Fire an audit even when the agent configuration file changes
Release notes
Problem to solve
As a compliance manager, I want to ensure that all agent for Kubernetes connections follow our standards and that no changes go unnoticed, so I can ensure compliance.
Because the agent for Kubernetes grants cluster access to the projects and groups it is shared with, even a change that merely extends the scope of that access is relevant from a compliance standpoint, although Kubernetes RBAC can still be used extensively to restrict access in-cluster.
Proposal
Fire an audit event whenever an agent config file changes
Intended users
Feature Usage Metrics
No new metrics
Does this feature require an audit event?
No
Implementation Plan
Prerequisites:
Rails Internal API Updates
- Update POST internal/kubernetes/agent_configuration:
  - Add support for the commit SHA of the agent configuration file.
Rails Changes
- Tiering: this must be implemented in the EE code as GitLab Premium and GitLab Ultimate features only. The API code must still accept all the fields even in GitLab Free because KAS is NOT aware of GitLab tiers.
- Trigger Audit Event:
  - Use the POST internal/kubernetes/agent_configuration endpoint as the trigger to track changes and fire audit events.
  - This endpoint is invoked by KAS whenever changes to the agent configuration file are detected (via Gitaly).
- Helper Function:
  - Add a helper in agent_helpers.rb to:
    - Track Changes:
      - Use the received commit SHA to detect changes.
      - Record the last known commit in the agent table.
    - Fire Audit Events:
      - If a new commit is detected, update the agent table and fire an audit event with the old and new commit SHAs.
      - The helper is always called, even if no changes occur, so ensure audit events are only fired when necessary.
KAS Changes (done)
- Send the commit SHA of the agent configuration file in the agent configuration module server code.
Impact
- Fire audit events the first time when the agent table fields are still NULL. We don't need backfills.
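The change-tracking logic the helper is meant to implement, as an added Ruby example that is not GitLab's code: the agent record, the audit sink and the SHA values are constructed stand-ins, and the function and field names are assumptions rather than the real Rails models.

```ruby
# Added example, not GitLab code. Models the agent_helpers.rb helper the
# plan describes: compare the SHA KAS sent with the last known commit,
# update the agent row and audit only when something actually changed.

# Stand-in for the agent table row; last_config_commit_sha starts NULL
# for existing agents, so the first call after rollout is audited too
# and no backfill is needed (the "Impact" point above).
AgentRecord = Struct.new(:id, :last_config_commit_sha)

# Stand-in for the audit event sink (the real helper would call the
# audit event service); each entry carries the old and new SHAs.
AUDIT_LOG = []

# A Git commit SHA is 40 hex characters; reject anything else before it
# can end up in the table or in an audit record.
SHA_PATTERN = /\A\h{40}\z/

# Called on every POST internal/kubernetes/agent_configuration request,
# even when nothing changed. Returns the audit event fired, or nil when
# the SHA is unchanged so repeated KAS calls stay silent.
def track_agent_config_change(agent, received_sha, audit_log: AUDIT_LOG)
  raise ArgumentError, "invalid commit SHA" unless SHA_PATTERN.match?(received_sha)

  previous_sha = agent.last_config_commit_sha
  return nil if previous_sha == received_sha

  # New commit detected: record it, then audit old -> new. A nil old SHA
  # marks the first observation of this agent's configuration.
  agent.last_config_commit_sha = received_sha
  event = {
    event_name: "agent_configuration_changed",
    agent_id: agent.id,
    old_sha: previous_sha,
    new_sha: received_sha
  }
  audit_log << event
  event
end
```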