KAS CI/CD Tunnel ci_access does not work for projects/groups outside of the group with the agent config project

Summary

Kubernetes Agent CI/CD Tunnel CI Access, as documented at https://docs.gitlab.com/ee/user/clusters/agent/repository.html#authorize-projects-and-groups-to-use-an-agent, only works for projects within the group that contains the agent configuration project.

Despite defining the ci_access groups/projects, the KUBECONFIG variable is not injected for any groups/projects other than the group containing the agent config.

I initially discovered this on a self-managed installation deployed using the GitLab Helm chart and have reproduced the issue on GitLab.com.

This issue is currently blocking an Ultimate licensed customer with whom we are working.

Proposal

GitLab Hosted

On gitlab.com, support the following CI/CD tunnel sharing:

gitlab.com/top-namespace/
|- infra-group/infra-project
|  |- my-agent
|- dev-group/app-project

my-agent can be shared with the dev-group and all its projects.

Original bug report

Steps to reproduce

Create the following structure:

  • Group: Infrastructure (everything in here will get the KUBECONFIG variable)
    • Project: Agent Config (add KAS config.yaml here, allowing access to the "Infrastructure" and "Another Group" groups)
  • Group: Another Group (nothing in here will get the KUBECONFIG variable)
    • Project: Another Project (this won't get the KUBECONFIG variable)

Example Project

See the following group for an example: https://gitlab.com/ottra-gold/kas-ci-access-issue

Agent config project: https://gitlab.com/ottra-gold/kas-ci-access-issue/infrastructure/kubernetes

All other projects contain the same .gitlab-ci.yml file.

What is the current bug behavior?

ci_access only works for groups/projects within ottra-gold/kas-ci-access-issue/infrastructure

What is the expected correct behavior?

ci_access should work for ottra-gold/kas-ci-access-issue/a-project and ottra-gold/kas-ci-access-issue/another-group too.

Relevant logs and/or screenshots

Working: https://gitlab.com/ottra-gold/kas-ci-access-issue/infrastructure/a-working-project/-/jobs/1818621002

Not Working: https://gitlab.com/ottra-gold/kas-ci-access-issue/another-group/another-project/-/jobs/1818626156

Related

&3329

Edited by Nicolò Maria Mezzopera
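
A sketch of the two files the reproduction steps above rely on, added here as an example and not copied from the example project or from the reporter: the agent `config.yaml` authorizing both groups, and a CI job that fails fast when KUBECONFIG was not injected. The agent name `<agent-name>`, the job name and the `bitnami/kubectl` image are assumptions; the group and project paths are the ones named in the report.

```yaml
# File 1, in the agent config project
# (ottra-gold/kas-ci-access-issue/infrastructure/kubernetes):
#   .gitlab/agents/<agent-name>/config.yaml
# <agent-name> is a placeholder; the report does not name the agent.
ci_access:
  groups:
    # Every project in a listed group gets CI/CD tunnel access to the
    # cluster through this agent, so list only the groups that need it.
    - id: ottra-gold/kas-ci-access-issue/infrastructure
    - id: ottra-gold/kas-ci-access-issue/another-group
---
# File 2, in each project under test: .gitlab-ci.yml
# (assumed job; the report only says all projects share one file)
check-agent-access:
  image:
    name: bitnami/kubectl:latest   # assumed image that ships kubectl
    entrypoint: ['']
  script:
    # Fail with a clear message when the runner did not inject KUBECONFIG,
    # which is the symptom described for projects outside "infrastructure".
    - |
      if [ -z "${KUBECONFIG:-}" ]; then
        echo "KUBECONFIG not injected: project is not authorized via ci_access"
        exit 1
      fi
    # List the agent contexts the job was granted, then select the shared one.
    # Context names have the form <agent config project path>:<agent name>.
    - kubectl config get-contexts
    - kubectl config use-context "ottra-gold/kas-ci-access-issue/infrastructure/kubernetes:<agent-name>"
```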