
Add egress ip options in remote development agent configs

Vishal Tak requested to merge vtak/egress_agent_config_db into master

What does this MR do and why?

Issue: #427234 (closed)

Add options to configure the network policy egress rules for the remote development module of the gitlab agent for kubernetes.

These values will be set in Backend: Updates to agent configuration updates... (#427235 - closed) and used in Backend: Use agent's egress IP rules to generat... (#427236 - closed).

The default allow list for egress is [{ "allow": "0.0.0.0/0", "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }] i.e. allow all internet traffic except those to private IPs. Giving users the ability to configure these values would mean they can accommodate their network configuration while keeping workspaces egress controlled.

DB changes

Migration

main: == [advisory_lock_connection] object_id: 180680, pg_backend_pid: 52650
main: == 20231107062104 AddNetworkPolicyEgressToAgent: migrating ====================
main: -- add_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
main:    -> 0.0040s
main: == 20231107062104 AddNetworkPolicyEgressToAgent: migrated (0.0210s) ===========

main: == [advisory_lock_connection] object_id: 180680, pg_backend_pid: 52650
ci: == [advisory_lock_connection] object_id: 180940, pg_backend_pid: 52652
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: migrating ====================
ci: -- add_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
ci:    -> 0.0017s
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: migrated (0.0128s) ===========

ci: == [advisory_lock_connection] object_id: 180940, pg_backend_pid: 52652

Rollback Main

main: == [advisory_lock_connection] object_id: 180360, pg_backend_pid: 51731
main: == 20231107062104 AddNetworkPolicyEgressToAgent: reverting ====================
main: -- remove_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
main:    -> 0.0030s
main: == 20231107062104 AddNetworkPolicyEgressToAgent: reverted (0.0172s) ===========

main: == [advisory_lock_connection] object_id: 180360, pg_backend_pid: 51731

Rollback CI

ci: == [advisory_lock_connection] object_id: 180380, pg_backend_pid: 52204
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: reverting ====================
ci: -- remove_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
ci:    -> 0.0014s
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: reverted (0.0129s) ===========

ci: == [advisory_lock_connection] object_id: 180380, pg_backend_pid: 52204

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Configure an agent with Remote Development enabled.
  2. Run the migration in this MR.
  3. Open the DB and verify that the network_policy_egress is set to [{ "allow": "0.0.0.0/0", "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }] in the remote_development_agent_configs table for all existing agents with remote development enabled.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vishal Tak
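As an added example, not code from this MR or from the GitLab code base, the Ruby script below shows how a network_policy_egress value of the shape stored by this migration can be checked and used: it validates that each entry has a CIDR "allow" and that every "except" CIDR lies inside it, evaluates whether a given destination address would be permitted, and renders the rules into the ipBlock shape used by Kubernetes NetworkPolicy egress rules. The default rule set is copied from the migration; the function names, the validation rules, and the one-egress-entry rendering are assumptions made for illustration.

```ruby
require 'ipaddr'
require 'yaml'

# Default value copied from the AddNetworkPolicyEgressToAgent migration.
DEFAULT_EGRESS = [
  { 'allow' => '0.0.0.0/0',
    'except' => ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] }
].freeze

# Parse a CIDR string; returns nil for anything that is not "address/prefix".
# The "/" is required because an ipBlock cidr must carry a prefix length.
def parse_cidr(str)
  return nil unless str.is_a?(String) && str.include?('/')

  IPAddr.new(str)
rescue IPAddr::Error
  nil
end

# Validate a network_policy_egress value. Returns an array of error strings,
# empty when the value is acceptable. (Hypothetical checks, not GitLab's own.)
def validate_egress_rules(rules)
  return ['egress rules must be an array'] unless rules.is_a?(Array)

  errors = []
  rules.each_with_index do |rule, i|
    unless rule.is_a?(Hash) && rule.key?('allow')
      errors << "rule #{i}: must be an object with an 'allow' CIDR"
      next
    end

    allow = parse_cidr(rule['allow'])
    if allow.nil?
      errors << "rule #{i}: 'allow' is not a valid CIDR: #{rule['allow'].inspect}"
      next
    end

    excepts = rule.fetch('except', [])
    unless excepts.is_a?(Array)
      errors << "rule #{i}: 'except' must be an array"
      next
    end

    excepts.each do |cidr|
      ex = parse_cidr(cidr)
      if ex.nil?
        errors << "rule #{i}: 'except' entry is not a valid CIDR: #{cidr.inspect}"
      elsif !allow.include?(ex)
        # IPAddr#include? with a range argument is true only when the whole
        # range (same address family) sits inside the allow block.
        errors << "rule #{i}: 'except' #{cidr} is not inside 'allow' #{rule['allow']}"
      end
    end
  end
  errors
end

# True when some rule's allow block covers the destination and none of that
# rule's except blocks do. Call validate_egress_rules first; malformed CIDRs raise.
def egress_allowed?(rules, destination)
  ip = IPAddr.new(destination)
  rules.any? do |rule|
    allow = IPAddr.new(rule['allow'])
    next false unless allow.include?(ip)

    rule.fetch('except', []).none? { |cidr| IPAddr.new(cidr).include?(ip) }
  end
end

# Render the rules as the `egress:` list of a Kubernetes NetworkPolicy:
# one egress entry whose `to` holds an ipBlock per rule, all ports allowed.
def to_network_policy_egress(rules)
  blocks = rules.map do |rule|
    block = { 'cidr' => rule['allow'] }
    block['except'] = rule['except'] if rule['except']&.any?
    { 'ipBlock' => block }
  end
  [{ 'to' => blocks }]
end

if $PROGRAM_NAME == __FILE__
  errors = validate_egress_rules(DEFAULT_EGRESS)
  abort(errors.join("\n")) unless errors.empty?

  # Constructed sample destinations: one public, one in each private range.
  %w[8.8.8.8 10.1.2.3 172.20.0.1 192.168.1.1].each do |dst|
    puts "#{dst}: #{egress_allowed?(DEFAULT_EGRESS, dst) ? 'allowed' : 'blocked'}"
  end
  puts({ 'egress' => to_network_policy_egress(DEFAULT_EGRESS) }.to_yaml)
end
```

Two caveats worth keeping in mind when configuring these values: an "except" CIDR that does not sit inside its "allow" CIDR is rejected here for the same reason Kubernetes rejects it in an ipBlock, and 0.0.0.0/0 matches IPv4 only, so a cluster with IPv6 egress needs a separate ::/0 rule (with its own except list) or that traffic is simply not covered by the allow list.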
