diff --git a/vcluster/oidc-cluster-admin.yaml b/vcluster/oidc-cluster-admin.yaml
new file mode 100644
index 00000000..41c72412
--- /dev/null
+++ b/vcluster/oidc-cluster-admin.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: oidc-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: Group
+ name: eb17a659-4ce6-41bc-9153-d9b117c44479
+
diff --git a/vcluster/update-argo-cluster-connection-token.sh b/vcluster/update-argo-cluster-connection-token.sh
new file mode 100755
index 00000000..9d6a4efb
--- /dev/null
+++ b/vcluster/update-argo-cluster-connection-token.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+
+if [ ! $# -ge 1 ]; then
+ echo "usage: $0 cluster [helm args]"
+ exit 1
+fi
+
+if [ ! -d chart ]; then
+ echo "error: must be run from toplevel directory"
+ exit 1
+fi
+
+k='kubectl --context oceanbox'
+
+name=$1
+cluster=$name-vcluster
+shift
+
+token=$(kubectl get secret --context $cluster -n kube-system admin-token -o json | jq .data.token | tr -d '"')
+config=$(echo "{\"bearerToken\": \"$token\", \"tlsClientConfig\": { \"insecure\" : true }}" | base64 -w0)
+$k patch -n argocd secret cluster-$cluster -p "{\"data\":{\"config\":\"$config\"}}"
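Review bot: In `vcluster/oidc-cluster-admin.yaml` the binding's only subject is the bare GUID `eb17a659-4ce6-41bc-9153-d9b117c44479`, and nothing in the manifest says which identity-provider group that is or who controls its membership, yet every member receives `cluster-admin`. Add a comment above `subjects:` along the lines of `# <IdP name> group "<group display name>", owned by <team>; membership grants cluster-admin` so the grant can be audited. The match also depends on how the API server maps the OIDC groups claim: if a groups prefix is configured, the name here must include it, and if none is configured, confirm that no other authenticator can assert a group with this name. If not every member needs full admin, binding a narrower ClusterRole would limit the impact of a compromised account.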
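Review bot: In `vcluster/update-argo-cluster-connection-token.sh` the config built on the last two lines sets `tlsClientConfig.insecure` to true, so Argo CD presents the bearer token to the vcluster API server without verifying its certificate; judging by the secret name `admin-token`, that credential carries admin rights, and an interception on that path would expose it. Prefer pinning the CA, e.g. `\"tlsClientConfig\": {\"insecure\": false, \"caData\": \"$ca\"}` with `ca` read from the same Secret (service-account token Secrets normally carry a `ca.crt` key; confirm that `admin-token` does). The script also lacks `set -euo pipefail`, so a failed `kubectl get` or a missing key leaves `$token` empty or `null` and the patch still overwrites the Argo CD cluster secret; add it after the shebang and use `jq -er .data.token` in place of `jq .data.token | tr -d '"'`. Separately, the patch body containing the token is passed via `-p` on the kubectl command line, where it is visible in the process list; `--patch-file` reading from a file or stdin avoids that, and `$cluster` should be quoted where it is expanded.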