diff --git a/.trivyignore b/.trivyignore
index bf1636b..dc78753 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,6 +1,6 @@
 # Hypershift admin ClusterRole is intentionally privileged; suppress noisy RBAC policy checks.
-KSV-0041
-KSV-0045
-KSV-0046
-KSV-0049
-KSV-0056
+AVD-KSV-0041
+AVD-KSV-0045
+AVD-KSV-0046
+AVD-KSV-0049
+AVD-KSV-0056
diff --git a/templates/rbac/hcp-sudo-crolebinding.yaml b/templates/rbac/hcp-sudo-crolebinding.yaml
new file mode 100644
index 0000000..4e8f2c8
--- /dev/null
+++ b/templates/rbac/hcp-sudo-crolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+{{- range .Values.rbac.sudoerGroups }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ lower . }}-sudoer-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sudoer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 3c9eccc..0636f6d 100644
--- a/values.yaml
+++ b/values.yaml
@@ -12,6 +12,7 @@ rbac:
   name: hcp-admins-crb
   users: []
   groups: []
+  sudoerGroups: []
 clusterGroup:
   isHubCluster: true
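Review bot: The context comment in `.trivyignore` says the suppressions are for the Hypershift admin ClusterRole, but entries in `.trivyignore` are not scoped to a file, so AVD-KSV-0041/0045/0046/0049/0056 are also silenced for every other RBAC object the chart renders, including the `sudoer` ClusterRole that the new binding in `templates/rbac/hcp-sudo-crolebinding.yaml` grants cluster-wide. Either reword the comment to state that the suppression is chart-wide, e.g. `# Chart-wide: admin and sudoer ClusterRoles are intentionally privileged; RBAC policy checks suppressed for all templates.`, or, if the Trivy version in use supports the YAML ignore-file format with per-entry paths, scope each ID to the admin ClusterRole's template so findings on other objects still surface. The ID prefix change itself is fine and is not re-raised here.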
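Review bot: Rendering more than one entry of `.Values.rbac.sudoerGroups` concatenates the ClusterRoleBinding documents with no separator, so the `range` loop emits a single YAML document with repeated `apiVersion`/`kind`/`metadata` keys that the chart install will reject; add a `---` line directly after `{{- range .Values.rbac.sudoerGroups }}`. The group name is emitted unquoted in `name: {{ . }}`, so a value YAML types as non-string or one containing `: ` or ` #` breaks the subject; use `name: {{ . | quote }}`. `metadata.name` is built from `{{ lower . }}-sudoer-crb`, and a group name containing characters outside the DNS-subdomain set (a `:` in a `system:`-prefixed group, for instance) would yield a name the API server rejects — presumably the chart expects plain group names, which is worth stating in a comment next to `sudoerGroups` in `values.yaml`. The `sudoer` ClusterRole that `roleRef` points at is not created in this diff; if it is defined in another template, a one-line comment above `roleRef` naming where it lives would help reviewers judge what each listed group is being granted cluster-wide.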