Clarify "The Kubernetes projects must be in the same group hierarchy as the project where the agent’s configuration is."

I tried to use Auto DevOps on our on-premise GitLab 14.7.1-ee Premium, but deployment to our internal k8s does not work.

The section Authorize the agent has the following sentence, which I would like to have clarified:

The Kubernetes projects must be in the same group hierarchy as the project where the agent’s configuration is.

Suppose I have the following layout of groups and projects:

flowchart TD
    gTop((ROOT)) --> gPar((gPar)) & gOther((gOther))
    gPar --> pParent[pParent❓] & gSib((gSib)) & gOwn(((gOwn)))
    gSib --> pRelative[pRelative❓]
    gOwn --> pAgent{pAgent} & pSibling[pSibling✅] & gSub((gSub))
    gSub --> pDescendant[pDescendant❓]
    gOther --> pOther[pOther❌]
    pAgent -.-> gOwn

Suppose that pAgent is my project containing the "agents configuration" - in my case the Gitlab Cluser Management project. It's .gitlab/agents/phahn-k8s/config.yaml contains this:

ci_access:
  groups:
    - id: gPar/gOwn

Which of the following projects can use the agent phahn-k8s?

pParent – project in any parent group ❓
pRelative – project sharing any common parent group ❓
pSibling – project in the same group
pDescendant – project in any sub-group ❓
pOther – project in a different top-level-group ❌

Edited Mar 19, 2026 by Philipp Hahn