diff --git a/charts/linkerd-control-plane/templates/config-rbac.yaml b/charts/linkerd-control-plane/templates/config-rbac.yaml
index 5f5c34203ee3d..db305ebef1693 100644
--- a/charts/linkerd-control-plane/templates/config-rbac.yaml
+++ b/charts/linkerd-control-plane/templates/config-rbac.yaml
@@ -14,3 +14,26 @@ rules:
 resources: ["configmaps"]
 verbs: ["get"]
 resourceNames: ["linkerd-config"]
+{{- with .Values.configReaders }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: linkerd-config-reader
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app.kubernetes.io/part-of: Linkerd
+ linkerd.io/control-plane-ns: {{$.Release.Namespace}}
+ {{- with $.Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+roleRef:
+ kind: Role
+ name: ext-namespace-metadata-linkerd-config
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+{{- range . }}
+- kind: ServiceAccount
+ name: {{ .name }}
+ namespace: {{ .namespace }}
+{{- end }}
+...
+{{- end }}
diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml
index 867d7c0bca678..0c5a2a4f9bbcd 100644
--- a/charts/linkerd-control-plane/values.yaml
+++ b/charts/linkerd-control-plane/values.yaml
@@ -709,3 +709,9 @@ podMonitor:
 egress:
 # -- The namespace that is used to store egress configuration that affects all client workloads in the cluster
 globalEgressNetworkNamespace: linkerd-egress
+
+# -- List of additional service accounts with read access to the linkerd-config
+# ConfigMap
+configReaders:
+#- name:
+# namespace:
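Review bot: The `subjects` entries in the `range` loop of config-rbac.yaml render `.name` and `.namespace` unquoted and unchecked, so an entry with a missing or empty field yields a null `name:` or `namespace:`, and a number- or boolean-looking value is retyped by the YAML parser. Such a manifest is presumably rejected only when it is applied, not when the chart is rendered. Because each entry gives a ServiceAccount from another namespace read access to `linkerd-config`, I would fail at render time instead: `name: {{ required "configReaders[].name is required" .name | quote }}` and `namespace: {{ required "configReaders[].namespace is required" .namespace | quote }}`. The Role named in `roleRef` is defined above the hunk; from the visible context lines it appears to allow only `get` on the `linkerd-config` ConfigMap, which keeps the grant narrow.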
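Review bot: `configReaders:` in values.yaml is left as a bare empty value, which parses as null rather than an empty list. The template's `with` skips both, but `configReaders: []` states the expected type to anyone overriding the value and to lint or schema tooling. The comment should also say that both fields are required and what the entry grants, for example `# -- List of ServiceAccounts (name and namespace both required) bound to the Role that can read the linkerd-config ConfigMap`.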