diff --git a/bundles/telegraf/files/sudoers b/bundles/telegraf/files/sudoers
new file mode 100644
index 0000000..34adf1e
--- /dev/null
+++ b/bundles/telegraf/files/sudoers
@@ -0,0 +1,3 @@
+% for command in sorted(node.metadata.get('telegraf/sudo_commands', set())):
+telegraf ALL=(ALL) NOPASSWD:${command}
+% endfor
diff --git a/bundles/telegraf/items.py b/bundles/telegraf/items.py
index 5cb8388..c987088 100644
--- a/bundles/telegraf/items.py
+++ b/bundles/telegraf/items.py
@@ -73,6 +73,10 @@ files = {
             'svc_systemd:telegraf:restart',
         },
     },
+    '/etc/sudoers.d/telegraf': {
+        'source': 'sudoers',
+        'content_type': 'mako',
+    },
 }
 
 svc_systemd = {