diff --git a/docs/docs/concepts/backends.md b/docs/docs/concepts/backends.md
index 6fe5fd9d7e..fdbd1d5181 100644
--- a/docs/docs/concepts/backends.md
+++ b/docs/docs/concepts/backends.md
@@ -1047,6 +1047,31 @@ projects:
     
     If on-demand provisioning is important, we recommend using [VM-based](#vm-based) backends as they already support auto-scaling. -->
 
+??? info "Required permissions"
+    The following Kubernetes permissions are sufficient for `dstack` to work:
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: dstack-backend
+    rules:
+    - apiGroups: [""]
+      resources: ["namespaces"]
+      verbs: ["get", "create"]
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["get", "create", "delete"]
+    - apiGroups: [""]
+      resources: ["services"]
+      verbs: ["get", "create", "delete"]
+    - apiGroups: [""]
+      resources: ["nodes"]
+      verbs: ["list"]
+    ```
+    
+    Ensure you've created a ClusterRoleBinding to grant the role to the user or the service account you're using.
+
 > To learn more, see the [Kubernetes](../guides/kubernetes.md) guide.
 
 ### RunPod