diff --git a/addons/bootstrap/portal-reader/base/kustomization.yaml b/addons/bootstrap/portal-reader/base/kustomization.yaml
new file mode 100644
index 0000000..aaa7921
--- /dev/null
+++ b/addons/bootstrap/portal-reader/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - portal-reader.yaml
diff --git a/addons/bootstrap/portal-reader/base/portal-reader.yaml b/addons/bootstrap/portal-reader/base/portal-reader.yaml
new file mode 100644
index 0000000..fe2f38a
--- /dev/null
+++ b/addons/bootstrap/portal-reader/base/portal-reader.yaml
@@ -0,0 +1,31 @@
+# Read access for the portal ops portal. portal's per-account spoke IAM role is
+# mapped to the "portal-reader" group via an EKS access entry (kubernetes_groups,
+# wired in landing-zone fleet/aws/cluster-stack). This binds that group to the
+# minimal read portal needs on a managed cluster: the eks-agent-platform
+# Tenant/Platform CRs (its tenant-inventory watcher) and nodes (best-effort node
+# count in the connection test). No Secrets, no workloads — strictly the surface
+# portal reads, replacing the broad AmazonEKSAdminViewPolicy.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: portal-reader
+rules:
+ - apiGroups: ["platform.nanohype.dev"]
+ resources: ["tenants", "platforms"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: portal-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: portal-reader
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: portal-reader
diff --git a/addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml b/addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml
new file mode 100644
index 0000000..774a422
--- /dev/null
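Review bot: The header comment's claim that this ClusterRole replaces AmazonEKSAdminViewPolicy holds only if the access entry's policy association is actually removed in the landing-zone stack, because Kubernetes RBAC is purely additive and nothing in this file can narrow what another policy already grants; that removal is not visible in this diff, so it should be confirmed before the broad policy is considered gone. I would record that dependency in the header, e.g. `# NOTE: RBAC is additive — this narrows portal only if the access entry carries no AmazonEKSAdminViewPolicy association.` On the nodes rule, a node count needs only `list`; `get` adds nothing for the stated use, so `verbs: ["list"]` keeps the rule minimal (node objects still expose internal/external IPs, provider IDs and labels, which is acceptable here but worth noting). Whether the Tenant/Platform CRs carry anything sensitive in spec or status is not visible from this diff; if they do, cluster-wide read via a ClusterRoleBinding is the surface to reassess.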
+++ b/addons/bootstrap/portal-reader/overlays/dev/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
diff --git a/addons/bootstrap/portal-reader/overlays/production/kustomization.yaml b/addons/bootstrap/portal-reader/overlays/production/kustomization.yaml
new file mode 100644
index 0000000..774a422
--- /dev/null
+++ b/addons/bootstrap/portal-reader/overlays/production/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
diff --git a/addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml b/addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml
new file mode 100644
index 0000000..774a422
--- /dev/null
+++ b/addons/bootstrap/portal-reader/overlays/staging/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
diff --git a/applicationsets/addons-bootstrap-kustomize.yaml b/applicationsets/addons-bootstrap-kustomize.yaml
index 0711e0f..496a6d3 100644
--- a/applicationsets/addons-bootstrap-kustomize.yaml
+++ b/applicationsets/addons-bootstrap-kustomize.yaml
@@ -25,6 +25,10 @@ spec:
 namespace: kube-system
 path: addons/bootstrap/priority-classes
 syncWave: "2"
+ - appName: portal-reader
+ namespace: kube-system
+ path: addons/bootstrap/portal-reader
+ syncWave: "2"
 template:
 metadata:
 name: '{{ .appName }}'