diff --git a/deployments/k8s/base/rbac.yaml b/deployments/k8s/base/rbac.yaml
index 0900d03..78db56d 100644
--- a/deployments/k8s/base/rbac.yaml
+++ b/deployments/k8s/base/rbac.yaml
@@ -50,3 +50,38 @@ roleRef:
 kind: Role
 name: rdev-api
 apiGroup: rbac.authorization.k8s.io
+---
+# RBAC for Woodpecker CI to deploy to rdev namespace
+# Allows CI service accounts to apply deployment patches and watch rollout status
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: woodpecker-deployer
+ namespace: rdev
+ labels:
+ app.kubernetes.io/name: woodpecker-deployer
+ app.kubernetes.io/part-of: rdev
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "patch", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: woodpecker-deployer
+ namespace: rdev
+ labels:
+ app.kubernetes.io/name: woodpecker-deployer
+ app.kubernetes.io/part-of: rdev
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: rdev
+ - kind: ServiceAccount
+ name: default
+ namespace: threesix
+roleRef:
+ kind: Role
+ name: woodpecker-deployer
+ apiGroup: rbac.authorization.k8s.io
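Review bot: The RoleBinding's subjects are the `default` ServiceAccount in `rdev` and in `threesix`, so the grant is not limited to CI: every pod in either namespace that does not set its own `serviceAccountName` runs as `default` and inherits `patch` on all Deployments in `rdev`. Patching a Deployment means rewriting its pod template (image, command, service account), so any such pod can change what runs in `rdev`, and the `threesix` subject extends that across a namespace boundary. Bind a dedicated account instead, e.g. `name: woodpecker-deployer` (suggested name, with a matching ServiceAccount assigned only to the CI pods), and if the pipeline only updates known Deployments, move `patch` into its own rule with `resourceNames: ["<deployment-name>"]`. The comment above the Role should also state which namespace the CI agents run in, since that is not visible from this hunk.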