Claude-code-plugins-plus-skills coreweave-enterprise-rbac

install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/coreweave-pack/skills/coreweave-enterprise-rbac" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-coreweave-enterprise-rbac && rm -rf "$T"
manifest: plugins/saas-packs/coreweave-pack/skills/coreweave-enterprise-rbac/SKILL.md
source content

CoreWeave Enterprise RBAC

Overview

CoreWeave runs GPU workloads on Kubernetes (CoreWeave Kubernetes Service, CKS), so RBAC maps directly onto Kubernetes namespace isolation and ResourceQuotas. Each team gets a dedicated namespace with a GPU limit, storage caps, and NetworkPolicies. The quota is what stops noisy-neighbor problems, where one team's training job starves another's inference service; the namespace boundary is what keeps one team's RoleBindings, Secrets and PVCs out of another team's reach. SOC 2 and HIPAA workloads additionally require namespace-level audit logging and team-scoped API key rotation.

Role Hierarchy

| Role | Permissions | Scope |
| --- | --- | --- |
| Cluster Admin | Full CKS control, namespace creation, quota management | All namespaces |
| Team Lead | Deploy workloads, manage team API keys, adjust pod limits | Own namespace |
| ML Engineer | Launch jobs, access PVCs, view logs | Own namespace |
| Inference Operator | Deploy/scale inference endpoints, read metrics | Own namespace |
| Viewer | Read-only pod status, logs, GPU utilization metrics | Own namespace |

Only Viewer maps cleanly onto a built-in ClusterRole (view). The assignment code under Role Assignment binds the built-in edit ClusterRole for the whole team, which does not distinguish Team Lead from ML Engineer or Inference Operator and also grants read access to every Secret in the namespace; where that distinction matters, define a custom Role per tier instead.

Permission Check

import { KubeConfig, AuthorizationV1Api, V1SubjectAccessReview } from '@kubernetes/client-node';

// SubjectAccessReview belongs to authorization.k8s.io, so it is served by AuthorizationV1Api;
// RbacAuthorizationV1Api only manages Roles and bindings. The caller's IdP groups must be passed
// as well: access granted through a group RoleBinding is invisible to a review that names only
// the user. CLI equivalent: kubectl auth can-i <verb> <resource> -n <ns> --as <user> --as-group <group>
async function checkNamespaceAccess(user: string, groups: string[], namespace: string,
                                    verb: string, resource: string): Promise<boolean> {
  const kc = new KubeConfig();
  kc.loadFromDefault();
  const authz = kc.makeApiClient(AuthorizationV1Api);
  const review: V1SubjectAccessReview = { apiVersion: 'authorization.k8s.io/v1', kind: 'SubjectAccessReview',
    spec: { user, groups, resourceAttributes: { namespace, verb, resource } } };
  // client-node 0.x shape (result.body); on 1.x pass { body: review } and read .status off the returned object
  const result = await authz.createSubjectAccessReview(review);
  return result.body.status?.allowed ?? false;
}

Role Assignment

import { execFile } from 'node:child_process';
import { promisify } from 'node:util';
const execFileAsync = promisify(execFile);

// argv array, not a shell string: a team or group name containing shell metacharacters cannot inject extra commands
async function kubectl(...args: string[]): Promise<string> {
  return (await execFileAsync('kubectl', args)).stdout;
}

async function assignTeamNamespace(team: string, group: string, gpuLimit: number): Promise<void> {
  await kubectl('create', 'namespace', team);
  // requests.nvidia.com/gpu caps the total GPUs all pods in the namespace may request
  await kubectl('create', 'resourcequota', `${team}-gpu`, `--namespace=${team}`, `--hard=requests.nvidia.com/gpu=${gpuLimit}`);
  // bind the built-in edit ClusterRole to the IdP group, scoped to this namespace only
  await kubectl('create', 'rolebinding', `${team}-access`, `--namespace=${team}`, '--clusterrole=edit', `--group=${group}`);
  console.log(`Namespace ${team} created with ${gpuLimit} GPU quota bound to ${group}`);
}

async function revokeAccess(team: string, binding: string): Promise<void> {
  await kubectl('delete', 'rolebinding', binding, `--namespace=${team}`);
}

Audit Logging

interface CoreWeaveAuditEntry {
  timestamp: string; user: string; namespace: string;
  action: 'gpu_request' | 'deploy' | 'scale' | 'delete' | 'quota_change';
  resource: string; gpuCount?: number; result: 'allowed' | 'denied';
}

// One JSON line per event on stdout, tagged with the cluster, for the log pipeline to collect;
// CW_CLUSTER_ID is expected in the environment of whatever process emits these entries
function logAccess(entry: CoreWeaveAuditEntry): void {
  console.log(JSON.stringify({ ...entry, cluster: process.env.CW_CLUSTER_ID }));
}
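The events that should populate CoreWeaveAuditEntry already exist in the kube-apiserver audit log: a pod or job create carries the nvidia.com/gpu request in its body, and a 403 on that request is the RBAC or ResourceQuota denial. The following is an added example, not code from the skill, that maps audit.k8s.io/v1 Event lines onto the entry type above and counts denied GPU requests per user. The choice of which resources and verbs become which action is this example's own assumption, and the sample lines are constructed and trimmed to the fields the code reads.

```typescript
// Fields read from a kube-apiserver audit.k8s.io/v1 Event (one JSON object per line)
interface K8sAuditEvent {
  stage: string;                       // RequestReceived | ResponseStarted | ResponseComplete | Panic
  verb: string;                        // create | update | patch | delete | get | list | ...
  requestReceivedTimestamp: string;
  user: { username: string; groups?: string[] };
  objectRef?: { resource: string; subresource?: string; namespace?: string; name?: string };
  responseStatus?: { code: number };
  requestObject?: unknown;             // present only when the audit policy level is Request or RequestResponse
}

// Same shape as the CoreWeaveAuditEntry above; repeated so this block runs on its own
interface CoreWeaveAuditEntry {
  timestamp: string; user: string; namespace: string;
  action: 'gpu_request' | 'deploy' | 'scale' | 'delete' | 'quota_change';
  resource: string; gpuCount?: number; result: 'allowed' | 'denied';
}

type Container = { resources?: { requests?: Record<string, string> } };
type PodLike = { spec?: { containers?: Container[]; template?: { spec?: { containers?: Container[] } } } };

// Sum nvidia.com/gpu requests over a Pod's containers, or over a Job/Deployment pod template
function gpuRequested(obj: unknown): number {
  const spec = (obj as PodLike | undefined)?.spec;
  const containers = spec?.containers ?? spec?.template?.spec?.containers ?? [];
  return containers.reduce((n, c) => n + Number(c.resources?.requests?.['nvidia.com/gpu'] ?? 0), 0);
}

// Map one audit event to a team-scoped entry, or null when it is not a GPU/RBAC-relevant namespace event
function toAuditEntry(ev: K8sAuditEvent): CoreWeaveAuditEntry | null {
  const ref = ev.objectRef;
  const namespace = ref?.namespace;
  // each request is logged at several stages; only ResponseComplete carries the outcome,
  // and cluster-scoped objects (no namespace) are not team events
  if (ev.stage !== 'ResponseComplete' || !ref || !namespace) return null;
  const code = ev.responseStatus?.code ?? 0;
  // 403 is the RBAC or ResourceQuota admission denial; other errors (409, 422) are not authz outcomes
  const result: CoreWeaveAuditEntry['result'] | null = code === 403 ? 'denied' : code < 300 ? 'allowed' : null;
  if (result === null) return null;

  const mutating = ['create', 'update', 'patch', 'delete'].includes(ev.verb);
  let action: CoreWeaveAuditEntry['action'] | null = null;
  let gpuCount = 0;
  if (ref.resource === 'resourcequotas' && mutating) action = 'quota_change';  // checked first: deleting a quota is a quota change
  else if (ref.subresource === 'scale' && mutating) action = 'scale';
  else if (ev.verb === 'delete') action = 'delete';
  else if (ev.verb === 'create' && ['pods', 'jobs', 'deployments', 'statefulsets'].includes(ref.resource)) {
    gpuCount = gpuRequested(ev.requestObject);
    action = gpuCount > 0 ? 'gpu_request' : 'deploy';
  }
  if (action === null) return null;
  const entry: CoreWeaveAuditEntry = { timestamp: ev.requestReceivedTimestamp, user: ev.user.username,
                                       namespace, action, resource: ref.resource, result };
  if (gpuCount > 0) entry.gpuCount = gpuCount;
  return entry;
}

function parseAuditLog(jsonLines: string): CoreWeaveAuditEntry[] {
  return jsonLines.split('\n').filter(l => l.trim() !== '')
    .map(l => toAuditEntry(JSON.parse(l) as K8sAuditEvent))
    .filter((e): e is CoreWeaveAuditEntry => e !== null);
}

// Denied GPU requests per user: repeated denials mean either a quota too small for the team
// or someone probing for capacity they were never granted
function deniedGpuRequestsByUser(entries: CoreWeaveAuditEntry[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const e of entries) {
    if (e.action === 'gpu_request' && e.result === 'denied') counts[e.user] = (counts[e.user] ?? 0) + 1;
  }
  return counts;
}

// Constructed sample audit lines (not real cluster output), trimmed to the fields used above
const SAMPLE_AUDIT_LINES = [
  // RequestReceived stage of the next request: skipped as a duplicate
  { stage: 'RequestReceived', verb: 'create', requestReceivedTimestamp: '2025-01-10T09:00:00Z', user: { username: 'alice' }, objectRef: { resource: 'pods', namespace: 'ml-team', name: 'train-1' } },
  { stage: 'ResponseComplete', verb: 'create', requestReceivedTimestamp: '2025-01-10T09:00:00Z', user: { username: 'alice', groups: ['ml-team-engineers'] }, objectRef: { resource: 'pods', namespace: 'ml-team', name: 'train-1' }, responseStatus: { code: 201 }, requestObject: { spec: { containers: [{ resources: { requests: { 'nvidia.com/gpu': '2' } } }] } } },
  { stage: 'ResponseComplete', verb: 'create', requestReceivedTimestamp: '2025-01-10T09:05:00Z', user: { username: 'bob' }, objectRef: { resource: 'jobs', namespace: 'ml-team', name: 'train-big' }, responseStatus: { code: 403 }, requestObject: { spec: { template: { spec: { containers: [{ resources: { requests: { 'nvidia.com/gpu': '8' } } }] } } } } },
  { stage: 'ResponseComplete', verb: 'patch', requestReceivedTimestamp: '2025-01-10T09:10:00Z', user: { username: 'carol' }, objectRef: { resource: 'resourcequotas', namespace: 'ml-team', name: 'ml-team-gpu' }, responseStatus: { code: 403 } },
  { stage: 'ResponseComplete', verb: 'update', requestReceivedTimestamp: '2025-01-10T09:15:00Z', user: { username: 'dave' }, objectRef: { resource: 'deployments', subresource: 'scale', namespace: 'ml-team', name: 'llm-serve' }, responseStatus: { code: 200 } },
  // cluster-scoped request (no objectRef.namespace): not a team event
  { stage: 'ResponseComplete', verb: 'create', requestReceivedTimestamp: '2025-01-10T09:20:00Z', user: { username: 'admin' }, objectRef: { resource: 'namespaces', name: 'new-team' }, responseStatus: { code: 201 } },
].map(e => JSON.stringify(e)).join('\n');

const sampleEntries = parseAuditLog(SAMPLE_AUDIT_LINES);
console.log(JSON.stringify(sampleEntries, null, 1));
console.log(deniedGpuRequestsByUser(sampleEntries));
```

The GPU count only exists when the audit policy logs pods, jobs and the other workload kinds at level Request or RequestResponse; at the Metadata level every create collapses into a plain deploy, so the checklist item "audit logging enabled for all GPU allocation events" is a policy-level requirement, not just a matter of switching auditing on.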

RBAC Checklist

  • Each team has a dedicated namespace with ResourceQuota
  • GPU limits set per namespace to prevent resource starvation
  • RoleBindings use AD/OIDC groups, not individual users
  • Network policies isolate namespace traffic
  • API keys scoped to team namespace, rotated quarterly
  • Viewer role assigned to finance/management for cost visibility
  • Audit logging enabled for all GPU allocation events
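The first four checklist items are properties of the objects in the namespace, so they can be checked mechanically before (or after) a team is onboarded. As an added example, not the skill's own code, the TypeScript below builds the manifests a compliant team namespace consists of and audits an arbitrary set of manifests against those four items. The default-deny ingress NetworkPolicy, the Manifest type (a minimal view of the Kubernetes objects, not the full API types) and the extra check for cluster-admin bindings are this example's assumptions; BAD_BUNDLE is a constructed non-compliant input.

```typescript
// Minimal view of the Kubernetes objects the checklist cares about (not the full client types)
interface Manifest {
  apiVersion: string; kind: string;
  metadata: { name: string; namespace?: string };
  spec?: { hard?: Record<string, string>; podSelector?: object; policyTypes?: string[] };
  subjects?: { kind: 'User' | 'Group' | 'ServiceAccount'; name: string; apiGroup?: string; namespace?: string }[];
  roleRef?: { kind: string; name: string; apiGroup: string };
}

const RBAC = 'rbac.authorization.k8s.io';
const GPU_QUOTA_KEY = 'requests.nvidia.com/gpu';

// The compliant bundle for one team: what assignTeamNamespace creates, plus a default-deny ingress
// NetworkPolicy so pods in other namespaces cannot reach this team's pods unless a later policy allows it
function teamNamespaceBundle(team: string, group: string, gpuLimit: number): Manifest[] {
  return [
    { apiVersion: 'v1', kind: 'Namespace', metadata: { name: team } },
    { apiVersion: 'v1', kind: 'ResourceQuota', metadata: { name: `${team}-gpu`, namespace: team },
      spec: { hard: { [GPU_QUOTA_KEY]: String(gpuLimit) } } },
    { apiVersion: `${RBAC}/v1`, kind: 'RoleBinding', metadata: { name: `${team}-access`, namespace: team },
      subjects: [{ kind: 'Group', name: group, apiGroup: RBAC }],
      roleRef: { kind: 'ClusterRole', name: 'edit', apiGroup: RBAC } },
    { apiVersion: 'networking.k8s.io/v1', kind: 'NetworkPolicy', metadata: { name: 'default-deny-ingress', namespace: team },
      spec: { podSelector: {}, policyTypes: ['Ingress'] } },
  ];
}

// One finding per violated checklist item; an empty list means the namespace passes
function auditTeamNamespace(team: string, manifests: Manifest[]): string[] {
  const findings: string[] = [];
  const inNs = manifests.filter(m => m.metadata.namespace === team);

  // items 1 and 2: a ResourceQuota exists and it actually limits GPUs
  const quotas = inNs.filter(m => m.kind === 'ResourceQuota');
  if (quotas.length === 0) findings.push(`${team}: no ResourceQuota`);
  else if (!quotas.some(q => q.spec?.hard?.[GPU_QUOTA_KEY] !== undefined))
    findings.push(`${team}: ResourceQuota does not limit ${GPU_QUOTA_KEY}`);

  // item 3: bindings name IdP groups, never individual users
  for (const rb of inNs.filter(m => m.kind === 'RoleBinding')) {
    for (const s of rb.subjects ?? []) {
      if (s.kind === 'User') findings.push(`${team}/${rb.metadata.name}: binds individual user ${s.name}; use an IdP group`);
    }
    // a namespaced binding to cluster-admin is still full control of everything in the namespace
    if (rb.roleRef?.kind === 'ClusterRole' && rb.roleRef.name === 'cluster-admin')
      findings.push(`${team}/${rb.metadata.name}: binds cluster-admin; team roles should use edit/view or a custom Role`);
  }

  // item 4: a default-deny ingress policy (empty podSelector selects every pod in the namespace)
  const defaultDeny = inNs.some(m => {
    const spec = m.spec;
    if (m.kind !== 'NetworkPolicy' || !spec || !spec.podSelector) return false;
    return Object.keys(spec.podSelector).length === 0 && (spec.policyTypes ?? []).includes('Ingress');
  });
  if (!defaultDeny) findings.push(`${team}: no default-deny ingress NetworkPolicy`);

  return findings;
}

// Constructed non-compliant example: a user bound directly to cluster-admin, no quota, no network policy
const BAD_BUNDLE: Manifest[] = [
  { apiVersion: 'v1', kind: 'Namespace', metadata: { name: 'ml-team' } },
  { apiVersion: `${RBAC}/v1`, kind: 'RoleBinding', metadata: { name: 'alice-access', namespace: 'ml-team' },
    subjects: [{ kind: 'User', name: 'alice@example.com', apiGroup: RBAC }],
    roleRef: { kind: 'ClusterRole', name: 'cluster-admin', apiGroup: RBAC } },
];

console.log(auditTeamNamespace('ml-team', teamNamespaceBundle('ml-team', 'ml-team-engineers', 8)));  // []
console.log(auditTeamNamespace('ml-team', BAD_BUNDLE));                                              // four findings
```

In practice the manifests come from `kubectl get resourcequota,rolebinding,networkpolicy -n <team> -o json`; the checks only look at the handful of fields declared in Manifest, so the full objects can be passed through unchanged.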

Error Handling

| Issue | Cause | Fix |
| --- | --- | --- |
| Forbidden: exceeded quota (requests.nvidia.com/gpu) | Namespace ResourceQuota reached | Increase the ResourceQuota or free idle GPU pods |
| RoleBinding not found | Group name mismatch with IdP | Verify the AD/OIDC group name matches the RoleBinding subject |
| Namespace not found | Team namespace not provisioned | Run the namespace creation script before role assignment |
| SubjectAccessReview denied | No Role/ClusterRole binding grants the verb on that resource in the namespace | Check that the binding's roleRef exists and its rules permit the verb, and that the review includes the caller's groups |
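Each row in that table corresponds to a distinct error string from the API server, so tooling that wraps kubectl can classify failures instead of surfacing raw stderr. The function below is an added example, not part of the skill, that does this using the apiserver's own message formats (the ResourceQuota admission plugin's "exceeded quota: <name>, requested: ..., used: ..., limited: ..." and the RBAC "User ... cannot <verb> resource ..." denial) and, for quota rejections, works out how many GPUs short the namespace is; the issue names and the sample error strings are constructed for this example.

```typescript
type Issue = 'gpu_quota_exceeded' | 'rolebinding_not_found' | 'namespace_not_found' | 'rbac_forbidden' | 'unknown';

interface Diagnosis {
  issue: Issue;
  fix: string;                               // the remediation from the table above
  detail: Record<string, string | number>;   // values pulled out of the message
}

const GPU_KEY = 'requests.nvidia.com/gpu';

// "a=1,b=2" (how the apiserver renders a ResourceList) -> { a: '1', b: '2' }
function parseResourceList(s: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const kv of s.split(',')) {
    const i = kv.indexOf('=');
    if (i > 0) out[kv.slice(0, i).trim()] = kv.slice(i + 1).trim();
  }
  return out;
}

function diagnoseKubectlError(stderr: string): Diagnosis {
  // Quota rejections are also reported as Forbidden, so match them before the generic RBAC case.
  // ResourceQuota admission format: exceeded quota: <name>, requested: <list>, used: <list>, limited: <list>
  const quota = /exceeded quota: (\S+), requested: (\S+), used: (\S+), limited: (\S+)/.exec(stderr);
  if (quota) {
    const requested = Number(parseResourceList(quota[2])[GPU_KEY] ?? 0);
    const used = Number(parseResourceList(quota[3])[GPU_KEY] ?? 0);
    const limit = Number(parseResourceList(quota[4])[GPU_KEY] ?? 0);
    return { issue: 'gpu_quota_exceeded', fix: 'Increase the ResourceQuota or free idle GPU pods',
             detail: { quota: quota[1], requested, used, limit, shortfall: used + requested - limit } };
  }
  const rb = /rolebindings\.rbac\.authorization\.k8s\.io "([^"]+)" not found/.exec(stderr);
  if (rb) return { issue: 'rolebinding_not_found', fix: 'Verify the AD/OIDC group name matches the RoleBinding subject',
                   detail: { binding: rb[1] } };
  const ns = /namespaces "([^"]+)" not found/.exec(stderr);
  if (ns) return { issue: 'namespace_not_found', fix: 'Run the namespace creation script before role assignment',
                   detail: { namespace: ns[1] } };
  // RBAC denial: User "<u>" cannot <verb> resource "<res>" in API group "<g>" in the namespace "<ns>"
  const rbac = /User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" in the namespace "([^"]+)"/.exec(stderr);
  if (rbac) return { issue: 'rbac_forbidden', fix: 'Check that the binding roleRef exists and its rules permit the verb',
                     detail: { user: rbac[1], verb: rbac[2], resource: rbac[3], apiGroup: rbac[4], namespace: rbac[5] } };
  return { issue: 'unknown', fix: 'Inspect the message; not one of the known RBAC/quota failures', detail: {} };
}

// Constructed kubectl stderr lines in the apiserver's formats (not captured from a real cluster)
const SAMPLE_ERRORS = {
  quota: 'Error from server (Forbidden): error when creating "train.yaml": pods "train-1" is forbidden: exceeded quota: ml-team-gpu, requested: requests.nvidia.com/gpu=4, used: requests.nvidia.com/gpu=6, limited: requests.nvidia.com/gpu=8',
  roleBinding: 'Error from server (NotFound): rolebindings.rbac.authorization.k8s.io "ml-team-access" not found',
  namespace: 'Error from server (NotFound): namespaces "ml-team" not found',
  rbac: 'Error from server (Forbidden): pods is forbidden: User "alice@example.com" cannot create resource "pods" in API group "" in the namespace "ml-team"',
};

for (const msg of Object.values(SAMPLE_ERRORS)) console.log(diagnoseKubectlError(msg));
```

The shortfall is worth returning rather than just the issue: used + requested - limit is the number of GPUs that must be freed or added before the same job can be admitted, which is the figure a Team Lead needs when deciding between the two fixes in the table.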

Resources

Next Steps

See coreweave-security-basics.