Add cookie-based user access to the k8s API proxy

Hordur Freyr Yngvason requested to merge add-user-access-to-proxy into master

This MR implements the KAS part of the following diagram:

```mermaid
sequenceDiagram

Frontend->>+Rails AgentClusterController: browse /:project/-/cluster_agents/:cluster
note over Frontend,Rails AgentClusterController: the cookie is bound to the `/k8s-proxy`<br/>path and the KAS domain and is `httponly`.
Rails AgentClusterController-->>-Frontend: set `_gitlab_kas` cookie, respond CSRF token
note over Frontend,KAS: The Frontend makes a pre-flight request to KAS to get the CORS headers<br/>This is necessary if KAS is on GitLab subdomain (SOP).
Frontend->>+KAS: Kube API call to /k8s-proxy
note over Frontend,KAS: pass `_gitlab_kas` cookie, `X-CSRF-Token` and `GitLab-Agent-Id` headers
KAS->>+Rails Internal Kubernetes API: call to internal/kubernetes/authorize_proxy_user API
note over KAS,Rails Internal Kubernetes API: forward `_gitlab_kas` cookie, CSRF Token and Agent Id
Rails Internal Kubernetes API-->>-KAS: user access information
note over KAS,Rails Internal Kubernetes API: information if the user was authorized or not
alt is authorized
    KAS->>+Kubernetes Cluster (via agentk): impersonated Kube API call
    note over KAS,Kubernetes Cluster (via agentk): the actual Kube API call from the Frontend
    Kubernetes Cluster (via agentk)-->>-KAS: Kube API response
end
KAS-->>-Frontend: Kube API response or unauthorized error
```

The Rails MR can be found here: gitlab-org/gitlab!104504 (merged)

Edited by Timo Furrer
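
The proxy-side checks from the diagram, sketched in Go as an added example (not code from this MR or from KAS). The `Authorizer` type, `PrepareUpstream`, the status codes, the header stripping and the identity string format are assumptions made for illustration; the cookie and header names come from the diagram, and `Impersonate-*` are the standard Kubernetes impersonation headers.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
)

// Cookie and header names as they appear in the diagram.
const cookieName, csrfHeader, agentIDHeader = "_gitlab_kas", "X-CSRF-Token", "GitLab-Agent-Id"

// Authorizer stands in for the internal/kubernetes/authorize_proxy_user call (hypothetical signature).
type Authorizer func(cookie, csrf string, agentID int64) (user string, ok bool)

// PrepareUpstream checks the browser request and returns the request to forward to the cluster.
func PrepareUpstream(r *http.Request, authorize Authorizer) (*http.Request, int) {
	c, err := r.Cookie(cookieName)
	csrf := r.Header.Get(csrfHeader)
	if err != nil || c.Value == "" || csrf == "" {
		return nil, http.StatusUnauthorized // cookie alone is not enough: CSRF token required
	}
	agentID, err := strconv.ParseInt(r.Header.Get(agentIDHeader), 10, 64)
	if err != nil || agentID <= 0 {
		return nil, http.StatusBadRequest
	}
	user, ok := authorize(c.Value, csrf, agentID)
	if !ok {
		return nil, http.StatusUnauthorized
	}
	up := r.Clone(r.Context()) // deep-copies headers; the original request is untouched
	// Browser-supplied impersonation headers must never reach the cluster.
	for name := range up.Header {
		if strings.HasPrefix(name, "Impersonate-") {
			up.Header.Del(name)
		}
	}
	// The session cookie and CSRF token are for the proxy only, not for the Kube API.
	for _, h := range []string{"Cookie", "Authorization", csrfHeader, agentIDHeader} {
		up.Header.Del(h)
	}
	up.Header.Set("Impersonate-User", user) // identity decided by Rails, not by the client
	return up, http.StatusOK
}

func main() {
	// Constructed request: cookie present but no CSRF token, so it is rejected.
	r, _ := http.NewRequest("GET", "/k8s-proxy/api/v1/pods", nil)
	r.AddCookie(&http.Cookie{Name: cookieName, Value: "constructed"})
	_, status := PrepareUpstream(r, func(string, string, int64) (string, bool) { return "", false })
	println(status)
}
```

The CORS pre-flight request is not covered here, since it carries neither the cookie nor the CSRF token.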
