diff --git a/playbooks/openshift-apps/mirrormanager.yml b/playbooks/openshift-apps/mirrormanager.yml
index 3705911220..75464859ce 100644
--- a/playbooks/openshift-apps/mirrormanager.yml
+++ b/playbooks/openshift-apps/mirrormanager.yml
@@ -52,6 +52,7 @@
 - abompard
 - nphilipp
 - adrian
+ allow_pod_creation: true
 tags:
 - apply-appowners
diff --git a/roles/openshift/project/defaults/main.yml b/roles/openshift/project/defaults/main.yml
index 907b9a0c59..b5450f1675 100644
--- a/roles/openshift/project/defaults/main.yml
+++ b/roles/openshift/project/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 allow_fas_db: false
 allow_iad2: true
+allow_pod_creation: false
 egress_policy_template: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"
diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
index 476083c33e..5848c2ae2d 100644
--- a/roles/openshift/project/templates/role-appowners.yml
+++ b/roles/openshift/project/templates/role-appowners.yml
@@ -17,9 +17,6 @@ rules:
 resources:
 - endpoints
 - persistentvolumeclaims
- - pods
- - pods/attach
- - pods/exec
 - replicationcontrollers
 - serviceaccounts
 - services
@@ -32,6 +29,23 @@ rules:
 - delete
 - update
 {% endif %}
+# Permissions for pods
+- apiGroups:
+ - "*"
+ attributeRestrictions: null
+ resources:
+ - pods
+ - pods/attach
+ - pods/exec
+ verbs:
+ - get
+ - list
+ - watch
+{% if env == "staging" or allow_pod_creation %}
+ - create
+ - delete
+ - update
+{% endif %}
 - apiGroups:
 - "*"
 attributeRestrictions: null
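Review bot: The ungated part of the new pod rule in role-appowners.yml still grants `get` on `pods/exec` and `pods/attach`, and the API server has historically served those subresources over GET (websocket upgrade) as well as POST, so `get` alone has been enough to open a shell in a container; if the production intent is view-only pods, the two subresources belong only inside the `{% if env == "staging" or allow_pod_creation %}` branch, as a separate rule so the read-only rule lists just `pods`. The flag name `allow_pod_creation` also undersells what it gates (delete and update, and the exec/attach subresources), so a comment above the rule would help, e.g. `# create/delete/update on pods, and exec/attach, only in staging or when allow_pod_creation is set`. The new rule is complete within the hunk; the `- apiGroups:` rule that follows it continues outside the hunk.
```yaml
# Permissions for pods
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
{% if env == "staging" or allow_pod_creation %}
  - create
  - delete
  - update
# exec/attach are served over GET as well as POST, so grant the
# subresources only where pod mutation is allowed
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - pods/attach
  - pods/exec
  verbs:
  - get
  - create
{% endif %}
# … unchanged: following apiGroups rule …
```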