diff --git a/roles/helm/defaults/main.yml b/roles/helm/defaults/main.yml
index eff9744..fbe59d1 100644
--- a/roles/helm/defaults/main.yml
+++ b/roles/helm/defaults/main.yml
@@ -1,4 +1,4 @@
-helm_namespace: helm-app
+helm_namespace: kube-system
 helm_cert_cn: helm001
 tiller_sa: tiller
 tiller_cert_cn: tiller001
diff --git a/roles/helm/helm.yml b/roles/helm/helm.yml
index 0b90ee6..11d391f 100644
--- a/roles/helm/helm.yml
+++ b/roles/helm/helm.yml
@@ -2,7 +2,7 @@
 roles:
 - helm
 vars:
- helm_namespace: helm-app
+ helm_namespace: kube-system
 helm_cert_cn: helm001
 tiller_sa: tiller
 tiller_cert_cn: tiller001
diff --git a/roles/helm/templates/helm-rbac.yaml.j2 b/roles/helm/templates/helm-rbac.yaml.j2
index 0874c7b..b15bcd5 100644
--- a/roles/helm/templates/helm-rbac.yaml.j2
+++ b/roles/helm/templates/helm-rbac.yaml.j2
@@ -1,5 +1,5 @@
-# 限制helm应用只允许部署在指定namespace
-# 可以配合NetworkPolicy等实现namespace间网络完全隔离
+# 绑定helm sa到 cluster-admin,这样可以兼容现有需要集群特权的charts
+#
 ---
 apiVersion: v1
 kind: Namespace
@@ -12,26 +12,15 @@ metadata:
 name: {{ tiller_sa }}
 namespace: {{ helm_namespace }}
 ---
-kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
- name: tiller-manager
- namespace: {{ helm_namespace }}
-rules:
-- apiGroups: ["", "extensions", "apps"]
- resources: ["*"]
- verbs: ["*"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: tiller-binding
- namespace: {{ helm_namespace }}
-subjects:
-- kind: ServiceAccount
- name: {{ tiller_sa }}
- namespace: {{ helm_namespace }}
+ name: tiller-cb
 roleRef:
- kind: Role
- name: tiller-manager
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ tiller_sa }}
+ namespace: {{ helm_namespace }}
diff --git a/roles/helm/templates/strict-helm-rbac.yaml.j2 b/roles/helm/templates/strict-helm-rbac.yaml.j2
new file mode 100644
index 0000000..549288d
--- /dev/null
+++ b/roles/helm/templates/strict-helm-rbac.yaml.j2
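Review bot: helm_namespace is defined twice, here as a role default and again under `vars:` in the helm.yml hunk; play vars take precedence over role defaults in Ansible, so the default edited here is shadowed whenever the play sets its own copy, and the two must be changed in lockstep with nothing enforcing it. Keep a single source, e.g. keep `helm_namespace: kube-system` in defaults and drop the `vars:` entry from helm.yml, or document why the play overrides it. With the ClusterRoleBinding to cluster-admin introduced in the helm-rbac.yaml.j2 hunk, this value now only decides where the tiller ServiceAccount lives, not what it may do; a comment such as `# namespace holding the tiller ServiceAccount; its permissions come from templates/helm-rbac.yaml.j2` would make that explicit.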
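Review bot: With helm_namespace now defaulting to kube-system, the Namespace document that starts at the end of this hunk (its `metadata:` continues below the hunk) renders a manifest for a namespace that already exists on every cluster; whether that is harmless depends on how the task applies the rendered file, which this diff does not show (an apply merges, a create fails with AlreadyExists). Either guard the document with `{% if helm_namespace != 'kube-system' %}` / `{% endif %}` or state in the header that the namespace is expected to pre-exist. The second added comment line is empty; it could point readers to the alternative template instead, e.g. `# for namespace-scoped tiller permissions render strict-helm-rbac.yaml.j2 instead`.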
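Review bot: The new ClusterRoleBinding `tiller-cb` grants the tiller ServiceAccount cluster-admin, so every chart installed through this tiller, and every client that can reach it, acts with full cluster privileges; the only remaining gate is the tiller TLS client-certificate setup implied by helm_cert_cn/tiller_cert_cn in defaults, which is outside this diff, so it is worth confirming that tiller is started with client verification enforced rather than optional. That trade-off belongs in the file next to the binding, e.g. `# tiller-cb: binds tiller to cluster-admin; charts and tiller clients inherit it`, and the binding name should say what it binds (`tiller-cluster-admin`) rather than the opaque `tiller-cb`. The Role/RoleBinding removed here survive in the new strict-helm-rbac.yaml.j2, but nothing in this diff shows which template the tasks render, so the switch between the two should be documented where it is made.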
@@ -0,0 +1,62 @@
+# 限制helm应用只允许部署在指定namespace
+# 可以配合NetworkPolicy等实现namespace间网络完全隔离
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ helm_namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ tiller_sa }}
+ namespace: {{ helm_namespace }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tiller-manager
+ namespace: {{ helm_namespace }}
+rules:
+- apiGroups: ["", "extensions", "apps"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tiller-binding
+ namespace: {{ helm_namespace }}
+subjects:
+- kind: ServiceAccount
+ name: {{ tiller_sa }}
+ namespace: {{ helm_namespace }}
+roleRef:
+ kind: Role
+ name: tiller-manager
+ apiGroup: rbac.authorization.k8s.io
+---
+#
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tiller-cluster-manager
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tiller-cluster-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tiller-cluster-manager
+subjects:
+- kind: ServiceAccount
+ name: {{ tiller_sa }}
+ namespace: {{ helm_namespace }}
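Review bot: The ClusterRole tiller-cluster-manager at the bottom of this file grants `verbs: ["*"]` on clusterroles and clusterrolebindings, and the wildcard includes the bind and escalate verbs, so the ServiceAccount can bind itself to any ClusterRole including cluster-admin; that undoes the namespace restriction the header comment promises and makes this "strict" variant no stricter than helm-rbac.yaml.j2 in practice. Narrow the verbs to what installing charts needs, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, which leaves the API server's escalation check in force so the SA can only bind roles whose permissions it already holds. The lone `#` line above the ClusterRole should say why any cluster-scoped permission is needed; the reason is not visible here and presumably is charts that ship their own (Cluster)Role objects, so confirm and record it, e.g. `# cluster-scoped RBAC objects only, so charts that ship their own (Cluster)Roles can be installed`. Nothing in this diff selects between the two templates, so if the tasks still render only helm-rbac.yaml.j2 this file is unused.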