diff --git a/Makefile b/Makefile
index ddb84fe5f..68291ed4f 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ IMAGE_CHART_TESTING=quay.io/helmpack/chart-testing:v3.11.0
 IMAGE_HELM_CHANGELOG=ghcr.io/traefik/helm-changelog:v0.3.0
 IMAGE_HELM_DOCS=jnorwood/helm-docs:v1.14.2
-IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.15.3-0.5.1
+IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.15.3-0.5.2
 traefik/tests/__snapshot__:
 	@mkdir traefik/tests/__snapshot__
diff --git a/traefik/templates/_podtemplate.tpl b/traefik/templates/_podtemplate.tpl
index ff363fd74..1e25115c7 100644
--- a/traefik/templates/_podtemplate.tpl
+++ b/traefik/templates/_podtemplate.tpl
@@ -1,4 +1,5 @@
 {{- define "traefik.podTemplate" }}
+ {{- $version := include "imageVersion" $ }}
 metadata:
 annotations:
 {{- if .Values.deployment.podAnnotations }}
@@ -463,6 +464,9 @@
 {{- end }}
 {{- if .Values.providers.kubernetesCRD.allowEmptyServices }}
 - "--providers.kubernetescrd.allowEmptyServices=true"
+ {{- end }}
+ {{- if and .Values.rbac.namespaced (semverCompare ">=3.1.2-0" $version) }}
+ - "--providers.kubernetescrd.disableClusterScopeResources=true"
 {{- end }}
 {{- if .Values.providers.kubernetesCRD.nativeLBByDefault }}
 - "--providers.kubernetescrd.nativeLBByDefault=true"
@@ -485,8 +489,12 @@
 {{- if .Values.providers.kubernetesIngress.ingressClass }}
 - "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}"
 {{- end }}
- {{- if .Values.providers.kubernetesIngress.disableIngressClassLookup }}
+ {{- if .Values.rbac.namespaced }}
+ {{- if semverCompare "<3.1.2-0" $version }}
 - "--providers.kubernetesingress.disableIngressClassLookup=true"
+ {{- else }}
+ - "--providers.kubernetesingress.disableClusterScopeResources=true"
+ {{- end }}
 {{- end }}
 {{- if .Values.providers.kubernetesIngress.nativeLBByDefault }}
 - "--providers.kubernetesingress.nativeLBByDefault=true"
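Review bot: The last _podtemplate.tpl hunk no longer reads `.Values.providers.kubernetesIngress.disableIngressClassLookup`, and the key is also deleted from values.yaml in this commit, so a user who still sets it gets neither the flag nor an error and the ingress-class behaviour changes silently on upgrade; I would reject the stale key in requirements.yaml with `{{- if hasKey .Values.providers.kubernetesIngress "disableIngressClassLookup" }}` / `{{- fail "ERROR: providers.kubernetesIngress.disableIngressClassLookup has been removed, use rbac.namespaced instead" }}` / `{{- end }}`. The same hunk's `semverCompare "<3.1.2-0" $version` has no lower bound, so a v2 image tag with `rbac.namespaced: true` now also receives `disableIngressClassLookup`, which the comment deleted from values.yaml describes as requiring Traefik v3; if v2 tags are still accepted by the chart, `">=3.0.0-0 <3.1.2-0"` would be the safer constraint. Minor: the constraints here are spelled `3.1.2-0` while clusterrole.yaml uses `v3.1.0-0`; both forms should be accepted by semverCompare, but one spelling across the chart makes the version boundaries easier to grep. The `traefik.podTemplate` define opens in the first hunk and continues past the last one.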
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml index 3ab9c698e..3fa943e54 100644 --- a/traefik/templates/rbac/clusterrole.yaml +++ b/traefik/templates/rbac/clusterrole.yaml @@ -1,11 +1,5 @@ {{- $version := include "imageVersion" $ }} -{{- if .Values.rbac.enabled }} -{{- if or - (semverCompare ">=v3.1.0-0" $version) - (.Values.providers.kubernetesGateway.enabled) - (not .Values.rbac.namespaced) - (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup)) -}} +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -27,42 +21,6 @@ rules: - list - watch {{- end }} - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingressclasses - {{- if not .Values.rbac.namespaced }} - - ingresses - {{- end }} - verbs: - - get - - list - - watch - {{- if (.Values.providers.kubernetesGateway).enabled }} - - apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - watch - - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - get - - list - - watch - - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - verbs: - - update - {{- end }} - {{- if not .Values.rbac.namespaced }} {{- if (semverCompare "=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }} + {{- if .Values.hub.token }} + {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }} - apiGroups: - "" resources: @@ -224,7 +193,7 @@ rules: verbs: - list - watch - {{- end }} + {{- end }} - apiGroups: - "" resources: @@ -238,7 +207,7 @@ rules: {{- if .Values.hub.apimanagement.enabled }} - watch {{- end }} - {{- if .Values.hub.apimanagement.enabled }} + {{- if .Values.hub.apimanagement.enabled }} - apiGroups: - hub.traefik.io resources: 
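Review bot: With the gate now `and .Values.rbac.enabled (not .Values.rbac.namespaced)`, a namespaced install gets no ClusterRole at all, including the `nodes` read access that the tests deleted further down in rbac-config_test.yaml (`should provide nodes RBACS for version >= v3.1 even if rbac are namespaced`) show was granted before; the new values.yaml comment says NodePortLB cannot be used with namespaced RBAC, but nothing in requirements.yaml enforces it, so such an install would presumably fail only at runtime with a forbidden list on nodes. If the chart exposes a NodePortLB value, I would add a `fail` for it next to the new Gateway-provider check. Dropping every cluster-scoped grant for namespaced installs is the right least-privilege move; the `@@ -224` and `@@ -238` hunks in this file are indentation-only, and the hub-related hunk between them is garbled on this page and was not reviewed.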
@@ -271,7 +240,7 @@ rules: - get - list - watch - {{- if (semverCompare "=v3.1.0-0" $version) - (not .Values.rbac.namespaced) - (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup)) -}} +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -21,4 +15,3 @@ subjects: name: {{ include "traefik.serviceAccountName" . }} namespace: {{ template "traefik.namespace" . }} {{- end -}} -{{- end -}} diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml index 8cd9837cf..e81aaa8a6 100644 --- a/traefik/templates/rbac/role.yaml +++ b/traefik/templates/rbac/role.yaml @@ -1,8 +1,7 @@ {{- $version := include "imageVersion" $ }} {{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} {{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} -{{- $gatewayNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.kubernetesGateway).namespaces) -}} -{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $gatewayNamespaces)) -}} +{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}} {{- if and .Values.rbac.enabled .Values.rbac.namespaced -}} {{- range $allNamespaces }} 
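Review bot: In the role.yaml hunk, `$allNamespaces` still merges `.Values.providers.kubernetesIngress.namespaces` and `.Values.providers.kubernetesCRD.namespaces` without checking that the corresponding provider is enabled, so with `rbac.namespaced: true` a Role and RoleBinding are created in every listed namespace even for a disabled provider, granting Traefik permissions in namespaces it will never watch. This pre-dates the commit, but the move to strictly namespaced RBAC makes it the remaining over-grant, and the deleted `has . $gatewayNamespaces` line shows the per-provider lists are also consulted inside the `range` body (outside this hunk), so an empty list for a disabled provider would suppress its rules as well. Unless a guard exists further down the file, I would only concat the namespaces of an enabled provider.
```yaml
{{- $version := include "imageVersion" $ }}
{{- $ingressNamespaces := list -}}
{{- if .Values.providers.kubernetesIngress.enabled -}}
{{- $ingressNamespaces = concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- end -}}
{{- $CRDNamespaces := list -}}
{{- if .Values.providers.kubernetesCRD.enabled -}}
{{- $CRDNamespaces = concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- end -}}
{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}}
{{- /* … unchanged: rbac.enabled/namespaced gate and range over $allNamespaces … */ -}}
```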
@@ -107,30 +106,6 @@ rules: verbs: - use {{- end -}} -{{- if (and (has . $gatewayNamespaces) ($.Values.providers.kubernetesGateway).enabled) }} - - apiGroups: - - gateway.networking.k8s.io - resources: - - gateways - - httproutes - - referencegrants - - tcproutes - - tlsroutes - verbs: - - get - - list - - watch - - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - tcproutes/status - - tlsroutes/status - verbs: - - update -{{- end -}} {{- if $.Values.hub.token }} - apiGroups: - "" diff --git a/traefik/templates/requirements.yaml b/traefik/templates/requirements.yaml index 0175ca0be..795e45937 100644 --- a/traefik/templates/requirements.yaml +++ b/traefik/templates/requirements.yaml @@ -18,3 +18,12 @@ {{- fail "ERROR: Currently Traefik Hub doesn't support namespaced RBACs" -}} {{- end }} {{- end }} + +{{- if .Values.rbac.namespaced }} + {{- if .Values.providers.kubernetesGateway.enabled }} + {{- fail "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced." }} + {{- end }} + {{- if and (not .Values.providers.kubernetesIngress.enabled) (not .Values.providers.kubernetesCRD.enabled) }} + {{- fail "ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider." }} + {{- end }} +{{- end }} diff --git a/traefik/tests/common-metadata_test.yaml b/traefik/tests/common-metadata_test.yaml index a0450a1a4..0b2eb0796 100644 --- a/traefik/tests/common-metadata_test.yaml +++ b/traefik/tests/common-metadata_test.yaml @@ -1,4 +1,4 @@ -suite: Resources contains metadata +suite: resources contains metadata templates: - ingressroute.yaml - deployment.yaml 
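Review bot: In the requirements.yaml hunk, `.Values.providers.kubernetesGateway.enabled` is not nil-safe, whereas the code this commit deletes in clusterrole.yaml and role.yaml wrote `(.Values.providers.kubernetesGateway).enabled` so that a values file that nulls out the `kubernetesGateway` map does not abort rendering with a nil-pointer error; since this file runs on every install, I would keep that form: `{{- if (.Values.providers.kubernetesGateway).enabled }}`. The second check has the same exposure for the `kubernetesIngress` and `kubernetesCRD` maps, though those are less likely to be overridden to null. Also, the message `ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider.` ends with a period while the case added in requirements-config_test.yaml expects it without one; align the two strings rather than rely on how strictly helm-unittest compares them.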
@@ -16,31 +16,28 @@ templates: - rbac/clusterrole.yaml - rbac/clusterrolebinding.yaml - rbac/podsecuritypolicy.yaml - - rbac/role.yaml - - rbac/rolebinding.yaml - rbac/serviceaccount.yaml tests: - - it: "should contains labels metadata" + - it: "should contains labels metadata with cluster rbac" set: - providers.kubernetesGateway.enabled: true - ingressRoute.dashboard.enabled: true - ingressRoute.healthcheck.enabled: true autoscaling.enabled: true autoscaling.maxReplicas: 10 + ingressRoute.dashboard.enabled: true + ingressRoute.healthcheck.enabled: true + persistence.enabled: true podDisruptionBudget.enabled: true + podSecurityPolicy.enabled: true + providers.kubernetesGateway.enabled: true metrics.prometheus.prometheusRule.enabled: true metrics.prometheus.prometheusRule.namespace: test metrics.prometheus.serviceMonitor.enabled: true metrics.prometheus.serviceMonitor.namespace: test metrics.prometheus.service.enabled: true + rbac.enabled: true service.internal.a: {} - persistence.enabled: true - tlsStore.a: {} tlsOptions.a: {} - podSecurityPolicy.enabled: true - rbac.enabled: true - rbac.namespaced: true + tlsStore.a: {} commonLabels: globalLabel: isConfigured capabilities: diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml index 6e539b8ef..07bb92312 100644 --- a/traefik/tests/rbac-config_test.yaml +++ b/traefik/tests/rbac-config_test.yaml 
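Review bot: Dropping `rbac/role.yaml` and `rbac/rolebinding.yaml` from the templates list and renaming the case to `with cluster rbac` means this suite no longer checks `commonLabels` on Role and RoleBinding, which are exactly the objects a namespaced install produces; unless a namespaced counterpart is added outside this hunk, I would add a second `it` with `rbac.namespaced: true` that lists those two templates (the ClusterRole templates render zero documents in that mode, so they would need to stay out of it). Re-sorting the `set:` keys alphabetically is a nice readability touch.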
@@ -68,26 +68,11 @@ tests: - isKind: of: RoleBinding template: rbac/rolebinding.yaml - - notContains: - path: rules - content: - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch - template: rbac/clusterrole.yaml - - matchRegex: - path: metadata.name - pattern: ^.*-NAMESPACE$ + - hasDocuments: + count: 0 template: rbac/clusterrole.yaml - - matchRegex: - path: metadata.name - pattern: ^.*-NAMESPACE$ + - hasDocuments: + count: 0 template: rbac/clusterrolebinding.yaml - it: should not create cluster scoped RBAC related objects when namespaced and not using ingressclass and version <3.1 set: 
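Review bot: The title of the next case in the trailing context, `should not create cluster scoped RBAC related objects when namespaced and not using ingressclass and version <3.1`, still refers to the ingress-class lookup switch this commit removes, and after this change cluster-scoped objects are absent for any namespaced install regardless of version; its `set:` block is outside the hunk, so I may be missing a detail, but the title should now read something like `should not create cluster scoped RBAC objects when rbac is namespaced`. Replacing the `^.*-NAMESPACE$` name checks with `hasDocuments: count: 0` is the right assertion for the new behaviour.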
@@ -288,69 +273,13 @@ tests: value: default template: rbac/rolebinding.yaml documentIndex: 2 - - it: should use multiple namespaces if provided to kubernetesGateway - set: - providers: - kubernetesIngress: - enabled: false - kubernetesCRD: - enabled: false - kubernetesGateway: - enabled: true - namespaces: - - default - - foobar - rbac: - namespaced: true - asserts: - - hasDocuments: - count: 3 - template: rbac/role.yaml - - hasDocuments: - count: 3 - template: rbac/rolebinding.yaml - - equal: - path: metadata.namespace - value: NAMESPACE - template: rbac/role.yaml - documentIndex: 0 - - equal: - path: metadata.namespace - value: default - template: rbac/role.yaml - documentIndex: 1 - - equal: - path: metadata.namespace - value: foobar - template: rbac/role.yaml - documentIndex: 2 - - equal: - path: metadata.namespace - value: NAMESPACE - template: rbac/rolebinding.yaml - documentIndex: 0 - - equal: - path: metadata.namespace - value: default - template: rbac/rolebinding.yaml - documentIndex: 1 - - equal: - path: metadata.namespace - value: foobar - template: rbac/rolebinding.yaml - documentIndex: 2 - - it: should use multiple namespaces if provided to all of 3 providers + - it: should use multiple namespaces if provided to all namespaced providers set: providers: kubernetesCRD: namespaces: - default - foo - kubernetesGateway: - enabled: true - namespaces: - - default - - foobar kubernetesIngress: namespaces: - default @@ -359,10 +288,10 @@ tests: namespaced: true asserts: - hasDocuments: - count: 5 + count: 4 template: rbac/role.yaml - hasDocuments: - count: 5 + count: 4 template: rbac/rolebinding.yaml - equal: path: metadata.namespace @@ -384,11 +313,6 @@ tests: value: foo template: rbac/role.yaml documentIndex: 3 - - equal: - path: metadata.namespace - value: foobar - template: rbac/role.yaml - documentIndex: 4 - equal: path: metadata.namespace value: NAMESPACE 
@@ -409,11 +333,6 @@ tests: value: foo template: rbac/rolebinding.yaml documentIndex: 3 - - equal: - path: metadata.namespace - value: foobar - template: rbac/rolebinding.yaml - documentIndex: 4 - it: should accept overridden namespace set: namespaceOverride: "traefik-ns-override" @@ -428,20 +347,9 @@ tests: path: metadata.namespace value: "traefik-ns-override" template: rbac/serviceaccount.yaml - - it: should use helm managed namespace for clusterrolebinding sa - set: - rbac: - namespaced: true - asserts: - - equal: - path: subjects[0].namespace - value: NAMESPACE - template: rbac/clusterrolebinding.yaml - it: should accept overridden namespace for clusterrolebinding sa set: namespaceOverride: "traefik-ns-override" - rbac: - namespaced: true asserts: - equal: path: subjects[0].namespace 
@@ -570,67 +478,6 @@ tests: - get - list - watch - - it: cluster rbac should not be created when rbac is namespaced, disableIngressClassLookup is true and version is < v3.1 - set: - image: - tag: v3.0.0-beta3 - rbac: - namespaced: true - providers: - kubernetesIngress: - disableIngressClassLookup: true - asserts: - - isKind: - of: Role - template: rbac/role.yaml - - isKind: - of: RoleBinding - template: rbac/rolebinding.yaml - - hasDocuments: - count: 0 - template: rbac/clusterrole.yaml - - hasDocuments: - count: 0 - template: rbac/clusterrolebinding.yaml - - it: cluster rbac should be created when rbac is namespaced, disableIngressClassLookup is true and version is >= v3.1 - set: - image: - tag: v3.1.0-rc2 - rbac: - namespaced: true - providers: - kubernetesIngress: - disableIngressClassLookup: true - asserts: - - isKind: - of: Role - template: rbac/role.yaml - - isKind: - of: RoleBinding - template: rbac/rolebinding.yaml - - isKind: - of: ClusterRole - template: rbac/clusterrole.yaml - - isKind: - of: ClusterRoleBinding - template: rbac/clusterrolebinding.yaml - - it: both cluster and namespace rbac should be created when rbac is namespaced, kubernetesIngress is enabled - set: - rbac: - namespaced: true - asserts: - - isKind: - of: Role - template: rbac/role.yaml - - isKind: - of: RoleBinding - template: rbac/rolebinding.yaml - - isKind: - of: ClusterRole - template: rbac/clusterrole.yaml - - isKind: - of: ClusterRoleBinding - template: rbac/clusterrolebinding.yaml - it: cluster rbac should be created when version is v3 set: image: 
@@ -747,29 +594,6 @@ tests: kubernetesGateway: enabled: true asserts: - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - get - - list - - watch - template: rbac/clusterrole.yaml contains: path: rules @@ -778,15 +602,6 @@ tests: - gateway.networking.k8s.io resources: - gatewayclasses/status - verbs: - - update - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - gateways/status - httproutes/status - tcproutes/status @@ -800,6 +615,7 @@ tests: apiGroups: - gateway.networking.k8s.io resources: + - gatewayclasses - gateways - httproutes - referencegrants @@ -817,19 +633,9 @@ tests: - "" resources: - namespaces - verbs: - - list - - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - services - endpoints - secrets + - services verbs: - get - list @@ -842,17 +648,6 @@ tests: kubernetesGateway: enabled: true asserts: - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - watch - template: rbac/clusterrole.yaml contains: path: rules @@ -861,15 +656,6 @@ tests: - gateway.networking.k8s.io resources: - gatewayclasses/status - verbs: - - update - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - gateways/status - httproutes/status - tcproutes/status 
@@ -884,17 +670,6 @@ tests: - gateway.networking.k8s.io resources: - gatewayclasses - verbs: - - get - - list - - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - gateways - httproutes - referencegrants @@ -916,41 +691,6 @@ tests: - get - list - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - services - - secrets - verbs: - - get - - list - - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - - it: should provide expected role rbac when k8s gw api is enabled with rbac namespaced - set: - image: - tag: v3.0.0 - rbac: - namespaced: true - providers: - kubernetesGateway: - enabled: true - asserts: - template: rbac/clusterrole.yaml contains: path: rules 
@@ -959,185 +699,13 @@ tests: - "" resources: - namespaces - verbs: - - list - - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - verbs: - - update - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - get - - list - - watch - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - tcproutes/status - - tlsroutes/status - verbs: - - update - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gateways - - httproutes - - referencegrants - - tcproutes - - tlsroutes - verbs: - - get - - list - - watch - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - get - - list - - watch - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - secrets - verbs: - - get - - list - - watch - - - it: should provide expected role rbac when k8s gw api is enabled with rbac namespaced >=v3.1.0 - set: - image: - tag: v3.1.0-rc2 - rbac: - namespaced: true - providers: - kubernetesGateway: - enabled: true - asserts: - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - namespaces - verbs: - - list - - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - verbs: - - update - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - get - - list - - watch - - template: rbac/role.yaml 
- contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - tcproutes/status - - tlsroutes/status - verbs: - - update - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - gateway.networking.k8s.io - resources: - - gateways - - httproutes - - referencegrants - - tcproutes - - tlsroutes - verbs: - - get - - list - - watch - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - services verbs: - get - list - watch - - template: rbac/role.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - template: rbac/role.yaml + - template: rbac/clusterrole.yaml contains: path: rules content: @@ -1148,18 +716,7 @@ tests: verbs: - list - watch - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch + - it: should contain additional RBACS for hub API gateway set: image: 
@@ -1455,88 +1012,3 @@ tests: - list - get - watch - - it: should not provide nodes RBACS for version < v3.1 if rbac are namespaced - set: - image: - tag: v3.0.1 - rbac: - enabled: true - namespaced: true - providers: - kubernetesIngress: - disableIngressClassLookup: true - asserts: - - template: rbac/clusterrole.yaml - hasDocuments: - count: 0 - - it: should provide cluster-wide RBACS for version < v3.1 when rbac are namespaced and gateway is enabled - set: - image: - tag: v3.0.1 - rbac: - enabled: true - namespaced: true - providers: - kubernetesIngress: - disableIngressClassLookup: true - kubernetesGateway: - enabled: true - asserts: - - template: rbac/clusterrole.yaml - hasDocuments: - count: 1 - - - it: should provide nodes RBACS for version >= v3.1 even if rbac are namespaced - set: - image: - tag: v3.1.0 - rbac: - enabled: true - namespaced: true - asserts: - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - it: should not provide nodes RBACS for version < v3.1 if rbac are namespaced (experimental tag) - set: - image: - tag: experimental-v3.0 - rbac: - enabled: true - namespaced: true - providers: - kubernetesIngress: - disableIngressClassLookup: true - asserts: - - template: rbac/clusterrole.yaml - hasDocuments: - count: 0 - - it: should provide nodes RBACS for version >= v3.1 even if rbac are namespaced (experimental tag) - set: - image: - tag: experimental-v3.1 - rbac: - enabled: true - namespaced: true - asserts: - - template: rbac/clusterrole.yaml - contains: - path: rules - content: - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch diff --git a/traefik/tests/requirements-config_test.yaml b/traefik/tests/requirements-config_test.yaml index 28e92791c..5648615da 100644 --- a/traefik/tests/requirements-config_test.yaml +++ b/traefik/tests/requirements-config_test.yaml 
@@ -63,3 +63,27 @@ tests: asserts: - failedTemplate: errorMessage: "ERROR: Currently Traefik Hub doesn't support namespaced RBACs" + - it: should not be possible to namespace rbac without one of the required providers + set: + rbac: + namespaced: true + providers: + kubernetesCRD: + enabled: false + kubernetesIngress: + enabled: false + image: + tag: v3.1.2 + asserts: + - failedTemplate: + errorMessage: "ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider" + - it: should fail when enabling Kubernete Gateway provider with namespaced RBACs + set: + providers: + kubernetesGateway: + enabled: true + rbac: + namespaced: true + asserts: + - failedTemplate: + errorMessage: "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced." diff --git a/traefik/tests/traefik-config_test.yaml b/traefik/tests/traefik-config_test.yaml index 165b425c0..a50bb85dc 100644 --- a/traefik/tests/traefik-config_test.yaml +++ b/traefik/tests/traefik-config_test.yaml 
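Review bot: The two new failure cases have no positive counterpart, so nothing pins that `rbac.namespaced: true` with only `providers.kubernetesCRD.enabled: true` (or only the Ingress provider) still renders; a third `it` using `notFailedTemplate` on requirements.yaml for that combination would catch an over-eager condition in the template. The first case's expected message lacks the trailing period the template's `fail` string carries (`...Kubernetes Ingress provider.`); align the two rather than rely on the matcher's leniency. The second title has a typo: `Kubernete Gateway` should be `Kubernetes Gateway`.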
@@ -573,21 +573,47 @@ tests: - contains: path: spec.template.spec.containers[0].args content: "--providers.kubernetesingress.disableIngressClassLookup=true" - - it: kubernetesGateway should watched default namespace when rbacs are namespaced + - it: should set disableClusterScopeResources when version > v3.1.2+ on both providers + set: + rbac: + namespaced: true + image: + tag: v3.1.2 + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--providers.kubernetesingress.disableClusterScopeResources=true" + - contains: + path: spec.template.spec.containers[0].args + content: "--providers.kubernetescrd.disableClusterScopeResources=true" + - it: should set disableClusterScopeResources when version > v3.1.2+ only on crd enabled provider set: rbac: namespaced: true providers: - kubernetesGateway: - enabled: true + kubernetesIngress: + enabled: false + image: + tag: v3.1.2 asserts: - contains: path: spec.template.spec.containers[0].args - content: "--providers.kubernetesgateway.namespaces=NAMESPACE" - - it: kubernetesGateway should watched specified namespaces when rbacs are namespaced + content: "--providers.kubernetescrd.disableClusterScopeResources=true" + - it: should set disableClusterScopeResources when version > v3.1.2+ only on ingress enabled provider set: rbac: namespaced: true + providers: + kubernetesCRD: + enabled: false + image: + tag: v3.1.2 + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--providers.kubernetesingress.disableClusterScopeResources=true" + - it: kubernetesGateway should be able to watch specified namespaces + set: providers: kubernetesGateway: enabled: true diff --git a/traefik/values.yaml b/traefik/values.yaml index 4c245e06b..78eeacf7a 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml 
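Review bot: All three new cases pin `image.tag: v3.1.2`, so neither the `<3.1.2-0` branch in _podtemplate.tpl nor the boundary itself is exercised by this hunk; I would add a case with `tag: v3.1.1` asserting `--providers.kubernetesingress.disableIngressClassLookup=true` and the absence of both `disableClusterScopeResources` args, and one with a pre-release such as `tag: v3.1.2-rc1`, which the `-0` suffix deliberately routes to the new branch. The `it` titles say `version > v3.1.2+` while the template condition is `>=3.1.2-0`; `version >= v3.1.2` describes the boundary accurately. The context line above the hunk shows an existing disableIngressClassLookup case whose `set:` block is outside this hunk, so part of this may already be covered.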
@@ -281,10 +281,6 @@ providers: # labelSelector: environment=production,method=traefik # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. namespaces: [] - # - "default" - # Disable cluster IngressClass Lookup - Requires Traefik V3. - # When combined with rbac.namespaced: true, ClusterRole will not be created and ingresses must use kubernetes.io/ingress.class annotation instead of spec.ingressClassName. - disableIngressClassLookup: false # IP used for Kubernetes Ingress endpoints publishedService: enabled: false @@ -838,9 +834,12 @@ hostNetwork: false # -- Whether Role Based Access Control objects like roles and rolebindings should be created rbac: enabled: true - # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. - # If set to true, installs Role and RoleBinding instead of ClusterRole/ClusterRoleBinding. Providers will only watch target namespace. - # When combined with providers.kubernetesIngress.disableIngressClassLookup: true and Traefik V3, ClusterRole to watch IngressClass is also disabled. + # When set to true: + # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. + # 2. Set `disableIngressClassLookup` on Kubernetes Ingress providers with Traefik Proxy v3 until v3.1.1 + # 3. Set `disableClusterScopeResources` on Kubernetes Ingress and CRD providers with Traefik Proxy v3.1.2+ + # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. + # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details. namespaced: false # Enable user-facing roles # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles