Add Kubernetes logs access to Protected Environment settings
Extracted from #218861 (closed)
Problem to solve
Kubernetes logs are currently available only to users with the Developer role or higher, according to the project permissions matrix. For some environments it may be required to limit access to logs, similar to how deployments are safeguarded right now.
Intended users
User experience goal
Maintainers should be able to limit access to logs from selected environments.
Proposal
- Final solution could look like this (potentially split into several iterations)
- For an MVC we can add that to the protected environment settings in CI/CD
- For protected environments an additional setting is introduced: `Allowed to access logs` (similar to the current `Allowed to deploy`)
Implementation
- Add database relation to store protected environment settings for access to k8s logs !38486 (closed)
- Update services at https://gitlab.com/gitlab-org/gitlab/-/tree/master/ee/app/services/protected_environments to be able to process params for new relation from point 1, and manipulate new relation records
- Update `Projects::ProtectedEnvironmentsController` actions to accept new relation (from point 1) attributes
- Ensure that new relations data is passed to CI/CD settings views https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/controllers/ee/projects/settings/ci_cd_controller.rb#L27
- Update Protected Environment form template https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/views/projects/protected_environments/_form.html.haml
- Include already existing Protected Environment log access settings into https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/views/projects/protected_environments/_environments_list.html.haml
- Apply Protected Environment settings into `read_pod_logs` at `ProjectPolicy` as it is done at `EE::EnvironmentPolicy`
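The access decision from the last step, as an added example in plain Ruby (not GitLab's policy code or anything from the merge request): the Developer baseline still applies, and a protected environment additionally requires a matching `Allowed to access logs` entry. All class, field and method names are hypothetical; grants by role, user or group are assumed by analogy with `Allowed to deploy`, and 30 and 40 are GitLab's Developer and Maintainer access-level values.

```ruby
# Added illustration; plain Ruby, not GitLab's DeclarativePolicy code.
# All class, field and method names here are hypothetical.
DEVELOPER  = 30 # GitLab access-level values
MAINTAINER = 40

User = Struct.new(:id, :access_level, :group_ids)

# One "Allowed to access logs" entry: exactly one of the three fields is set,
# mirroring how an "Allowed to deploy" entry names a role, a user or a group.
LogAccessGrant = Struct.new(:access_level, :user_id, :group_id) do
  def covers?(user)
    return user.access_level >= access_level if access_level
    return user.id == user_id if user_id
    user.group_ids.include?(group_id)
  end
end

ProtectedEnvironment = Struct.new(:name, :log_access_grants)

# Decide read_pod_logs for one environment.
# protected_envs: Hash of environment name => ProtectedEnvironment
def can_read_pod_logs?(user, environment_name, protected_envs)
  # Baseline from the permissions matrix: Developer role or higher.
  return false if user.nil? || user.access_level < DEVELOPER

  protection = protected_envs[environment_name]
  # Unprotected environment: the baseline alone decides.
  return true if protection.nil?

  # Protected environment: default deny unless a grant covers the user.
  protection.log_access_grants.any? { |grant| grant.covers?(user) }
end

# Constructed sample data.
PROTECTED = {
  "production" => ProtectedEnvironment.new("production", [
    LogAccessGrant.new(MAINTAINER, nil, nil), # role-based grant
    LogAccessGrant.new(nil, 7, nil),          # single user
    LogAccessGrant.new(nil, nil, 99)          # group
  ]),
  "locked" => ProtectedEnvironment.new("locked", []) # protected, no grants
}.freeze
```

A protected environment with an empty grant list denies everyone, including Maintainers, and a user-level grant does not lift a user below the Developer baseline.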