Ensure only gitlab-kas is allowed access to internal Kubernetes API
Given we now expose sensitive information since !38654 (merged), we need to restrict the internal Kubernetes API to gitlab-kas only: not the agent (that runs on the cluster), nor anyone with access to the agent token.
The following discussion from !38654 (merged) should be addressed:
- @WarheadsSE started a discussion: (+3 comments) To be clear, is this production.gitaly.token directly from gitlab.yml?
Proposal
- !39781 (diffs)
  - Add JWT authentication to lib/api/internal/kubernetes.rb
  - Add configuration for the JWT secret for the above (because certain installs keep secrets outside of the Rails root)
- Update gitlab-kas to sign with JWT (gitlab-org/cluster-integration/gitlab-agent!54 (merged))
  - JWT header is Gitlab-Kas-Api-Request
  - iss is gitlab-kas
- Update GDK to generate the new JWT secret (gitlab-development-kit!1482 (merged))
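The check the proposal describes, as an added example that is not code from !39781 or from gitlab-kas: the sender mints an HS256 JWT with iss set to gitlab-kas and sends it in the Gitlab-Kas-Api-Request header; the internal API verifies the signature with the shared secret and rejects anything not issued by gitlab-kas. The secret value and the kas_sign / kas_request_authorized? names are assumptions of this example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed values for this example. In a deployment the secret is read from
# the file both the Rails app and gitlab-kas are configured with.
KAS_SHARED_SECRET = 'constructed-example-shared-secret'.freeze
KAS_HEADER = 'Gitlab-Kas-Api-Request'.freeze
KAS_ISSUER = 'gitlab-kas'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Sender side (what gitlab-kas does): mint a compact HS256 JWT whose iss claim
# names gitlab-kas, to be sent in the Gitlab-Kas-Api-Request header.
def kas_sign(secret, issuer: KAS_ISSUER, now: Time.now.to_i, ttl: 300)
  header  = b64url(JSON.generate(alg: 'HS256', typ: 'JWT'))
  payload = b64url(JSON.generate(iss: issuer, iat: now, exp: now + ttl))
  input   = "#{header}.#{payload}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side (what the internal API should do): accept the request only if
# the header carries a token signed with the shared secret, with alg HS256,
# iss == gitlab-kas and a non-expired exp. A token signed with any other key,
# e.g. an agent token, fails the signature check and is rejected.
def kas_request_authorized?(headers, secret, now: Time.now.to_i)
  token = headers[KAS_HEADER]
  return false unless token.is_a?(String)
  parts = token.split('.')
  return false unless parts.size == 3
  head, body, sig = parts
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{head}.#{body}")
  return false unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  hdr = JSON.parse(Base64.urlsafe_decode64(head))
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return false unless hdr['alg'] == 'HS256' && claims['iss'] == KAS_ISSUER
  claims['exp'].is_a?(Integer) && claims['exp'] > now
rescue ArgumentError, JSON::ParserError
  false
end
```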
Potentially out of scope / follow-up issues
- Update helm chart (gitlab-org/charts/gitlab!1465 (diffs))
- Update omnibus (https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md), because we haven't generally added support for kas in omnibus yet
Workaround / mitigation
Do not enable the kubernetes_agent_internal_api feature flag. This is not ready for any use other than development.
Edited by Thong Kuah