GitLab as the authentication engine for Kubernetes
It would be great if we could set up the authentication of a Kubernetes cluster to use GitLab. This way users could log in to a dashboard, CLI, or other utility with their GitLab credentials and get their appropriate access.
For example, with group- or instance-wide clusters:
- You assign a namespace to a project or group
- Members of that project (maybe Maintainer or above) are then granted access to that namespace
This would be a much easier way to manage access than alternative solutions such as trying to tie this to LDAP or another data store. The ACL would already be done for you, since you are already controlling access in GitLab anyway.
Further, as we eventually replicate more and more of the features of the Kubernetes Dashboard, you will no longer need to use it. And with this feature in place, we can rely on k8s enforcing access controls rather than just GitLab application code, which will be more secure.
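As an added illustration (not GitLab's implementation and not part of the original proposal), the membership-to-namespace mapping described above can be expressed as a Kubernetes RBAC RoleBinding derived from project membership. It assumes member records shaped like GitLab's members API output, a `gitlab:` username prefix applied by the cluster's authenticator, and the built-in `edit` ClusterRole as the granted role; the binding name and sample data are hypothetical.

```python
import json

# GitLab numeric access levels run from Guest (10) to Owner (50).
MAINTAINER = 40


def namespace_role_binding(namespace, members, min_level=MAINTAINER,
                           cluster_role="edit", user_prefix="gitlab:"):
    """Build a RoleBinding granting qualifying members access to one namespace.

    members: list of dicts with username, access_level and state.
    user_prefix is an assumed convention for how the cluster's
    authenticator names GitLab users; cluster_role is an assumed choice.
    """
    subjects = [
        {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "User",
            "name": user_prefix + m["username"],
        }
        for m in sorted(members, key=lambda m: m["username"])
        # Blocked or otherwise inactive accounts must never reach the binding,
        # and anyone below the threshold gets no subject entry at all.
        if m.get("state") == "active" and m.get("access_level", 0) >= min_level
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": "gitlab-project-members", "namespace": namespace},
        "subjects": subjects,
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": cluster_role,
        },
    }


# Constructed sample membership for a hypothetical project.
SAMPLE_MEMBERS = [
    {"username": "alice", "access_level": 50, "state": "active"},
    {"username": "bob", "access_level": 40, "state": "active"},
    {"username": "carol", "access_level": 30, "state": "active"},
    {"username": "dave", "access_level": 40, "state": "blocked"},
]

if __name__ == "__main__":
    print(json.dumps(namespace_role_binding("team-a", SAMPLE_MEMBERS), indent=2))
```

Because the result is a namespaced RoleBinding rather than a ClusterRoleBinding, the Kubernetes API server confines the grant to the project's namespace even if the generating code has a bug elsewhere.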
Additional reading
k8s authentication: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies