diff --git a/deployments/helm/hephaestus/templates/controller/clusterrole.yaml b/deployments/helm/hephaestus/templates/controller/clusterrole.yaml index d3abd347..d961cdf0 100644 --- a/deployments/helm/hephaestus/templates/controller/clusterrole.yaml +++ b/deployments/helm/hephaestus/templates/controller/clusterrole.yaml @@ -91,6 +91,7 @@ rules: - secrets verbs: - get + - list - update - apiGroups: - apps diff --git a/pkg/controller/support/secrets/secrets.go b/pkg/controller/support/secrets/secrets.go index 6404b22e..60d2d435 100644 --- a/pkg/controller/support/secrets/secrets.go +++ b/pkg/controller/support/secrets/secrets.go @@ -42,7 +42,8 @@ func ReadSecrets( path := strings.Join([]string{secretRef.Namespace, secretRef.Name}, "/") log.Info("Finding secret", "path", path) - fields := fields.SelectorFromSet(map[string]string{"Namespace": secretRef.Namespace, "Name": secretRef.Name}) + fields := fields.SelectorFromSet( + map[string]string{"metadata.namespace": secretRef.Namespace, "metadata.name": secretRef.Name}) // prevent exfiltration of arbitrary secret values by using the presence of this label labels := labels.SelectorFromSet(map[string]string{hephv1.AccessLabel: "true"}) secrets, err := secretClient.List(ctx,
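Review bot: Adding `list` under `verbs:` for `secrets` widens what the controller's credentials can read. RBAC cannot scope `list` by label, and a list response carries the full Secret data, so wherever this ClusterRole is bound the service account can read every Secret, not only those carrying `hephv1.AccessLabel`. The label selector in `ReadSecrets` limits what the controller asks for, not what its token permits. The rule already grants `get`, so `ReadSecrets` could fetch the Secret by namespace and name and check the label on the returned object, which would make this verb unnecessary. If `list` stays, document the trade-off next to it, e.g. `# list: needed by ReadSecrets (List with field+label selectors); this permits reading all Secrets in scope, the access label is only enforced client-side`; the start of the rule and the binding are outside this hunk, so the effective scope should be confirmed there.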
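Review bot: The rewritten assignment `fields := fields.SelectorFromSet(` still shadows the imported `fields` package with a local of the same name, and `labels := labels.SelectorFromSet(...)` on the following line does the same for `labels`. These two selectors are the only thing restricting which Secret is returned, so names that say what they are make the guard easier to audit: `fieldSelector := fields.SelectorFromSet(` and `labelSelector := labels.SelectorFromSet(map[string]string{hephv1.AccessLabel: "true"})`. The `secretClient.List` call that consumes them continues past the end of the hunk and would need the same rename. It would also help to extend the existing comment to say that the field selector must use `metadata.namespace` and `metadata.name`, since a wrong key was the defect being fixed here.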