Frontend access to Kubernetes API through KAS
Proposal
Build on the technical foundation of the CI tunnel to enable Kubernetes API access directly from the GitLab frontend.
Motivation
This would remove the need for building out bespoke endpoints in the GitLab rails backend or KAS for features that really only require K8S API access, enabling very rapid iteration on the frontend.
Use cases
- An obvious example is the resource dashboard
- This could also be used to enhance existing features, such as Deploy Boards without reactive caching, and more reliable Pod terminals
- Something more far out, but possibly exciting, like a webassembly.sh terminal with built-in kubectl (compiled to wasm)
Security
Roughly the same as for the CI tunnel, but with the frontend replacing the role of the runner. The frontend obtains a token (or cookie) that it can use to call KAS, and KAS uses the token to route the request to the cluster.
Like the CI tunnel, there would be two tiers of authorization:
- GitLab-rails controls who can obtain a token
- In-cluster RBAC based on the identity reported by KAS
This should be an optional function, i.e. it should be possible to disable.
Edited by Hordur Freyr Yngvason