diff --git a/stable/kube2iam/Chart.yaml b/stable/kube2iam/Chart.yaml
index f44ea296f20d..35f030f777b8 100644
--- a/stable/kube2iam/Chart.yaml
+++ b/stable/kube2iam/Chart.yaml
@@ -1,5 +1,5 @@
 name: kube2iam
-version: 0.3.0
+version: 0.3.1
 description: Provide IAM credentials to pods based on annotations.
 keywords:
 - kube2iam
diff --git a/stable/kube2iam/README.md b/stable/kube2iam/README.md
index ff76f25af3e0..bfb066595444 100644
--- a/stable/kube2iam/README.md
+++ b/stable/kube2iam/README.md
@@ -52,6 +52,7 @@ Parameter | Description | Default
 `podAnnotations` | annotations to be added to pods | `{}`
 `resources` | pod resource requests & limits | `{}`
 `verbose` | Enable verbose output | `false`
+`rbac.enabled` | Enable role and serviceaccount creation | `false`
 `updateStrategy` | The strategy for daemon set updates, e.g. `RollingUpdate` (requires Kubernetes 1.6+) | not set
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/stable/kube2iam/templates/daemonset.yaml b/stable/kube2iam/templates/daemonset.yaml
index ee3380378b3a..4595271ce8e8 100644
--- a/stable/kube2iam/templates/daemonset.yaml
+++ b/stable/kube2iam/templates/daemonset.yaml
@@ -18,6 +18,11 @@ spec:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
 spec:
+{{- if .Values.rbac.enabled }}
+ serviceAccountName: {{ template "fullname" . }}
+{{- else }}
+ serviceAccountName: default
+{{- end }}
 containers:
 - name: kube2iam
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/stable/kube2iam/templates/role.yaml b/stable/kube2iam/templates/role.yaml
new file mode 100644
index 000000000000..b7c0b0ec168a
--- /dev/null
+++ b/stable/kube2iam/templates/role.yaml
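Review bot: In templates/daemonset.yaml the `{{- else }}` branch pins `serviceAccountName: default`, and values.yaml ships `rbac.enabled: false`, so on a cluster that enforces RBAC a default install runs kube2iam as the namespace's shared `default` account. Any pod list/watch permission an operator then grants to get it working is inherited by every other pod in that namespace that uses `default`. Say so where the flag is documented, for example a comment above `rbac:` in values.yaml: `# Set to true on RBAC-enabled clusters; when false kube2iam runs as the namespace's default ServiceAccount.` The single flag also ties ServiceAccount creation to RBAC creation, so a pre-provisioned account cannot be named. The pod spec continues outside the hunk.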
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "fullname" . }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - watch
+ - list
+{{- end -}}
diff --git a/stable/kube2iam/templates/rolebinding.yaml b/stable/kube2iam/templates/rolebinding.yaml
new file mode 100644
index 000000000000..044c5664d9ad
--- /dev/null
+++ b/stable/kube2iam/templates/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/stable/kube2iam/templates/serviceaccount.yaml b/stable/kube2iam/templates/serviceaccount.yaml
new file mode 100644
index 000000000000..35c9cd02de6e
--- /dev/null
+++ b/stable/kube2iam/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "fullname" . }}
+{{- end -}}
diff --git a/stable/kube2iam/values.yaml b/stable/kube2iam/values.yaml
index 87fe9d2ad372..a104d356ce1e 100644
--- a/stable/kube2iam/values.yaml
+++ b/stable/kube2iam/values.yaml
@@ -32,3 +32,6 @@ resources: {}
 # memory: 16Mi
 verbose: false
+
+rbac:
+ enabled: false
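Review bot: The `rules:` block in templates/role.yaml allows only `watch` and `list` on `pods`, while the RBAC example in kube2iam's own documentation also lists `namespaces` and the `get` verb. If this chart lets users enable kube2iam's namespace restrictions (the container arguments are not visible in this diff), the daemon would presumably be refused when it reads namespaces and that control would not function. Either add `- namespaces` under `resources:` and `- get` under `verbs:`, or put a comment above `rules:` such as `# pods list/watch only; namespace restrictions need namespaces access as well`.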
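Review bot: `subjects:` in templates/rolebinding.yaml indents its list item under the key (`  - kind: ServiceAccount`), whereas `rules:` in templates/role.yaml starts its item flush with the key (`- apiGroups:`); pick one sequence style for the chart's templates. A one-line comment above `kind: ClusterRoleBinding`, e.g. `# cluster-wide: the role covers pods in all namespaces`, would also tell a reviewer why a namespaced RoleBinding was not used.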