diff --git a/deploy/helm/pieced-operator/Chart.yaml b/deploy/helm/pieced-operator/Chart.yaml
index d372b2e..1528733 100644
--- a/deploy/helm/pieced-operator/Chart.yaml
+++ b/deploy/helm/pieced-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.32
-appVersion: "0.1.32"
+version: 0.1.33
+appVersion: "0.1.33"
 type: application
diff --git a/deploy/helm/pieced-operator/templates/rbac.yaml b/deploy/helm/pieced-operator/templates/rbac.yaml
index f81622b..2982bfe 100644
--- a/deploy/helm/pieced-operator/templates/rbac.yaml
+++ b/deploy/helm/pieced-operator/templates/rbac.yaml
@@ -34,29 +34,34 @@ rules:
     verbs: ["create", "patch"]
 
   # --- Capsule Tenant ---
+  # `patch` is required for server-side apply (SSA) — controller-runtime's
+  # `client.Apply` uses HTTP PATCH with content-type application/apply-patch+yaml.
+  # We keep `update` for backwards-compat in case any code path still does
+  # replace-style writes (currently none). Same applies to all unstructured
+  # resources below.
   - apiGroups: ["capsule.clastix.io"]
     resources: ["tenants"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- ESO SecretStore ---
   - apiGroups: ["external-secrets.io"]
     resources: ["secretstores"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- ESO ExternalSecret ---
   - apiGroups: ["external-secrets.io"]
     resources: ["externalsecrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- Cilium CiliumNetworkPolicy ---
   - apiGroups: ["cilium.io"]
     resources: ["ciliumnetworkpolicies"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- OpenClaw OpenClawInstance ---
   - apiGroups: ["openclaw.rocks"]
     resources: ["openclawinstances"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- Leader election (coordination) ---
   - apiGroups: ["coordination.k8s.io"]
diff --git a/deploy/helm/pieced-operator/values.yaml b/deploy/helm/pieced-operator/values.yaml
index 401e6a5..e14c8ed 100644
--- a/deploy/helm/pieced-operator/values.yaml
+++ b/deploy/helm/pieced-operator/values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: registry.c5ai.ch/pieced/pieced-operator
-  tag: "0.1.32"
+  tag: "0.1.33"
   pullPolicy: IfNotPresent
 
 imagePullSecrets: