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update
-// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;update;watch
 
 func (r *PodReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {