Today, we have a bit of a problem. We let you create (or add) a cluster and have it associated with the `production` environment, which means we'll only pass those cluster credentials when deploying to `production`. But we don't actually protect the cluster creds from malicious intent. What if a developer adds or edits a `.gitlab-ci.yml` inside a topic branch and configures pushes to that topic branch to deploy to `production`? What if they specify the deploy script as `env` to just capture all the creds so they can maliciously use them later? Organizations need to be able to ensure production credentials are exposed according to the principle of least privilege.
- Add a checkbox to protect a cluster, which would then only pass the cluster creds when acting on a protected branch, which presumably has been locked down correctly.
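
The gap and the proposed checkbox can be modelled as a credential-selection decision. The Ruby sketch below is an added example, not GitLab's implementation: `Cluster`, `Job`, `credentials_by_scope`, `credentials_for`, `job_variables`, the `CLUSTER_TOKEN` name and all sample values are hypothetical and constructed for illustration.

```ruby
# Added illustration; a simplified model, not GitLab's own code.
# All type, method and variable names below are hypothetical.
Cluster = Struct.new(:name, :environment_scope, :is_protected, :credentials)
Job     = Struct.new(:ref, :environment)

# Constructed sample data.
PROTECTED_BRANCHES = ["master"].freeze
PROD = Cluster.new("prod-cluster", "production", true,
                   { "CLUSTER_TOKEN" => "constructed-sample-token" })

# Behaviour described as the problem: the job's declared environment is the
# only gate, and that value comes from the branch's own .gitlab-ci.yml.
def credentials_by_scope(cluster, job)
  job.environment == cluster.environment_scope ? cluster.credentials : {}
end

# Proposed behaviour: a protected cluster also requires a protected ref.
def credentials_for(cluster, job, protected_branches)
  return {} unless job.environment == cluster.environment_scope
  return {} if cluster.is_protected && !protected_branches.include?(job.ref)
  cluster.credentials
end

# Variables the job script (for example `env`) would be able to read.
def job_variables(cluster, job, protected_branches)
  base = { "CI_COMMIT_REF_NAME" => job.ref }
  base.merge(credentials_for(cluster, job, protected_branches))
end

if __FILE__ == $PROGRAM_NAME
  topic   = Job.new("feature/topic", "production") # branch with edited CI file
  release = Job.new("master", "production")

  puts "scope only, topic: #{credentials_by_scope(PROD, topic).keys}"
  puts "protected, topic:  #{job_variables(PROD, topic, PROTECTED_BRANCHES).keys}"
  puts "protected, master: #{job_variables(PROD, release, PROTECTED_BRANCHES).keys}"
end
```

With scope matching alone, the topic-branch job receives the production credentials. With the protected flag set, the same job sees only its ordinary variables, so dumping the environment yields nothing sensitive.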