diff --git a/templates/ci/stacks-devnet-api.template.yaml b/templates/ci/stacks-devnet-api.template.yaml
index 711243f..1de5aab 100644
--- a/templates/ci/stacks-devnet-api.template.yaml
+++ b/templates/ci/stacks-devnet-api.template.yaml
@@ -11,9 +11,11 @@ metadata:
 name: stacks-devnet-api-service-account
 rules:
 - apiGroups: [""]
- # TODO: production version should not be able to create/delete namespaces (only get)
- resources: ["pods", "pods/status", "services", "configmaps", "persistentvolumeclaims", "namespaces"]
+ resources: ["pods", "pods/status", "services", "configmaps", "persistentvolumeclaims"]
 verbs: ["get", "delete", "create"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/templates/stacks-devnet-api.template.yaml b/templates/stacks-devnet-api.template.yaml
index ed8727f..62299f2 100644
--- a/templates/stacks-devnet-api.template.yaml
+++ b/templates/stacks-devnet-api.template.yaml
@@ -11,9 +11,12 @@ metadata:
 name: stacks-devnet-api-service-account
 rules:
 - apiGroups: [""]
- # TODO: production version should not be able to create/delete namespaces (only get)
- resources: ["pods", "pods/status", "services", "configmaps", "persistentvolumeclaims", "namespaces"]
+ resources: ["pods", "pods/status", "services", "configmaps", "persistentvolumeclaims"]
 verbs: ["get", "delete", "create"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
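Review bot: The first rule under `rules:` in `templates/ci/stacks-devnet-api.template.yaml` still grants `create` and `delete` on `pods`, `services`, `configmaps` and `persistentvolumeclaims`, and the role's `kind` lies outside the hunk; if it is a ClusterRole bound cluster-wide, those verbs apply in every namespace, so dropping namespace create/delete narrows the service account less than it appears. Consider granting the workload rule through a namespaced Role/RoleBinding in each devnet namespace and keeping only the `namespaces` `get` rule cluster-scoped. The removed TODO was the only record of intent, so the new rule deserves a comment such as `# namespaces are read-only by design: this service account must not create or delete them`. The same points apply to the matching hunk in `templates/stacks-devnet-api.template.yaml`, which also appears to add a stray blank line before `---`.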