diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index ff1ab30..a0f8e06 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,6 +4,26 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
 - apiGroups:
   - devcontainer.devstar.cn
   resources:
@@ -30,9 +50,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["create", "delete", "get", "list", "watch"]
-- apiGroups: ["apps"]
-  resources: ["statefulsets"]
-  verbs: ["create", "delete", "get", "list", "watch"]
diff --git a/internal/controller/devcontainerapp_controller.go b/internal/controller/devcontainerapp_controller.go
index b4aa976..34696f6 100644
--- a/internal/controller/devcontainerapp_controller.go
+++ b/internal/controller/devcontainerapp_controller.go
@@ -43,6 +43,8 @@ type DevcontainerAppReconciler struct {
 // +kubebuilder:rbac:groups=devcontainer.devstar.cn,resources=devcontainerapps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=devcontainer.devstar.cn,resources=devcontainerapps/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=devcontainer.devstar.cn,resources=devcontainerapps/finalizers,verbs=update
+// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=create;delete;get;list;watch
+// +kubebuilder:rbac:groups="",resources=services,verbs=create;delete;get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.