diff --git a/README.md b/README.md
index b28538c5..b4910ac6 100644
--- a/README.md
+++ b/README.md
@@ -219,7 +219,8 @@ helm delete --namespace test my-application
 | rbac.serviceAccount.name | string | `{{ include "application.name" $ }}` | Service Account Name. |
 | rbac.serviceAccount.additionalLabels | object | `nil` | Additional labels for Service Account. |
 | rbac.serviceAccount.annotations | object | `nil` | Annotations for Service Account. |
-| rbac.roles | list | `nil` | Namespaced Roles. |
+| rbac.roles | list | `nil` | Role definitions scoped to a single namespace. |
+| rbac.clusterRoles | list | `nil` | ClusterRole definitions with cluster-wide permissions. |
 ### ConfigMap Parameters
diff --git a/application/templates/clusterrole.yaml b/application/templates/clusterrole.yaml
new file mode 100644
index 00000000..640f358d
--- /dev/null
+++ b/application/templates/clusterrole.yaml
@@ -0,0 +1,20 @@
+{{- if and (.Values.rbac).enabled .Values.rbac.clusterRoles }}
+{{- range .Values.rbac.clusterRoles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "application.name" $ }}-clusterrole-{{ .name }}
+ labels:
+ {{- include "application.labels" $ | nindent 4 }}
+{{- if $.Values.rbac.additionalLabels }}
+{{ toYaml $.Values.rbac.additionalLabels | indent 4 }}
+{{- end }}
+{{- if $.Values.rbac.annotations }}
+ annotations:
+{{ toYaml $.Values.rbac.annotations | indent 4 }}
+{{- end }}
+rules:
+{{ toYaml .rules | indent 2 }}
+{{- end }}
+{{- end }}
diff --git a/application/templates/clusterrolebinding.yaml b/application/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..ca1c203b
--- /dev/null
+++ b/application/templates/clusterrolebinding.yaml
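Review bot: The ClusterRole name `{{ template "application.name" $ }}-clusterrole-{{ .name }}` is cluster-scoped but carries no namespace or release qualifier, so two installs of this chart in different namespaces with the same application name and the same `clusterRoles[].name` render the same object; the second install fails on ownership (or, with `--force`, takes over the first release's role) and uninstalling either release deletes the ClusterRole the other still depends on. The ClusterRoleBinding name in clusterrolebinding.yaml has the same problem, and its `roleRef.name` must change in lockstep with whatever is chosen here. Unless `application.name` already embeds the release namespace, qualify the name, e.g. `name: {{ template "application.name" $ }}-{{ $.Release.Namespace }}-clusterrole-{{ .name }}`. A short template comment is also worth adding above `rules:`, noting that a missing `.rules` on an entry renders `rules: null`, which the API server appears to accept as a ClusterRole granting nothing, so a typo in the values key fails silently rather than at install time.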
@@ -0,0 +1,30 @@
+{{- if and (.Values.rbac).enabled .Values.rbac.clusterRoles }}
+{{- range .Values.rbac.clusterRoles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "application.name" $ }}-clusterrolebinding-{{ .name }}
+ labels:
+ {{- include "application.labels" $ | nindent 4 }}
+{{- if $.Values.rbac.additionalLabels }}
+{{ toYaml $.Values.rbac.additionalLabels | indent 4 }}
+{{- end }}
+{{- if $.Values.rbac.annotations }}
+ annotations:
+{{ toYaml $.Values.rbac.annotations | indent 4 }}
+{{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "application.name" $ }}-clusterrole-{{ .name }}
+subjects:
+ - kind: ServiceAccount
+ {{- if $.Values.rbac.serviceAccount.name }}
+ name: {{ $.Values.rbac.serviceAccount.name }}
+ {{- else }}
+ name: {{ template "application.name" $ }}
+ {{- end }}
+ namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/application/values.yaml b/application/values.yaml
index 1d5c4e54..09a71cf3 100644
--- a/application/values.yaml
+++ b/application/values.yaml
@@ -706,7 +706,7 @@ rbac:
 # @section -- RBAC Parameters
 annotations:
 # key: value
- # -- (list) Namespaced Roles.
+ # -- (list) Role definitions scoped to a single namespace.
 # @section -- RBAC Parameters
 roles:
 # - name: configmaps
@@ -725,6 +725,27 @@ rbac:
 # - secrets
 # verbs:
 # - get
+ # -- (list) ClusterRole definitions with cluster-wide permissions.
+ # @section -- RBAC Parameters
+ clusterRoles:
+ # - name: configmaps
+ # rules:
+ # - apiGroups:
+ # - ""
+ # resources:
+ # - configmaps
+ # verbs:
+ # - get
+ # - name: pods
+ # rules:
+ # - apiGroups:
+ # - ""
+ # resources:
+ # - pods
+ # verbs:
+ # - get
+ # - list
+ # - watch
 configMap:
 # -- (bool) Deploy additional ConfigMaps.
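Review bot: Every entry in `rbac.clusterRoles` is bound here to the application's ServiceAccount with no per-entry opt-out, so the new values key is in effect a cluster-wide grant to the workload identity rather than just a list of ClusterRole definitions, and neither this template nor the `clusterRoles` comment added in values.yaml says so. A header comment on this file such as `{{/* One ClusterRoleBinding per rbac.clusterRoles entry, granting it to the chart's ServiceAccount in the release namespace. */}}` and a matching sentence under `# -- (list) ClusterRole definitions with cluster-wide permissions.` in values.yaml would make that blast radius visible to whoever edits the values. The `roleRef.name` repeats the name expression from clusterrole.yaml verbatim; the two must stay identical, which is worth a one-line comment above `roleRef:` since there is no shared helper enforcing it.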