diff --git a/drone/default-serviceaccount-rbac.yaml b/drone/default-serviceaccount-rbac.yaml
new file mode 100644
index 0000000..a6eddf7
--- /dev/null
+++ b/drone/default-serviceaccount-rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: default-deploy
+ namespace: default
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/log", "pods/exec", "pods/attach", "services", "secrets", "configmaps", "persistentvolumes", "persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["batch"]
+ resources: ["jobs", "cronjobs"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses", "networkpolicies"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: default-deploy
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: default
+roleRef:
+ kind: Role
+ name: default-deploy
+ apiGroup: rbac.authorization.k8s.io
diff --git a/drone/install-drone.sh b/drone/install-drone.sh
index 948005c..2ac0b89 100755
--- a/drone/install-drone.sh
+++ b/drone/install-drone.sh
@@ -8,6 +8,8 @@ sudo chown -R 1000:1000 /opt/drone
 # 应用所有yaml文件
 kubectl apply -f drone-pipeline-serviceaccount.yaml
+kubectl apply -f drone-runner-rbac.yaml
+kubectl apply -f default-serviceaccount-rbac.yaml
 kubectl apply -f drone-server-deployment.yaml
 kubectl apply -f drone-server-service.yaml
 kubectl apply -f drone-runner-deployment.yaml
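Review bot: The RoleBinding's subject is the namespace's `default` ServiceAccount, so every pod in `default` that does not set its own `serviceAccountName` inherits this Role, including read/write on `secrets`, `pods/exec`, `pods/attach` and pod creation. Bind the Role to a dedicated deploy account instead, e.g. `- kind: ServiceAccount` / `name: <pipeline-serviceaccount>`; the install script already applies `drone-pipeline-serviceaccount.yaml`, so such an account presumably exists. In the first rule, drop `secrets` or limit it with `resourceNames`, and keep `pods/exec` and `pods/attach` only if the pipeline really needs them. `persistentvolumes` is cluster-scoped, so listing it in a namespaced Role grants nothing and can be removed.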
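Review bot: `kubectl apply -f drone-runner-rbac.yaml` refers to a file this commit does not add, so that step fails unless the file already exists under `drone/`; worth confirming before merge. The hunk shows only part of the script, so it is not visible whether a failed `kubectl apply` stops the run (for example via `set -e`). If it does not, the later deployments would be applied without the runner's RBAC in place.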