diff --git a/pkg/sdk/resources/rbac.go b/pkg/sdk/resources/rbac.go
index c3699ce7..2cb9428e 100644
--- a/pkg/sdk/resources/rbac.go
+++ b/pkg/sdk/resources/rbac.go
@@ -52,7 +52,7 @@ func (b *ResourceBuilder) CreateRoleBinding(name, roleRef, serviceAccount, servi
 
 // CreateRole creates role
 func (b *ResourceBuilder) CreateRole(name string, rules []rbacv1.PolicyRule) *rbacv1.Role {
-	return &rbacv1.Role{
+	role := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "rbac.authorization.k8s.io/v1",
 			Kind:       "Role",
@@ -61,8 +61,12 @@ func (b *ResourceBuilder) CreateRole(name string, rules []rbacv1.PolicyRule) *rb
 			Name:   name,
 			Labels: b.WithCommonLabels(nil),
 		},
-		Rules: rules,
 	}
+	if len(rules) > 0 {
+		// avoid hotloop over empty rules/nil
+		role.Rules = rules
+	}
+	return role
 }
 
 // CreateClusterRoleBinding creates cluster role binding
@@ -132,7 +136,7 @@ func CreateClusterRoleBinding(name, roleRef, serviceAccount, serviceAccountNames
 
 // CreateClusterRole creates a cluster role
 func CreateClusterRole(name string, rules []rbacv1.PolicyRule, labels map[string]string) *rbacv1.ClusterRole {
-	return &rbacv1.ClusterRole{
+	clusterRole := &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "rbac.authorization.k8s.io/v1",
 			Kind:       "ClusterRole",
@@ -141,6 +145,10 @@ func CreateClusterRole(name string, rules []rbacv1.PolicyRule, labels map[string
 			Name:   name,
 			Labels: labels,
 		},
-		Rules: rules,
 	}
+	if len(rules) > 0 {
+		// avoid hotloop over empty rules/nil
+		clusterRole.Rules = rules
+	}
+	return clusterRole
 }
diff --git a/pkg/sdk/resources/rbac_test.go b/pkg/sdk/resources/rbac_test.go
new file mode 100644
index 00000000..567a4252
--- /dev/null
+++ b/pkg/sdk/resources/rbac_test.go
@@ -0,0 +1,30 @@
+package resources
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+var _ = Describe("RBAC Resources", func() {
+	var builder ResourceBuilder
+
+	BeforeEach(func() {
+		builder = NewResourceBuilder(
+			map[string]string{"common": "label"},
+			map[string]string{"operator": "label"},
+		)
+	})
+
+	It("should treat empty rules as nil for Role", func() {
+		role := builder.CreateRole("test-role", []rbacv1.PolicyRule{})
+		Expect(role.Rules).To(BeNil())
+	})
+
+	It("should treat empty rules as nil for ClusterRole", func() {
+		labels := map[string]string{"test": "label"}
+		clusterRole := CreateClusterRole("test-clusterrole", []rbacv1.PolicyRule{}, labels)
+		Expect(clusterRole.Rules).To(BeNil())
+	})
+})
diff --git a/pkg/sdk/resources/resources_suite_test.go b/pkg/sdk/resources/resources_suite_test.go
new file mode 100644
index 00000000..b38445ad
--- /dev/null
+++ b/pkg/sdk/resources/resources_suite_test.go
@@ -0,0 +1,13 @@
+package resources
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestResources(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Resources Suite")
+}