diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 6a6a1799e..b0b5e22f9 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -1051,6 +1051,7 @@ rules:
 resources:
 - managedserviceaccounts
 verbs:
+ - create
 - delete
 - get
 - list
diff --git a/pkg/templates/charts/toggle/server-foundation/templates/clusterrole-foundation.yaml b/pkg/templates/charts/toggle/server-foundation/templates/clusterrole-foundation.yaml
index e368f05c5..fc0f3351a 100644
--- a/pkg/templates/charts/toggle/server-foundation/templates/clusterrole-foundation.yaml
+++ b/pkg/templates/charts/toggle/server-foundation/templates/clusterrole-foundation.yaml
@@ -108,3 +108,6 @@ rules:
 - apiGroups: ["addon.open-cluster-management.io"]
 resources: ["addondeploymentconfigs"]
 verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.open-cluster-management.io"]
+ resources: ["managedserviceaccounts"]
+ verbs: ["get", "watch", "list", "create", "update"]
diff --git a/pkg/templates/charts/toggle/server-foundation/templates/ocm-proxyserver.yaml b/pkg/templates/charts/toggle/server-foundation/templates/ocm-proxyserver.yaml
index 76abd85aa..d7921399d 100644
--- a/pkg/templates/charts/toggle/server-foundation/templates/ocm-proxyserver.yaml
+++ b/pkg/templates/charts/toggle/server-foundation/templates/ocm-proxyserver.yaml
@@ -44,6 +44,9 @@ spec:
 - --agent-cafile=/var/run/klusterlet/ca.crt
 - --agent-certfile=/var/run/klusterlet/tls.crt
 - --agent-keyfile=/var/run/klusterlet/tls.key
+ - --proxy-service-cafile=/var/run/clusterproxy/service-ca.crt
+ - --proxy-service-name=cluster-proxy-addon-user
+ - --proxy-service-port=9092
 env:
 {{- if .Values.hubconfig.proxyConfigs }}
 - name: HTTP_PROXY
@@ -88,6 +91,8 @@ spec:
 name: klusterlet-certs
 - mountPath: /var/run/apiservice
 name: apiservice-certs
+ - mountPath: /var/run/clusterproxy
+ name: cluster-proxy-service-ca
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
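Review bot: The new rule in clusterrole-foundation.yaml grants `create` and `update` on managedserviceaccounts cluster-wide, and nothing in the hunk records why the foundation components need to create them; as I understand the ManagedServiceAccount API, creating one results in a service-account token being issued on the managed cluster and synced to the hub, so this is effectively a token-issuing grant and deserves a one-line justification above the rule, e.g. `# ocm-proxyserver creates ManagedServiceAccounts for cluster-proxy user access; keep verbs minimal`. It is also worth confirming that `update` is actually exercised by the consumer rather than `patch`, and whether the grant could be bound per managed-cluster namespace instead of through a cluster-wide binding. Minor style: the verb order `"get", "watch", "list"` differs from the neighbouring rule's `"get", "list", "watch"`, which makes comparing against the kubebuilder marker in rbac_gen.go slightly harder.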
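Review bot: The three new `--proxy-service-*` flags in ocm-proxyserver.yaml hard-code the cluster-proxy user service name and port (`cluster-proxy-addon-user`, `9092`), so a change in the cluster-proxy addon's service will break the proxy server at runtime rather than at template time; since this template already reads `.Values.hubconfig.proxyConfigs`, consider templating the name and port from values with the current literals as the defaults. The `--proxy-service-cafile` path also assumes the ConfigMap mounted at `/var/run/clusterproxy` exposes its CA under the key `service-ca.crt`; the volume definition later in this diff does not pin that key with `items`, so a comment here naming the expected key, e.g. `# expects the service-ca.crt key of the mounted cluster-proxy-service-ca ConfigMap`, would help the next maintainer. The container spec this hunk belongs to starts outside the hunk.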
@@ -130,4 +135,8 @@ spec:
 - name: apiservice-certs
 secret:
 defaultMode: 420
- secretName: ocm-proxyserver
\ No newline at end of file
+ secretName: ocm-proxyserver
+ - name: cluster-proxy-service-ca
+ configMap:
+ defaultMode: 420
+ name: openshift-service-ca.crt
diff --git a/pkg/templates/rbac_gen.go b/pkg/templates/rbac_gen.go
index 94ff61492..4144ec141 100644
--- a/pkg/templates/rbac_gen.go
+++ b/pkg/templates/rbac_gen.go
@@ -145,6 +145,7 @@ package main
 //+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
 //+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
 //+kubebuilder:rbac:groups=authentication.open-cluster-management.io,resources=managedserviceaccounts,verbs=get;list;watch;update;patch;delete
+//+kubebuilder:rbac:groups=authentication.open-cluster-management.io,resources=managedserviceaccounts,verbs=get;watch;list;create;update
 //+kubebuilder:rbac:groups=authentication.open-cluster-management.io,resources=managedserviceaccounts/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
 //+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
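Review bot: The new `cluster-proxy-service-ca` volume references the `openshift-service-ca.crt` ConfigMap without `optional: true`, so on any cluster where that ConfigMap is not injected the ocm-proxyserver pod will fail to mount the volume and stay in ContainerCreating, taking the existing proxy functionality down together with the new feature. If the proxy-service CA is only available where the platform injects that ConfigMap, either gate this volume, the corresponding mount and the three `--proxy-service-*` flags together behind one values condition, or set `optional: true` here and confirm the binary tolerates a missing CA file at startup. The volumes list this hunk belongs to starts outside the hunk.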
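Review bot: The added marker repeats the group and resource of the line directly above it with an overlapping verb set (`get`, `watch` and `update` appear in both); controller-gen unions them, which is where the single `create` verb added to config/rbac/role.yaml in this diff comes from, but a reader now has to merge two lines mentally to know the effective grant. If this file deliberately keeps one marker per consuming component (the repeated tokenreviews lines suggest it does), a comment line above the marker naming the component, e.g. `// ocm-proxyserver: ManagedServiceAccount creation for cluster-proxy user access`, would make the duplication intentional; otherwise fold `create` into the existing marker and drop this one. Either way, the verb order `get;watch;list` departs from the `get;list;watch` convention of the neighbouring markers.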