feat(rbac): bind makeitworkcloud:admins GitHub team to cluster-admin (#22)

xnoto · web-flow · commit 783cb84132b2 · 2026-04-29T22:24:14.000-06:00
## Summary When Headlamp authenticates a user via Dex, the resulting ID token is forwarded to kube-apiserver. With the apiserver's \`--oidc-issuer-url\` / \`--oidc-client-id=headlamp\` / \`--oidc-username-claim=email\` / \`--oidc-groups-claim=groups\` flags (added to k3s cloud-init in the matching tfroot-libvirt PR), the apiserver validates the token and surfaces the user as e.g. \`steven@makeitwork.cloud\` with groups like \`makeitworkcloud:admins\`. Without an RBAC binding the user is recognized but not authorized → 401 from the apiserver, which Headlamp interprets as a failed login and re-prompts. This adds a single ClusterRoleBinding mapping the GitHub team \`makeitworkcloud:admins\` to cluster-admin. Anyone in that team gets full kubectl/Headlamp access; non-members get the standard denied response. ## Pairs with - tfroot-libvirt PR (incoming): adds \`--oidc-*\` apiserver args to k3s cloud-init. ## Test plan - [x] Already validated on the live cluster — the same binding was applied manually after restarting k3s with the OIDC apiserver flags, and Headlamp login completed (no more 401 loop). - [x] After merge: \`kubectl get clusterrolebinding oidc-makeitworkcloud-admins\` exists and is owned by ArgoCD. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
diff --git a/bootstrap/kustomization.yaml b/bootstrap/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
   # NOTE: cluster-admin ClusterRoleBinding is managed by ansible-role-crc
   #       (ArgoCD cannot grant itself permissions it doesn't have)
   - argocd-config.yaml
+  # Wave 0: GitHub-team-to-cluster-admin RBAC for OIDC users (Headlamp, kubectl)
+  - oidc-rbac.yaml
   # Wave 0: CI/CD service account with cluster-admin for GitHub Actions
   - ci-service-account.yaml
   # PostSync: Sync ci-deployer token to GitHub Actions secrets
diff --git a/bootstrap/oidc-rbac.yaml b/bootstrap/oidc-rbac.yaml
@@ -0,0 +1,22 @@
+---
+# Maps the GitHub team `makeitworkcloud:admins` (surfaced as a `groups` claim
+# by Dex's GitHub connector) to cluster-admin so OIDC-authenticated users
+# can use kubectl/Headlamp without a separate per-user binding.
+#
+# Pairs with the k3s apiserver flags in tfroot-libvirt cloud-init that point
+# at the same Dex issuer: --oidc-issuer-url, --oidc-client-id=headlamp,
+# --oidc-username-claim=email, --oidc-groups-claim=groups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-makeitworkcloud-admins
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+subjects:
+  - kind: Group
+    name: makeitworkcloud:admins
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
