diff --git a/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
new file mode 100644
index 00000000..66943b35
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-infra/clusterrolebindings/nerc-ops-portforward.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nerc-ops-portforward
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: allow-portforward-all
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: nerc-ops
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
index 1a35fb7c..c4ebf9c7 100644
--- a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - groupsyncs/github-ocp-on-nerc.yaml
 - clusterrolebindings/nerc-ops-cluster-reader.yaml
 - clusterrolebindings/nerc-ops-sudoers.yaml
+- clusterrolebindings/nerc-ops-portforward.yaml
 
 patches:
 - path: oauths/cluster_patch.yaml