diff --git a/pkg/controller/podSecret/pod-secret-controller.go b/pkg/controller/podSecret/pod-secret-controller.go
index 363acde605c..2f1bf1533d1 100644
--- a/pkg/controller/podSecret/pod-secret-controller.go
+++ b/pkg/controller/podSecret/pod-secret-controller.go
@@ -188,6 +188,9 @@ func (nc *PodSecretController) syncPodSecret(refKey string) error {
 return nil
 }
+ if labels == nil {
+ labels = make(map[string]string)
+ }
 labels[nodeName] = ""
 secret.SetLabels(labels)
 _, err = nc.kubeClient.CoreV1().SecretsWithMultiTenancy(namespace, tenant).Update(secret)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index f20cc8858e9..74f1d40b595 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -414,6 +414,15 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 },
 })
+ addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pod-secret-controller"},
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helpers.NewRule("list", "watch", "get").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+ rbacv1helpers.NewRule("list", "watch", "get", "update", "patch").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+ eventsRule(),
+ },
+ })
+
 return controllerRoles, controllerRoleBindings
 }
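Review bot: The nil-map guard is correct, but the write that follows it mutates `labels` and then `secret` in place and sends a full-object `Update`; if `secret` (obtained before this hunk) came from an informer lister rather than a fresh `Get`, that corrupts the shared cache copy, and the update can also fail with a conflict on a stale resourceVersion. Since the only change is one label, a merge patch such as `{"metadata":{"labels":{"<nodeName>":""}}}` sent via the client's `Patch` method avoids both problems and needs only the `patch` verb on secrets; failing that, `secret = secret.DeepCopy()` before `SetLabels` is the minimal fix. Note also that a node name is used as a label key: label key names are limited to 63 characters, so if node names in this deployment can be longer (DNS subdomains allow 253) the Update will be rejected by validation — worth confirming. syncPodSecret begins and ends outside this hunk.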
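Review bot: The new ClusterRole grants `list`, `watch` and `get` on every Secret in the cluster (no resourceNames, legacy core group), so a compromised pod-secret-controller service account can read all secret payloads even though the controller's only write shown in this commit is adding a label. RBAC cannot scope by label or field selector, so the read breadth may be unavoidable if the controller drives an informer over secrets, but it should be stated: add above the rule `// pod-secret-controller labels secrets with the names of nodes whose pods reference them; list/watch on all secrets is required for its informer.` If the controller is switched to a merge patch for the label, `update` can be dropped from the secrets rule, leaving `patch` as the only write verb. Confirm whether `get` on pods (rather than list/watch only) is actually exercised before granting it.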