diff --git a/.sops.yaml b/.sops.yaml
index 1bd5ecfe1a5daee984b89c796dd5ce69928b6649..6bfa5b0c01fd67d6147469421248545e5269793b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,6 @@
 creation_rules:
   - path_regex: (clusters|apps)/k8s01/.*.yaml
-    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain|password)$
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain|password|subjects)$
     pgp: >-
       286791FB6648539775DB31B8FCB98C2A3EC6F601,
       B137EE1549DFAF960DD1E2B15147025FB9F09E07
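Review bot: The new `subjects` alternative applies to every file matched by `path_regex`, not only to the ClusterRoleBinding added in this commit. Any RoleBinding or ClusterRoleBinding under `clusters/` or `apps/` for k8s01 that is later encrypted with this rule will also have its subject list turned into ciphertext. If only the admin binding is meant to be hidden, a dedicated rule placed before this one keeps the scope narrow: `- path_regex: clusters/k8s01/kube-system/cluster-admin\.yaml$` with `encrypted_regex: ^subjects$` and the same `pgp` fingerprints. Separately, the unchanged `path_regex` line leaves the `.` before `yaml` unescaped and has no trailing `$`, so it matches more paths than it appears to; `.*\.yaml$` would be tighter.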
diff --git a/clusters/k8s01/kube-system/cluster-admin.yaml b/clusters/k8s01/kube-system/cluster-admin.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..70d1335a14b675f98df15de7c897c7e92d1d3243
--- /dev/null
+++ b/clusters/k8s01/kube-system/cluster-admin.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: k8s01-admins
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: cluster-admin
+subjects:
+    - apiGroup: ENC[AES256_GCM,data:E3LnGy+s2sUTvFhLWb6rphY6s8terJprkQ==,iv:zQdjNIMAaajWt5QZHC9cYy0i8NpcQXAb7OFDcxBeiWM=,tag:kSLSkBUSwXK7NV2kYL3qzw==,type:str]
+      kind: ENC[AES256_GCM,data:/DI0uQ==,iv:gQ2+q5QUtisJZAGH/eQQ0sx6r/wQjGbbvvKe9lTBGaA=,tag:OWHpXBIHDQ1hCytBTFBw5A==,type:str]
+      name: ENC[AES256_GCM,data:tFtYFi+O5CKCaQ==,iv:5s3kuxtncX2flu78u/lX1x1WkLiTQDBG+FzyvvZkNro=,tag:qXJNwavLrTtkn8GdTYZKBg==,type:str]
+    - apiGroup: ENC[AES256_GCM,data:fd6m8ozdnqGYcPleeY55IdBfIcNt3wt7og==,iv:CZBJudiK+1ntbEn/t9jhryMj/TNTjSNWiV9lYfrkfdI=,tag:Ii8hfOu5AyOmH0CTmkD7PQ==,type:str]
+      kind: ENC[AES256_GCM,data:a/J9uw==,iv:/QgFSXMYQY9Brq5K/ZZHP6jtAeOUgERv6bpwczOSFQE=,tag:ScO+pWGiiu2tG71t3oQCiQ==,type:str]
+      name: ENC[AES256_GCM,data:1uDQRdyf7fjoBJCmp4dYLA==,iv:XquV79h8GvdViavacrKpyrmxjDBWfEOY6XgGecwGod8=,tag:W5pDvCCcWVcVTc4jJDH2Cw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-02-02T22:28:52Z"
+    mac: ENC[AES256_GCM,data:mrSuYzlO3LvhuQAEOOehNITzdajDApYtT1IU6qvaO4LeZQ5uMyoF6iKHFSx+ZXtishYHJj+tFQdnilWTjBwiwiqYjlUNpKK0johrOthGd9EGGReXf21e1/17mM40fUOQDhdYLHconPjaskqPbaEcotRwGGfTAKGwNOSwoThLpY4=,iv:5GqPgkUbnbVVAVVFDomd7SP/nns2EviLJ/xUeir1NIk=,tag:tqqiXDTT2wk7E7ZNsWN/Zw==,type:str]
+    pgp:
+        - created_at: "2022-02-02T22:28:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAR9YPXro+L2ItjWhxHCzqDqzX91+LATSkXNRWMzwUYsnJ
+            g1bkV2e66ANLDnNQQ6RddfI5mmI8XtDHCzvnFDa1nm+xqYBUbg6yezK2bhpwPDSB
+            rMhUeUlikIs7aJtvkj4qDASNye1it7VZqTVNggtNPhTvyho3JtxfyQ+lSKN2vxTM
+            k2FcGuZoEfikt+FwUvgVYxvLtBVJoVUAfMxXN9YyUA7UQMhhipjxNXATvOq0iD22
+            bNRi8hK48o3J5Nqhe/Vn42yNAxZE+coVV2eiXkYzEURYY5z9HosyBxsai137XxJ3
+            jzxqMHuIO5HlseZOAazZFs6wezYsOF4uvriUj1vk5/bSczAEJf8/UIm2nYdeQhmt
+            BIqna5xwi6Ubw2gp0JbuZwPHrTPTrY8XJ5XVaQjLw9NQEngXw8a2qY9teljpYPg1
+            /krOnJa6aqS7kTmee4a3bq7ann7FLL/GW+DMfCQHudjpUJdLJj4+Q5AwR1T/GfYW
+            I66Et0EsGgCL97QdIGy5gYg2wxyEVGvWRGlbRol82tuYypnBbWVSAnuigREDeJGc
+            T8+pxlm/tEJzFvkmwSNoJJCEg+Wkgb+gnl1kByTjfQhNWsu4mSsBSJnxgw8uL6hP
+            wG6gkF0UEu1zlHhVAjcu+z2gnqL8DqndhpJS6pTKBAVN2ujnrv3qcKAqoqGivmPS
+            5gHSsGPtVxOe1H5IjuDamucG519tnLXu0gsyFvM3Wdg4RpfXLiOR6AClAwjc6rif
+            zZKIn6m5SXjSX6CqPfAL6ark2PoOSe2VctZyC5CC3O+PxeIgH2CSAA==
+            =gI6k
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-02-02T22:28:51Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ/9F7dDgG2Pd4pYnjx6X6uH5rDtzheeoNb8QM+KMKB2xthI
+            lYCCtE/d4JxILqIjrBEMnU+Ugo526jRIKDQIcjYXJoZ/rrs9p9gQXzUsGYymE9hL
+            MnVjwirgT6r7XpNgxNGKJE1iwMnYW84dvUGKZSmM56SStppIjJaUg/hd1CJa5mcF
+            pNBTo0laAY7SrV7+488cCw/JeKhF+AWsLXKp4eS2jEguiuP9kQcmA1+jDKmafIE/
+            jX+s0wEJHP+7oJR8Rt9VMr4CwOeoNalBon8UGhqgOQXx7IFI8C6m8k5QfFGQWz+y
+            EbESOZMhhtoQSksy0VoRGXtlaLSD8fvlGJAYHE1/04kKPINyT362G3EhE/8V86Cb
+            PJ2YfhcjeWiiRZl+HI+kHCQrmlY0fv1DUrY1GGlcZg+EO2S4kr7MzLayHCzIaCv6
+            LKdqKi3XkBa0oGRNYAllcerWXuMQdcbIuF9CoeQEO3iPbwF9ew1sRpdyZXXMGdIA
+            6bOxt3RfaW0tB/Z3vreKIwKT8bA8qeTxXN71Fl3xYKywJktIj4D85YBaXGh0y0Co
+            DOZEySLQcRWlJGNM1bRs6k98lzfdgTSwBziBt23KmSXyOLgfTVyFAzg3RZXJZx28
+            TJMdLfx6Sq42wh0/vTdKmaMlIgGZNitDQwrYRGP0TlhwYA4HmxzkO+OygoP/cLfU
+            aAEJAhAaIRKpj2kJLrKkWPLjAFuV6+DUJhyTHzBDrXJ5HG43bg0CFGAgHKd6ZGBJ
+            6PUBr+LQn4TylCPBw076mndubZ7HSb3TQz0z7I4xPHxT4O4UdIUm15OptqnZbuqE
+            b0D/vegAjalk
+            =+jJS
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain|password|subjects)$
+    version: 3.7.1
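Review bot: This binding grants `cluster-admin`, but with `subjects` encrypted a reviewer without one of the two PGP keys cannot see who receives it, and later changes to the list will appear only as ciphertext churn. SOPS preserves each value's length, so encrypting `apiGroup` and `kind` hides little; the `name` values are the only part that gains real confidentiality, and that should be weighed against the loss of reviewability on the most privileged binding in the cluster. At minimum, add a plaintext comment at the top of the file, such as `# subjects are SOPS-encrypted; decrypt with sops and review the list before approving changes`, and check that sops leaves it unencrypted. The manifest is only valid once decrypted, so it presumably depends on the deploy tooling decrypting it before apply, which this diff does not show.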
diff --git a/clusters/k8s01/kube-system/kustomization.yaml b/clusters/k8s01/kube-system/kustomization.yaml
index 9aaf88317c0fc7798ce1cf7ba115973a008ecb25..e2c0d5217573def0241dc4c331774c9f83bb9d7c 100644
--- a/clusters/k8s01/kube-system/kustomization.yaml
+++ b/clusters/k8s01/kube-system/kustomization.yaml
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 resources:
+  - cluster-admin.yaml
   - kubeadm.yaml