Restrict agent management on the group and project level
Problem to solve
Currently, we have "Allow agent CI access sharing across top-level groups" (the `ci_access` configuration) and "Allow granting agent user access across top-level groups" (the `user_access` configuration).
Both work to restrict access to an existing Kubernetes agent to specific projects, groups and users.
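As an added illustration (not part of the original issue text), this is what the agent configuration file looks like when `ci_access` and `user_access` are scoped to specific groups and projects. The agent name and the group/project paths are placeholders. Note that this file lives in the agent's own project repository, and it only governs who may use an already registered agent; it says nothing about who may register additional agents, which is the gap this issue is about.

```yaml
# .gitlab/agents/<agent-name>/config.yaml   (agent name is a placeholder)

# Only pipelines in these groups/projects may use the agent's CI/CD tunnel.
ci_access:
  groups:
    - id: platform/delivery            # placeholder group path
  projects:
    - id: platform/billing-service     # placeholder project path

# Only members of these groups/projects may use the agent for user access
# (kubectl via the GitLab proxy), impersonating the agent's service account.
user_access:
  access_as:
    agent: {}
  groups:
    - id: platform/delivery            # placeholder group path
```

Any Maintainer of the agent's project can widen these lists, so they are a scoping mechanism for a trusted, centrally provided agent rather than a control over who can bring their own.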
What we do not currently have is a way to prevent users from adding their own (new) Kubernetes clusters or agents at lower group and project levels.
There is a customer need to limit these features from a security standpoint.
As an admin, we do not want any users to be able to add agents or Kubernetes clusters for CI/CD purposes. We would like them to be forced to use the cluster we provide.
See the internal ZD ticket.
Further details
To achieve this today, admins would need to withhold the Maintainer role (or higher) in groups and projects, because only Maintainer and above can manage agents in a group or project.
Custom roles do not currently offer a permission that could limit this either.
Proposal
We should give administrators more power to enforce Kubernetes usage in GitLab by allowing them to restrict the adding of Kubernetes clusters and agents at the lower project and group levels. Rather than tying this to a specific role, it would be better suited as a backend setting.