diff --git a/docs/deploy/resources/rbac.yaml b/docs/deploy/resources/rbac.yaml
index 1a9b6bdd07..f243dd9e83 100644
--- a/docs/deploy/resources/rbac.yaml
+++ b/docs/deploy/resources/rbac.yaml
@@ -5,19 +5,65 @@ metadata:
 namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: system:controller:glbc
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "update", "create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system:controller:glbc
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:controller:glbc
+- kind: ServiceAccount
+ name: glbc
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: system:controller:glbc
 rules:
 - apiGroups: [""]
- resources: ["secrets", "endpoints", "services", "pods", "nodes", "namespaces", "configmaps", "events"]
+ resources: ["secrets"]
+ verbs: ["get"]
+- apiGroups: [""]
+ resources: ["events"]
 verbs: ["get", "list", "watch", "update", "create", "patch"]
-- apiGroups: ["extensions"]
+- apiGroups: [""]
+ resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
+ verbs: ["get", "list", "watch"]
+# TODO: switch to patch services/status
+# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
+# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["update", "patch"]
+- apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+# For now, GLBC annotates ingress resources with various state and statuses:
+# https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
+# TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
+- apiGroups: ["extensions", "networking.k8s.io"]
 resources: ["ingresses"]
- verbs: ["get", "list", "watch", "update"]
-- apiGroups: ["extensions"]
+ verbs: ["update"]
+- apiGroups: ["extensions", "networking.k8s.io"]
 resources: ["ingresses/status"]
 verbs: ["update"]
+# GLBC ensures that the `cloud.google.com/backendconfigs` CRD exists in a desired state:
+# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/cmd/glbc/main.go#L93
+# TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
 verbs: ["get", "list", "watch", "update", "create", "patch"]
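Review bot: The new RoleBinding has no `subjects:` key — `- kind: ServiceAccount` follows `roleRef.name` directly — so the document either fails to parse or binds the new `system:controller:glbc` Role to nobody, and the `glbc` ServiceAccount loses the kube-system configmaps access this commit moved out of the ClusterRole; unless the key was dropped in rendering, add the line `subjects:` immediately before `- kind: ServiceAccount`. The hunk line counts (19 old, 65 new) match the text as shown, which suggests the omission is in the commit rather than the rendering. Separately, `update`/`patch` on `services` and `update` on `ingresses` remain cluster-wide write verbs on resources the rest of the rule set only reads; both already carry TODO comments, but the `services` rule would benefit from a tracking-issue reference like the one on the `customresourcedefinitions` rule so the temporary grant is not forgotten. The narrowing of `secrets` to `get` is a good change, though cluster-wide `get` still allows reading any secret by name, so a one-line comment stating which secrets the controller needs would help the next reviewer judge whether a namespaced Role could replace it.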