Confirming this is reproducible for the mentioned users. I was able to run scap backport without incident.

I'm guessing something like a missing group for sudo, although nothing here stands out to me as obvious:

21:38:13 brennen@deploy1002 ~ $ groups cjming
cjming : wikidev deployment
21:41:12 brennen@deploy1002 ~ $ groups brennen
brennen : wikidev deployment deploy-phabricator gerrit-deployers zuul-deployers contint-admins deployment-ci-admins

I'll poke around a bit.

The sudoer rule allowing 'ALL = (mwbuilder) NOPASSWD: /usr/local/bin/update-mediawiki-tools-release' is attached to the deployment-ci-admins group in ops/puppet.git:modules/admin/data/data.yaml.

Yep, that sure seems like it'd do it.

@jnuche I'm guessing this is a side effect of rOPUP77bcab706ae7: scap.cfg: enable image building in production cluster?

From #wikimedia-releng:

<bd808> that script looks pretty boring -- https://gerrit.wikimedia.org/g/operations/puppet/+/bb46a57262c553cf5822fd7bd06bffd9252d2399/modules/profile/manifests/kubernetes/deployment_server/mediawiki/builder.pp#34 -- so I'd guess the sudoers rule can be attached to the deployers group without a lot of controversy

Seems reasonable...

Change 860121 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[operations/puppet@production] sudo: add update-mediawiki-tools release to deployers

https://gerrit.wikimedia.org/r/860121

Change 860121 merged by Giuseppe Lavagetto:

[operations/puppet@production] k8s builder: allow deployers to sudo update-mediawiki-tools-release

https://gerrit.wikimedia.org/r/860121