Add egress ip options in remote development agent configs
What does this MR do and why?
Issue: #427234 (closed)
Add options to configure the network policy egress rules for the remote development module of the GitLab agent for Kubernetes.
These values will be set in Backend: Updates to agent configuration updates... (#427235 - closed) and used in Backend: Use agent's egress IP rules to generat... (#427236 - closed).
The default allow list for egress is [{ "allow": "0.0.0.0/0", "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }], i.e. allow all internet traffic except traffic to private IP ranges. Giving users the ability to configure these values means they can accommodate their own network configuration while keeping workspace egress controlled.
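As an added example (not code from this MR or from GitLab itself), the following Ruby script validates a network_policy_egress value of the shape quoted above and evaluates whether a given destination address is permitted under it. The validator, the sample configs and the final mapping onto a Kubernetes NetworkPolicy ipBlock are all constructed here; the MR only states that the rules are used to generate policy, so that mapping is an assumption.

```ruby
require 'ipaddr'

# Constructed sample: the default value quoted in the MR description.
DEFAULT_NETWORK_POLICY_EGRESS = [
  {
    "allow" => "0.0.0.0/0",
    "except" => ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
  }
].freeze

# Parse one CIDR string into an IPAddr, insisting on an explicit prefix length so a
# bare address such as "10.0.0.0" is not silently widened or narrowed.
def parse_cidr(str)
  raise ArgumentError, "CIDR must be a string, got #{str.inspect}" unless str.is_a?(String)
  raise ArgumentError, "CIDR must include a prefix length: #{str}" unless str.include?("/")

  IPAddr.new(str)
rescue IPAddr::Error => e
  raise ArgumentError, "invalid CIDR #{str.inspect}: #{e.message}"
end

# Validate a network_policy_egress value (the Array of Hashes stored in the jsonb
# column) and return [allow, [excepts]] pairs of IPAddr objects. Malformed input
# raises ArgumentError so it is rejected before any policy is generated.
# Hypothetical validator, not the project's own code.
def parse_egress_rules(rules)
  raise ArgumentError, "network_policy_egress must be a non-empty array" unless rules.is_a?(Array) && !rules.empty?

  rules.map do |rule|
    unless rule.is_a?(Hash) && rule.key?("allow")
      raise ArgumentError, "each rule must be a hash with an 'allow' key: #{rule.inspect}"
    end

    allow = parse_cidr(rule["allow"])
    excepts = Array(rule["except"]).map { |cidr| parse_cidr(cidr) }

    # An except block outside its allow block never matches anything; treat it as a
    # config error rather than letting a typo silently turn the exception into a no-op.
    excepts.each do |ex|
      unless allow.include?(ex)
        raise ArgumentError, "except #{ex}/#{ex.prefix} is not within allow #{allow}/#{allow.prefix}"
      end
    end

    [allow, excepts]
  end
end

# True if traffic from a workspace to +dest+ is permitted: the destination must fall
# inside some rule's allow block and outside all of that rule's except blocks.
# Addresses of another family (e.g. IPv6 against IPv4 rules) never match.
def egress_allowed?(rules, dest)
  ip = IPAddr.new(dest)
  parse_egress_rules(rules).any? do |allow, excepts|
    allow.include?(ip) && excepts.none? { |ex| ex.include?(ip) }
  end
end

# Assumed mapping of the validated rules onto the Kubernetes NetworkPolicy egress
# schema (spec.egress[].to[].ipBlock with cidr/except). The MR only says the rules
# are used to generate policy, so this exact shape is an assumption.
def to_network_policy_egress(rules)
  parse_egress_rules(rules).map do |allow, excepts|
    ip_block = { "cidr" => "#{allow}/#{allow.prefix}" }
    ip_block["except"] = excepts.map { |ex| "#{ex}/#{ex.prefix}" } unless excepts.empty?
    { "to" => [{ "ipBlock" => ip_block }] }
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[8.8.8.8 10.1.2.3 172.20.0.1 172.32.0.1 192.168.1.1].each do |dest|
    verdict = egress_allowed?(DEFAULT_NETWORK_POLICY_EGRESS, dest) ? "allowed" : "blocked"
    puts "#{dest}: #{verdict}"
  end
end
```

Running the script with the default value prints 8.8.8.8 and 172.32.0.1 as allowed and the three private destinations as blocked. Rejecting an except block that lies outside its allow block is a deliberate choice: such an entry cannot narrow the rule, so accepting it would let a mistyped range pass validation while the workspace retained broader egress than the author intended.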
DB changes
Migration
main: == [advisory_lock_connection] object_id: 180680, pg_backend_pid: 52650
main: == 20231107062104 AddNetworkPolicyEgressToAgent: migrating ====================
main: -- add_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
main: -> 0.0040s
main: == 20231107062104 AddNetworkPolicyEgressToAgent: migrated (0.0210s) ===========
main: == [advisory_lock_connection] object_id: 180680, pg_backend_pid: 52650
ci: == [advisory_lock_connection] object_id: 180940, pg_backend_pid: 52652
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: migrating ====================
ci: -- add_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
ci: -> 0.0017s
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: migrated (0.0128s) ===========
ci: == [advisory_lock_connection] object_id: 180940, pg_backend_pid: 52652
Rollback Main
main: == [advisory_lock_connection] object_id: 180360, pg_backend_pid: 51731
main: == 20231107062104 AddNetworkPolicyEgressToAgent: reverting ====================
main: -- remove_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
main: -> 0.0030s
main: == 20231107062104 AddNetworkPolicyEgressToAgent: reverted (0.0172s) ===========
main: == [advisory_lock_connection] object_id: 180360, pg_backend_pid: 51731
Rollback CI
ci: == [advisory_lock_connection] object_id: 180380, pg_backend_pid: 52204
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: reverting ====================
ci: -- remove_column(:remote_development_agent_configs, :network_policy_egress, :jsonb, {:null=>false, :default=>[{:allow=>"0.0.0.0/0", :except=>["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}]})
ci: -> 0.0014s
ci: == 20231107062104 AddNetworkPolicyEgressToAgent: reverted (0.0129s) ===========
ci: == [advisory_lock_connection] object_id: 180380, pg_backend_pid: 52204
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Configure an agent with Remote Development enabled.
- Run the migration in this MR.
- Open the DB and verify that the network_policy_egress column is set to [{ "allow": "0.0.0.0/0", "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] }] in the remote_development_agent_configs table for all existing agents with remote development enabled.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.