diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3cf033110c..832a073c09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@
 ### Enhancements
+- Implement super-admin user and bind admin to built-in cluster-admins role
+ (PR[#4418](https://github.com/scality/metalk8s/pull/4418))
+
 - Bump Kubernetes version to [1.29.8](https://github.com/kubernetes/kubernetes/releases/tag/v1.29.8)
 (PR[#4417](https://github.com/scality/metalk8s/pull/4417))
diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
index 469cb77f11..6b7bc4fabc 100644
--- a/buildchain/buildchain/salt_tree.py
+++ b/buildchain/buildchain/salt_tree.py
@@ -477,6 +477,7 @@ def task(self) -> types.TaskDict:
 Path("salt/metalk8s/kubectl/configured.sls"),
 Path("salt/metalk8s/kubectl/init.sls"),
 Path("salt/metalk8s/kubectl/installed.sls"),
+ Path("salt/metalk8s/kubernetes/admin/deployed.sls"),
 Path("salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls"),
 Path("salt/metalk8s/kubernetes/apiserver/certs/front-proxy-client.sls"),
 Path("salt/metalk8s/kubernetes/apiserver/certs/init.sls"),
diff --git a/pillar/metalk8s/roles/master.sls b/pillar/metalk8s/roles/master.sls
index ef97b8a185..1341276930 100644
--- a/pillar/metalk8s/roles/master.sls
+++ b/pillar/metalk8s/roles/master.sls
@@ -11,6 +11,8 @@ certificates:
 files:
 admin:
 watched: True
+ super-admin:
+ watched: True
 controller-manager:
 watched: True
 kubelet:
diff --git a/salt/metalk8s/defaults.yaml b/salt/metalk8s/defaults.yaml
index 1be96ae713..7fd8b46d61 100644
--- a/salt/metalk8s/defaults.yaml
+++ b/salt/metalk8s/defaults.yaml
@@ -251,6 +251,12 @@ certificates:
 days_remaining: 90
 days_valid: 365
 files:
+ super-admin:
+ path: /etc/kubernetes/super-admin.conf
+ renew:
+ sls:
+ - metalk8s.kubernetes.apiserver.kubeconfig
+ watched: False
 admin:
 path: /etc/kubernetes/admin.conf
 renew:
diff --git a/salt/metalk8s/deployed/core.sls b/salt/metalk8s/deployed/core.sls
index 3c15cec60f..dc66d29d48 100644
--- a/salt/metalk8s/deployed/core.sls
+++ b/salt/metalk8s/deployed/core.sls
@@ -2,6 +2,7 @@ include:
 - metalk8s.kubernetes.kube-proxy.deployed
 - metalk8s.kubernetes.cni.calico.deployed
 - metalk8s.kubernetes.coredns.deployed
+ - metalk8s.kubernetes.admin.deployed
 - metalk8s.repo.deployed
 - metalk8s.salt.master.deployed
 - metalk8s.backup.deployed
diff --git a/salt/metalk8s/kubernetes/admin/deployed.sls b/salt/metalk8s/kubernetes/admin/deployed.sls
new file mode 100644
index 0000000000..2a88c146b4
--- /dev/null
+++ b/salt/metalk8s/kubernetes/admin/deployed.sls
@@ -0,0 +1,15 @@
+Deploy admin user ClusterRoleBinding:
+ metalk8s_kubernetes.object_present:
+ - manifest:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: kubeadm:cluster-admin
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+ subjects:
+ - kind: Group
+ name: kubeadm:cluster-admins
+ apiGroup: rbac.authorization.k8s.io
diff --git a/salt/metalk8s/kubernetes/apiserver/kubeconfig.sls b/salt/metalk8s/kubernetes/apiserver/kubeconfig.sls
index d4f88c6a1b..c5053c9648 100644
--- a/salt/metalk8s/kubernetes/apiserver/kubeconfig.sls
+++ b/salt/metalk8s/kubernetes/apiserver/kubeconfig.sls
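Review bot: The ClusterRoleBinding created by `Deploy admin user ClusterRoleBinding` is what admin.conf depends on once kubeconfig.sls switches the admin client certificate from `O: "system:masters"` to `O: "kubeadm:cluster-admins"`, yet nothing in this state fixes which credential `metalk8s_kubernetes.object_present` authenticates with or orders it before that rotation; if it uses admin.conf (the module's default is not visible here), an upgraded node whose admin.conf was already regenerated holds a certificate no binding grants anything to, and this very state would be rejected with a 403 before the binding exists. Applying the state with the new super-admin kubeconfig, whose `system:masters` group the API server authorizes without consulting RBAC, or requiring it to run before the admin kubeconfig is rotated, would close that bootstrap gap; the same concern applies to the kubeconfig.sls hunk that rewrites the admin group. A header comment would also help the next reader, e.g. `{#- admin.conf is no longer in system:masters: this binding is what grants kubernetes-admin (group kubeadm:cluster-admins) cluster-admin, so it must exist before that kubeconfig is relied on #}`.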
@@ -13,6 +13,25 @@ include:
 {%- set apiserver = 'https://' ~ apiserver_ip ~ ':6443' %}
+Create kubeconfig file for super-admin:
+ metalk8s_kubeconfig.managed:
+ - name: {{ certificates.kubeconfig.files["super-admin"].path }}
+ - ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
+ - signing_policy: {{ kube_api.cert.client_signing_policy }}
+ - client_cert_info:
+ CN: "kubernetes-super-admin"
+ O: "system:masters"
+ - apiserver: {{ apiserver }}
+ - cluster: {{ kubernetes.cluster }}
+ - days_valid: {{
+ certificates.kubeconfig.files["super-admin"].days_valid |
+ default(certificates.kubeconfig.days_valid) }}
+ - days_remaining: {{
+ certificates.kubeconfig.files["super-admin"].days_remaining |
+ default(certificates.kubeconfig.days_remaining) }}
+ - require:
+ - metalk8s_package_manager: Install m2crypto
+
 Create kubeconfig file for admin:
 metalk8s_kubeconfig.managed:
 - name: {{ certificates.kubeconfig.files.admin.path }}
@@ -20,7 +39,7 @@ Create kubeconfig file for admin:
 - signing_policy: {{ kube_api.cert.client_signing_policy }}
 - client_cert_info:
 CN: "kubernetes-admin"
- O: "system:masters"
+ O: "kubeadm:cluster-admins"
 - apiserver: {{ apiserver }}
 - cluster: {{ kubernetes.cluster }}
 - days_valid: {{
diff --git a/salt/tests/unit/formulas/config.yaml b/salt/tests/unit/formulas/config.yaml
index a553114029..58839a3cff 100644
--- a/salt/tests/unit/formulas/config.yaml
+++ b/salt/tests/unit/formulas/config.yaml
@@ -531,6 +531,7 @@ metalk8s:
 # Client
 - /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt
 # Kubeconfig
+ - /etc/kubernetes/super-admin.conf
 - /etc/kubernetes/admin.conf
 # Server
 - /etc/kubernetes/pki/apiserver.crt
diff --git a/salt/tests/unit/formulas/data/base_pillar.yaml b/salt/tests/unit/formulas/data/base_pillar.yaml
index 67afe6360c..1e402c9a6b 100644
--- a/salt/tests/unit/formulas/data/base_pillar.yaml
+++ b/salt/tests/unit/formulas/data/base_pillar.yaml
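Review bot: The new `Create kubeconfig file for super-admin` state issues a client certificate in `system:masters`, a group the API server authorizes without consulting RBAC, but states no ownership or mode for `/etc/kubernetes/super-admin.conf`; unless `metalk8s_kubeconfig.managed` already defaults to a root-only, owner-readable file (not visible here), that should be made explicit, since this is the break-glass credential that survives any RBAC mistake. The state also carries nothing that distinguishes it from the admin kubeconfig just below, which the second hunk demotes to `kubeadm:cluster-admins`, so a short Jinja comment above it would document the split, e.g. `{#- super-admin.conf: emergency credential in system:masters (bypasses RBAC), not for day-to-day use; admin.conf now relies on the kubeadm:cluster-admin ClusterRoleBinding #}`. The admin state continues past the end of this hunk.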
@@ -144,6 +144,8 @@ certificates:
 watched: true
 kubeconfig:
 files:
+ super-admin:
+ watched: true
 admin:
 watched: true
 controller-manager: