Design: Provide a user-based kubeconfig using the GitLab-Agent connection
Problem Statement
As a Platform engineer, for security and compliance reasons, I want every engineer to access the cluster being authenticated as a specific user.
As an Application operator, in order to do my job, I want to access the cluster using my favourite tools.
Proposal
- user navigates to Operations / Clusters
- user clicks on the "..." menu beside an agent connection and selects "Create kubeconfig"
- a dialog shows up with some explanatory text and the necessary commands
Explanatory text:
You can quickly create or update a kubeconfig to connect to the cluster from your local computer. The connection will happen under your GitLab username, and cluster-side RBAC rights can be applied. To learn more about the details included, read our documentation.
The command list is similar to:
kubectl config --kubeconfig=config-demo set-cluster development --server=https://kas.gitlab.tld/k8s-proxy/
kubectl config --kubeconfig=config-demo set-credentials developer --token='pat:<agent id>:<personal access token>'
kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer
Security
This feature should be enabled/disabled in the agent configuration. By default, the feature is enabled.
user_access:
  minimum_role: developer
In the first iteration, setting the minimum_role won't be possible, to reduce scope. Only the boolean form is supported:
user_access: false | true
Edited by Viktor Nagy (GitLab)
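An added sketch (not GitLab's code and not part of the original proposal) of how a proxy could check the `pat:<agent id>:<personal access token>` credential and the `user_access` setting described above, failing closed on anything malformed. The function names, the numeric agent id, and the `developer` default applied to the boolean form are assumptions; the role ranks are GitLab's standard access levels.

```python
# Added illustration; all names here are hypothetical, not GitLab internals.
# GitLab access levels, used only to order the role names.
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30,
             "maintainer": 40, "owner": 50}


def parse_proxy_token(token):
    """Split 'pat:<agent id>:<personal access token>' into (agent_id, pat)."""
    kind, _, rest = token.partition(":")
    agent_id, sep, pat = rest.partition(":")
    # Assumption: agent ids are decimal integers.
    if kind != "pat" or not sep or not agent_id.isdigit() or not pat:
        raise ValueError("malformed kubeconfig token")
    return int(agent_id), pat


def user_access_allowed(agent_config, user_role, default_minimum="developer"):
    """Decide whether user_role may use the per-user kubeconfig for an agent.

    agent_config is the parsed agent configuration as a dict.
    """
    # The proposal says the feature is enabled when nothing is configured.
    setting = agent_config.get("user_access", True)
    if isinstance(setting, bool):
        # First-iteration form: user_access: false | true
        if not setting:
            return False
        # Assumption: the page does not state the role floor for 'true'.
        minimum = default_minimum
    elif isinstance(setting, dict):
        # Later form: user_access: {minimum_role: <role>}
        minimum = setting.get("minimum_role", default_minimum)
    else:
        return False  # unrecognised shape: fail closed
    if minimum not in ROLE_RANK or user_role not in ROLE_RANK:
        return False  # unknown role name: fail closed
    return ROLE_RANK[user_role] >= ROLE_RANK[minimum]


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_proxy_token("pat:42:PLACEHOLDER_PAT"))
    print(user_access_allowed({"user_access": {"minimum_role": "maintainer"}},
                              "developer"))
```

Because the feature is enabled by default, an agent configuration that omits `user_access` grants access under this sketch; operators who want it off must set `user_access: false` explicitly.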