What access can I give to kubernetes admin users, instead of root?

There is one team in our organization who is managing kubernetes cluster and setup. We deployed Linux VM (on VMWare) and gave them root credentials in past and now they are running all services and everything via root user privilege. Now as per security folks, ALL servers should be able to authenticate via AD credentials, which means nobody should be able to login as root directly, but they should login as their own AD account/credential and run required sudo commands. Whatever access that user needs, we can add those commands in group.
My question is, how will I restrict them to not use root? Since everything is setup and running by root account, is it possible to restrict this account now?
What commands they should run as root, which I can add on AD side?