Increase Kubernetes agent authorization limit for projects/groups
Release notes
The GitLab agent for Kubernetes allows sharing a single agent connection within a group-hierarchy. As we aim to support a single agent across a large multi-tenant clusters, you might have faced a limitation on the number of connection sharing. Until now, we allowed an agent to be shared with only 100-100 projects and groups, separately for CI and user access. In GitLab 17.0, we raised these limits to 500.
If you face other reasons that require you to run multiple agents within a cluster, we would like to hear your feedback.
Problem to solve
When using the Kubernetes Agent, we need to authorize which projects or groups can have access to the cluster. We don't want to allow access for projects that don't need it. At the moment there is a hard limit of 100 projects/groups per agent.
You can authorize up to 100 projects.
You can authorize up to 100 groups.
At the moment the alternative is to create multiple agents (e.g. 100 limit each) on the same cluster to move forward.
Proposal
With some customers having large number of projects and subgroups, it might be a good idea to do either of the following:
- Increase the limit from 100 to 1000.
- or add a configuration option to control this limit.
Possible workarounds
- Using multiple agents. Cons: all the agents need to be upgraded, tokens rotated.
- Share the agent at the top of the group and use user impersonation with K8s RBAC to only authorize access to selected projects
Intended users
Feature Usage Metrics
Does this feature require an audit event?
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.