diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl
index 3c29e681f..2e06dc0c0 100644
--- a/traefik/templates/_helpers.tpl
+++ b/traefik/templates/_helpers.tpl
@@ -134,11 +134,15 @@ Traefik hub is based on v3.1 (v3.0 before v3.3.1) of traefik proxy, so this is a
 based on semverCompare
 */}}
 {{- if $.Values.hub.token -}}
-{{ if and (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag)) (semverCompare "<v3.3.2-0" $.Values.image.tag) -}}
-v3.0
-{{- else -}}
-v3.1
-{{- end -}}
+ {{ $hubVersion := "v3.2" }}
+ {{- if regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag) -}}
+    {{- if semverCompare "<v3.3.2-0" $.Values.image.tag -}}
+        {{ $hubVersion = "v3.0" }}
+    {{- else if semverCompare "<3.7.0-0" $.Values.image.tag -}}
+        {{ $hubVersion = "v3.1" }}
+    {{- end -}}
+ {{- end -}}
+{{ $hubVersion }}
 {{- else -}}
 {{ (split "@" (default $.Chart.AppVersion $.Values.image.tag))._0 | replace "latest-" "" | replace "experimental-" "" }}
 {{- end -}}
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
index c1cd65b1f..7bc916880 100644
--- a/traefik/templates/rbac/clusterrole.yaml
+++ b/traefik/templates/rbac/clusterrole.yaml
@@ -151,15 +151,6 @@ rules:
       - get
       - list
       - watch
-    {{- if (semverCompare ">=v3.1.0-0" $version) }}
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-    {{- end }}
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
index e12219810..a57134e20 100644
--- a/traefik/tests/rbac-config_test.yaml
+++ b/traefik/tests/rbac-config_test.yaml
@@ -736,7 +736,7 @@ tests:
               - list
               - watch
 
-  - it: should provide expected role rbac when k8s gw api is enabled >=v3.2.0
+  - it: should provide expected role rbac when k8s gw api is enabled for Proxy >=v3.2.0
     set:
       image:
         tag: v3.2.0-rc1
@@ -794,6 +794,67 @@ tests:
               - get
               - list
               - watch
+  - it: should provide expected role rbac when k8s gw api is enabled for Hub >=v3.7.0
+    set:
+      image:
+        tag: v3.7.0
+      hub:
+        token: "xxx"
+      providers:
+        kubernetesGateway:
+          enabled: true
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - gateway.networking.k8s.io
+            resources:
+              - backendtlspolicies/status
+              - gatewayclasses/status
+              - gateways/status
+              - grpcroutes/status
+              - httproutes/status
+              - tcproutes/status
+              - tlsroutes/status
+            verbs:
+              - update
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - gateway.networking.k8s.io
+            resources:
+              - backendtlspolicies
+              - gatewayclasses
+              - gateways
+              - grpcroutes
+              - httproutes
+              - referencegrants
+              - tcproutes
+              - tlsroutes
+            verbs:
+              - get
+              - list
+              - watch
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - namespaces
+              - secrets
+              - services
+              - configmaps
+            verbs:
+              - get
+              - list
+              - watch
+
   - it: should contain additional RBACS for hub API gateway
     set:
       image:
@@ -1080,7 +1141,7 @@ tests:
               - list
               - get
               - watch
-  - it: should provide expected RBACS for version < v3.1
+  - it: should provide expected RBACS for Proxy version < v3.1
     set:
       image:
         tag: v3.0.1
@@ -1110,3 +1171,66 @@ tests:
               - list
               - get
               - watch
+  - it: should provide expected RBACS for Hub version <3.3.2
+    set:
+      image:
+        tag: v3.3.0
+      hub:
+        token: "xxx"
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - endpoints
+              - services
+            verbs:
+              - get
+              - list
+              - watch
+      - template: rbac/clusterrole.yaml
+        notContains:
+          path: rules
+          content:
+            apiGroups:
+              - discovery.k8s.io
+            resources:
+              - endpointslices
+            verbs:
+              - list
+              - get
+              - watch
+  - it: should provide expected RBACS for Hub version >3.3.2 and <3.7.0
+    set:
+      image:
+        tag: v3.6.0
+      hub:
+        token: "xxx"
+    asserts:
+      - template: rbac/clusterrole.yaml
+        notContains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - endpoints
+              - services
+            verbs:
+              - get
+              - list
+              - watch
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - discovery.k8s.io
+            resources:
+              - endpointslices
+            verbs:
+              - list
+              - watch