From 9858a1c44b4b81f80c2e36dddd861f1e47eeacaf Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Thu, 4 Jun 2026 15:03:23 +0000 Subject: [PATCH] docs(add-user): document dashboard auto-login home-ns scope + foreign-namespace exception [ci skip] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Auto-login covers a user's k8s_users home namespace only (dashboard SA bound there). For workloads in a separate/pre-existing namespace (gheorghe→novelapp), that namespace must also grant the dashboard SA, not just the OIDC User. Best practice: set k8s_users namespace = where the workload runs. Co-Authored-By: Claude Opus 4.8 --- .claude/skills/add-user/SKILL.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.claude/skills/add-user/SKILL.md b/.claude/skills/add-user/SKILL.md index e88859af..f8025ea8 100644 --- a/.claude/skills/add-user/SKILL.md +++ b/.claude/skills/add-user/SKILL.md 
@@ -192,6 +192,18 @@ read-only on the namespace list & nodes for nav — no cross-tenant resource rea > Seamless OIDC SSO is built but blocked — see > `docs/plans/2026-06-04-k8s-dashboard-sso-design.md` §12. +> **Auto-login works only for the user's `k8s_users` HOME namespace.** The +> dashboard injects the user's `dashboard-` SA token, which the `rbac` +> stack binds to `admin` on their home namespace only. If their workload lives +> in a DIFFERENT / pre-existing namespace (e.g. gheorghe's app is in `novelapp`, +> not his home `vabbit81`), that namespace's stack must ALSO grant their +> **dashboard SA** — `kind: ServiceAccount, name: dashboard-, namespace: +> ` — not just their OIDC `User` email (the dashboard uses the SA, and +> apiserver OIDC is blocked). See `stacks/novelapp/main.tf` `novelapp_owner_vabbit81` +> for the pattern (two subjects: User + SA). Best practice: set the user's +> `k8s_users` namespace to where their workload actually runs, so the home-ns +> auto-path covers them with no extra binding. + The user can decrypt their stack's state with: ```bash vault login -method=oidc # authenticates via Authentik SSO
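Review bot: the ServiceAccount reference in the new callout is incomplete as rendered: `name: dashboard-, namespace:` ends with nothing after `dashboard-` and after `namespace:`, so a reader cannot tell what the per-user parts of the SA name and namespace are (the same `dashboard-` SA appears truncated earlier in the callout). If the source used angle-bracket placeholders, markdown swallowed them; write the template inside a code span, e.g. `kind: ServiceAccount, name: dashboard-<user>, namespace: <home-ns>`, so it survives rendering. Second, the callout says the foreign namespace "must ALSO grant their dashboard SA" but never states which role to bind; the only named role is `admin` on the home namespace. Name the intended role for the foreign-namespace binding explicitly (and whether it should match the home-ns `admin` grant or be narrower), so operators copying the `novelapp_owner_vabbit81` pattern do not default to a broader grant than intended. Finally, consider leading with the "Best practice" sentence: steering the `k8s_users` namespace to where the workload runs avoids the second binding entirely, which is the lower-risk outcome and is currently buried at the end.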