appuio · thobens · Nov 20, 2025 · Nov 18, 2025
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -7,8 +7,6 @@ parameters:
     sudoGroupName: null
     sudoGroups: []
 
-    # Username to be used for impersonation, aka sudo
-    adminUserName: cluster-admin
     identityProviders: {}
 
     templates:

diff --git a/component/rbac.libsonnet b/component/rbac.libsonnet
@@ -55,20 +55,6 @@ local sudoClusterRoleBindingView = kube.ClusterRoleBinding('sudo-view') {
   },
 };
 
-local clusterRoleBindingAdmin = kube.ClusterRoleBinding('impersonate-' + params.adminUserName) {
-  subjects: [ {
-    apiGroup: 'rbac.authorization.k8s.io',
-    kind: 'User',
-    name: params.adminUserName,
-  } ],
-  roleRef_: {
-    kind: 'ClusterRole',
-    metadata: {
-      name: 'cluster-admin',
-    },
-  },
-};
-
 local sudoAlertmanagerAccess =
   kube.RoleBinding('alertmanager-access-sudoer-groups') {
     metadata+: {
@@ -98,7 +84,6 @@ local sudoMonitoringRulesView =
   sudoClusterRole,
   sudoClusterRoleBinding,
   sudoClusterRoleBindingView,
-  clusterRoleBindingAdmin,
   sudoAlertmanagerAccess,
   sudoMonitoringRulesView,
 ]
diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc
@@ -39,11 +39,11 @@ In this scenario, if the LDAP sync cronjob is scheduled on the master nodes, we
 RBAC rules are set up in order to allow a sudo like method to gain cluster-admin privileges.
 
 By default only `cluster-read` and `impersonate` permissions are granted to the groups defined in `openshift4_authentication.sudoGroups`.
-Using https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation], permissions can be escalated to full `cluster-admin`:
+Using https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation], permissions can be escalated to full `system:admin`:
 
 [source,console]
 ----
-oc --as cluster-admin get secret
+oc --as=system:admin get secret
 ----
 
 The component also deploys a `RoleBinding` and a `ClusterRoleBinding` to ensure that users in the sudoers group can access the OpenShift cluster monitoring Alertmanager and its associated resources in the OpenShift console.
@@ -107,7 +107,7 @@ To avoid removing the user before other authentication methods are configured, t
 [NOTE]
 ====
 Removing this user doesn't affect the `kubeconfig` file generated by the OpenShift installer.
-The `kubeconfig` file uses a client certificate to authorize against the cluster as `cluster-admin`.
+The `kubeconfig` file uses a client certificate to authorize against the cluster as `system:admin`.
 This certificate remains valid even if the `kubeadmin` user is removed from the cluster.
 In order words, emergency access with `kubeconfig` is still possible.
 ====
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -50,14 +50,6 @@ sudoGroups:
 ----
 
 
-== `adminUserName`
-
-[horizontal]
-type:: string
-default:: `cluster-admin`
-
-The username used for cluster administrator impersonation.
-
 == `identityProviders`
 
 [horizontal]

diff --git a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -64,22 +64,6 @@ subjects:
     name: Team sudoers
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  annotations: {}
-  labels:
-    name: impersonate-cluster-admin
-  name: impersonate-cluster-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - apiGroup: rbac.authorization.k8s.io
-    kind: User
-    name: cluster-admin
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   annotations: {}

diff --git a/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -52,22 +52,6 @@ roleRef:
 subjects: []
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  annotations: {}
-  labels:
-    name: impersonate-cluster-admin
-  name: impersonate-cluster-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - apiGroup: rbac.authorization.k8s.io
-    kind: User
-    name: cluster-admin
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   annotations: {}