diff --git a/config/openshift/kustomization.yaml b/config/openshift/kustomization.yaml
index 11f79311a..3ea4dde85 100644
--- a/config/openshift/kustomization.yaml
+++ b/config/openshift/kustomization.yaml
@@ -5,7 +5,7 @@ resources:
 - ../default
 - cluster-monitoring-view-binding.yaml
 - metrics-reader-token.yaml
-- prometheus-metrics-auth-binding.yaml
+- prometheus-metrics-reader-binding.yaml
 patches:
 - path: configmap-patch.yaml
diff --git a/config/openshift/prometheus-metrics-auth-binding.yaml b/config/openshift/prometheus-metrics-auth-binding.yaml
deleted file mode 100644
index 52300870d..000000000
--- a/config/openshift/prometheus-metrics-auth-binding.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Grant the OpenShift user-workload-monitoring Prometheus SA permission to
-# authenticate to the WVA metrics endpoint (tokenreviews + subjectaccessreviews).
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: workload-variant-autoscaler-ocp-prometheus-metrics-auth
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: workload-variant-autoscaler-metrics-auth-role
-subjects:
-- kind: ServiceAccount
-  name: prometheus-k8s
-  namespace: openshift-user-workload-monitoring
diff --git a/config/openshift/prometheus-metrics-reader-binding.yaml b/config/openshift/prometheus-metrics-reader-binding.yaml
new file mode 100644
index 000000000..084813e77
--- /dev/null
+++ b/config/openshift/prometheus-metrics-reader-binding.yaml
@@ -0,0 +1,15 @@
+# Grant GET /metrics permission to the controller-manager SA whose token is
+# used by Prometheus (via authorization.credentials) to scrape the WVA
+# metrics endpoint. The WVA metrics endpoint performs a SubjectAccessReview
+# checking this permission.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: workload-variant-autoscaler-ocp-prometheus-metrics-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 13bc724f3..5a84bf787 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -19,6 +19,7 @@ resources:
 - metrics_auth_role_binding.yaml
 - prometheus_metrics_auth_role_binding.yaml
 - metrics_reader_role.yaml
+- metrics_reader_role_binding.yaml
 # EPP metrics reader service account with minimal privileges
 - epp_metrics_service_account.yaml
 - epp_metrics_reader_role.yaml
diff --git a/config/rbac/metrics_reader_role_binding.yaml b/config/rbac/metrics_reader_role_binding.yaml
new file mode 100644
index 000000000..0bd15a3b3
--- /dev/null
+++ b/config/rbac/metrics_reader_role_binding.yaml
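Review bot: The ServiceAccount subject that closes the new openshift binding (`name: controller-manager`) has no `namespace:`, which RBAC validation requires for ServiceAccount subjects in a ClusterRoleBinding; kustomize's namespace transformer may fill it in for subjects it recognises, but the sibling binding added in config/rbac/metrics_reader_role_binding.yaml in this same commit spells the namespace out, and this file should too, e.g. `  namespace: <controller-manager-namespace>` using whatever placeholder the overlay's namespace transformer rewrites. Separately, the header comment states that Prometheus scrapes with the controller-manager SA's own token via authorization.credentials; if so, the scraper is holding a credential that carries every permission bound to that SA (at least the tokenreview/SAR rights that metrics_auth_role_binding.yaml grants, per the comment in the new rbac file), not just the single GET /metrics this SAR checks, which is a wider blast radius than the dedicated minimal-privilege reader SA that config/rbac already uses for EPP metrics. A dedicated scrape SA bound only to `metrics-reader` would keep the mounted token to that one permission. Either way the comment should say explicitly that the token being handed to Prometheus is the controller-manager's full identity, so operators understand what the secret referenced from metrics-reader-token.yaml grants.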
@@ -0,0 +1,21 @@
+# Grant GET /metrics permission to the Prometheus SA so the
+# SubjectAccessReview performed by the WVA metrics endpoint passes.
+# This complements metrics_auth_role_binding.yaml (which grants
+# tokenreview/SAR permissions to the controller-manager) and
+# prometheus_metrics_auth_role_binding.yaml (which grants the
+# Prometheus SA authentication permissions).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-reader-rolebinding
+  labels:
+    app.kubernetes.io/name: workload-variant-autoscaler
+    app.kubernetes.io/managed-by: kustomize
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: kube-prometheus-stack-prometheus
+  namespace: workload-variant-autoscaler-monitoring
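Review bot: The subject pins one specific Prometheus installation — `name: kube-prometheus-stack-prometheus` in `namespace: workload-variant-autoscaler-monitoring` — while the header comment describes it only as "the Prometheus SA", so a reader cannot tell from the file that the binding is inert unless that exact SA exists. I'd extend the comment with `# Assumes the kube-prometheus-stack Prometheus SA in workload-variant-autoscaler-monitoring; other Prometheus installs must patch the subject name/namespace.` If the openshift overlay's `../default` pulls config/rbac in, this binding presumably ships on OpenShift as well, where a ClusterRoleBinding to an absent SA is accepted by the API server but is dead configuration; that is worth a sentence in the comment too, since the openshift overlay in this commit uses a different subject for the same `metrics-reader` role.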