CoreWeave Enterprise RBAC
Overview
CoreWeave runs GPU workloads on Kubernetes, so RBAC maps directly to K8s namespace isolation and ResourceQuotas. Each team gets a dedicated namespace with GPU limits, storage caps, and network policies. This prevents noisy-neighbor problems where one team's training job starves another's inference service. SOC 2 and HIPAA workloads require namespace-level audit logging and team-scoped API key rotation.
Role Hierarchy
| Role | Permissions | Scope |
|---|---|---|
| Cluster Admin | Full CKS control, namespace creation, quota management | All namespaces |
| Team Lead | Deploy workloads, manage team API keys, adjust pod limits | Own namespace |
| ML Engineer | Launch jobs, access PVCs, view logs | Own namespace |
| Inference Operator | Deploy/scale inference endpoints, read metrics | Own namespace |
| Viewer | Read-only pod status, logs, GPU utilization metrics | Own namespace |
Permission Check
import { KubeConfig, RbacAuthorizationV1Api } from '@kubernetes/client-node';
async function checkNamespaceAccess(user: string, namespace: string, verb: string, resource: string): Promise<boolean> {
const kc = new KubeConfig();
kc.loadFromDefault();
const rbac = kc.makeApiClient(RbacAuthorizationV1Api);
const review = { apiVersion: 'authorization.k8s.io/v1', kind: 'SubjectAccessReview',
spec: { user, resourceAttributes: { namespace, verb, resource } } };
const result = await rbac.createSubjectAccessReview(review);
return result.body.status?.allowed ?? false;
}
Role Assignment
async function assignTeamNamespace(team: string, group: string, gpuLimit: number): Promise<void> {
await kubectl(`create namespace ${team}`);
await kubectl(`create resourcequota ${team}-gpu --namespace=${team} --hard=requests.nvidia.com/gpu=${gpuLimit}`);
await kubectl(`create rolebinding ${team}-access --namespace=${team} --clusterrole=edit --group=${group}`);
console.log(`Namespace ${team} created with ${gpuLimit} GPU quota bound to ${group}`);
}
async function revokeAccess(team: string, binding: string): Promise<void> {
await kubectl(`delete rolebinding ${binding} --namespace=${team}`);
}
Audit Logging
interface CoreWeaveAuditEntry {
timestamp: string; user: string; namespace: string;
action: 'gpu_request' | 'deploy' | 'scale' | 'delete' | 'quota_change';
resource: string; gpuCount?: number; result: 'allowed' | 'denied';
}
function logAccess(entry: CoreWeaveAuditEntry): void {
console.log(JSON.stringify({ ...entry, cluster: process.env.CW_CLUSTER_ID }));
}
RBAC Checklist
- Each team has a dedicated namespace with ResourceQuota
- GPU limits set per namespace to prevent resource starvation
- RoleBindings use AD/OIDC groups, not individual users
- Network policies isolate namespace traffic
- API keys scoped to team namespace, rotated quarterly
- Viewer role assigned to finance/management for cost visibility
- Audit logging enabled for all GPU allocation events
Error Handling
| Issue | Cause | Fix |
|---|---|---|
Forbidden: GPU quota exceeded |
Namespace quota reached | Increase ResourceQuota or free idle pods |
RoleBinding not found |
Group name mismatch with IdP | Verify AD/OIDC group name matches RoleBinding subject |
Namespace not found |
Team namespace not provisioned | Run namespace creation script before role assignment |
SubjectAccessReview denied |
Missing ClusterRole binding | Check if ClusterRole exists and verb is permitted |
Resources
Next Steps
See coreweave-security-basics.