diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index b2c392460d..82715fcaf3 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -6,36 +6,6 @@ metadata: creationTimestamp: null name: manager-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch - apiGroups: - '*' resources: @@ -619,6 +589,14 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -676,7 +654,6 @@ rules: - delete - get - list - - patch - update - watch - apiGroups: diff --git a/pkg/controller/resourcedistribution/resourcedistribution_controller.go b/pkg/controller/resourcedistribution/resourcedistribution_controller.go index 5425764a8d..847ea12914 100644 --- a/pkg/controller/resourcedistribution/resourcedistribution_controller.go +++ b/pkg/controller/resourcedistribution/resourcedistribution_controller.go @@ -41,9 +41,11 @@ import ( "sigs.k8s.io/controller-runtime/pkg/source" appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1" + "github.com/openkruise/kruise/pkg/features" "github.com/openkruise/kruise/pkg/util" utilclient "github.com/openkruise/kruise/pkg/util/client" utildiscovery "github.com/openkruise/kruise/pkg/util/discovery" + utilfeature "github.com/openkruise/kruise/pkg/util/feature" "github.com/openkruise/kruise/pkg/util/ratelimiter" utils "github.com/openkruise/kruise/pkg/webhook/resourcedistribution/validating" ) 
@@ -60,7 +62,7 @@ var (
 // Add creates a new ResourceDistribution Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.
 func Add(mgr manager.Manager) error {
- if !utildiscovery.DiscoverGVK(controllerKind) {
+ if !utildiscovery.DiscoverGVK(controllerKind) || !utilfeature.DefaultFeatureGate.Enabled(features.ResourceDistributionGate) {
 return nil
 }
 return add(mgr, newReconciler(mgr))
@@ -161,9 +163,9 @@ type ReconcileResourceDistribution struct {
 //+kubebuilder:rbac:groups=apps.kruise.io,resources=resourcedistributions,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=apps.kruise.io,resources=resourcedistributions/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=apps.kruise.io,resources=resourcedistributions/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
+//+kubebuilder:rbac:groups="core",resources=namespaces,verbs=get;list;watch;
+//+kubebuilder:rbac:groups="core",resources=configmaps,verbs=get;list;watch;create;update;delete
+//+kubebuilder:rbac:groups="core",resources=secrets,verbs=get;list;watch;create;update;delete
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/pkg/features/kruise_features.go b/pkg/features/kruise_features.go
index 325f738e34..f2beea4ade 100644
--- a/pkg/features/kruise_features.go
+++ b/pkg/features/kruise_features.go
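Review bot: The combined condition in `Add` returns nil without leaving any trace, so with the gate off (its default in this commit) nothing in the manager output says that ResourceDistribution objects are not being reconciled, and the two causes — kind not discovered, gate disabled — cannot be told apart. I would give the gate its own `if` with a one-line log before `return nil`; whether a logger is already imported in this file is not visible in the hunk. The doc comment should also state the new precondition, e.g. `// Add is a no-op when the ResourceDistribution kind is not discovered or ResourceDistributionGate is disabled.`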
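Review bot: These RBAC markers are unconditional, so the generated `manager-role` keeps cluster-wide `create;update;delete` on `secrets` and `configmaps` even though the controller that needs them now sits behind an alpha gate that defaults to off. The gate therefore narrows what runs, not what the manager's service account is allowed to do; say so above the markers, e.g. `// NOTE: these rules are generated into manager-role regardless of ResourceDistributionGate.`, and consider a separate role that is bound only when the feature is enabled. On style, `groups="core"` relies on controller-gen mapping `core` to the empty API group (the regenerated role.yaml in this commit still shows `""`), while the three markers above leave the value unquoted, so one form should be used throughout. The ReconcileResourceDistribution declaration these markers belong to is outside the hunk.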
@@ -108,6 +108,9 @@ const (
 // ImagePullJobGate enable imagepulljob-controller execute ImagePullJob.
 ImagePullJobGate featuregate.Feature = "ImagePullJobGate"
+
+ // ResourceDistributionGate enable resourcedistribution-controller execute ResourceDistribution.
+ ResourceDistributionGate featuregate.Feature = "ResourceDistributionGate"
 )
 var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -133,6 +136,7 @@ var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 CloneSetEventHandlerOptimization: {Default: false, PreRelease: featuregate.Alpha},
 PreparingUpdateAsUpdate: {Default: false, PreRelease: featuregate.Alpha},
 ImagePullJobGate: {Default: false, PreRelease: featuregate.Alpha},
+ ResourceDistributionGate: {Default: false, PreRelease: featuregate.Alpha},
 }
 func init() {
diff --git a/pkg/webhook/resourcedistribution/validating/resourcedistribution_create_update_handler.go b/pkg/webhook/resourcedistribution/validating/resourcedistribution_create_update_handler.go
index 306f62b0c8..524b169fce 100755
--- a/pkg/webhook/resourcedistribution/validating/resourcedistribution_create_update_handler.go
+++ b/pkg/webhook/resourcedistribution/validating/resourcedistribution_create_update_handler.go
@@ -19,6 +19,8 @@ import (
 "net/http"
 appsv1alpha1 "github.com/openkruise/kruise/apis/apps/v1alpha1"
+ "github.com/openkruise/kruise/pkg/features"
+ utilfeature "github.com/openkruise/kruise/pkg/util/feature"
 webhookutil "github.com/openkruise/kruise/pkg/webhook/util"
 admissionv1 "k8s.io/api/admission/v1"
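Review bot: `ResourceDistributionGate` is registered with `Default: false` (defaults entry in the second hunk of this file), while the pre-change `Add` in resourcedistribution_controller.go started the controller whenever the kind was discovered. An upgrade across this commit therefore turns reconciliation off and makes the validating webhook answer 403 on create/update until the operator sets the gate. Resources already distributed to target namespaces, Secrets included, would then have nothing maintaining or cleaning them up; that is an inference from the visible hunks and should be confirmed. The constant's comment should state both effects, e.g. `// ResourceDistributionGate enables the resourcedistribution-controller; when disabled, the validating webhook also rejects ResourceDistribution create and update requests.`, and the default change belongs in the release notes.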
@@ -151,6 +153,9 @@ func (h *ResourceDistributionCreateUpdateHandler) Handle(ctx context.Context, re
 return admission.Errored(http.StatusBadRequest, err)
 }
 }
+ if !utilfeature.DefaultFeatureGate.Enabled(features.ResourceDistributionGate) {
+ return admission.Errored(http.StatusForbidden, fmt.Errorf("feature-gate %s is not enabled", features.ResourceDistributionGate))
+ }
 if allErrs := h.validateResourceDistribution(obj, oldObj); len(allErrs) != 0 {
 klog.V(3).Infof("all errors of validation: %v", allErrs)
 return admission.Errored(http.StatusUnprocessableEntity, allErrs.ToAggregate())
diff --git a/pkg/webhook/server.go b/pkg/webhook/server.go
index e3587ec8af..01eeb59faf 100644
--- a/pkg/webhook/server.go
+++ b/pkg/webhook/server.go
@@ -103,7 +103,6 @@ func SetupWithManager(mgr manager.Manager) error {
 return nil
 }
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;update;patch
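Review bot: The gate check is placed after the block that returns `http.StatusBadRequest`, which appears to be the decode step. With the feature disabled the handler therefore still processes a payload it is going to refuse, and a malformed object gets a 400 instead of the gate message. Making the three added lines the first statement of `Handle` keeps refused requests away from the decoder and gives every caller the same answer. The refusal is also silent on the server side; a `klog.V(3).Infof("rejecting ResourceDistribution request: feature-gate %s is not enabled", features.ResourceDistributionGate)` before the return would match the validation branch below. `Handle` begins and ends outside the hunk.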
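Review bot: Removing this marker leaves the webhook package with no RBAC marker of its own for `secrets`; the manager's access to Secrets is now generated only from the markers in resourcedistribution_controller.go, a controller this same commit puts behind an alpha gate. The regenerated role.yaml also loses a `patch` verb in one rule, apparently the secrets rule, so any Patch call on Secrets made from this package (presumably for the serving certificate) would start failing with 403, which should be checked before merge. I would keep a marker here limited to the verbs the package actually uses, so that later trimming of the controller's markers cannot silently remove the webhook's access. The body of `SetupWithManager` is outside the hunk.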