coreweave-enterprise-rbac

# CoreWeave Enterprise RBAC ## Overview CoreWeave runs GPU workloads on Kubernetes, so RBAC maps directly to K8s namespace isolation and ResourceQuotas. Each team gets a dedicated namespace with GPU limits, storage caps, and network policies. This prevents noisy-neighbor problems where one team's training job starves another's inference service. SOC 2 and HIPAA workloads require namespace-level audit logging and team-scoped API key rotation. ## Role Hierarchy | Role | Permissions | Scope | |------|------------|-------| | Cluster Admin | Full CKS control, namespace creation, quota management | All namespaces | | Team Lead | Deploy workloads, manage team API keys, adjust pod limits | Own namespace | | ML Engineer | Launch jobs, access PVCs, view logs | Own namespace | | Inference Operator | Deploy/scale inference endpoints, read metrics | Own namespace | | Viewer | Read-only pod status, logs, GPU utilization metrics | Own namespace | ## Permission Check ```typescript import { KubeConfig, RbacAuthorizationV1Api } from '@kubernetes/client-node'; async function checkNamespaceAccess(user: string, namespace: string, verb: string, resource: string): Promise<boolean> { const kc = new KubeConfig(); kc.loadFromDefault(); const rbac = kc.makeApiClient(RbacAuthorizationV1Api); const review = { apiVersion: 'authorization.k8s.io/v1', kind: 'SubjectAccessReview', spec: { user, resourceAttributes: { namespace, verb, resource } } }; const result = await rbac.createSubjectA...