Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Because cephadm must always be able to ‘chmod +x’ and read/write to files as root, modifying the sudoers file will inconvenience attackers but not provide a lot of security benefit.

Instead, for those who are more concerned about the cephadm user's level of privilege than the benefits of cephadm on the overcloud, the OpenStack team will provide two playbooks which do the following:

disable_cephadm.yml
- ceph orch pause
- ceph mgr module disable cephadm
- rm /home/ceph-admin/.ssh/* on every overcloud node

re_enable_cephadm.yml
- scp undercloud:/home/stack/.ssh/ceph-admin-id_rsa{,.pub} to overcloud nodes as needed
- ceph mgr module enable cephadm
- ceph orch unpause

Note that /home/stack/.ssh/ceph-admin-id_rsa{,.pub}, which was created on the undercloud during the initial deployment, was never removed but it becomes just as safe as the tripleo-admin key when the undercloud is shut down.

These playbooks will not run by default, but are available for those who want them. Customers must accept that the Ceph workload will continue to run but that no changes can be made to the ceph cluster configuration (e.g. adding OSDs) until enable_cephadm.yml is run. Also you lose all cephadm benefits, e.g. no health warnings if a daemon fails.

No changes required from Ceph org as they already have a procedure* to disable cephadm.

* https://docs.ceph.com/en/latest/cephadm/troubleshooting/#pausing-or-disabling-cephadm
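The two playbooks sketched in the comment above, written out as an added illustration; this is not the OpenStack team's actual playbook code. It assumes the plays run from the undercloud as the Ansible controller, that the inventory has an `overcloud` group and a `ceph_mon` group whose first member carries an admin keyring (both group names are hypothetical), that the ceph CLI is reached through `cephadm shell --` on that node, and that the key pair is installed on overcloud nodes as `id_rsa`/`id_rsa.pub` (the destination name is an assumption). Because the disable step removes everything under `/home/ceph-admin/.ssh/`, including `authorized_keys`, the re-enable play also re-authorizes the public key; the comment only says "scp ... as needed", so that task is an inference.

```yaml
# disable_cephadm.yml (added example; host group names are hypothetical)
- name: Pause the orchestrator and disable the cephadm mgr module
  hosts: ceph_mon[0]          # assumption: first mon has an admin keyring
  become: true
  tasks:
    - name: ceph orch pause
      ansible.builtin.command: cephadm shell -- ceph orch pause
      changed_when: true
    - name: ceph mgr module disable cephadm
      ansible.builtin.command: cephadm shell -- ceph mgr module disable cephadm
      changed_when: true

- name: Remove the ceph-admin SSH material from every overcloud node
  hosts: overcloud
  become: true
  tasks:
    - name: Find everything under /home/ceph-admin/.ssh (equivalent of rm .ssh/*)
      ansible.builtin.find:
        paths: /home/ceph-admin/.ssh
        hidden: true
        file_type: any
      register: ssh_files
    - name: Delete each entry (keys and authorized_keys alike)
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ ssh_files.files }}"
      loop_control:
        label: "{{ item.path }}"

# re_enable_cephadm.yml (added example; same assumptions as above)
- name: Restore the ceph-admin key on overcloud nodes as needed
  hosts: overcloud
  become: true
  vars:
    # Key pair created on the undercloud during the initial deployment (path from the comment)
    undercloud_key: /home/stack/.ssh/ceph-admin-id_rsa
  tasks:
    - name: Ensure the .ssh directory exists with safe permissions
      ansible.builtin.file:
        path: /home/ceph-admin/.ssh
        state: directory
        owner: ceph-admin
        group: ceph-admin
        mode: '0700'
    - name: Copy the key pair from the undercloud (copy is idempotent, so "as needed" holds)
      ansible.builtin.copy:
        src: "{{ undercloud_key }}{{ item.suffix }}"
        dest: "/home/ceph-admin/.ssh/id_rsa{{ item.suffix }}"   # assumption: dest name
        owner: ceph-admin
        group: ceph-admin
        mode: "{{ item.mode }}"
      loop:
        - { suffix: '', mode: '0600' }
        - { suffix: '.pub', mode: '0644' }
    - name: Re-authorize the public key (inferred: authorized_keys was removed by the disable play)
      ansible.posix.authorized_key:
        user: ceph-admin
        state: present
        key: "{{ lookup('file', undercloud_key ~ '.pub') }}"

- name: Re-enable the cephadm mgr module and unpause the orchestrator
  hosts: ceph_mon[0]
  become: true
  tasks:
    - name: ceph mgr module enable cephadm
      ansible.builtin.command: cephadm shell -- ceph mgr module enable cephadm
      changed_when: true
    - name: ceph orch unpause
      ansible.builtin.command: cephadm shell -- ceph orch unpause
      changed_when: true
```

Run each file with `ansible-playbook -i <inventory> disable_cephadm.yml` (or the re-enable one) from the undercloud. After the disable play, `cephadm shell -- ceph orch status` on the mon should report the orchestrator as paused and the mgr module as disabled, which is the state the comment describes: the Ceph workload keeps running, but no orchestrator-driven change (adding OSDs, daemon health warnings) happens until the re-enable play restores the key and unpauses.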