diff --git a/roles/rbac/tasks/main.yml b/roles/rbac/tasks/main.yml
index 531461f0b..6f7f31575 100644
--- a/roles/rbac/tasks/main.yml
+++ b/roles/rbac/tasks/main.yml
@@ -22,6 +22,7 @@
 - {name: 'custom:system:node', file: 'custom:system:node-clusterrolebinding.yml', type: clusterrolebinding}
 - {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
 - {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
+ - {name: cluster-admin-local, file: cluster-admin-local-clusterrolebinding.yml, type: clusterrolebinding}
 register: manifests
 when: inventory_hostname == groups['kube-master'][0]
diff --git a/roles/rbac/templates/cluster-admin-local-clusterrolebinding.yml b/roles/rbac/templates/cluster-admin-local-clusterrolebinding.yml
new file mode 100644
index 000000000..646c392d1
--- /dev/null
+++ b/roles/rbac/templates/cluster-admin-local-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-admin-local
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: root
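Review bot: The new `cluster-admin-local` entry is added to the manifest list unconditionally, so every cluster this role is applied to receives a cluster-admin binding, with no inventory switch to leave it out. Because the binding grants full control of the cluster, it would be safer to keep it out of the default list and apply it from its own task behind an explicit opt-in that defaults to off, for example `when: rbac_cluster_admin_local_enabled | default(false)` (the variable name is a suggestion, not an existing setting). The task that owns this list starts and ends outside the hunk, so how the entries are iterated and templated is inferred from the visible `register:` and `when:` lines only.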
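Review bot: The only subject of this binding is the bare user name `root`, and nothing in the template says which credential is meant to carry that name. Kubernetes has no user objects, so the name is whatever the API server's configured authenticators assert, and any authentication method able to yield the name `root` is thereby bound to `cluster-admin`. A header comment should record the intended credential, e.g. `# Grants cluster-admin to user "root" as presented by <authenticator / credential, to be filled in>`, and the subject name would be better taken from a role variable than hard-coded. Separately, `rbac.authorization.k8s.io/v1beta1` is a deprecated API version; where the target clusters serve it, `apiVersion: rbac.authorization.k8s.io/v1` is the stable form, and the sibling RBAC templates would presumably need the same change to stay consistent.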