diff --git a/cluster/kube/lib/rook.libsonnet b/cluster/kube/lib/rook.libsonnet
index 8f83d2d8..4edfe7dd 100644
--- a/cluster/kube/lib/rook.libsonnet
+++ b/cluster/kube/lib/rook.libsonnet
@@ -10,7 +10,7 @@ local oa = kube.OpenAPI;
         local env = self,
         local cfg = env.cfg,
         cfg:: {
-            image: "rook/ceph:v1.1.9",
+            image: "rook/ceph:v1.2.7",
             namespace: "rook-ceph-system",
         },
 
@@ -236,6 +236,15 @@ local oa = kube.OpenAPI;
                     subresources: { status: {} },
                 },
             },
+            cephclients: kube.CustomResourceDefinition("ceph.rook.io", "v1", "CephClient") {
+                spec+: {
+                    validation: oa.Validation(oa.Dict {
+                        spec: oa.Dict {
+                            caps: oa.Any,
+                        },
+                    }),
+                },
+            },
         },
 
         sa: {
@@ -307,9 +316,24 @@ local oa = kube.OpenAPI;
                     },
                     {
                         apiGroups: ["policy", "apps"],
-                        resources: ["poddisruptionbudgets", "deployments"],
+                        resources: ["poddisruptionbudgets", "deployments", "replicasets"],
                         verbs: ["*"],
                     },
+                    {
+                        apiGroups: ["healthchecking.openshift.io"],
+                        resources: ["machinedisruptionbudgets"],
+                        verbs: ["get", "list", "watch", "create", "update", "delete"],
+                    },
+                    {
+                        apiGroups: ["machine.openshift.io"],
+                        resources: ["machines"],
+                        verbs: ["get", "list", "watch", "create", "update", "delete"],
+                    },
+                    {
+                        apiGroups: ["storage.k8s.io"],
+                        resources: ["csidrivers"],
+                        verbs: ["create"],
+                    },
                 ],
             },
 
@@ -733,7 +757,17 @@ local oa = kube.OpenAPI;
                         apiGroups: [""],
                         resources: ["configmaps"],
                         verbs: ["get", "list", "watch", "create", "update", "delete"],
-                    }
+                    },
+                ],
+            },
+            osdCluster: kube.ClusterRole(cluster.name("osd-cluster")) {
+                metadata+: cluster.metadata { namespace:: null },
+                rules: [
+                    {
+                        apiGroups: [""],
+                        resources: ["nodes"],
+                        verbs: ["get", "list"],
+                    },
                 ],
             },
             mgr: kube.Role(cluster.name("mgr")) {
@@ -802,6 +836,15 @@ local oa = kube.OpenAPI;
             subjects_: [cluster.sa.mgr],
         },
 
+        osdClusterRB: kube.ClusterRoleBinding(cluster.name("osd-cluster")) {
+            metadata+: {
+                namespace:: null,
+            },
+            roleRef_: cluster.roles.osdCluster,
+            subjects_: [cluster.sa.osd],
+        },
+
+
         cluster: kube._Object("ceph.rook.io/v1", "CephCluster", name) {
             metadata+: cluster.metadata,
             spec: {