Use allowlist for response headers in Kubernetes API proxy


This change set switches the filtering strategy of safe and secure response headers in the Kubernetes API proxy from a denylist to an allowlist.

This might be a breaking change for some users who relied on custom headers that need to be proxied to Kubernetes tooling, like kubectl or custom tool integrations with the Kubernetes API. Analysis on GitLab.com has shown that this is not the case. If anyone is still impacted, please configure extra allowed headers and, if that header should be generally allowed, please post a comment in gitlab-org/gitlab#550614.

Refs https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/642
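
The difference between the two filtering strategies, as an added example that is not part of this merge request or the GitLab agent code base. The header lists, the `X-Internal-Debug` and `X-Custom-Tool-Hint` names, and all sample values are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
)

// Illustrative lists (assumptions), not the ones the GitLab agent ships.
var defaultAllowed = []string{"Content-Type", "Content-Length", "Date", "Audit-Id", "Warning"}
var denied = []string{"Set-Cookie", "Server"}

// sampleUpstream is a constructed response; the X-* header names are hypothetical.
var sampleUpstream = http.Header{"Content-Type": {"application/json"}, "Audit-Id": {"constructed"}, "Set-Cookie": {"s=constructed"}, "X-Internal-Debug": {"constructed"}, "X-Custom-Tool-Hint": {"v1"}}

func canonicalSet(names []string) map[string]bool {
	set := map[string]bool{}
	for _, n := range names {
		set[textproto.CanonicalMIMEHeaderKey(n)] = true // so "audit-id" matches "Audit-Id"
	}
	return set
}

// copyIf returns a copy of in holding only the headers for which keep reports true.
func copyIf(in http.Header, keep func(name string) bool) http.Header {
	out := http.Header{}
	for k, v := range in {
		if ck := textproto.CanonicalMIMEHeaderKey(k); keep(ck) {
			out[ck] = append([]string(nil), v...)
		}
	}
	return out
}

// filterDenylist forwards everything not explicitly denied, so unanticipated headers pass.
func filterDenylist(in http.Header) http.Header {
	block := canonicalSet(denied)
	return copyIf(in, func(n string) bool { return !block[n] })
}

// filterAllowlist forwards only default-allowed headers plus operator-configured extras.
func filterAllowlist(in http.Header, extra []string) http.Header {
	allow := canonicalSet(append(append([]string{}, defaultAllowed...), extra...))
	return copyIf(in, func(n string) bool { return allow[n] })
}

func main() {
	fmt.Println("denylist: ", filterDenylist(sampleUpstream))
	fmt.Println("allowlist:", filterAllowlist(sampleUpstream, []string{"x-custom-tool-hint"}))
}
```

With the denylist, the header nobody thought to list reaches the client. With the allowlist, a custom header is forwarded only after it is configured as an extra allowed header.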
