chrome-service: grant emo shared browser access (noVNC + homelab browser CLI)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Viktor asked to give emo access to the cluster's headed Chrome so he can fill in forms and get past anti-bot / captcha pages. emo was deliberately locked out of chrome-service (noVNC Authentik allowlist was Viktor-only + his power-user RBAC has no pods/portforward). Viktor's explicit decision: SHARE his existing browser rather than stand up an isolated per-user instance, accepting that emo can therefore reach Viktor's warmed logged-in sessions (CDP has no per-context auth, so the single shared persistent profile is reachable by anyone who can drive the browser). emo's CLI use is hands-off (his agent can run it unattended). - authentik: add emo (emil.barzin / emil.barzin@gmail.com) to CHROME_ALLOWED so the admin-services-restriction policy admits him to chrome.viktorbarzin.me (noVNC). Reverses the prior Viktor-only lock; comment updated to record why. - chrome-service/rbac.tf (new): emo-browser ServiceAccount + long-lived token (dashboard-sa.tf pattern), a chrome-service-portforward Role granting pods/portforward, and a cluster read-only binding (oidc-power-user-readonly) so the SA can resolve the Service and emo's normal read access doesn't regress. - t3-provision-users.sh: install_browser_kubeconfig installs a dual-context kubeconfig for any user with a <user>-browser SA — SA token as the default context (non-interactive, works headless), personal OIDC retained as the oidc@homelab named context. emo's OIDC-only kubeconfig can't authenticate the headless agent session that homelab browser needs. - docs/architecture/chrome-service.md: document the shared-browser multi-user access model, the session-exposure trade-off, and how to grant/revoke a user. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
50077b43d4
commit
2e50c1235c
4 changed files with 214 additions and 8 deletions
|
|
@ -49,14 +49,15 @@ resource "authentik_policy_expression" "admin_services_restriction" {
|
|||
|
||||
host = request.context.get("host", "")
|
||||
|
||||
# chrome-service noVNC (chrome.viktorbarzin.me) exposes Viktor's LIVE
|
||||
# logged-in browser sessions, so lock it to Viktor's own accounts ONLY.
|
||||
# "Home Server Admins" is NOT sufficient — emo (emil.barzin@gmail.com) is a
|
||||
# member. akadmin kept as break-glass. The homelab-browser CDP path is
|
||||
# already RBAC-gated (emo = oidc-power-user-readonly, no pods/portforward),
|
||||
# so this closes the only remaining, human, noVNC path. Match username OR
|
||||
# email so neither attribute alone can lock Viktor out.
|
||||
CHROME_ALLOWED = {"akadmin", "akadmin@viktorbarzin.me", "vbarzin@gmail.com"}
|
||||
# chrome-service noVNC (chrome.viktorbarzin.me) exposes LIVE logged-in browser
|
||||
# sessions from the SHARED persistent profile. Originally Viktor-only.
|
||||
# 2026-06-28 (Viktor's explicit decision): emo SHARES Viktor's browser, so emo
|
||||
# (emil.barzin / emil.barzin@gmail.com) is allowed in for noVNC form-filling +
|
||||
# captcha solving. Trade-off accepted: emo can therefore reach Viktor's warmed
|
||||
# sessions (the CLI half is the emo-browser ServiceAccount in
|
||||
# stacks/chrome-service/rbac.tf). akadmin kept as break-glass. Match username OR
|
||||
# email so neither attribute alone can lock anyone out.
|
||||
CHROME_ALLOWED = {"akadmin", "akadmin@viktorbarzin.me", "vbarzin@gmail.com", "emil.barzin", "emil.barzin@gmail.com"}
|
||||
if host == "chrome.viktorbarzin.me":
|
||||
return request.user.username in CHROME_ALLOWED or request.user.email in CHROME_ALLOWED
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue