diff --git a/files/secrets-store/csi-secrets-store-DaemonSet.yaml b/files/secrets-store/csi-secrets-store-DaemonSet.yaml
index d06f605..e44a0a5 100644
--- a/files/secrets-store/csi-secrets-store-DaemonSet.yaml
+++ b/files/secrets-store/csi-secrets-store-DaemonSet.yaml
@@ -43,7 +43,7 @@ spec:
 - name: registration-dir
 mountPath: /registration
 - name: secrets-store
- image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12
+ image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.13
 args:
 - "--debug=true"
 - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml b/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml
index 0ae0e1b..0c407d6 100644
--- a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml
+++ b/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml
@@ -1,6 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ creationTimestamp: null
 name: secretproviderclasses-role
 rules:
 - apiGroups:
@@ -10,28 +11,6 @@ rules:
 verbs:
 - get
 - list
- - update
- - watch
-- apiGroups:
- - secrets-store.csi.x-k8s.io
- resources:
- - secretproviderclasses/status
- verbs:
- - get
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - update
- - patch
- - list
 - watch
 - apiGroups:
 - secrets-store.csi.x-k8s.io
@@ -51,5 +30,5 @@ rules:
 - secretproviderclasspodstatuses/status
 verbs:
 - get
- - update
 - patch
+ - update
diff --git a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml b/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml
index 9b0466b..bab9954 100644
--- a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml
+++ b/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml
@@ -12,6 +12,7 @@ spec:
 listKind: SecretProviderClassList
 plural: secretproviderclasses
 singular: secretproviderclass
+ preserveUnknownFields: false
 scope: Namespaced
 validation:
 openAPIV3Schema:
@@ -59,6 +60,11 @@ spec:
 type: string
 type: object
 type: array
+ labels:
+ additionalProperties:
+ type: string
+ description: labels of K8s secret object
+ type: object
 secretName:
 description: name of the K8s secret object
 type: string
diff --git a/vars/secrets_store_files_list.yml b/vars/secrets_store_files_list.yml
index be2b01b..616940d 100644
--- a/vars/secrets_store_files_list.yml
+++ b/vars/secrets_store_files_list.yml
@@ -1,7 +1,7 @@
 ---
 secrets_store_files:
- - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
 - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml"
+ - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
 - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml"
 - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml"
 - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml"
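Review bot: No manifest granting access to core `secrets` is added to `secrets_store_files` in this hunk, which only moves the ClusterRole entry below the ServiceAccount, while the ClusterRole hunk in the same diff removes the rule that gave the driver create/delete/get/update/patch/list on `secrets` along with the `secretproviderclasses/status` rule. Dropping cluster-wide Secret write access is the safer default, but if any SecretProviderClass syncs mounted content into Kubernetes Secrets (the feature the new `labels` schema field appears to belong to), the driver would presumably be denied after this change. Confirm whether sync is in use: if it is, ship a separate, narrowly scoped role bound to the driver's service account and list it here; if it is not, record that above the list with a comment such as `# secrets RBAC intentionally omitted: sync to Kubernetes Secrets is not enabled`. The list may continue below the lines visible in this hunk.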