diff --git a/deploy/kubernetes/rbac.yaml b/deploy/kubernetes/rbac.yaml
index 6a07ee321..2bddeacf3 100644
--- a/deploy/kubernetes/rbac.yaml
+++ b/deploy/kubernetes/rbac.yaml
@@ -32,9 +32,13 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
+# Secret permission is optional.
+# Enable it if your driver needs secret.
+# For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
+# See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
+#  - apiGroups: [""]
+#    resources: ["secrets"]
+#    verbs: ["get", "list"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshotclasses"]
     verbs: ["get", "list", "watch"]