diff --git a/metropolis/proto/api/management.proto b/metropolis/proto/api/management.proto
index 17ff6af..ba20cee 100644
--- a/metropolis/proto/api/management.proto
+++ b/metropolis/proto/api/management.proto
@@ -60,6 +60,13 @@
             need: PERMISSION_APPROVE_NODE
         };
     }
+
+    // UpdateNodeRoles updates a single node's roles.
+    rpc UpdateNodeRoles(UpdateNodeRolesRequest) returns (UpdateNodeRolesResponse) {
+        option (metropolis.proto.ext.authorization) = {
+            need: PERMISSION_UPDATE_NODE_ROLES
+        };
+    }
 }
 
 message GetRegisterTicketRequest {
@@ -144,3 +151,20 @@
 
 message ApproveNodeResponse {
 }
+
+// UpdateNodeRolesRequest updates roles of a single node matching pubkey. All
+// role fields are optional, and no change will result if they're either unset
+// or if their value matches existing state.
+message UpdateNodeRolesRequest {
+  // pubkey is the Ed25519 public key of this node, which can be used to
+  // generate the node's ID. This is always set.
+  bytes pubkey = 1;
+
+  // kubernetesWorker adjusts the appropriate role when set. Nodes performing
+  // this role must also be consensus members. 
+  optional bool kubernetesWorker = 2;
+  optional bool consensusMember = 3;
+}
+
+message UpdateNodeRolesResponse {
+}