GitLab agent for K8s ci_access sharing does not work across top level groups

Problem to solve

On self-managed instances, sharing a registered agent across the whole instance should be possible.

History

This is a follow-up to KAS CI/CD Tunnel ci_access does not work for pr... (#346566 - closed)

Originally, the agent had to be a direct descendant of the group where the shared projects lived. We lifted this restriction as part of KAS CI/CD Tunnel ci_access does not work for pr... (#346566 - closed), but it's still required that the agent and the shared projects have a common top-level root group.

Proposal

gitlab.example.com/
|- infra-group/infra-project
|  |- my-agent
|- dev-group/app-project

my-agent can be shared with the dev-group and all its projects.

Make it possible to enable/disable this feature to support large installations when the feature would cause a security or compliance risk.

Use the same admin setting that controls organization-level sharing (added in #357516 (closed)) to enable/disable this functionality.

Edited by Tiger Watson
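
The sharing described in the proposal, written out as configuration. This is an added example, not part of the original issue: it uses the group, project and agent names from the tree above and assumes the agent's configuration file sits at GitLab's usual `.gitlab/agents/<agent-name>/config.yaml` path. The namespace `dev-apps` and the `bitnami/kubectl` image are constructed values.

```yaml
# File in infra-group/infra-project: .gitlab/agents/my-agent/config.yaml
# Authorizes CI/CD jobs in dev-group and all of its projects to use my-agent.
# Under the restriction described in History, this entry only takes effect
# when dev-group shares a top-level root group with the agent's project;
# the proposal is to allow it across top-level groups on self-managed instances.
ci_access:
  groups:
    - id: dev-group
      # Constructed value. Sets the namespace of the kubectl context handed
      # to the job; what the job may actually do in the cluster is still
      # governed by the Kubernetes RBAC granted to the agent.
      default_namespace: dev-apps
---
# File in dev-group/app-project: .gitlab-ci.yml
# A job in the shared project selects the agent by context name,
# which has the form <path of the agent's project>:<agent name>.
deploy:
  image:
    name: bitnami/kubectl:latest   # assumed image providing kubectl
    entrypoint: [""]
  script:
    # Lists the contexts this job was given; my-agent appears only if shared.
    - kubectl config get-contexts
    - kubectl config use-context infra-group/infra-project:my-agent
    - kubectl get pods
```

Because every project under `dev-group` receives the context, reviewing which groups appear under `ci_access` in each agent's configuration is the practical audit point for the admin setting the proposal mentions.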