Allow disabling the local access when user_access is configured with the agent for Kubernetes
Release notes
Problem to solve
As a cluster admin, I want to give UI access to my users without giving them access from their local terminals.
Proposal
Add a configuration option to disable PAT access within user_access
    user_access:
      pat_enabled: true | false # true is default
Intended users
Feature Usage Metrics
Events:
- number of active (tunnel MAU > 0) agents with user_access used
- number of active agents with user_access used with pat_access disabled

Metric: % of agents with user_access configured and pat_access disabled
Does this feature require an audit event?
No
Implementation Proposal
see #493888 (comment 2150279840)
- Handle authorization in Rails, which means that we check for enabled PAT access in the internal/kubernetes/authorize_proxy_user endpoint.
- For this to work we need access to the agent configuration which currently works via a DB config proxy.
- We have the internal/kubernetes/agent_configuration endpoint which stores the necessary parts of the agent configuration in the DB. Today, that's only data about ci and user access related to the authorized projects and groups.
- Thus, in the internal/kubernetes/agent_configuration endpoint we also need to store the new user_access.pat_enabled field.
- Make sure that in GitLab Free and GitLab Premium PAT access is NOT configurable - always returns true. Thus, it's only supported in GitLab Ultimate
- In the GitLab Agent code base we need to add the new user_access.pat_enabled field to the agent configuration schema. No further implementation required.
Edited by 🤖 GitLab Bot 🤖
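
The authorization decision from the implementation proposal, sketched as an added example in plain Ruby; it is not GitLab's code and not part of the original issue. `STORED_CONFIG`, `pat_enabled?`, the `authorize_proxy_user` function, the tier symbols and the `:session`/`:pat` credential kinds are hypothetical names chosen for illustration.

```ruby
# Added illustration only: plain Ruby, not GitLab's Rails code.
# Every name below is hypothetical.

# What the agent_configuration endpoint would persist per agent
# (constructed sample rows, keyed by a made-up agent id).
STORED_CONFIG = {
  1 => { "user_access" => { "pat_enabled" => false } },
  2 => { "user_access" => { "pat_enabled" => true } },
  3 => { "user_access" => {} } # field omitted, so the default applies
}.freeze

# Effective value of user_access.pat_enabled for an agent.
# Returns nil when the agent has no stored user_access block.
def pat_enabled?(config, tier)
  user_access = config && config["user_access"]
  return nil if user_access.nil?
  # Free and Premium: not configurable, always true.
  return true unless tier == :ultimate
  # Ultimate: only an explicit false disables PAT access (true is the default).
  user_access.fetch("pat_enabled", true) != false
end

# Decision the authorize_proxy_user endpoint would make.
# credential is assumed to be :session (UI) or :pat (local terminal).
def authorize_proxy_user(agent_id, credential:, tier:)
  # Fail closed on credential kinds this sketch does not know.
  return :forbidden unless %i[session pat].include?(credential)

  enabled = pat_enabled?(STORED_CONFIG[agent_id], tier)
  return :forbidden if enabled.nil?                    # user_access not configured
  return :forbidden if credential == :pat && !enabled  # local access disabled
  :ok
end
```

Under the proposal's tier rule, agent 1 above would accept PAT access again if the instance were evaluated as Premium, because the stored `false` is ignored outside Ultimate.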