diff --git a/exp/etcdrestore/webhooks/rbac.go b/exp/etcdrestore/webhooks/rbac.go
index f7292117..29d0208e 100644
--- a/exp/etcdrestore/webhooks/rbac.go
+++ b/exp/etcdrestore/webhooks/rbac.go
@@ -17,8 +17,10 @@ limitations under the License.
 package webhooks
 
 import (
+	"cmp"
 	"context"
 	"fmt"
+	"os"
 
 	authv1 "k8s.io/api/authorization/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
@@ -32,6 +34,13 @@ func validateRBAC(ctx context.Context, cl client.Client, clusterName, clusterNam
 		return fmt.Errorf("failed to get admission request from context: %w", err)
 	}
 
+	namespace := cmp.Or(os.Getenv("POD_NAMESPACE"), "rancher-turtles-system")
+
+	turtlesController := fmt.Sprintf("system:serviceaccount:%s:rancher-turtles-etcdsnapshotrestore-manager", namespace)
+	if admissionRequest.UserInfo.Username == turtlesController {
+		return nil
+	}
+
 	sar := authv1.SubjectAccessReview{
 		Spec: authv1.SubjectAccessReviewSpec{
 			ResourceAttributes: &authv1.ResourceAttributes{
diff --git a/exp/etcdrestore/webhooks/rbac_test.go b/exp/etcdrestore/webhooks/rbac_test.go
index 3027e336..6d0ac3fb 100644
--- a/exp/etcdrestore/webhooks/rbac_test.go
+++ b/exp/etcdrestore/webhooks/rbac_test.go
@@ -103,4 +103,14 @@ var _ = Describe("RBAC tests", func() {
 				},
 			}), cl, "test-cluster", namespace)).ToNot(Succeed())
 	})
+
+	It("should allow turtles controller to access cluster", func() {
+		Expect(validateRBAC(admission.NewContextWithRequest(ctx, admission.Request{
+			AdmissionRequest: admissionv1.AdmissionRequest{
+				UserInfo: authenticationv1.UserInfo{
+					Username: "system:serviceaccount:rancher-turtles-system:rancher-turtles-etcdsnapshotrestore-manager",
+				},
+			},
+		}), cl, "test-cluster", namespace)).To(Succeed())
+	})
 })
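Review bot: The early return added after the admission-request check exempts any principal whose username equals `system:serviceaccount:<namespace>:rancher-turtles-etcdsnapshotrestore-manager` from the SubjectAccessReview, but nothing in the hunk records why the controller may skip the RBAC check or that the exemption is keyed on service-account identity rather than on a specific controller pod; a comment above the `namespace :=` line should say so, e.g. `// The etcdsnapshotrestore controller's own service account skips the SubjectAccessReview below; any workload running as that SA in POD_NAMESPACE (default rancher-turtles-system) is therefore trusted without an RBAC check.`. The string comparison itself is sound because `admissionRequest.UserInfo.Username` is populated by the API server from the authenticated identity, but the namespace is taken from the webhook's own `POD_NAMESPACE`, so if the webhook and the controller are ever deployed to different namespaces the exemption silently never matches and the request falls through to the SAR (fail-closed, but worth noting in the comment). Consider hoisting the service-account name into a package-level const so this check and the test file cannot drift apart. `cmp.Or` requires Go 1.22; the module's go directive is not visible here. validateRBAC begins and ends outside the hunk.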
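Review bot: The new spec hard-codes `rancher-turtles-system` in the username while validateRBAC derives the namespace from `POD_NAMESPACE`, so the spec fails whenever that variable happens to be set in the test environment; pin it for the spec, e.g. `os.Setenv("POD_NAMESPACE", "rancher-turtles-system")` followed by `DeferCleanup(os.Unsetenv, "POD_NAMESPACE")` (importing os if the test file does not already). Only the positive case is covered: a companion spec asserting that a service account with the same name in a different namespace, or a different service-account name in the same namespace, still goes through the SubjectAccessReview would guard the boundary of the exemption. The Describe block that encloses these specs starts outside the hunk.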