diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
index 9e52d535d..5a614a995 100644
--- a/traefik/templates/rbac/clusterrole.yaml
+++ b/traefik/templates/rbac/clusterrole.yaml
@@ -105,6 +105,17 @@ rules:
 - update
 {{- end -}}
 {{- if .Values.providers.kubernetesCRD.enabled }}
+ {{- if not .Values.providers.kubernetesIngress.enabled }}
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ {{- end }}
 - apiGroups:
 - traefik.io
 resources:
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
index 201968841..760a1d80b 100644
--- a/traefik/tests/rbac-config_test.yaml
+++ b/traefik/tests/rbac-config_test.yaml
@@ -124,6 +124,25 @@ tests:
 verbs:
 - update
 template: rbac/clusterrole.yaml
+ - it: ClusterRole should be able to read ingressclass when only kubernetesCRD is enabled
+ set:
+ providers:
+ kubernetesIngress:
+ enabled: false
+ asserts:
+ - contains:
+ path: rules
+ content:
+ apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ template: rbac/clusterrole.yaml
 - it: ClusterRole should not be able to read CRDs when kubernetesCRD is disabled
 set:
 providers:
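Review bot: The added rule lists `extensions` alongside `networking.k8s.io` for `ingressclasses`, but IngressClass is served only from `networking.k8s.io`, so the `extensions` entry grants nothing usable and makes the ClusterRole read broader than it is. Keeping only `- networking.k8s.io` in `apiGroups` would be the least-privilege form, and the matching assertion in `rbac-config_test.yaml` would need the same change. If the two groups are copied from the rule the kubernetesIngress branch renders (not visible in this hunk), that rule deserves the same look. A template comment above the new `if not` would also help the next auditor, for example `{{- /* kubernetesCRD provider still needs to read IngressClass when kubernetesIngress is off */}}`; that reason is presumably the motivation and should be confirmed. The enclosing `if .Values.providers.kubernetesCRD.enabled` block continues past the end of the hunk.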
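Review bot: The new test case sets only `kubernetesIngress.enabled: false` and relies on the chart default for `providers.kubernetesCRD.enabled` (not visible here) to reach the guarded branch, so a later change to that default would break the case or let it pass for the wrong reason. Adding `kubernetesCRD:` with `enabled: true` under `providers:` would make the case match its title. The `contains` assertion also proves only that the grant is present. A companion case with both providers disabled and a `notContains` on the same rule would pin that the ClusterRole does not grant ingressclass read access when no provider needs it.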