[Feature]: Namespace-scoped AuthZ/RBAC for Multi-Team Sharing

[KenKilty]

Is there an existing feature request for this?

• I have searched the existing issues

Problem or Motivation

Add basic (coarse) AuthZ to support multiple project teams sharing one KubeAirunway instance via namespace isolation (e.g., AKS-style). Avoids “one deploy per team” sprawl while ensuring security.

Motivation:

• IT teams need quick stamp-outs but shared GPU/compute efficiency.
• Current single-namespace limits multi-tenancy.

Requirements:

• Web UI auth (OIDC/basic) maps users/groups to namespaces
• RBAC enforcement:  can-i hecks for create/list in user’s ns only
• Inference CRDs scoped to spec.namespace
• Namespace quotas for resources/models

Prototype with Keycloak/OIDC proxy for feedback

Proposed Solution

Auth Flow:

1. Login -> Impersonate SA bound to user's ns.
2. UI filters resources to authorized ns.
3. Controller mutates/admits based on ns RBAC.

Quotas via K8s ResourceQuota.
MVP Scope:

• OIDC integration + ns selector in UI.
• Tests for cross-ns denial.

Alternatives Considered

Reverse ProxyBased Approach

Deploy as a sidecar or ingress proxy:
Auth Flow: User logs in via OIDC (Entra AD, etc.); proxy extracts groups/claims to map to namespaces (e.g., group “team-a” -> ns-team-a).
Headers: Injects  Impersonate-User / Impersonate-Group  for backend RBAC checks.
Routing: Path/Host-based (e.g., team-a.kubeairunway.example.com) or query param for ns selection, validated server-side.

Feature Area

Deployments / Model Management

How important is this feature to you?

Nice to have

Mockups or Examples

No response

Additional Context

No response

[sozercan]

please see #67

[KenKilty]

Sorry I missed that thank you. Get Outlook for iOS<https://aka.ms/o0ukef>

…

________________________________ From: Sertaç Özercan ***@***.***> Sent: Tuesday, February 10, 2026 7:41:27 PM To: kaito-project/kubeairunway ***@***.***> Cc: Author ***@***.***> Subject: Re: [kaito-project/kubeairunway] [Feature]: Namespace-scoped AuthZ/RBAC for Multi-Team Sharing (Issue #65) please see #67<#67> — Reply to this email directly, view it on GitHub<#65 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AB2H7WAY3NPIKLAQCL7HDY34LJ3DPBFKMF2HI4TJMJ2XIZLTSWBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFUY4DKMRXGUYKI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLKRZG44TGOJQG4ZDKMVENZQW2ZNJNBQXGX3MMFRGK3FMON2WE2TFMN2F65DZOBS2YSLTON2WKQ3PNVWWK3TUUZ2G64DJMNZZFAVEOR4XAZNKOJSXA33TNF2G64TZUV3GC3DVMWVDCMJRGI2TQMZYGUYIFJDUPFYGLJLJONZXKZNFOZQWY5LFVIZTSMRTG4ZDINRTGOTXI4TJM5TWK4VGMNZGKYLUMU>. You are receiving this email because you authored the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.