diff --git a/components/sandbox/toolchain-host-operator/base/monitoring/kustomization.yaml b/components/sandbox/toolchain-host-operator/base/monitoring/kustomization.yaml
index 5591ef88a3a..ff47a7a7cdf 100644
--- a/components/sandbox/toolchain-host-operator/base/monitoring/kustomization.yaml
+++ b/components/sandbox/toolchain-host-operator/base/monitoring/kustomization.yaml
@@ -4,3 +4,6 @@ namespace: toolchain-host-operator
 resources:
 - sandbox-registration-service-proxy.yaml
 - prometheus-network-policy.yaml
+- monitor.yaml
+- rbac.yaml
+- serviceaccount.yaml
diff --git a/components/sandbox/toolchain-host-operator/base/monitoring/monitor.yaml b/components/sandbox/toolchain-host-operator/base/monitoring/monitor.yaml
new file mode 100644
index 00000000000..941b21d0b8d
--- /dev/null
+++ b/components/sandbox/toolchain-host-operator/base/monitoring/monitor.yaml
@@ -0,0 +1,21 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: host-operator-metrics
+ labels:
+ apps: host-operator
+spec:
+ endpoints:
+ - interval: 15s
+ scheme: https
+ path: /metrics
+ port: http
+ authorization:
+ credentials:
+ key: token
+ name: host-operator-metrics-reader
+ tlsConfig:
+ insecureSkipVerify: true
+ selector:
+ matchLabels:
+ apps: host-operator
diff --git a/components/sandbox/toolchain-host-operator/base/monitoring/prometheus-network-policy.yaml b/components/sandbox/toolchain-host-operator/base/monitoring/prometheus-network-policy.yaml
index 68bef24ca40..69327219c5c 100644
--- a/components/sandbox/toolchain-host-operator/base/monitoring/prometheus-network-policy.yaml
+++ b/components/sandbox/toolchain-host-operator/base/monitoring/prometheus-network-policy.yaml
@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: allow-from-openshift-user-workload-monitoring
- namespace: toolchain-host-operator
+ namespace: system
 spec:
 ingress:
 - from:
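Review bot: In monitor.yaml, `insecureSkipVerify: true` under `tlsConfig` means Prometheus presents the `host-operator-metrics-reader` bearer token to whatever answers on the scraped port without checking its certificate, so the token is exposed if that endpoint is ever impersonated or intercepted. If the metrics endpoint serves a certificate issued by the OpenShift service CA (not visible in this diff, so this needs confirming), the scrape can verify it against the injected CA bundle and the Service DNS name instead, as sketched below. The endpoint port is also named `http` while `scheme` is `https`; a one-line comment explaining the mismatch would help the next reader.

```yaml
  endpoints:
  - interval: 15s
    # … unchanged: scheme, path, port, authorization …
    tlsConfig:
      ca:
        configMap:
          name: openshift-service-ca.crt
          key: service-ca.crt
      # placeholder: DNS name of the Service that exposes the metrics port
      serverName: <metrics-service-name>.toolchain-host-operator.svc
```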
@@ -11,4 +11,4 @@ spec:
 kubernetes.io/metadata.name: openshift-user-workload-monitoring
 podSelector: {}
 policyTypes:
- - Ingress
\ No newline at end of file
+ - Ingress
diff --git a/components/sandbox/toolchain-host-operator/base/monitoring/rbac.yaml b/components/sandbox/toolchain-host-operator/base/monitoring/rbac.yaml
new file mode 100644
index 00000000000..2e8c178c613
--- /dev/null
+++ b/components/sandbox/toolchain-host-operator/base/monitoring/rbac.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: host-operator-metrics
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-host-operator-metrics-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: host-operator-metrics
+subjects:
+- kind: ServiceAccount
+ name: host-operator-metrics-reader
+ namespace: system
diff --git a/components/sandbox/toolchain-host-operator/base/monitoring/sandbox-registration-service-proxy.yaml b/components/sandbox/toolchain-host-operator/base/monitoring/sandbox-registration-service-proxy.yaml
index e0a6dc89a1e..ba1dac29a9d 100644
--- a/components/sandbox/toolchain-host-operator/base/monitoring/sandbox-registration-service-proxy.yaml
+++ b/components/sandbox/toolchain-host-operator/base/monitoring/sandbox-registration-service-proxy.yaml
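Review bot: In rbac.yaml, the `host-operator-metrics` ClusterRole grants `get` on the `/metrics` non-resource URL, and that grant is not tied to this operator: any endpoint in the cluster that authorizes scrapes by checking this URL will accept the `host-operator-metrics-reader` token. `nonResourceURLs` can only be granted through a ClusterRole, so the scope cannot be narrowed in this file, but it should be documented so the token is treated as a cluster-wide credential, for example `# Cluster-wide GET on /metrics; the bound token is accepted by every endpoint that authorizes on this URL.` above `rules:`. The hunk context of sandbox-registration-service-proxy.yaml shows a role named `registration-service-metrics-reader` already in use; if its rule is the same (its body is outside this diff), binding the new ServiceAccount to it would avoid a duplicate role.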
@@ -1,16 +1,16 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: metrics-reader
- namespace: toolchain-host-operator
+ name: registration-service-metrics-reader
+ namespace: system
 ---
 apiVersion: v1
 kind: Secret
 metadata:
- name: metrics-reader
- namespace: toolchain-host-operator
+ name: registration-service-metrics-reader
+ namespace: system
 annotations:
- kubernetes.io/service-account.name: metrics-reader
+ kubernetes.io/service-account.name: registration-service-metrics-reader
 type: kubernetes.io/service-account-token
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -33,14 +33,14 @@ roleRef:
 name: registration-service-metrics-reader
 subjects:
 - kind: ServiceAccount
- name: metrics-reader
- namespace: toolchain-host-operator
+ name: registration-service-metrics-reader
+ namespace: system
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: sandbox-registration-service-proxy
- namespace: toolchain-host-operator
+ namespace: system
 spec:
 endpoints:
 - interval: 15s
@@ -48,8 +48,8 @@ spec:
 path: /metrics
 port: proxy-metrics
 bearerTokenSecret:
- name: "metrics-reader"
+ name: "registration-service-metrics-reader"
 key: token
 selector:
 matchLabels:
- run: proxy-metrics
\ No newline at end of file
+ run: proxy-metrics
diff --git a/components/sandbox/toolchain-host-operator/base/monitoring/serviceaccount.yaml b/components/sandbox/toolchain-host-operator/base/monitoring/serviceaccount.yaml
new file mode 100644
index 00000000000..ad1c82abe71
--- /dev/null
+++ b/components/sandbox/toolchain-host-operator/base/monitoring/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: host-operator-metrics-reader
+ name: host-operator-metrics-reader
+ namespace: system
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: host-operator-metrics-reader
+ namespace: system
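Review bot: In serviceaccount.yaml, the `kubernetes.io/service-account-token` Secret for `host-operator-metrics-reader` yields a token with no expiry, and nothing in the file says who consumes it or how it is revoked. A header comment such as `# Long-lived scrape token read by the host-operator-metrics ServiceMonitor; it does not expire, revoke it by deleting this Secret.` would make that explicit. The Secret is also declared before the ServiceAccount it annotates, whereas sandbox-registration-service-proxy.yaml declares the ServiceAccount first; following the same order would keep the two files consistent.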