diff --git a/component/main.jsonnet b/component/main.jsonnet
index 71e19f4..ce8feec 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -60,6 +60,35 @@ local certSecret =
 else null;
+local metricsRbac =
+ local sa = kube.ServiceAccount('metrics') {
+ metadata+: {
+ namespace: params.namespace,
+ },
+ };
+ [
+ sa,
+ kube.Secret(sa.metadata.name) {
+ metadata+: {
+ annotations+: {
+ 'kubernetes.io/service-account.name': sa.metadata.name,
+ 'vcluster.loft.sh/force-sync': 'true',
+ },
+ namespace: params.namespace,
+ },
+ type: 'kubernetes.io/service-account-token',
+ data:: {},
+ },
+ kube.ClusterRoleBinding(sa.metadata.name) {
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'system:monitoring',
+ },
+ subjects_: [ sa ],
+ },
+ ];
+
 // Define outputs below
 {
 '00_namespace': [
@@ -68,6 +97,7 @@ local certSecret =
 ],
 [if hasCountriesConfig then '10_odoo_countrylist']: countriesConfigMap,
 [if certSecret != null then '10_certs']: certSecret,
+ '10_rbac_api_metrics': metricsRbac,
 '10_rbac_cluster_admin_impersonation': (import 'rbac-cluster-admin-impersonation.libsonnet'),
 '10_rbac_basic_user': (import 'rbac-basic-user.libsonnet'),
 '10_rbac_organization': (import 'rbac-organization.libsonnet'),
diff --git a/tests/golden/defaults/control-api/control-api/10_rbac_api_metrics.yaml b/tests/golden/defaults/control-api/control-api/10_rbac_api_metrics.yaml
new file mode 100644
index 0000000..fe19709
--- /dev/null
+++ b/tests/golden/defaults/control-api/control-api/10_rbac_api_metrics.yaml
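Review bot: The `kube.Secret(sa.metadata.name)` with `type: 'kubernetes.io/service-account-token'` asks the token controller to populate a legacy, non-expiring bearer token for the `metrics` ServiceAccount, and nothing in the hunk records why a static credential is required instead of a short-lived bound token, so the next reader has no way to judge whether it may be removed or how it is rotated. A comment above `local metricsRbac =` would fix that, e.g. `// Static, non-expiring SA token (legacy Secret type); required because <consumer cannot use bound tokens - fill in>. Rotate deliberately.` The `vcluster.loft.sh/force-sync` annotation suggests the consumer lives in the host cluster, which would explain the choice, but that is inferred from the annotation alone. Binding the account to the built-in `system:monitoring` ClusterRole keeps the token's reach to read-only metrics and health endpoints, which is the right scope for a credential that does not expire. Stylistically, the sibling `10_rbac_*` outputs in the second hunk are each `import`ed from their own `.libsonnet`, so `metricsRbac` would sit more consistently in a `rbac-api-metrics.libsonnet` than inline in `main.jsonnet`.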
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ name: metrics
+ name: metrics
+ namespace: appuio-control-api
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: metrics
+ vcluster.loft.sh/force-sync: 'true'
+ labels:
+ name: metrics
+ name: metrics
+ namespace: appuio-control-api
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: metrics
+ name: metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:monitoring
+subjects:
+ - kind: ServiceAccount
+ name: metrics
+ namespace: appuio-control-api
diff --git a/tests/golden/insecure/control-api/control-api/10_rbac_api_metrics.yaml b/tests/golden/insecure/control-api/control-api/10_rbac_api_metrics.yaml
new file mode 100644
index 0000000..fe19709
--- /dev/null
+++ b/tests/golden/insecure/control-api/control-api/10_rbac_api_metrics.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ name: metrics
+ name: metrics
+ namespace: appuio-control-api
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: metrics
+ vcluster.loft.sh/force-sync: 'true'
+ labels:
+ name: metrics
+ name: metrics
+ namespace: appuio-control-api
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: metrics
+ name: metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:monitoring
+subjects:
+ - kind: ServiceAccount
+ name: metrics
+ namespace: appuio-control-api
diff --git a/tests/golden/withcronjob/control-api/control-api/10_rbac_api_metrics.yaml b/tests/golden/withcronjob/control-api/control-api/10_rbac_api_metrics.yaml
new file mode 100644
index 0000000..fe19709
--- /dev/null
+++ b/tests/golden/withcronjob/control-api/control-api/10_rbac_api_metrics.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ name: metrics
+ name: metrics
+ namespace: appuio-control-api
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: metrics
+ vcluster.loft.sh/force-sync: 'true'
+ labels:
+ name: metrics
+ name: metrics
+ namespace: appuio-control-api
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations: {}
+ labels:
+ name: metrics
+ name: metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:monitoring
+subjects:
+ - kind: ServiceAccount
+ name: metrics
+ namespace: appuio-control-api