diff --git a/roles/openshift/cluster/tasks/main.yaml b/roles/openshift/cluster/tasks/main.yaml
index 867607dd9c..bcfd8471ba 100644
--- a/roles/openshift/cluster/tasks/main.yaml
+++ b/roles/openshift/cluster/tasks/main.yaml
@@ -15,7 +15,7 @@
 ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "{{ cluster_filepath }}/{{ item }}"
- mode: "0770"
+ mode: "0640"
 with_items:
 - sysadmin-openshift-group.yml
 - sysadmin-openshift-rolebinding.yml
diff --git a/roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2 b/roles/openshift/cluster/templates/webhooks-clusterrolebinding.yml.j2
similarity index 95%
rename from roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2
rename to roles/openshift/cluster/templates/webhooks-clusterrolebinding.yml.j2
index 7e5f29380c..8c6b146af6 100644
--- a/roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2
+++ b/roles/openshift/cluster/templates/webhooks-clusterrolebinding.yml.j2
@@ -1,7 +1,7 @@
 ---
 # Allow unauthenticated webhooks to kick off builds
 # https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/builds_using_buildconfig/triggering-builds-build-hooks
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: webhook-access-unauthenticated
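Review bot: The `with_items` list that feeds `src: "{{ item }}.j2"` continues past the end of this hunk, and this commit renames `webhooks-rolebinding.yml.j2` to `webhooks-clusterrolebinding.yml.j2` with no visible change to any list entry. If the list, or another task, still names `webhooks-rolebinding.yml`, the template lookup will fail; the entry would need to become `- webhooks-clusterrolebinding.yml`. A previously rendered `webhooks-rolebinding.yml` would also stay in `{{ cluster_filepath }}` with the old `0770` mode unless something removes it, so a cleanup task with `state: absent` for the old name is worth adding.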
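Review bot: Changing `kind` to `ClusterRoleBinding` makes whatever this binding grants apply in every namespace, and the header comment and the name `webhook-access-unauthenticated` indicate that the subject is unauthenticated callers. The `subjects` and `roleRef` are outside the hunk, so please confirm that the bound role is limited to webhook triggering. Please also confirm that cluster-wide scope is intended, rather than a namespaced `RoleBinding` in only the projects that use build webhooks. If it is intended, the header should say so, e.g. `# Cluster-wide: unauthenticated webhook triggers are allowed in every namespace`. Any `namespace:` under `metadata` (not visible here) no longer applies to a cluster-scoped object and should be removed.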