fix(k8s-dashboard): drop group-restriction policy; RBAC is the gate

The Authentik group policy denied admins: it gated on kubernetes-* group
membership, but cluster access is email-based RBAC (User bindings from
k8s_users), not group-based. vbarzin@gmail.com (Home Server Admins) gets
cluster-admin via oidc-admin-vbarzin but isn't in any kubernetes-* group,
so the gate locked him out. Apiserver RBAC is now the sole gate — matching
the kubelogin CLI (authenticate freely, RBAC decides actions).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/k8s-dashboard/authentik.tf

@@ -89,20 +89,12 @@ resource "authentik_application" "k8s_dashboard" {
   policy_engine_mode = "any"
 }
 
-# Restrict who can complete the OIDC flow to the K8s RBAC groups.
+# NO group-restriction policy: the kube-apiserver RBAC (per-user `User`
-resource "authentik_policy_expression" "k8s_dashboard_groups" {
+# bindings keyed on the OIDC email claim, from k8s_users in stacks/rbac) is the
-  name       = "k8s-dashboard-group-access"
+# real, authoritative gate — exactly like the kubelogin CLI. Any Authentik user
-  expression = <<-EOT
+# can complete the login, but only users with an RBAC binding can do anything
-    return (
+# (everyone else sees an empty/forbidden dashboard). A group gate here was
-        ak_is_group_member(request.user, name="kubernetes-admins")
+# both redundant with RBAC AND wrong: it gated on `kubernetes-*` group
-        or ak_is_group_member(request.user, name="kubernetes-power-users")
+# membership, but admins (e.g. vbarzin@gmail.com, in Home Server Admins) get
-        or ak_is_group_member(request.user, name="kubernetes-namespace-owners")
+# cluster-admin via their email binding, not via those groups — so the gate
-    )
+# locked out legitimate admins.
-  EOT
-}
-
-resource "authentik_policy_binding" "k8s_dashboard_groups" {
-  target = authentik_application.k8s_dashboard.uuid
-  policy = authentik_policy_expression.k8s_dashboard_groups.id
-  order  = 0
-}