diff --git a/component/rbac.libsonnet b/component/rbac.libsonnet
index 134b6a3..5c2a3bf 100644
--- a/component/rbac.libsonnet
+++ b/component/rbac.libsonnet
@@ -30,7 +30,7 @@ local sudoGroupSubjects = std.map(
 
 local sudoClusterRole = kube.ClusterRole('sudo-impersonator') {
   rules: [ {
-    apiGroups: [ '' ],
+    apiGroups: [ '', 'authorization.k8s.io' ],
     resources: [ 'users', 'serviceaccounts', 'groups' ],
     verbs: [ 'impersonate' ],
   }, {
diff --git a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
index c37b238..2c50a0a 100644
--- a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
+++ b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -8,6 +8,7 @@ metadata:
 rules:
   - apiGroups:
       - ''
+      - authorization.k8s.io
     resources:
       - users
       - serviceaccounts
diff --git a/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
index 53e12df..a93db8f 100644
--- a/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
+++ b/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -8,6 +8,7 @@ metadata:
 rules:
   - apiGroups:
       - ''
+      - authorization.k8s.io
     resources:
       - users
       - serviceaccounts