viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
3951 commits 3 branches 0 tags 2.3 GiB
Commit graph

2 commits

Author SHA1 Message Date
Viktor Barzin
e436af8d8c fix(k8s-dashboard): drop group-restriction policy; RBAC is the gate 
The Authentik group policy denied admins: it gated on kubernetes-* group
membership, but cluster access is email-based RBAC (User bindings from
k8s_users), not group-based. vbarzin@gmail.com (Home Server Admins) gets
cluster-admin via oidc-admin-vbarzin but isn't in any kubernetes-* group,
so the gate locked him out. Apiserver RBAC is now the sole gate — matching
the kubelogin CLI (authenticate freely, RBAC decides actions).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-05 09:19:09 +00:00
Viktor Barzin
011c63c92d feat(k8s-dashboard): add Authentik OIDC app for dashboard SSO 
Confidential client k8s-dashboard + custom scope mapping emitting
aud=[kubernetes,k8s-dashboard] + group-restriction policy (kubernetes-*
RBAC groups). Additive — dashboard ingress unchanged. Token via Vault
secret/k8s-dashboard.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-05 09:19:07 +00:00