diff --git a/README.md b/README.md index 90ebcde81..fa2c1d50b 100644 --- a/README.md +++ b/README.md @@ -178,9 +178,12 @@ Feature discovery is preferably run as a Kubernetes DaemonSet. There is an example spec that can be used as a template, or, as is when just trying out the service: ``` +kubectl create -f rbac.yaml kubectl create -f node-feature-discovery-daemonset.json.template ``` +If you have RBAC authorization enabled (as is the default e.g. with clusters initialized with kubeadm) you need to configure the appropriate ClusterRoles, ClusterRoleBindings and a ServiceAccount in order for NFD to create node labels. The provided templates will configure these for you. + When run as a daemonset, nodes are re-labeled at an interval specified using the `--sleep-interval` option. In the [template](https://github.com/kubernetes-incubator/node-feature-discovery/blob/master/node-feature-discovery-daemonset.json.template#L38) the default interval is set to 60s which is also the default when no `--sleep-interval` is specified. diff --git a/node-feature-discovery-daemonset.json.template b/node-feature-discovery-daemonset.json.template index 719a415ab..ab8c44e2d 100644 --- a/node-feature-discovery-daemonset.json.template +++ b/node-feature-discovery-daemonset.json.template @@ -21,6 +21,7 @@ }, "spec": { "hostNetwork": true, + "serviceAccount": "node-feature-discovery", "containers": [ { "env": [ diff --git a/node-feature-discovery-job.json.template b/node-feature-discovery-job.json.template index 0f193df96..853ad4296 100644 --- a/node-feature-discovery-job.json.template +++ b/node-feature-discovery-job.json.template @@ -18,6 +18,7 @@ }, "spec": { "hostNetwork": true, + "serviceAccount": "node-feature-discovery", "containers": [ { "env": [ diff --git a/rbac.yaml b/rbac.yaml new file mode 100644 index 000000000..a726131ad --- /dev/null +++ b/rbac.yaml 
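Review bot: The added `"serviceAccount"` key in the DaemonSet pod spec is the deprecated alias of `serviceAccountName`; prefer `"serviceAccountName": "node-feature-discovery",` here and in the identical addition to node-feature-discovery-job.json.template. Both pod specs also set `"hostNetwork": true`, so the token for this account is mounted into a host-networked container, which is a reason to keep the bound role as narrow as the labelling needs. The namespace these templates deploy into is outside the hunks; confirm it matches the `namespace: default` subject in rbac.yaml, otherwise the binding will not apply to these pods. The enclosing pod spec starts and ends outside both hunks.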
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: node-feature-discovery
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: node-feature-discovery
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: node-feature-discovery
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-feature-discovery
+subjects:
+- kind: ServiceAccount
+ name: node-feature-discovery
+ namespace: default
+
+
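Review bot: The single ClusterRole rule grants `patch` and `update` on `pods` as well as `nodes`, cluster-wide, which is broader than the node labelling the README change describes. Splitting it into two rules keeps the write verbs on nodes and leaves pods read-only; whether NFD needs `get` on pods at all is not visible on this page, so confirm that against the code before keeping it. Separately, the ServiceAccount has no `metadata.namespace` while the binding subject is pinned to `namespace: default`, so creating these objects with a different current namespace leaves the binding pointing at an account that does not exist; setting `namespace: default` on the ServiceAccount, or documenting the requirement, closes that gap.

```yaml
# … unchanged: ServiceAccount, ClusterRole apiVersion/kind/metadata …
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
# … unchanged: ClusterRoleBinding …
```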