diff --git a/Cargo.lock b/Cargo.lock
index 295482fd..f1d5f49c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -973,6 +973,12 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -3800,6 +3806,7 @@ dependencies = [
  "clevis-pin-trustee-lib",
  "compute-pcrs-lib",
  "env_logger",
+ "fs_extra",
  "http 1.4.0",
  "ignition-config",
  "k8s-openapi",
diff --git a/test_utils/Cargo.toml b/test_utils/Cargo.toml
index 8aaf4164..82913e09 100644
--- a/test_utils/Cargo.toml
+++ b/test_utils/Cargo.toml
@@ -31,3 +31,4 @@ tokio = { workspace = true, features = ["process"] }
 tower = { version = "0.5.2", features = ["full"] }
 uuid.workspace = true
 which = "8.0"
+fs_extra = "1.3.0"
diff --git a/test_utils/src/lib.rs b/test_utils/src/lib.rs
index 60bd4d87..91c4107a 100644
--- a/test_utils/src/lib.rs
+++ b/test_utils/src/lib.rs
@@ -2,6 +2,7 @@
 //
 // SPDX-License-Identifier: MIT
 
+use fs_extra::dir;
 use k8s_openapi::api::apps::v1::Deployment;
 use k8s_openapi::api::core::v1::{ConfigMap, Namespace};
 use kube::api::DeleteParams;
@@ -260,9 +261,11 @@ impl TestContext {
         );
 
         let crd_temp_dir = Path::new(&self.manifests_dir).join("crd");
+        let rbac_dir = workspace_root.join("config/rbac/");
+        let options = dir::CopyOptions::new();
+        dir::copy(rbac_dir, &self.manifests_dir, &options)?;
         let rbac_temp_dir = Path::new(&self.manifests_dir).join("rbac");
         std::fs::create_dir_all(&crd_temp_dir)?;
-        std::fs::create_dir_all(&rbac_temp_dir)?;
 
         let crd_temp_dir_str = crd_temp_dir
             .to_str()
@@ -300,7 +303,8 @@ impl TestContext {
                 trusted_cluster_gen_path.display()
             ));
         }
-
+        let repo = std::env::var("REGISTRY").unwrap_or_else(|_| "localhost:5000".to_string());
+        let tag = std::env::var("TAG").unwrap_or_else(|_| "latest".to_string());
         let manifest_gen_output = Command::new(&trusted_cluster_gen_path)
             .args([
                 "-namespace",
@@ -308,21 +312,20 @@ impl TestContext {
                 "-output-dir",
                 &self.manifests_dir,
                 "-image",
-                "localhost:5000/trusted-execution-clusters/trusted-cluster-operator:latest",
+                &format!("{repo}/trusted-cluster-operator:{tag}"),
                 "-pcrs-compute-image",
-                "localhost:5000/trusted-execution-clusters/compute-pcrs:latest",
+                &format!("{repo}/compute-pcrs:{tag}"),
                 "-trustee-image",
                 "quay.io/trusted-execution-clusters/key-broker-service:20260106",
                 "-register-server-image",
-                "localhost:5000/trusted-execution-clusters/registration-server:latest",
+                &format!("{repo}/registration-server:{tag}"),
                 "-attestation-key-register-image",
-                "localhost:5000/trusted-execution-clusters/attestation-key-register:latest",
+                &format!("{repo}/attestation-key-register:{tag}"),
                 "-approved-image",
                 "quay.io/trusted-execution-clusters/fedora-coreos@sha256:79a0657399e6c67c7c95b8a09193d18e5675b5aa3cfb4d75ea5c8d4d53b2af74"
             ])
             .output()
             .await?;
-
         if !manifest_gen_output.status.success() {
             let stderr = String::from_utf8_lossy(&manifest_gen_output.stderr);
             return Err(anyhow::anyhow!("Failed to generate manifests: {stderr}"));
@@ -395,25 +398,27 @@ impl TestContext {
         std::fs::write(&le_rb_dst, le_rb_content)?;
 
         test_info!(&self.test_name, "Preparing RBAC kustomization");
-        let kustomization_content = format!(
-            r#"# SPDX-FileCopyrightText: Generated for testing
-# SPDX-License-Identifier: CC0-1.0
-
-namespace: {}
-
-resources:
-  - service_account.yaml
-  - role.yaml
-  - role_binding.yaml
-  - leader_election_role.yaml
-  - leader_election_role_binding.yaml
-"#,
-            ns
-        );
-
+        let platform = std::env::var("PLATFORM").unwrap_or_else(|_| "kind".to_string());
+        let kustomization_src = workspace_root.join("config/rbac/kustomization.yaml.in");
+        let kustomization_content = std::fs::read_to_string(&kustomization_src)?
+            .replace("namespace: NAMESPACE", &format!("namespace: {}", ns))
+            .replace(
+                "resources:",
+                if platform == "openshift" {
+                    "resources:\n  - scc.yaml"
+                } else {
+                    "resources:"
+                },
+            );
         let temp_kustomization_path = rbac_temp_dir.join("kustomization.yaml");
         std::fs::write(&temp_kustomization_path, kustomization_content)?;
 
+        let scc_openshift_rb_src = workspace_root.join("config/openshift/scc.yaml");
+        let scc_openshift_rb_content =
+            std::fs::read_to_string(&scc_openshift_rb_src)?.replace("<NAMESPACE>", &ns);
+        let scc_openshift_rb_dst = rbac_temp_dir.join("scc.yaml");
+        std::fs::write(&scc_openshift_rb_dst, scc_openshift_rb_content)?;
+
         kube_apply!(
             rbac_temp_dir_str,
             &self.test_name,
@@ -436,7 +441,9 @@ resources:
             &self.test_name,
             "Updating CR manifest with publicTrusteeAddr"
         );
-        let trustee_addr = format!("kbs-service.{}.svc.cluster.local:8080", ns);
+        let cluster_url =
+            std::env::var("CLUSTER_URL").unwrap_or_else(|_| "svc.cluster.local".to_string());
+        let trustee_addr = format!("kbs-service.{}.{}:8080", ns, cluster_url);
         let cr_manifest_path = manifests_path.join("trusted_execution_cluster_cr.yaml");
 
         let cr_content = std::fs::read_to_string(&cr_manifest_path)?;