From coreweave-pack
Configure RBAC and namespace isolation for CoreWeave multi-team GPU access. Use when managing team permissions, isolating GPU quotas, or implementing namespace-level access control. Trigger with phrases like "coreweave rbac", "coreweave permissions", "coreweave namespace isolation", "coreweave team access".
npx claudepluginhub flight505/skill-forge --plugin coreweave-packThis skill is limited to using the following tools:
CoreWeave runs GPU workloads on Kubernetes, so RBAC maps directly to K8s namespace isolation and ResourceQuotas. Each team gets a dedicated namespace with GPU limits, storage caps, and network policies. This prevents noisy-neighbor problems where one team's training job starves another's inference service. SOC 2 and HIPAA workloads require namespace-level audit logging and team-scoped API key r...
Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Share bugs, ideas, or general feedback.
CoreWeave runs GPU workloads on Kubernetes, so RBAC maps directly to K8s namespace isolation and ResourceQuotas. Each team gets a dedicated namespace with GPU limits, storage caps, and network policies. This prevents noisy-neighbor problems where one team's training job starves another's inference service. SOC 2 and HIPAA workloads require namespace-level audit logging and team-scoped API key rotation.
| Role | Permissions | Scope |
|---|---|---|
| Cluster Admin | Full CKS control, namespace creation, quota management | All namespaces |
| Team Lead | Deploy workloads, manage team API keys, adjust pod limits | Own namespace |
| ML Engineer | Launch jobs, access PVCs, view logs | Own namespace |
| Inference Operator | Deploy/scale inference endpoints, read metrics | Own namespace |
| Viewer | Read-only pod status, logs, GPU utilization metrics | Own namespace |
import { KubeConfig, RbacAuthorizationV1Api } from '@kubernetes/client-node';
async function checkNamespaceAccess(user: string, namespace: string, verb: string, resource: string): Promise<boolean> {
const kc = new KubeConfig();
kc.loadFromDefault();
const rbac = kc.makeApiClient(RbacAuthorizationV1Api);
const review = { apiVersion: 'authorization.k8s.io/v1', kind: 'SubjectAccessReview',
spec: { user, resourceAttributes: { namespace, verb, resource } } };
const result = await rbac.createSubjectAccessReview(review);
return result.body.status?.allowed ?? false;
}
async function assignTeamNamespace(team: string, group: string, gpuLimit: number): Promise<void> {
await kubectl(`create namespace ${team}`);
await kubectl(`create resourcequota ${team}-gpu --namespace=${team} --hard=requests.nvidia.com/gpu=${gpuLimit}`);
await kubectl(`create rolebinding ${team}-access --namespace=${team} --clusterrole=edit --group=${group}`);
console.log(`Namespace ${team} created with ${gpuLimit} GPU quota bound to ${group}`);
}
async function revokeAccess(team: string, binding: string): Promise<void> {
await kubectl(`delete rolebinding ${binding} --namespace=${team}`);
}
interface CoreWeaveAuditEntry {
timestamp: string; user: string; namespace: string;
action: 'gpu_request' | 'deploy' | 'scale' | 'delete' | 'quota_change';
resource: string; gpuCount?: number; result: 'allowed' | 'denied';
}
function logAccess(entry: CoreWeaveAuditEntry): void {
console.log(JSON.stringify({ ...entry, cluster: process.env.CW_CLUSTER_ID }));
}
| Issue | Cause | Fix |
|---|---|---|
Forbidden: GPU quota exceeded | Namespace quota reached | Increase ResourceQuota or free idle pods |
RoleBinding not found | Group name mismatch with IdP | Verify AD/OIDC group name matches RoleBinding subject |
Namespace not found | Team namespace not provisioned | Run namespace creation script before role assignment |
SubjectAccessReview denied | Missing ClusterRole binding | Check if ClusterRole exists and verb is permitted |
See coreweave-security-basics.