diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index fbdc09ca59..fb0cdf8f0e 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -29,3 +29,11 @@
 when: env == 'staging'
 tags:
 - ipa/client
+
+- name: Configure sudo on IPA cluster
+ delegate_to: "{{ ipa_server }}"
+ import_tasks: sudo.yml
+ # don't muck with prod for now
+ when: env == 'staging'
+ tags:
+ - ipa/client
diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml
new file mode 100644
index 0000000000..e0847631fa
--- /dev/null
+++ b/roles/ipa/client/tasks/sudo.yml
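Review bot: The `when: env == 'staging'` gate under `# don't muck with prod for now` only decides which inventory host triggers the import; it does not confine what the imported rules change. The imported `group/sysadmin-main` rule in sudo.yml is created with `hostcategory: all`, so if staging and prod clients are enrolled in the same IPA realm behind `{{ ipa_server }}`, running this from a staging host grants that group sudo on every enrolled host, prod included. If that is not intended, either scope that rule with `host:`/`hostgroup:` instead of `hostcategory: all`, or reword the comment to say what the gate actually protects. Keywords on a static `import_tasks` are presumably applied to each imported task, so `delegate_to` and the gate repeat on all four tasks in sudo.yml; a comment such as `# delegate_to/when apply to every task in sudo.yml (static import)` would make that explicit.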
@@ -0,0 +1,52 @@
+- name: Check that configured sudo groups exist
+ command: "ipa group-show --no-members {{ item }}"
+ changed_when: False
+ loop: "{{ (ipa_client_sudo_groups | default([])) + (ipa_client_sudo_nopasswd_groups | default([])) | list }}"
+ tags:
+ - config
+
+- name: "Give members of `sysadmin-main` sudo access to anything, anywhere"
+ ipasudorule:
+ name: "group/sysadmin-main"
+ description: "Allow members of `sysadmin-main` to use sudo to do anything, anywhere"
+ ipaadmin_password: "{{ ipa_admin_password }}"
+ state: present
+ cmdcategory: "all"
+ hostcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ group:
+ - sysadmin-main
+ tags:
+ - config
+
+- name: "Give certain groups sudo access to anything on {{ ansible_fqdn }}"
+ ipasudorule:
+ name: "host/{{ ansible_fqdn }}"
+ description: "Allow members of groups sudo access to anything on {{ ansible_fqdn }}"
+ ipaadmin_password: "{{ ipa_admin_password }}"
+ state: present
+ group: "{{ ipa_client_sudo_groups | list }}"
+ host: "{{ ansible_fqdn }}"
+ cmdcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ when: ipa_client_sudo_groups is defined and ipa_client_sudo_groups | length > 0
+ tags:
+ - config
+
+- name: "Give certain groups password-less sudo access to anything on {{ ansible_fqdn }}"
+ ipasudorule:
+ name: "host/{{ ansible_fqdn }}/nopasswd"
+ description: "Allow members of groups password-less sudo access to anything on {{ ansible_fqdn }}"
+ ipaadmin_password: "{{ ipa_admin_password }}"
+ state: present
+ group: "{{ ipa_client_sudo_groups_nopasswd | list }}"
+ host: "{{ ansible_fqdn }}"
+ cmdcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ options: "!authenticate"
+ when: ipa_client_sudo_groups_nopasswd is defined and ipa_client_sudo_groups_nopasswd | length > 0
+ tags:
+ - config
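Review bot: The existence check in the first task loops over `ipa_client_sudo_nopasswd_groups`, but the password-less rule at the end of the hunk reads `ipa_client_sudo_groups_nopasswd`, so the groups that receive `!authenticate` root access are exactly the ones the check never validates (it sees the `default([])` and skips). Change the loop to `loop: "{{ (ipa_client_sudo_groups | default([])) + (ipa_client_sudo_groups_nopasswd | default([])) | list }}"` or rename the variable in the last task so both rules use the same name. The check also runs the `ipa` CLI with no credential, unlike the `ipasudorule` tasks that pass `ipaadmin_password`, so it presumably relies on an existing admin Kerberos ticket on the delegate host; a comment such as `# needs a valid admin ticket on the IPA server; ipasudorule authenticates itself` would prevent a confusing failure. Because the rules use `state: present` without `action: member`, confirm whether a group removed from the variable is also removed from the existing rule by your module version — stale entries here mean lingering password-less sudo. Minor: `changed_when: False` should be `changed_when: false` for yamllint's truthy rule.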