Add granular control for cross-group Kubernetes Agent authorization

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Problem Statement

The current organization_cluster_agent_authorization_enabled application setting is binary and applies instance-wide. When enabled, it allows any agent configuration to authorize projects/groups from different top-level groups. This creates a security concern for administrators who want to enable cross-group authorization for specific top-level groups only, without opening it up for the entire instance.

Current behavior:

  • Disabled (default): Agents can only authorize projects/groups within the same top-level group
  • Enabled: Any agent can authorize any project/group on the instance

Security concern: Enabling instance-wide cross-group authorization may be too permissive for organizations that want to maintain stricter boundaries between certain top-level groups while allowing collaboration between others.

Proposal

Introduce more granular control over cross-group Kubernetes Agent authorization. Possible approaches:

Option 1: Top-level group allowlist

Add an admin setting to specify which top-level groups are allowed to be cross-authorized:

  • Administrators configure an allowlist of top-level group IDs/paths
  • Agent configurations can only authorize groups that are either:
    • Within the same top-level group (existing behavior), OR
    • Listed in the admin allowlist

Option 2: Per-group permission setting

Add a group-level setting that controls whether a group can be authorized by agents from other top-level groups:

  • Group owners/maintainers can enable "Allow cross-group agent authorization" for their group
  • Agents can only authorize groups that have this setting enabled

Option 3: Hybrid approach

Combine both options:

  • Admin setting to enable the feature
  • Admin allowlist for which top-level groups can participate
  • Per-group opt-in for groups that want to be authorizable cross-group

Related Issues/MRs

Edited by 🤖 GitLab Bot 🤖