diff --git a/apps/okd/index.yaml b/apps/okd/index.yaml
index af78fab..afd261a 100644
--- a/apps/okd/index.yaml
+++ b/apps/okd/index.yaml
@@ -6,6 +6,11 @@ metadata:
 name: okd
 description: null
 options:
+ domain-name:
+ default: your_company.com
+ examples:
+ - your_company.com
+ type: string
 namespaces:
 default: []
 items:
@@ -16,36 +21,6 @@ options:
 examples:
 - false
 type: boolean
- ingress-class:
- default: traefik
- examples:
- - traefik
- type: string
- app-group:
- default: infra
- examples:
- - infra
- type: string
- domain:
- default: your-company
- examples:
- - your-company
- type: string
- issuer:
- default: letsencrypt-prod
- examples:
- - letsencrypt-prod
- type: string
- sub-domain:
- default: okd
- examples:
- - okd
- type: string
- domain-name:
- default: your_company.com
- examples:
- - your_company.com
- type: string
 images:
 default:
 okd:
@@ -89,6 +64,31 @@ options:
 type: string
 type: object
 type: object
+ ingress-class:
+ default: traefik
+ examples:
+ - traefik
+ type: string
+ issuer:
+ default: letsencrypt-prod
+ examples:
+ - letsencrypt-prod
+ type: string
+ sub-domain:
+ default: okd
+ examples:
+ - okd
+ type: string
+ domain:
+ default: your-company
+ examples:
+ - your-company
+ type: string
+ app-group:
+ default: infra
+ examples:
+ - infra
+ type: string
 dependencies:
 - dist: null
 category: share
diff --git a/apps/okd/rbac.tf b/apps/okd/rbac.tf
index 313d988..a3720b9 100644
--- a/apps/okd/rbac.tf
+++ b/apps/okd/rbac.tf
@@ -12,7 +12,7 @@ resource "kubectl_manifest" "okd_sa" {
 EOF
 }
-resource "kubectl_manifest" "okd_crb" {
+resource "kubectl_manifest" "okd_crb_admin" {
 count = var.cluster-admin ? 1 : 0
 yaml_body = <<-EOF
 apiVersion: rbac.authorization.k8s.io/v1
@@ -66,3 +66,39 @@ resource "kubectl_manifest" "okd_role_bindings" {
 apiGroup: rbac.authorization.k8s.io
 EOF
 }
+
+resource "kubectl_manifest" "okd_clusterrole" {
+ count = length(local.sorted-namespaces)>0 ? 1 : 0
+ yaml_body = <<-EOF
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: "${var.namespace}-${var.component}-${var.instance}-list"
+ labels: ${jsonencode(local.common-labels)}
+ rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ resourceNames: ${jsonencode(local.sorted-namespaces)}
+ verbs: ["get", "list"]
+ EOF
+}
+
+resource "kubectl_manifest" "okd_clusterrole_bindings" {
+ count = length(local.sorted-namespaces)>0 ? 1 : 0
+ yaml_body = <<-EOF
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: "${var.namespace}-${var.component}-${var.instance}-list"
+ namespace: "${local.sorted-namespaces[count.index]}"
+ labels: ${jsonencode(local.common-labels)}
+ subjects:
+ - kind: ServiceAccount
+ name: "${var.component}-${var.instance}"
+ namespace: "${var.namespace}"
+ roleRef:
+ kind: ClusterRole
+ name: "${var.namespace}-${var.component}-${var.instance}-list"
+ apiGroup: rbac.authorization.k8s.io
+ EOF
+}
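Review bot: `okd_clusterrole_bindings` sets `count = length(local.sorted-namespaces)>0 ? 1 : 0` yet indexes `local.sorted-namespaces[count.index]`, so `count.index` is only ever 0 and the RoleBinding lands in the first namespace alone, while the ClusterRole's `resourceNames` lists all of them. If one binding per namespace is intended, the line should read `count = length(local.sorted-namespaces)`. Separately, the binding is a namespaced `RoleBinding` (despite the resource name) while the rule targets the cluster-scoped `namespaces` resource with `list` plus `resourceNames`. As far as I know Kubernetes does not narrow an ordinary list request by `resourceNames`, so the `list` verb probably grants nothing here and only `get` on the bound namespace would take effect — worth verifying with `kubectl auth can-i` as the service account. I would state the intent in a comment above `okd_clusterrole`, e.g. `# read-only access to the namespace objects in local.sorted-namespaces; no cluster-wide list`, and keep the binding namespaced rather than widening it to a ClusterRoleBinding unless cluster-wide listing is really required.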