From 9dad07618d854cc780eb7256c03c13584babcf2a Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 17 Feb 2026 22:18:37 +0000
Subject: [PATCH] [ci skip] Add anca as namespace-owner for plotting-book

- Add ancaelena98@gmail.com as namespace-owner for plotting-book namespace
- Fix RBAC module: don't create namespaces (they're managed by service modules)
- RoleBinding to built-in admin ClusterRole + cluster-wide read-only access
- ResourceQuota: 2 CPU / 4Gi mem requests, 4 CPU / 8Gi limits, 20 pods
---
 modules/kubernetes/rbac/main.tf | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/modules/kubernetes/rbac/main.tf b/modules/kubernetes/rbac/main.tf
index 496a014d..9e6254d4 100644
--- a/modules/kubernetes/rbac/main.tf
+++ b/modules/kubernetes/rbac/main.tf
@@ -146,19 +146,6 @@ locals {
 ])
 }

-resource "kubernetes_namespace" "user_namespaces" {
- for_each = { for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair }
-
- metadata {
- name = each.value.namespace
- labels = {
- tier = var.tier
- "k8s-portal/owner" = each.value.user_key
- "k8s-portal/managed-by" = "rbac-module"
- }
- }
-}
-
 resource "kubernetes_role_binding" "namespace_owner" {
 for_each = { for pair in local.namespace_owner_pairs : "${pair.user_key}-${pair.namespace}" => pair }

@@ -178,8 +165,6 @@ resource "kubernetes_role_binding" "namespace_owner" {
 name = each.value.email
 api_group = "rbac.authorization.k8s.io"
 }
-
- depends_on = [kubernetes_namespace.user_namespaces]
 }

 # Read-only cluster-wide access for namespace owners
@@ -246,7 +231,7 @@ resource "kubernetes_resource_quota" "user_namespace_quota" {
 }
 }

- depends_on = [kubernetes_namespace.user_namespaces]
+ depends_on = [kubernetes_role_binding.namespace_owner]
 }

 # ConfigMap with user-role mapping for the self-service portal
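Review bot: The new `depends_on = [kubernetes_role_binding.namespace_owner]` in `kubernetes_resource_quota.user_namespace_quota` (third hunk) orders the quota after the admin RoleBinding, so on a first apply the owner is likely to hold `admin` in the namespace before any quota exists there. The quota has no functional dependency on the binding; what both resources need is the namespace, which this commit moves out of the module, so nothing visible here guarantees it exists at apply time. Consider dropping the `depends_on` and stating the prerequisite instead, e.g. `# Namespace is created by the owning service module and must exist before this module is applied`, or reversing the edge so the binding waits for the quota. The resource body starts outside this hunk, so how it references the namespace is not visible.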