diff --git a/bootstrap/kustomization.yaml b/bootstrap/kustomization.yaml
index 9699498..39ef060 100644
--- a/bootstrap/kustomization.yaml
+++ b/bootstrap/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
 # NOTE: cluster-admin ClusterRoleBinding is managed by ansible-role-crc
 # (ArgoCD cannot grant itself permissions it doesn't have)
 - argocd-config.yaml
+# Wave 0: GitHub-team-to-cluster-admin RBAC for OIDC users (Headlamp, kubectl)
+- oidc-rbac.yaml
 # Wave 0: CI/CD service account with cluster-admin for GitHub Actions
 - ci-service-account.yaml
 # PostSync: Sync ci-deployer token to GitHub Actions secrets
diff --git a/bootstrap/oidc-rbac.yaml b/bootstrap/oidc-rbac.yaml
new file mode 100644
index 0000000..6a51340
--- /dev/null
+++ b/bootstrap/oidc-rbac.yaml
@@ -0,0 +1,22 @@
+---
+# Maps the GitHub team `makeitworkcloud:admins` (surfaced as a `groups` claim
+# by Dex's GitHub connector) to cluster-admin so OIDC-authenticated users
+# can use kubectl/Headlamp without a separate per-user binding.
+#
+# Pairs with the k3s apiserver flags in tfroot-libvirt cloud-init that point
+# at the same Dex issuer: --oidc-issuer-url, --oidc-client-id=headlamp,
+# --oidc-username-claim=email, --oidc-groups-claim=groups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-makeitworkcloud-admins
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+subjects:
+  - kind: Group
+    name: makeitworkcloud:admins
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
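Review bot: The Group subject `name: makeitworkcloud:admins` in the new oidc-rbac.yaml is bound unprefixed, and the header comment lists `--oidc-groups-claim=groups` with no `--oidc-groups-prefix`, which presumably means every group string Dex emits lands in the same namespace as the cluster's built-in groups (the `system:` groups included) instead of being isolated from them. If the cloud-init flags referenced in the comment can be changed, set `--oidc-groups-prefix=oidc:` there and bind `name: oidc:makeitworkcloud:admins` here, and record that pairing in the header comment so the two files cannot drift apart. The exact string also depends on the Dex GitHub connector's `teamNameField` setting (`name`, `slug` or `both`) and is matched case-sensitively, so a mismatch fails closed as an unexplained Forbidden rather than a sync-time error; a line such as `# Group string must match Dex teamNameField output exactly (org:team, case-sensitive)` would save the next debugger time. Since membership of that GitHub team now equals cluster-admin, the comment should also state that GitHub org owners and team maintainers effectively control cluster-admin, so that the team's membership policy is reviewed with that in mind.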