infra/stacks/rbac/modules/rbac
Viktor Barzin 7114824c06 fix(rbac): tighten dashboard SA cluster-read to namespaces+nodes only
namespace-owners could read all tenants' pods/configmaps/etc cluster-wide
(read-only) via the broad namespace_owner_readonly role. Give the dashboard
SAs a dedicated dashboard-nav-readonly ClusterRole = namespaces + nodes (list)
only — enough for the dashboard namespace-picker/Nodes view, but no
cross-tenant resource reads. Own-namespace access (admin) unchanged. Verified:
gheorghe can list namespaces/nodes + full vabbit81, but list pods/configmaps -A
= no, other namespaces = no.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 09:19:11 +00:00
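The shape of the change described in the commit above, written out as an added example rather than the repository's own dashboard-sa.tf: a narrow ClusterRole granting only `list` on the two cluster-scoped resources the dashboard navigation needs, bound cluster-wide, with own-namespace `admin` granted through a namespaced RoleBinding. It assumes the hashicorp/kubernetes Terraform provider; the variable `owner_namespace`, the default `tenant-a`, and the resource and ServiceAccount names are placeholders.

```hcl
# Added example (not the repo's dashboard-sa.tf): the RBAC shape the commit
# describes, using the hashicorp/kubernetes provider. All names are placeholders.

# Cluster-wide: only what the dashboard's namespace picker and Nodes view need.
# Both resources are cluster-scoped, so listing them exposes no tenant-namespaced
# objects (pods, configmaps, secrets, ...). Only "list" is granted; add "get"
# here if a node detail view turns out to need it.
resource "kubernetes_cluster_role" "dashboard_nav_readonly" {
  metadata {
    name = "dashboard-nav-readonly"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "nodes"]
    verbs      = ["list"]
  }
}

# The tenant namespace this dashboard ServiceAccount belongs to (placeholder).
variable "owner_namespace" {
  type    = string
  default = "tenant-a"
}

resource "kubernetes_service_account" "dashboard" {
  metadata {
    name      = "dashboard"
    namespace = var.owner_namespace
  }
}

# Bind the narrow ClusterRole cluster-wide to the SA.
resource "kubernetes_cluster_role_binding" "dashboard_nav_readonly" {
  metadata {
    name = "dashboard-nav-readonly-${var.owner_namespace}"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.dashboard_nav_readonly.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.dashboard.metadata[0].name
    namespace = var.owner_namespace
  }
}

# Full access stays limited to the SA's own namespace: a namespaced RoleBinding
# that references the built-in "admin" ClusterRole scopes those permissions to
# this namespace only. Binding "admin" via a ClusterRoleBinding instead would
# reintroduce exactly the cross-tenant read the commit removes.
resource "kubernetes_role_binding" "dashboard_own_namespace_admin" {
  metadata {
    name      = "dashboard-admin"
    namespace = var.owner_namespace
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "admin"
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.dashboard.metadata[0].name
    namespace = var.owner_namespace
  }
}
```

After `terraform apply`, the commit's own checks can be repeated by impersonating the SA: `kubectl auth can-i list namespaces --as=system:serviceaccount:tenant-a:dashboard` and `kubectl auth can-i list nodes --as=system:serviceaccount:tenant-a:dashboard` should print `yes`; `kubectl auth can-i list pods -A --as=system:serviceaccount:tenant-a:dashboard` and `kubectl auth can-i list configmaps -n some-other-tenant --as=system:serviceaccount:tenant-a:dashboard` should print `no`; `kubectl auth can-i list pods -n tenant-a --as=system:serviceaccount:tenant-a:dashboard` should print `yes`. One caveat worth keeping in mind: `list` on namespaces still reveals the names of every tenant namespace to every dashboard SA, which is inherent to a shared namespace picker and is not addressed by this role.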
apiserver-oidc.tf feat(rbac): apiserver multi-issuer OIDC via structured AuthenticationConfiguration 2026-06-05 09:19:09 +00:00
audit-policy.tf extract remaining 19 modules from platform, complete stack split [ci skip] 2026-03-17 21:42:16 +00:00
dashboard-sa.tf fix(rbac): tighten dashboard SA cluster-read to namespaces+nodes only 2026-06-05 09:19:11 +00:00
etcd-tuning.tf Reduce disk write amplification across cluster (~200-350 GB/day savings) [ci skip] 2026-04-09 19:01:21 +00:00
main.tf extract remaining 19 modules from platform, complete stack split [ci skip] 2026-03-17 21:42:16 +00:00