infra

Viktor Barzin 7114824c06 fix(rbac): tighten dashboard SA cluster-read to namespaces+nodes only namespace-owners could read all tenants' pods/configmaps/etc cluster-wide (read-only) via the broad namespace_owner_readonly role. Give the dashboard SAs a dedicated dashboard-nav-readonly ClusterRole = namespaces + nodes (list) only — enough for the dashboard namespace-picker/Nodes view, but no cross-tenant resource reads. Own-namespace access (admin) unchanged. Verified: gheorghe can list namespaces/nodes + full vabbit81, but list pods/configmaps -A = no, other namespaces = no. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-05 09:19:11 +00:00
..
rbac	fix(rbac): tighten dashboard SA cluster-read to namespaces+nodes only	2026-06-05 09:19:11 +00:00

Viktor Barzin 7114824c06 fix(rbac): tighten dashboard SA cluster-read to namespaces+nodes only

namespace-owners could read all tenants' pods/configmaps/etc cluster-wide
(read-only) via the broad namespace_owner_readonly role. Give the dashboard
SAs a dedicated dashboard-nav-readonly ClusterRole = namespaces + nodes (list)
only — enough for the dashboard namespace-picker/Nodes view, but no
cross-tenant resource reads. Own-namespace access (admin) unchanged. Verified:
gheorghe can list namespaces/nodes + full vabbit81, but list pods/configmaps -A
= no, other namespaces = no.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-05 09:19:11 +00:00

rbac

fix(rbac): tighten dashboard SA cluster-read to namespaces+nodes only

2026-06-05 09:19:11 +00:00