diff --git a/chart/templates/role-app-subagents.yaml b/chart/templates/role-app-subagents.yaml
new file mode 100644
index 0000000..afec15e
--- /dev/null
+++ b/chart/templates/role-app-subagents.yaml
@@ -0,0 +1,27 @@
+{{- $openopsEnv := .Values.openopsEnv | default dict }}
+{{- if and (eq (toString (get $openopsEnv "OPS_SUBAGENTS_ENABLED")) "true") (eq (default "k8s" (get $openopsEnv "OPS_SUBAGENT_EXECUTOR_TYPE")) "k8s") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "openops.fullname" . }}-subagent-manager
+ namespace: {{ .Values.subagents.namespace | default .Release.Namespace }}
+ labels:
+ {{- include "openops.componentLabels" (dict "root" . "component" "app") | nindent 4 }}
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.global.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "get", "list", "delete"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
+{{- end }}
diff --git a/chart/templates/rolebinding-app-subagents.yaml b/chart/templates/rolebinding-app-subagents.yaml
new file mode 100644
index 0000000..fa8559e
--- /dev/null
+++ b/chart/templates/rolebinding-app-subagents.yaml
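Review bot: The `create` verb on `batch/jobs` in the `rules:` block lets the app service account start pods with an arbitrary spec in the target namespace, and `subagents.namespace` falls back to `.Release.Namespace`, so by default those Jobs can reference the Secrets and service accounts that sit beside the app. I would document a dedicated namespace as the recommended setting and put a comment above the rule, e.g. `# create on jobs == run arbitrary pods here; keep this namespace free of app secrets`. The `if and (...)` guard on the second line is repeated verbatim in rolebinding-app-subagents.yaml; a single named template would keep the Role and its binding from drifting apart.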
@@ -0,0 +1,25 @@
+{{- $openopsEnv := .Values.openopsEnv | default dict }}
+{{- if and (eq (toString (get $openopsEnv "OPS_SUBAGENTS_ENABLED")) "true") (eq (default "k8s" (get $openopsEnv "OPS_SUBAGENT_EXECUTOR_TYPE")) "k8s") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "openops.fullname" . }}-subagent-manager
+ namespace: {{ .Values.subagents.namespace | default .Release.Namespace }}
+ labels:
+ {{- include "openops.componentLabels" (dict "root" . "component" "app") | nindent 4 }}
+ {{- with .Values.global.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.global.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "openops.fullname" . }}-subagent-manager
+subjects:
+- kind: ServiceAccount
+ name: {{ include "openops.serviceAccountName" (dict "root" . "component" "app") }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index a35c69f..3c6fa95 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -143,6 +143,15 @@ openopsEnv: OPS_CODE_BLOCK_MEMORY_LIMIT_IN_MB: "256" OPS_SLACK_ENABLE_INTERACTIONS: "true"
+ # Subagent configuration
+ OPS_SUBAGENTS_ENABLED: "false"
+ OPS_SUBAGENT_EXECUTOR_TYPE: "k8s"
+ OPS_SUBAGENT_K8S_NAMESPACE: '{{ .Values.subagents.namespace | default .Release.Namespace }}'
+ OPS_SUBAGENT_S3_BUCKET: ""
+ OPS_SUBAGENT_S3_REGION: ""
+ OPS_SUBAGENT_S3_ENDPOINT: ""
+ OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:0fdbc6b1"
+ # Secret environment variables # Any var in this section is treated as a secret (stored in K8s Secret, referenced via secretKeyRef). # Generate secure values with: openssl rand -hex 16
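Review bot: The subject under `subjects:` is whatever `openops.serviceAccountName` returns for the `app` component, and that helper is not visible in this diff. If it can resolve to the namespace's `default` service account, every pod in the release namespace that does not set its own account would pick up the Job-creation rights, so consider failing the render in that case or documenting that subagents need a dedicated app service account. The binding is created in `subagents.namespace` while the subject stays in `.Release.Namespace`; that cross-namespace grant is easy to miss and deserves a comment such as `# RoleBinding lives in the subagent namespace; subject is the app SA in the release namespace`.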
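Review bot: `OPS_SUBAGENT_RUNNER_IMAGE` defaults to a tag (`:0fdbc6b1`) rather than a digest, so the image that subagent Jobs run can change without the chart changing. Pin it as `.../openops/subagent-runner@sha256:<digest-placeholder>`, or ship the default empty and require the operator to set it. The default also points at a private ECR registry, which will not pull for installs that lack credentials for that account. Separately, `OPS_SUBAGENT_K8S_NAMESPACE` holds a template expression inside single quotes; that only yields a namespace name if the chart passes `openopsEnv` values through `tpl`, which is not shown here, so please confirm the rendered value is not the literal string.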
@@ -629,3 +638,8 @@ externalSecrets:
 create: false
 name: external-secrets-sa
 annotations: {}
+
+# Subagent configuration
+subagents:
+ # Namespace where subagent pods run (defaults to same namespace as app)
+ namespace: ""
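Review bot: The comment above `namespace: ""` does not mention that the chart creates the subagent Role and RoleBinding in that namespace, or whether the namespace has to exist beforehand. This diff adds no Namespace object, so a name that does not exist would presumably fail at install time. Suggested wording: `# Namespace for subagent Jobs/pods; the subagent Role and RoleBinding are created here. Must already exist. Empty = release namespace.`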