viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

docs: dashboard SA cluster-read tightened to namespace-list + nodes only [ci skip]

Browse source 
Reflect the dashboard-nav-readonly ClusterRole: namespace-owners can list
namespaces/nodes (for dashboard nav) but not read other tenants' resources.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-04 12:22:35 +00:00
parent 7114824c06
commit 8f13fdeaf7
4 changed files with 7 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
docs/architecture/multi-tenancy.md
View file

@ -177,7 +177,8 @@ Namespace-owners just log into `https://k8s.viktorbarzin.me` with their Authenti
account and land straight in the dashboard scoped to their namespace — **no token
to paste**. A token-injector (`stacks/k8s-dashboard/dashboard_injector.tf`) maps
their Authentik identity (`X-authentik-username`) to their `dashboard-<user>` SA
token (`admin` on their namespace + cluster read-only) and injects it as
token (`admin` on their namespace + read-only on the namespace list & nodes
only — they can't read other tenants' resources) and injects it as
`Authorization: Bearer`. Forward-auth admits the `kubernetes-*` groups for this
host (`stacks/authentik/admin-services-restriction.tf`).