From c61b958bfc7918a51b578c4d91fe570cfe47aee7 Mon Sep 17 00:00:00 2001
From: Akos Eros
Date: Mon, 1 Jun 2026 14:23:09 +0200
Subject: [PATCH 1/2] feat: Add cluster role binding with sudoers

The groups added to Values.rbac.sudoerGroups will have the right to impersonate system:admin.

---
 templates/rbac/hcp-sudo-crolebinding.yaml | 16 ++++++++++++++++
 values.yaml | 1 +
 2 files changed, 17 insertions(+)
 create mode 100644 templates/rbac/hcp-sudo-crolebinding.yaml

diff --git a/templates/rbac/hcp-sudo-crolebinding.yaml b/templates/rbac/hcp-sudo-crolebinding.yaml
new file mode 100644
index 0000000..4e8f2c8
--- /dev/null
+++ b/templates/rbac/hcp-sudo-crolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+{{- range .Values.rbac.sudoerGroups }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ lower . }}-sudoer-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sudoer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 3c9eccc..0636f6d 100644
--- a/values.yaml
+++ b/values.yaml
@@ -12,6 +12,7 @@ rbac:
   name: hcp-admins-crb
   users: []
   groups: []
+  sudoerGroups: []
 clusterGroup:
   isHubCluster: true

From 9026459e0f4bb023ef631426f7a77c6e13733c8e Mon Sep 17 00:00:00 2001
From: day0hero
Date: Mon, 1 Jun 2026 14:02:32 +0100
Subject: [PATCH 2/2] update .trivyignore to use fqid

---
 .trivyignore | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index bf1636b..dc78753 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,6 +1,6 @@
 # Hypershift admin ClusterRole is intentionally privileged; suppress noisy RBAC policy checks.
-KSV-0041
-KSV-0045
-KSV-0046
-KSV-0049
-KSV-0056
+AVD-KSV-0041
+AVD-KSV-0045
+AVD-KSV-0046
+AVD-KSV-0049
+AVD-KSV-0056
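Review bot: Each `range` iteration in templates/rbac/hcp-sudo-crolebinding.yaml emits a complete object but nothing separates the iterations, so with two or more entries in `.Values.rbac.sudoerGroups` the rendered output is a single document with repeated `apiVersion`/`kind`/`metadata` keys rather than several ClusterRoleBindings; put a document separator as the first line inside the loop, `{{- range .Values.rbac.sudoerGroups }}` followed by `---`. The subject name and the binding name are also rendered unquoted, so a group containing `:` or other YAML-significant characters (as `system:…` groups do) breaks the parse, and `lower` does not turn such a value into a valid object name either; `name: {{ . | quote }}` for the subject and a sanitised form for `metadata.name` would be safer. The `sudoer` ClusterRole named in `roleRef` is not created by this patch, so whether it exists depends on the target platform (it is a built-in role on OpenShift, where it grants impersonation of system:admin); a comment at the top of the template stating that assumption would help reviewers of later changes. Given that this binding is cluster-admin-equivalent for every member of the listed groups, the template comment should also say that broad groups such as `system:authenticated` must never be listed here.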
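Review bot: `sudoerGroups: []` is added to values.yaml without a comment, although any group listed there is bound by templates/rbac/hcp-sudo-crolebinding.yaml to the `sudoer` ClusterRole, which the commit message describes as the right to impersonate system:admin, i.e. effectively cluster-admin. The neighbouring `users` and `groups` keys give no hint of this, so a reader can mistake it for just another admin-group list. A comment placed above the key, such as `# Groups bound to the "sudoer" ClusterRole: members can impersonate system:admin (cluster-admin equivalent). Keep empty unless explicitly required.`, would make the privilege visible at the point where it is configured. The enclosing `rbac:` mapping starts above the hunk.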
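Review bot: The comment on the first line of .trivyignore says the suppressions are for the admin ClusterRole, but a plain `.trivyignore` entry is global: every `AVD-KSV-…` ID listed here is ignored for all manifests the chart renders, including the sudoer ClusterRoleBinding introduced in the first patch, so a future finding of these kinds anywhere else in the chart is silenced as well. If the Trivy version in use supports `.trivyignore.yaml`, the same IDs can be listed there with a `paths` restriction limited to the admin ClusterRole template; otherwise the comment should be reworded to `# Suppressed chart-wide; the intentionally privileged Hypershift admin ClusterRole triggers these RBAC checks.` so it does not claim a scope the file cannot enforce.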