[ci skip] Implement multi-user Kubernetes access with OIDC

- Add RBAC module (modules/kubernetes/rbac/) with admin, power-user,
  and namespace-owner roles, API server OIDC flags, and audit logging
- Add self-service portal (modules/kubernetes/k8s-portal/) SvelteKit app
  with kubeconfig download and setup instructions
- Configure Alloy to collect audit logs from kube-apiserver
- Add Grafana dashboard for Kubernetes audit log visualization
- Configure Authentik OIDC provider with groups scope mapping
- Wire up k8s_users and ssh_private_key variables through module chain

modules/kubernetes/monitoring/alloy.yaml

@@ -99,6 +99,25 @@ alloy:
         forward_to = [loki.write.default.receiver]
       }
 
+      // Kubernetes audit log collection from /var/log/kubernetes/audit.log
+      // Requires alloy.mounts.varlog=true to mount /var/log from the host
+      local.file_match "audit_logs" {
+        path_targets = [{
+          __path__ = "/var/log/kubernetes/audit.log",
+          job      = "kubernetes-audit",
+          node     = env("HOSTNAME"),
+        }]
+      }
+
+      loki.source.file "audit_logs" {
+        targets    = local.file_match.audit_logs.targets
+        forward_to = [loki.write.default.receiver]
+      }
+
+  # Mount /var/log from the host for file-based log collection (audit logs)
+  mounts:
+    varlog: true
+
   # Resource limits for DaemonSet pods
   # Alloy tails logs from all containers on the node via K8s API and batches
   # them to Loki. Memory scales with number of active log streams (~30-50 per node).