diff --git a/ansible/kustomization.yaml b/ansible/kustomization.yaml
index 3d21bc9..3fad65c 100644
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -1,6 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+transformers:
+- |
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: namespace-transformer
+ namespace: ansible
+ unsetOnly: true
+ setRoleBindingSubjects: allServiceAccounts
+ fieldSpecs:
+ - path: metadata/namespace
+ create: true
+
 labels:
 - pairs:
 app.kubernetes.io/instance: ansible
@@ -9,8 +22,6 @@ labels:
 - pairs:
 app.kubernetes.io/part-of: ansible
-namespace: ansible
-
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys
diff --git a/ansible/rbac.yaml b/ansible/rbac.yaml
index 4067edf..4b9de79 100644
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
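Review bot: The switch from a file-wide `namespace: ansible` to an `unsetOnly` NamespaceTransformer (this hunk together with the second hunk of kustomization.yaml, which drops the old key) has no comment saying why, and the only thing in the commit that depends on it is rbac.yaml: objects that declare `kube-public` or `kube-system` must keep those namespaces while everything else still lands in `ansible`. I would put that above `transformers:` as `# unsetOnly: rbac.yaml's host-provisioner Roles must stay in kube-public/kube-system; everything else defaults to ansible`. `setRoleBindingSubjects: allServiceAccounts` is what fills in the missing `namespace` on the host-provisioner binding subjects; whether it also touches the existing `dch-webhooks` subject that explicitly names `default` I cannot tell from the hunk, so the rendered output of `kustomize build` should be checked before apply. Because the transformer is embedded as a `|` string, a typo in it is only caught at build time, which is a further argument for that build check running in CI.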
@@ -23,3 +23,112 @@ subjects:
 - kind: ServiceAccount
 name: dch-webhooks
 namespace: default
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: host-provisioner
+ labels:
+ app.kubernetes.io/name: host-provisioner
+ app.kubernetes.io/component: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: host-provisioner
+ namespace: kube-public
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to access the _cluster-info_ ConfigMap,
+ which it uses to get the connection details for the Kubernetes API
+ server, including the issuing CA certificate, to pass to `kubeadm
+ join` on a new worker node.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ resourceNames:
+ - cluster-info
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: host-provisioner
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to manipulate labels, taints, etc. on
+ nodes it adds to the cluster.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: host-provisioner
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: host-provisioner
+ namespace: kube-system
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to create bootstrap tokens in order to
+ add new nodes to the Kubernetes cluster.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: host-provisioner
+ namespace: kube-public
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: host-provisioner
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
diff --git a/dch-webhooks/ansible-job.yaml b/dch-webhooks/ansible-job.yaml
index 8805676..9cb907e 100644
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -90,11 +90,15 @@ spec:
 - mountPath: /tmp
 name: tmp
 subPath: tmp
+ - mountPath: /var/tmp
+ name: tmp
+ subPath: tmp
 securityContext:
 runAsNonRoot: true
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
+ serviceAccountName: host-provisioner
 volumes:
 - name: dch-root-ca
 configMap:
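Review bot: The kube-system Role grants `get` on every Secret in that namespace (the `verbs: - create - get` rule at the top of this part of the hunk), which is far broader than the description's "create bootstrap tokens": it lets the host-provisioner read any Secret kube-system holds, and RBAC cannot limit `create` or `get` to the `bootstrap.kubernetes.io/token` type. If the provisioner only mints tokens, drop `- get`; if it must read a token back, say so in the description annotation and, where the token id is known in advance, narrow the read with `resourceNames`. The ClusterRole's `patch` on `nodes` likewise applies to every node in the cluster, not only "nodes it adds", so its description should state that reach plainly. None of the binding subjects carry a `namespace`, so the file is only correct when rendered through the kustomization's NamespaceTransformer; applied directly, the ClusterRoleBinding subject would, I believe, be rejected by the API server, which deserves a comment at the top of rbac.yaml such as `# Subject namespaces are filled in by the NamespaceTransformer in kustomization.yaml; do not apply this file on its own`.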
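Review bot: The new `/var/tmp` mount uses the same volume and the same `subPath: tmp` as the existing `/tmp` mount, so both paths resolve to one directory and anything written under either is visible under the other. If that aliasing is intended (a single scratch area for tools that default to either path), a comment on the new mount should say so; if not, give it its own `subPath: var-tmp`. The hunk also attaches `serviceAccountName: host-provisioner`, so this Job's pod now carries the kube-system Secret and cluster-wide node permissions defined in rbac.yaml; the Job template starts and ends outside the hunk, so I cannot see whether `automountServiceAccountToken` is set deliberately or how the playbooks the pod runs are sourced, both of which are worth confirming for a pod with this much reach.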