diff --git a/spacelift-workerpool-controller/templates/proxy-rbac.yaml b/spacelift-workerpool-controller/templates/proxy-rbac.yaml
index 6901fc4..93b6496 100644
--- a/spacelift-workerpool-controller/templates/proxy-rbac.yaml
+++ b/spacelift-workerpool-controller/templates/proxy-rbac.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.metricsService.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -37,4 +38,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "spacelift-workerpool-controller.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
+  namespace: '{{ .Release.Namespace }}'
+{{ end }}
diff --git a/spacelift-workerpool-controller/values.yaml b/spacelift-workerpool-controller/values.yaml
index 4c98aab..c7e5307 100644
--- a/spacelift-workerpool-controller/values.yaml
+++ b/spacelift-workerpool-controller/values.yaml
@@ -3,6 +3,10 @@ controllerManager:
   # and will be able to manage WorkerPools across all namespaces in your cluster.
   # If you do not want to grant cluster wide permissions to the controller, you can specify a list
   # of namespaces. That will create a Role per namespace and bind it to the service account used by the controller.
+  #
+  # PLEASE NOTE: currently the metrics service requires a ClusterRole in order to function, so
+  # if `metricsService.enabled` is set to true, a ClusterRole will be created even if you
+  # specify namespaces.
   namespaces: []
   kubeRbacProxy:
     args: