diff --git a/charts/chainlink-cluster/templates/rolebinding.yaml b/charts/chainlink-cluster/templates/rolebinding.yaml
new file mode 100644
index 00000000000..85468708f1b
--- /dev/null
+++ b/charts/chainlink-cluster/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.createRoleBinding }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: crib-rolebinding
+subjects:
+- kind: Group
+ name: {{ .Values.rbac.roleBindingGroupName }}
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: {{ .Values.rbac.clusterRoleName }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/chainlink-cluster/values.yaml b/charts/chainlink-cluster/values.yaml
index fefb819cf2f..f3050e98920 100644
--- a/charts/chainlink-cluster/values.yaml
+++ b/charts/chainlink-cluster/values.yaml
@@ -298,6 +298,12 @@ affinity: networkPolicies: enabled: true
+rbac:
+ createRoleBinding: true
+ # This assumes that a separate cluster role already exists with this name.
+ clusterRoleName: "crib-poweruser"
+ roleBindingGroupName: "eks-sso:crib-poweruser"
+ # Configure the default network policy. networkPolicyDefault: ingress:
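Review bot: The subject and role names in `subjects[0].name` and `roleRef.name` are rendered unquoted and unchecked, so an empty or overridden value yields a null or retyped scalar instead of a failed render. I would write `name: {{ required "rbac.roleBindingGroupName must be set" .Values.rbac.roleBindingGroupName | quote }}` and use the same pattern for `.Values.rbac.clusterRoleName`. The fixed `metadata.name: crib-rolebinding` means two releases of this chart in one namespace would contend for the same object; a name derived from `.Release.Name` would avoid that. A header comment such as `# Grants the referenced ClusterRole's rules to the group, scoped to the release namespace only.` would make the intended blast radius explicit for reviewers.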
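Review bot: `createRoleBinding: true` makes the access grant opt-out, so every install that uses the default values binds the group `eks-sso:crib-poweruser` to `crib-poweruser` in the release namespace. I would default to `createRoleBinding: false` and switch it on in the environment-specific values file, so the grant is a deliberate choice. The comment already says the ClusterRole is assumed to exist, but the template never checks this; as far as I know, Kubernetes does not require the roleRef to resolve at creation time, so the binding would sit dormant and start granting whatever rules a later `crib-poweruser` ClusterRole carries. I would extend the comment with `# The binding is created even if the role is absent and becomes effective once a ClusterRole with this name exists.`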