Design: Provide a user-based kubeconfig using the GitLab-Agent connection


Problem Statement

As a Platform engineer, for security and compliance reasons, I want every engineer to access the cluster being authenticated as a specific user.

As an Application operator, in order to do my job, I want to access the cluster using my favourite tools.

Proposal

  1. user navigates to Operations / Clusters
  2. user clicks on the ... menu beside an agent connection and
  3. selects "Create kubeconfig"
  4. a dialog shows up with some explanatory text and the necessary commands

Explanatory text:

You can quickly create or update a kubeconfig to connect to the cluster from your local computer. The connection will happen under your GitLab username, and cluster-side RBAC rights can be applied. To learn more about the details included, read our documentation.

The command list is similar to:

kubectl config --kubeconfig=config-demo set-cluster development --server=https://kas.gitlab.tld/k8s-proxy/
kubectl config --kubeconfig=config-demo set-credentials developer --token='pat:<agent id>:<personal access token>'
kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer

Security

This feature should be enabled/disabled in the agent configuration. By default, the feature is enabled.

user_access:
  minimum_role: developer

To reduce scope, setting the minimum_role won't be possible in the first iteration.

user_access: false | true
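
Passing the credential as `--token=...` on a kubectl command line, as in the command list above, leaves the personal access token in shell history and in the process list. The following added example (not part of the original issue and not GitLab's code) writes the same cluster, user and context entries directly to an owner-only file instead. The function name `write_agent_kubeconfig`, the `GITLAB_PAT` environment variable, the numeric agent id and the token character allow-list are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not GitLab's code. Cluster, user, context and namespace names
# come from the command list; write_agent_kubeconfig and GITLAB_PAT are assumed.
# The body runs in a subshell so the umask change does not leak to the caller.
write_agent_kubeconfig() (
  out="$1"; server="$2"; agent_id="$3"; token="${GITLAB_PAT:-}"

  # Assumption: agent ids are plain integers.
  case "$agent_id" in
    ''|*[!0-9]*) echo "agent id must be numeric" >&2; return 2 ;;
  esac
  # Assumed allow-list: keeps the token safe inside a double-quoted YAML scalar.
  case "$token" in
    ''|*[!A-Za-z0-9_.-]*) echo "GITLAB_PAT empty or malformed" >&2; return 2 ;;
  esac
  # The token is a bearer credential: refuse anything but an https endpoint.
  case "$server" in
    *[!A-Za-z0-9:/._-]*) echo "unexpected character in server URL" >&2; return 2 ;;
    https://*) ;;
    *) echo "server must use https" >&2; return 2 ;;
  esac

  umask 077                                   # file is created as 0600
  tmp="$(mktemp "${out}.XXXXXX")" || return 1
  cat > "$tmp" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: development
  cluster:
    server: "${server}"
users:
- name: developer
  user:
    token: "pat:${agent_id}:${token}"
contexts:
- name: dev-frontend
  context:
    cluster: development
    namespace: frontend
    user: developer
EOF
  # Rename into place so a reader never sees a half-written file.
  mv -f "$tmp" "$out"
)
```

As with the original commands, no current context is set, so select it explicitly, for example `kubectl --kubeconfig=config-demo --context=dev-frontend get pods`.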