diff --git a/Makefile b/Makefile
index cba6bb34f..12a20a23b 100644
--- a/Makefile
+++ b/Makefile
@@ -142,18 +142,23 @@ tidy: .PHONY: manifests KUSTOMIZE_CATD_RBAC_DIR := config/base/catalogd/rbac -KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/manager/webhook +KUSTOMIZE_CATD_WEBHOOKS_DIR := config/base/catalogd/webhook KUSTOMIZE_OPCON_RBAC_DIR := config/base/operator-controller/rbac # Due to https://github.com/kubernetes-sigs/controller-tools/issues/837 we can't specify individual files # So we have to generate them together and then move them into place manifests: $(CONTROLLER_GEN) $(KUSTOMIZE) #EXHELP Generate WebhookConfiguration, ClusterRole, and CustomResourceDefinition objects. # Generate CRDs via our own generator hack/tools/update-crds.sh - # Generate the remaining operator-controller manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR) - # Generate the remaining catalogd manifests - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR) - $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR) + # Generate the remaining operator-controller standard manifests + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/standard + # Generate the remaining operator-controller experimental manifests + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/operator-controller/..." output:rbac:artifacts:config=$(KUSTOMIZE_OPCON_RBAC_DIR)/experimental + # Generate the remaining catalogd standard manifests + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard rbac:roleName=manager-role paths="./internal/catalogd/..." 
output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/standard + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS),standard webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/standard + # Generate the remaining catalogd experimental manifests + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) rbac:roleName=manager-role paths="./internal/catalogd/..." output:rbac:artifacts:config=$(KUSTOMIZE_CATD_RBAC_DIR)/experimental + $(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) webhook paths="./internal/catalogd/..." output:webhook:artifacts:config=$(KUSTOMIZE_CATD_WEBHOOKS_DIR)/experimental # Generate manifests stored in source-control mkdir -p $(MANIFEST_HOME) $(KUSTOMIZE) build $(KUSTOMIZE_STANDARD_OVERLAY) > $(STANDARD_MANIFEST) diff --git a/config/base/catalogd/kustomization.yaml b/config/base/catalogd/kustomization.yaml index d4ebee2d5..67e52bb9d 100644 --- a/config/base/catalogd/kustomization.yaml +++ b/config/base/catalogd/kustomization.yaml @@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namePrefix: catalogd- resources: -- rbac - manager diff --git a/config/base/catalogd/manager/kustomization.yaml b/config/base/catalogd/manager/kustomization.yaml index 2c10750df..111cdf624 100644 --- a/config/base/catalogd/manager/kustomization.yaml +++ b/config/base/catalogd/manager/kustomization.yaml @@ -2,17 +2,9 @@ resources: - manager.yaml - service.yaml - network_policy.yaml -- webhook/manifests.yaml apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: - name: controller newName: quay.io/operator-framework/catalogd newTag: devel -patches: -- path: webhook/patch.yaml - target: - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - name: mutating-webhook-configuration - version: v1 
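Review bot: The experimental RBAC and webhook output is defined only by leaving `standard` out of `--load-build-tags=$(GO_BUILD_TAGS)` in the four experimental `$(CONTROLLER_GEN)` lines of the Makefile hunk, and nothing in the recipe says so. A `+kubebuilder:rbac` marker in a Go file that carries no build constraint is loaded by both invocations, so it widens the default `rbac/standard/role.yaml` as well as the experimental one without anyone editing the standard directory by hand. I would add a recipe comment above the first pair, for example `# "standard" tag selects the standard channel; without it the experimental channel is generated, so experimental-only markers must live in files excluded by that tag`. If `GO_BUILD_TAGS` can be empty, it is also worth confirming that controller-gen accepts the resulting `,standard` value. The `manifests` recipe may continue past the hunk's last line.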
diff --git a/config/base/catalogd/rbac/auth_proxy_client_clusterrole.yaml b/config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml
similarity index 100%
rename from config/base/catalogd/rbac/auth_proxy_client_clusterrole.yaml
rename to config/base/catalogd/rbac/common/auth_proxy_client_clusterrole.yaml
diff --git a/config/base/catalogd/rbac/auth_proxy_role.yaml b/config/base/catalogd/rbac/common/auth_proxy_role.yaml
similarity index 100%
rename from config/base/catalogd/rbac/auth_proxy_role.yaml
rename to config/base/catalogd/rbac/common/auth_proxy_role.yaml
diff --git a/config/base/catalogd/rbac/auth_proxy_role_binding.yaml b/config/base/catalogd/rbac/common/auth_proxy_role_binding.yaml
similarity index 100%
rename from config/base/catalogd/rbac/auth_proxy_role_binding.yaml
rename to config/base/catalogd/rbac/common/auth_proxy_role_binding.yaml
diff --git a/config/base/catalogd/rbac/common/kustomization.yaml b/config/base/catalogd/rbac/common/kustomization.yaml
new file mode 100644
index 000000000..7ea680d16
--- /dev/null
+++ b/config/base/catalogd/rbac/common/kustomization.yaml
@@ -0,0 +1,19 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
diff --git a/config/base/catalogd/rbac/leader_election_role.yaml b/config/base/catalogd/rbac/common/leader_election_role.yaml
similarity index 100%
rename from config/base/catalogd/rbac/leader_election_role.yaml
rename to config/base/catalogd/rbac/common/leader_election_role.yaml
diff --git a/config/base/catalogd/rbac/leader_election_role_binding.yaml b/config/base/catalogd/rbac/common/leader_election_role_binding.yaml
similarity index 100%
rename from config/base/catalogd/rbac/leader_election_role_binding.yaml
rename to config/base/catalogd/rbac/common/leader_election_role_binding.yaml
diff --git a/config/base/catalogd/rbac/role_binding.yaml b/config/base/catalogd/rbac/common/role_binding.yaml
similarity index 100%
rename from config/base/catalogd/rbac/role_binding.yaml
rename to config/base/catalogd/rbac/common/role_binding.yaml
diff --git a/config/base/catalogd/rbac/service_account.yaml b/config/base/catalogd/rbac/common/service_account.yaml
similarity index 100%
rename from config/base/catalogd/rbac/service_account.yaml
rename to config/base/catalogd/rbac/common/service_account.yaml
diff --git a/config/base/catalogd/rbac/experimental/kustomization.yaml b/config/base/catalogd/rbac/experimental/kustomization.yaml
new file mode 100644
index 000000000..b7f92edf4
--- /dev/null
+++ b/config/base/catalogd/rbac/experimental/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+resources:
+- ../common
+- role.yaml
diff --git a/config/base/catalogd/rbac/role.yaml b/config/base/catalogd/rbac/experimental/role.yaml
similarity index 100%
rename from config/base/catalogd/rbac/role.yaml
rename to config/base/catalogd/rbac/experimental/role.yaml
diff --git a/config/base/catalogd/rbac/kustomization.yaml b/config/base/catalogd/rbac/kustomization.yaml
index 8ed66bdd1..63c9d6895 100644
--- a/config/base/catalogd/rbac/kustomization.yaml
+++ b/config/base/catalogd/rbac/kustomization.yaml
@@ -1,20 +1,4 @@
+# This kustomization picks the standard rbac by default
+# If the experimental rbac is desired, select that directory explicitly
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-# The following RBAC configurations are used to protect
-# the metrics endpoint with authn/authz. These configurations
-# ensure that only authorized users and service accounts
-# can access the metrics endpoint. Comment the following
-# permissions if you want to disable this protection.
-# More info: https://book.kubebuilder.io/reference/metrics.html
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
+- standard
diff --git a/config/base/catalogd/rbac/standard/kustomization.yaml b/config/base/catalogd/rbac/standard/kustomization.yaml
new file mode 100644
index 000000000..f18de0c5b
--- /dev/null
+++ b/config/base/catalogd/rbac/standard/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+resources:
+ - ../common
+ - role.yaml
diff --git a/config/base/catalogd/rbac/standard/role.yaml b/config/base/catalogd/rbac/standard/role.yaml
new file mode 100644
index 000000000..c887c7c4f
--- /dev/null
+++ b/config/base/catalogd/rbac/standard/role.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: olmv1-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/base/catalogd/webhook/experimental/kustomization.yaml b/config/base/catalogd/webhook/experimental/kustomization.yaml
new file mode 100644
index 000000000..65f0f61ef
--- /dev/null
+++ b/config/base/catalogd/webhook/experimental/kustomization.yaml
@@ -0,0 +1,13 @@
+resources:
+- manifests.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+patches:
+- path: patch.yaml
+ target:
+ group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ name: mutating-webhook-configuration
+ version: v1
diff --git a/config/base/catalogd/manager/webhook/manifests.yaml b/config/base/catalogd/webhook/experimental/manifests.yaml
similarity index 100%
rename from config/base/catalogd/manager/webhook/manifests.yaml
rename to config/base/catalogd/webhook/experimental/manifests.yaml
diff --git a/config/base/catalogd/manager/webhook/patch.yaml b/config/base/catalogd/webhook/experimental/patch.yaml
similarity index 100%
rename from config/base/catalogd/manager/webhook/patch.yaml
rename to config/base/catalogd/webhook/experimental/patch.yaml
diff --git a/config/base/catalogd/webhook/kustomization.yaml b/config/base/catalogd/webhook/kustomization.yaml
new file mode 100644
index 000000000..aa908830c
--- /dev/null
+++ b/config/base/catalogd/webhook/kustomization.yaml
@@ -0,0 +1,4 @@
+# This kustomization picks the standard webhook by default
+# If the experimental webhook is desired, select that directory explicitly
+resources:
+- standard
diff --git a/config/base/catalogd/webhook/standard/kustomization.yaml b/config/base/catalogd/webhook/standard/kustomization.yaml
new file mode 100644
index 000000000..65f0f61ef
--- /dev/null
+++ b/config/base/catalogd/webhook/standard/kustomization.yaml
@@ -0,0 +1,13 @@
+resources:
+- manifests.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: catalogd-
+patches:
+- path: patch.yaml
+ target:
+ group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ name: mutating-webhook-configuration
+ version: v1
diff --git a/config/base/catalogd/webhook/standard/manifests.yaml b/config/base/catalogd/webhook/standard/manifests.yaml
new file mode 100644
index 000000000..a5842de42
--- /dev/null
+++ b/config/base/catalogd/webhook/standard/manifests.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /mutate-olm-operatorframework-io-v1-clustercatalog
+ failurePolicy: Fail
+ name: inject-metadata-name.olm.operatorframework.io
+ rules:
+ - apiGroups:
+ - olm.operatorframework.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - clustercatalogs
+ sideEffects: None
+ timeoutSeconds: 10
diff --git a/config/base/catalogd/webhook/standard/patch.yaml b/config/base/catalogd/webhook/standard/patch.yaml
new file mode 100644
index 000000000..ab8528c76
--- /dev/null
+++ b/config/base/catalogd/webhook/standard/patch.yaml
@@ -0,0 +1,20 @@
+# None of these values can be set via the kubebuilder directive, hence this patch
+- op: replace
+ path: /webhooks/0/clientConfig/service/namespace
+ value: olmv1-system
+- op: replace
+ path: /webhooks/0/clientConfig/service/name
+ value: catalogd-service
+- op: add
+ path: /webhooks/0/clientConfig/service/port
+ value: 9443
+# Make sure there's a name defined, otherwise, we can't create a label. This could happen when generateName is set
+# Then, if any of the conditions are true, create the label:
+# 1. No labels exist
+# 2. The olm.operatorframework.io/metadata.name label doesn't exist
+# 3. The olm.operatorframework.io/metadata.name label doesn't match the name
+- op: add
+ path: /webhooks/0/matchConditions
+ value:
+ - name: MissingOrIncorrectMetadataNameLabel
+ expression: "'name' in object.metadata && (!has(object.metadata.labels) || !('olm.operatorframework.io/metadata.name' in object.metadata.labels) || object.metadata.labels['olm.operatorframework.io/metadata.name'] != object.metadata.name)"
diff --git a/config/base/operator-controller/kustomization.yaml b/config/base/operator-controller/kustomization.yaml
index 500860cf6..4622afa97 100644
--- a/config/base/operator-controller/kustomization.yaml
+++ b/config/base/operator-controller/kustomization.yaml
@@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namePrefix: operator-controller-
 resources:
-- rbac
 - manager
diff --git a/config/base/operator-controller/manager/kustomization.yaml b/config/base/operator-controller/manager/kustomization.yaml
index 259f17c9e..b480ada69 100644
--- a/config/base/operator-controller/manager/kustomization.yaml
+++ b/config/base/operator-controller/manager/kustomization.yaml
@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-
 resources:
 - manager.yaml
 - service.yaml
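Review bot: The new `webhook/standard/patch.yaml` appears to be a second hand-maintained copy of the patch this commit renames to `webhook/experimental/patch.yaml`, and nothing ties the two files together, so the CEL `matchConditions` expression and the service name and port can drift between channels. With `failurePolicy: Fail` in the generated `manifests.yaml`, such a drift changes which `clustercatalogs` writes are sent to the webhook and rejected when it is unavailable. A first line such as `# Keep in sync with ../experimental/patch.yaml unless the channels are meant to differ` would record the intent, and a verify step that diffs the two files would enforce it. The patch also addresses the entry as `/webhooks/0`, so it depends on the generator emitting this webhook first; a short comment saying so would help whoever adds a second webhook.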
diff --git a/config/base/operator-controller/rbac/auth_proxy_client_clusterrole.yaml b/config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/auth_proxy_client_clusterrole.yaml
rename to config/base/operator-controller/rbac/common/auth_proxy_client_clusterrole.yaml
diff --git a/config/base/operator-controller/rbac/auth_proxy_role.yaml b/config/base/operator-controller/rbac/common/auth_proxy_role.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/auth_proxy_role.yaml
rename to config/base/operator-controller/rbac/common/auth_proxy_role.yaml
diff --git a/config/base/operator-controller/rbac/auth_proxy_role_binding.yaml b/config/base/operator-controller/rbac/common/auth_proxy_role_binding.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/auth_proxy_role_binding.yaml
rename to config/base/operator-controller/rbac/common/auth_proxy_role_binding.yaml
diff --git a/config/base/operator-controller/rbac/clusterextension_editor_role.yaml b/config/base/operator-controller/rbac/common/clusterextension_editor_role.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/clusterextension_editor_role.yaml
rename to config/base/operator-controller/rbac/common/clusterextension_editor_role.yaml
diff --git a/config/base/operator-controller/rbac/clusterextension_viewer_role.yaml b/config/base/operator-controller/rbac/common/clusterextension_viewer_role.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/clusterextension_viewer_role.yaml
rename to config/base/operator-controller/rbac/common/clusterextension_viewer_role.yaml
diff --git a/config/base/operator-controller/rbac/common/kustomization.yaml b/config/base/operator-controller/rbac/common/kustomization.yaml
new file mode 100644
index 000000000..e81be963a
--- /dev/null
+++ b/config/base/operator-controller/rbac/common/kustomization.yaml
@@ -0,0 +1,26 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+
+# The following resources are pre-defined roles for editors and viewers
+# of APIs provided by this project.
+- clusterextension_editor_role.yaml
+- clusterextension_viewer_role.yaml
+
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
+
diff --git a/config/base/operator-controller/rbac/leader_election_role.yaml b/config/base/operator-controller/rbac/common/leader_election_role.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/leader_election_role.yaml
rename to config/base/operator-controller/rbac/common/leader_election_role.yaml
diff --git a/config/base/operator-controller/rbac/leader_election_role_binding.yaml b/config/base/operator-controller/rbac/common/leader_election_role_binding.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/leader_election_role_binding.yaml
rename to config/base/operator-controller/rbac/common/leader_election_role_binding.yaml
diff --git a/config/base/operator-controller/rbac/role_binding.yaml b/config/base/operator-controller/rbac/common/role_binding.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/role_binding.yaml
rename to config/base/operator-controller/rbac/common/role_binding.yaml
diff --git a/config/base/operator-controller/rbac/service_account.yaml b/config/base/operator-controller/rbac/common/service_account.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/service_account.yaml
rename to config/base/operator-controller/rbac/common/service_account.yaml
diff --git a/config/base/operator-controller/rbac/experimental/kustomization.yaml b/config/base/operator-controller/rbac/experimental/kustomization.yaml
new file mode 100644
index 000000000..52a91a8e1
--- /dev/null
+++ b/config/base/operator-controller/rbac/experimental/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: operator-controller-
+resources:
+- ../common
+- role.yaml
diff --git a/config/base/operator-controller/rbac/role.yaml b/config/base/operator-controller/rbac/experimental/role.yaml
similarity index 100%
rename from config/base/operator-controller/rbac/role.yaml
rename to config/base/operator-controller/rbac/experimental/role.yaml
diff --git a/config/base/operator-controller/rbac/kustomization.yaml b/config/base/operator-controller/rbac/kustomization.yaml
index 719df5654..63c9d6895 100644
--- a/config/base/operator-controller/rbac/kustomization.yaml
+++ b/config/base/operator-controller/rbac/kustomization.yaml
@@ -1,27 +1,4 @@
+# This kustomization picks the standard rbac by default
+# If the experimental rbac is desired, select that directory explicitly
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
-- service_account.yaml
-- role.yaml
-- role_binding.yaml
-- leader_election_role.yaml
-- leader_election_role_binding.yaml
-
-# The following resources are pre-defined roles for editors and viewers
-# of APIs provided by this project.
-- clusterextension_editor_role.yaml
-- clusterextension_viewer_role.yaml
-
-# The following RBAC configurations are used to protect
-# the metrics endpoint with authn/authz. These configurations
-# ensure that only authorized users and service accounts
-# can access the metrics endpoint. Comment the following
-# permissions if you want to disable this protection.
-# More info: https://book.kubebuilder.io/reference/metrics.html
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
-
+- standard
diff --git a/config/base/operator-controller/rbac/standard/kustomization.yaml b/config/base/operator-controller/rbac/standard/kustomization.yaml
new file mode 100644
index 000000000..7d430c538
--- /dev/null
+++ b/config/base/operator-controller/rbac/standard/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: olmv1-system
+namePrefix: operator-controller-
+resources:
+ - ../common
+ - role.yaml
diff --git a/config/base/operator-controller/rbac/standard/role.yaml b/config/base/operator-controller/rbac/standard/role.yaml
new file mode 100644
index 000000000..bb1cbe626
--- /dev/null
+++ b/config/base/operator-controller/rbac/standard/role.yaml
@@ -0,0 +1,87 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clustercatalogs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensions/status
+ verbs:
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: manager-role
+ namespace: olmv1-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/components/base/experimental/kustomization.yaml b/config/components/base/experimental/kustomization.yaml
index b9ccb1d42..ab4eac1f7 100644
--- a/config/components/base/experimental/kustomization.yaml
+++ b/config/components/base/experimental/kustomization.yaml
@@ -3,7 +3,10 @@ kind: Component
 # Pull in the experimental CRDs
 resources:
 - ../../../base/catalogd/crd/experimental
+- ../../../base/catalogd/rbac/experimental
+- ../../../base/catalogd/webhook/experimental
 - ../../../base/operator-controller/crd/experimental
+- ../../../base/operator-controller/rbac/experimental
 # Pull in the component(s) common to standard and experimental
 components:
 - ../common
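Review bot: The comment `# Pull in the experimental CRDs` above `resources:` in config/components/base/experimental/kustomization.yaml is stale after this hunk, because the list now also pulls in the catalogd and operator-controller RBAC and the catalogd webhook configuration. These entries decide which `manager-role` ClusterRole and which admission webhook a deployment gets, so the comment should name them, for example `# Pull in the experimental CRDs, RBAC and webhook configuration`. The same applies to `# Pull in the standard CRDs` in config/components/base/standard/kustomization.yaml.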
diff --git a/config/components/base/standard/kustomization.yaml b/config/components/base/standard/kustomization.yaml index bf2466405..84ce224c0 100644 --- a/config/components/base/standard/kustomization.yaml +++ b/config/components/base/standard/kustomization.yaml @@ -3,7 +3,10 @@ kind: Component # Pull in the standard CRDs resources: - ../../../base/catalogd/crd/standard +- ../../../base/catalogd/rbac/standard +- ../../../base/catalogd/webhook/standard - ../../../base/operator-controller/crd/standard +- ../../../base/operator-controller/rbac/standard # Pull in the component(s) common to standard and experimental components: - ../common diff --git a/hack/tools/update-crds.sh b/hack/tools/update-crds.sh index b86464519..8627784fe 100755 --- a/hack/tools/update-crds.sh +++ b/hack/tools/update-crds.sh @@ -38,7 +38,11 @@ done # Copy the generated files for b in ${!modules[@]}; do for c in ${channels[@]}; do - cp ${CRD_TMP}/${c}/${crds[${b}]} config/base/${modules[${b}]}/crd/${c} + # CRDs for kinds not listed in the standardKinds map in crd-generator/main.go + # will not be generated for the standard channel - so we check the expected generated + # file exists before copying it. + FILE="${CRD_TMP}/${c}/${crds[${b}]}" + [[ -e "${FILE}" ]] && cp "${FILE}" config/base/${modules[${b}]}/crd/${c} done done
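Review bot: In the hack/tools/update-crds.sh hunk, a missing `${FILE}` now skips the copy silently and leaves whatever is already at the destination, so a kind that is later dropped from `standardKinds` keeps its previously generated CRD under `config/base/.../crd/standard` and that CRD still ships in the standard manifest. A generator failure for the experimental channel is hidden in the same way, since the existence check is not limited to the standard channel. I would remove the stale copy in the skip case and quote the destination, e.g. `DEST="config/base/${modules[${b}]}/crd/${c}"` followed by `if [[ -e "${FILE}" ]]; then cp "${FILE}" "${DEST}"; else rm -f "${DEST}/${crds[${b}]}"; fi`, and treat a missing experimental file as an error.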