Restrict access to a tunnel to specific branches
Release notes
The CI/CD tunnel provided by the GitLab Kubernetes Agent enables GitLab users to keep using their existing CI/CD based workflows, and still leverage the secure integration of a Kubernetes cluster with GitLab. A CI/CD tunnel can be shared among multiple groups and projects to save on resources and to simplify maintenance.
Until now, if a CI/CD tunnel was available to a project for an environment, it could be used from every branch of that project for the authorized environments. This limited the possible use cases, as some users prefer to restrict access to certain tunnels to specific branches. This change lets them configure such a restriction; for example, they can now allow access to the production cluster only from the main branch.
Access to the CI/CD tunnel can now be restricted to specific branches matching a wildcard pattern.
Problem to solve
As a Platform Engineer, I want to restrict ci_access sharing of the production cluster connection to CI jobs that run on a protected branch.
As a Platform Engineer, I want to restrict ci_access sharing of the staging cluster connection to CI jobs that run on the main branch.
As a Platform Engineer, I want to restrict ci_access sharing of the dev cluster connection to CI jobs that run on a review branch.
A very detailed presentation of the problem is provided in #343885 (comment 1238366565)
Proposal
The feature can be configured in code:

```yaml
ci_access:
  # This agent is accessible from CI jobs in projects in these groups
  groups:
    - id: group/subgroup
      environments:
        - staging
      branches:
        - development
    - id: group/subgroup2
      environments:
        - dev
        - review/*
      branches:
        - review/*
```
If no branch restriction is configured for a given project or group, the tunnel should be available on all branches.
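To make the proposed semantics concrete, the following is an added example (not GitLab's agent code) that evaluates an agent configuration of the shape shown above against a CI job's project, environment and branch. The config dictionary is constructed for the example; the wildcard semantics (shell-style globbing via fnmatch, where `*` also matches `/`) and the rule that an omitted `environments` key means "all environments" are assumptions, as is the helper `project_in_group`, which treats a project as a member of a group by path prefix.

```python
from fnmatch import fnmatchcase

# Constructed example config mirroring the proposal above (not a real agent config file).
# The third group entry carries no restriction, so the tunnel is available on all
# of its environments and branches.
AGENT_CONFIG = {
    "ci_access": {
        "groups": [
            {"id": "group/subgroup", "environments": ["staging"], "branches": ["development"]},
            {"id": "group/subgroup2", "environments": ["dev", "review/*"], "branches": ["review/*"]},
            {"id": "group/subgroup3"},
        ]
    }
}


def _matches_any(value, patterns):
    """True if value matches at least one pattern (assumed glob semantics: '*' matches anything)."""
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def project_in_group(project_path, group_id):
    """Hypothetical membership check: 'group/subgroup/app' belongs to 'group/subgroup'
    and to 'group', but not to 'group/sub'."""
    return project_path == group_id or project_path.startswith(group_id + "/")


def tunnel_allowed(config, project_path, environment, branch):
    """Decide whether a CI job may use this agent's tunnel.

    Rules (from the proposal; wildcard semantics assumed):
      - the job's project must belong to one of the configured groups,
      - if that entry lists 'environments', the job's environment must match one,
      - if that entry lists 'branches', the job's branch must match one;
        when 'branches' is absent the tunnel is available on all branches.
    The first matching entry grants access; if none matches, access is denied.
    """
    for entry in config.get("ci_access", {}).get("groups", []):
        if not project_in_group(project_path, entry["id"]):
            continue
        environments = entry.get("environments")
        if environments is not None and not _matches_any(environment or "", environments):
            continue
        branches = entry.get("branches")
        if branches is not None and not _matches_any(branch or "", branches):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed sample jobs: (project, environment, branch)
    jobs = [
        ("group/subgroup/app", "staging", "development"),
        ("group/subgroup/app", "staging", "main"),
        ("group/subgroup2/app", "review/42", "review/42"),
        ("group/subgroup2/app", "dev", "main"),
        ("group/subgroup3/app", "production", "main"),
        ("other/app", "staging", "development"),
    ]
    for project, env, branch in jobs:
        verdict = "allowed" if tunnel_allowed(AGENT_CONFIG, project, env, branch) else "denied"
        print(f"{project:24} env={env:10} branch={branch:12} -> {verdict}")
```

Note that the decision is made on the branch name only. The restriction is therefore only as strong as the protection on that branch: anyone who can push to a branch named `main` or `review/*` gets whatever the matching entry grants, which is why the user stories pair the production cluster with a protected branch.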
Intended users
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.