--- name: coreweave-enterprise-rbac description: | Configure RBAC and namespace isolation for CoreWeave multi-team GPU access. Use when managing team permissions, isolating GPU quotas, or implementing namespace-level access control. Trigger with phrases like "coreweave rbac", "coreweave permissions", "coreweave namespace isolation", "coreweave team access". allowed-tools: Read, Write, Edit, Bash(kubectl:*), Grep version: 1.0.0 license: MIT author: Jeremy Longshore tags: [saas, gpu-cloud, kubernetes, inference, coreweave] compatible-with: claude-code --- # CoreWeave Enterprise RBAC ## Overview CoreWeave runs GPU workloads on Kubernetes, so RBAC maps directly to K8s namespace isolation and ResourceQuotas. Each team gets a dedicated namespace with GPU limits, storage caps, and network policies. This prevents noisy-neighbor problems where one team's training job starves another's inference service. SOC 2 and HIPAA workloads require namespace-level audit logging and team-scoped API key rotation. ## Role Hierarchy | Role | Permissions | Scope | |------|------------|-------| | Cluster Admin | Full CKS control, namespace creation, quota management | All namespaces | | Team Lead | Deploy workloads, manage team API keys, adjust pod limits | Own namespace | | ML Engineer | Launch jobs, access PVCs, view logs | Own namespace | | Inference Operator | Deploy/scale inference endpoints, read metrics | Own namespace | | Viewer | Read-only pod status, logs, GPU utilization metrics | Own namespace | ## Permission Check ```typescript import { KubeConfig, RbacAuthorizationV1Api } from '@kubernetes/client-node'; async function checkNamespaceAccess(user: string, namespace: string, verb: string, resource: string): Promise { const kc = new KubeConfig(); kc.loadFromDefault(); const rbac = kc.makeApiClient(RbacAuthorizationV1Api); const review = { apiVersion: 'authorization.k8s.io/v1', kind: 'SubjectAccessReview', spec: { user, resourceAttributes: { namespace, verb, resource } } }; const result = await rbac.createSubjectAccessReview(review); return result.body.status?.allowed ?? false; } ``` ## Role Assignment ```typescript async function assignTeamNamespace(team: string, group: string, gpuLimit: number): Promise { await kubectl(`create namespace ${team}`); await kubectl(`create resourcequota ${team}-gpu --namespace=${team} --hard=requests.nvidia.com/gpu=${gpuLimit}`); await kubectl(`create rolebinding ${team}-access --namespace=${team} --clusterrole=edit --group=${group}`); console.log(`Namespace ${team} created with ${gpuLimit} GPU quota bound to ${group}`); } async function revokeAccess(team: string, binding: string): Promise { await kubectl(`delete rolebinding ${binding} --namespace=${team}`); } ``` ## Audit Logging ```typescript interface CoreWeaveAuditEntry { timestamp: string; user: string; namespace: string; action: 'gpu_request' | 'deploy' | 'scale' | 'delete' | 'quota_change'; resource: string; gpuCount?: number; result: 'allowed' | 'denied'; } function logAccess(entry: CoreWeaveAuditEntry): void { console.log(JSON.stringify({ ...entry, cluster: process.env.CW_CLUSTER_ID })); } ``` ## RBAC Checklist - [ ] Each team has a dedicated namespace with ResourceQuota - [ ] GPU limits set per namespace to prevent resource starvation - [ ] RoleBindings use AD/OIDC groups, not individual users - [ ] Network policies isolate namespace traffic - [ ] API keys scoped to team namespace, rotated quarterly - [ ] Viewer role assigned to finance/management for cost visibility - [ ] Audit logging enabled for all GPU allocation events ## Error Handling | Issue | Cause | Fix | |-------|-------|-----| | `Forbidden: GPU quota exceeded` | Namespace quota reached | Increase ResourceQuota or free idle pods | | `RoleBinding not found` | Group name mismatch with IdP | Verify AD/OIDC group name matches RoleBinding subject | | `Namespace not found` | Team namespace not provisioned | Run namespace creation script before role assignment | | `SubjectAccessReview denied` | Missing ClusterRole binding | Check if ClusterRole exists and verb is permitted | ## Resources - [CoreWeave CKS](https://docs.coreweave.com/docs/products/cks) - [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) ## Next Steps See `coreweave-security-basics`.