Kubernetes User Impersonation for Namespace-Level RBAC Enforcement

## PRD: Kubernetes User Impersonation for Namespace-Level RBAC Enforcement

**Problem**: dot-ai uses a single shared ServiceAccount for all kubectl operations. Even with tool-level RBAC (PRD #392), a user restricted to `dotai-viewer` can still query resources in namespaces they shouldn't access because kubectl runs with the SA's full cluster permissions.

**Solution**: Use Kubernetes user impersonation (`--as`/`--as-group` flags) so kubectl commands execute with the authenticated user's identity. Kubernetes itself enforces namespace-level access — no application-level filtering needed. Disabled by default, enabled via Helm chart value.

**Detailed PRD**: See [prds/401-namespace-rbac-impersonation.md](https://github.com/vfarcic/dot-ai/blob/main/prds/401-namespace-rbac-impersonation.md)

**Priority**: High

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kubernetes User Impersonation for Namespace-Level RBAC Enforcement #401

PRD: Kubernetes User Impersonation for Namespace-Level RBAC Enforcement

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Kubernetes User Impersonation for Namespace-Level RBAC Enforcement #401

Description

PRD: Kubernetes User Impersonation for Namespace-Level RBAC Enforcement

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions