diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
index dd08b5764246..7c2085a2fc06 100644
--- a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
+++ b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
@@ -44,6 +44,9 @@ const (
 	InfraPersistentVolumeBinderControllerServiceAccountName = "pv-binder-controller"
 	PersistentVolumeBinderControllerRoleName = "system:pv-binder-controller"
+	InfraPersistentVolumeAttachDetachControllerServiceAccountName = "pv-attach-detach-controller"
+	PersistentVolumeAttachDetachControllerRoleName = "system:pv-attach-detach-controller"
+
 	InfraPersistentVolumeRecyclerControllerServiceAccountName = "pv-recycler-controller"
 	PersistentVolumeRecyclerControllerRoleName = "system:pv-recycler-controller"
@@ -464,6 +467,55 @@ func init() {
 		panic(err)
 	}
+	err = InfraSAs.addServiceAccount(
+		InfraPersistentVolumeAttachDetachControllerServiceAccountName,
+		authorizationapi.ClusterRole{
+			ObjectMeta: kapi.ObjectMeta{
+				Name: PersistentVolumeAttachDetachControllerRoleName,
+			},
+			Rules: []authorizationapi.PolicyRule{
+				// shared informer on PVs
+				{
+					Verbs: sets.NewString("list", "watch"),
+					Resources: sets.NewString("persistentvolumes"),
+				},
+				// shared informer on PVCs
+				{
+					Verbs: sets.NewString("list", "watch"),
+					Resources: sets.NewString("persistentvolumeclaims"),
+				},
+				// shared informer on nodes
+				{
+					Verbs: sets.NewString("list", "watch"),
+					Resources: sets.NewString("nodes"),
+				},
+				// operationexecutor uses get with nodes
+				{
+					Verbs: sets.NewString("get"),
+					Resources: sets.NewString("nodes"),
+				},
+				// strategic patch on nodes/status
+				{
+					Verbs: sets.NewString("patch", "update"),
+					Resources: sets.NewString("nodes/status"),
+				},
+				// shared informer on pods
+				{
+					Verbs: sets.NewString("list", "watch"),
+					Resources: sets.NewString("pods"),
+				},
+				// normal event usage
+				{
+					Verbs: sets.NewString("create", "update", "patch"),
+					Resources: sets.NewString("events"),
+				},
+			},
+		},
+	)
+	if err != nil {
+		panic(err)
+	}
+
 	err = InfraSAs.addServiceAccount(
 		InfraPersistentVolumeBinderControllerServiceAccountName,
 		authorizationapi.ClusterRole{
diff --git a/pkg/cmd/server/kubernetes/master.go b/pkg/cmd/server/kubernetes/master.go
index b3fac1c6df13..f7b8ac86bd53 100644
--- a/pkg/cmd/server/kubernetes/master.go
+++ b/pkg/cmd/server/kubernetes/master.go
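Review bot: The nodes/status rule grants both `patch` and `update`, but its own comment ("strategic patch on nodes/status") only accounts for a strategic-merge patch; if the node status updater only goes through a patch call (the controller code is not in this diff, so confirm), `update` is surplus and the least-privilege form is `Verbs: sets.NewString("patch"),`. Being able to replace any node's status wholesale is a wider capability than patching one field, so it is worth not granting by accident. The two nodes rules (list/watch plus a separate get) could be folded into one `Verbs: sets.NewString("get", "list", "watch")` unless the split is deliberate. Whatever verbs are kept must be mirrored in test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml, which this diff also updates.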
@@ -171,7 +171,10 @@ func (c *MasterConfig) RunPersistentVolumeController(client *client.Client, name
 		s.VolumeConfiguration.EnableDynamicProvisioning,
 	)
 	volumeController.Run()
+}
+func (c *MasterConfig) RunPersistentVolumeAttachDetachController(client *client.Client) {
+	s := c.ControllerManager
 	attachDetachController, err := attachdetachcontroller.NewAttachDetachController(
 		clientadapter.FromUnversionedClient(client),
diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
index cb15891516fa..a4c1674e47f4 100644
--- a/pkg/cmd/server/start/start_master.go
+++ b/pkg/cmd/server/start/start_master.go
@@ -583,6 +583,11 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro
 		glog.Fatalf("Could not get client for persistent volume binder controller: %v", err)
 	}
+	_, _, attachDetachControllerClient, err := oc.GetServiceAccountClients(bootstrappolicy.InfraPersistentVolumeAttachDetachControllerServiceAccountName)
+	if err != nil {
+		glog.Fatalf("Could not get client for attach detach controller: %v", err)
+	}
+
 	_, _, daemonSetClient, err := oc.GetServiceAccountClients(bootstrappolicy.InfraDaemonSetControllerServiceAccountName)
 	if err != nil {
 		glog.Fatalf("Could not get client for daemonset controller: %v", err)
@@ -641,6 +646,7 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro
 	kc.RunEndpointController(endpointControllerClient)
 	kc.RunNamespaceController(namespaceControllerClientSet, namespaceControllerClientPool)
 	kc.RunPersistentVolumeController(binderClient, oc.Options.PolicyConfig.OpenShiftInfrastructureNamespace, oc.ImageFor("recycler"), bootstrappolicy.InfraPersistentVolumeRecyclerControllerServiceAccountName)
+	kc.RunPersistentVolumeAttachDetachController(attachDetachControllerClient)
 	kc.RunGCController(gcClient)
 	kc.RunServiceLoadBalancerController(serviceLoadBalancerClient)
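Review bot: RunPersistentVolumeAttachDetachController is a new exported method with no doc comment, and the one thing a caller must know is not obvious from the signature: the client it is handed determines which identity the controller acts as. Add `// RunPersistentVolumeAttachDetachController starts the attach/detach controller using client, which callers are expected to scope to the pv-attach-detach-controller service account.` above the func. The method's body runs past the end of the hunk, so how the err returned by NewAttachDetachController is handled cannot be checked here. The hunk counts also suggest no blank line separates the closing brace of RunPersistentVolumeController from the new func; gofmt will not insert one, so add it by hand if that reading is right.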
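Review bot: The attach/detach controller now gets its own service-account client instead of the binderClient that RunPersistentVolumeController still receives, but nothing in this diff narrows the pv-binder-controller ClusterRole; if that role was previously widened (nodes/status patch, node and pod list/watch) only so the attach/detach path could run under it, those rules should be removed in the same change, otherwise the split adds a new identity without actually shrinking the binder's privileges. The binder role's rules are not visible here, so confirm against infra_sa_policy.go and the generated bootstrap_cluster_roles.yaml. The `_, _, attachDetachControllerClient, err :=` form and the glog.Fatalf on failure match the surrounding controller-client setup, so no change needed there.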
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
index 289487ac0507..084420281948 100644
--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -2742,6 +2742,68 @@ items:
     - create
     - patch
     - update
+- apiVersion: v1
+  kind: ClusterRole
+  metadata:
+    creationTimestamp: null
+    name: system:pv-attach-detach-controller
+  rules:
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - persistentvolumes
+    verbs:
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - persistentvolumeclaims
+    verbs:
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - nodes
+    verbs:
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - nodes
+    verbs:
+    - get
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - nodes/status
+    verbs:
+    - patch
+    - update
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - pods
+    verbs:
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
 - apiVersion: v1
   kind: ClusterRole
   metadata: