diff --git a/charts/external-dns/CHANGELOG.md b/charts/external-dns/CHANGELOG.md index ad2643b86d..b05b77523a 100644 --- a/charts/external-dns/CHANGELOG.md +++ b/charts/external-dns/CHANGELOG.md @@ -22,6 +22,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add option to configure `annotationFilter` via dedicated chart value. ([#5737](https://github.com/kubernetes-sigs/external-dns/pull/5737)) _@dshatokhin_ +### Changed + +- Grant `discovery.k8s.io/endpointslices` permission only when using `service` source. ([#5746](https://github.com/kubernetes-sigs/external-dns/pull/5746)) _@vflaux_ + ## [v1.18.0] - 2025-07-14 ### Changed diff --git a/charts/external-dns/templates/clusterrole.yaml b/charts/external-dns/templates/clusterrole.yaml index f418416e2e..52c525ead2 100644 --- a/charts/external-dns/templates/clusterrole.yaml +++ b/charts/external-dns/templates/clusterrole.yaml @@ -20,6 +20,8 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get","watch","list"] +{{- end }} +{{- if has "service" .Values.sources }} - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get","watch","list"] diff --git a/charts/external-dns/tests/rbac_test.yaml b/charts/external-dns/tests/rbac_test.yaml index 91e1cd482a..4658d7ee2d 100644 --- a/charts/external-dns/tests/rbac_test.yaml +++ b/charts/external-dns/tests/rbac_test.yaml 
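Review bot: The new guard `{{- if has "service" .Values.sources }}` in clusterrole.yaml has no comment explaining why `endpointslices` is tied to `service` alone, while the `services` rule just above stays under a conditional that opens outside this hunk. A template comment above the guard, e.g. `{{- /* endpointslices: granted only for the service source; extend this guard if another source starts reading EndpointSlices */}}`, would keep a later edit from widening the grant again or from missing a source that needs it. If a source is missed, the chart still renders cleanly and the failure presumably only shows up at runtime as a Forbidden on list/watch. Each source expected to receive this rule should therefore have its own `equal` case in rbac_test.yaml. The `{{- end }}` that closes the new block is also outside the hunk.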
@@ -52,6 +52,50 @@ tests: resources: ["ingresses"] verbs: ["get","watch","list"] + - it: should create no RBAC rules when no sources are set + set: + sources: [] + asserts: + - template: clusterrole.yaml + equal: + path: rules + value: null + + - it: should create default RBAC rules for 'ingresses' with source 'ingress' + set: + sources: + - ingress + asserts: + - template: clusterrole.yaml + equal: + path: rules + value: + - apiGroups: ["extensions","networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get","watch","list"] + + - it: should create default RBAC rules for 'nodes', 'pods', 'services' and 'endpointslices' with source 'service' + set: + sources: + - service + asserts: + - template: clusterrole.yaml + equal: + path: rules + value: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get","watch","list"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get","watch","list"] + - it: should create default RBAC rules for 'ambassador-host' set: sources: @@ -411,9 +455,6 @@ tests: - apiGroups: [""] resources: ["services"] verbs: ["get","watch","list"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get","watch","list"] - apiGroups: ["extensions","networking.k8s.io"] resources: ["ingresses"] verbs: ["get","watch","list"] @@ -443,9 +484,6 @@ tests: - apiGroups: [""] resources: ["services"] verbs: ["get","watch","list"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get","watch","list"] - apiGroups: ["extensions","networking.k8s.io"] resources: ["ingresses"] verbs: ["get","watch","list"] 
@@ -472,9 +510,6 @@ tests: - apiGroups: [""] resources: ["services"] verbs: ["get","watch","list"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get","watch","list"] - apiGroups: ["extensions","networking.k8s.io"] resources: ["ingresses"] verbs: ["get","watch","list"] diff --git a/docs/tutorials/godaddy.md b/docs/tutorials/godaddy.md index fad0471717..66b36ebfad 100644 --- a/docs/tutorials/godaddy.md +++ b/docs/tutorials/godaddy.md @@ -103,9 +103,6 @@ rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list","watch"] -- apiGroups: [""] - resources: ["endpoints"] - verbs: ["get","watch","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/docs/tutorials/ovh.md b/docs/tutorials/ovh.md index 170fc4fe3c..58e5f06790 100644 --- a/docs/tutorials/ovh.md +++ b/docs/tutorials/ovh.md @@ -139,9 +139,6 @@ rules: - apiGroups: [""] resources: ["nodes"] verbs: ["list"] -- apiGroups: [""] - resources: ["endpoints"] - verbs: ["get","watch","list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding