diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
index 9b68dc8d7f..320e1bf77e 100644
--- a/pkg/render/apiserver.go
+++ b/pkg/render/apiserver.go
@@ -1485,6 +1485,12 @@ func (c *apiServerComponent) tigeraUserClusterRole() *rbacv1.ClusterRole {
 Resources: []string{"clusterinformations"},
 Verbs: []string{"get", "list"},
 },
+ // Access to hostendpoints from the UI ServiceGraph.
+ {
+ APIGroups: []string{"projectcalico.org"},
+ Resources: []string{"hostendpoints"},
+ Verbs: []string{"get", "list"},
+ },
 // List and view the threat defense configuration
 {
 APIGroups: []string{"projectcalico.org"},
@@ -1664,6 +1670,12 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 Resources: []string{"clusterinformations"},
 Verbs: []string{"get", "list"},
 },
+ // Access to hostendpoints from the UI ServiceGraph.
+ {
+ APIGroups: []string{"projectcalico.org"},
+ Resources: []string{"hostendpoints"},
+ Verbs: []string{"get", "list"},
+ },
 // Manage the threat defense configuration
 {
 APIGroups: []string{"projectcalico.org"},
diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go
index d89198f90e..333acbc499 100644
--- a/pkg/render/apiserver_test.go
+++ b/pkg/render/apiserver_test.go
@@ -1306,6 +1306,11 @@ var (
 Resources: []string{"clusterinformations"},
 Verbs: []string{"get", "list"},
 },
+ {
+ APIGroups: []string{"projectcalico.org"},
+ Resources: []string{"hostendpoints"},
+ Verbs: []string{"get", "list"},
+ },
 {
 APIGroups: []string{"projectcalico.org"},
 Resources: []string{
@@ -1445,6 +1450,11 @@ var (
 Resources: []string{"clusterinformations"},
 Verbs: []string{"get", "list"},
 },
+ {
+ APIGroups: []string{"projectcalico.org"},
+ Resources: []string{"hostendpoints"},
+ Verbs: []string{"get", "list"},
+ },
 {
 APIGroups: []string{"projectcalico.org"},
 Resources: []string{
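Review bot: The comment on the new rule in tigeraUserClusterRole names the consumer but not the scope of the grant: `hostendpoints` is a cluster-scoped projectcalico.org resource, so `get`/`list` lets every subject bound to this role read all host endpoint definitions (node, interface name, expected IPs, labels) through any API client, not only through the UI. I would state that where the rule is defined, e.g. `// Read-only, cluster-wide access to hostendpoints; needed by the UI ServiceGraph.`, and the same applies to the identical rule added to tigeraNetworkAdminClusterRole in the next hunk. `watch` is left out, which matches the neighbouring clusterinformations rule; presumably ServiceGraph only polls, which is worth confirming. Both functions start and end outside their hunks.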
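Review bot: The rule added to tigeraNetworkAdminClusterRole is a second hand-written copy of the one added to tigeraUserClusterRole in the previous hunk, so a later change to the verbs in one role can silently leave the other one different. A shared value would keep the two grants identical, for example `var hostEndpointsReadRule = rbacv1.PolicyRule{APIGroups: []string{"projectcalico.org"}, Resources: []string{"hostendpoints"}, Verbs: []string{"get", "list"}}` referenced from both rule lists. The rest of the function is outside the hunk, so if this role already covers hostendpoints in another rule the new entry would be redundant; that is worth checking before merge.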