
Allow the restriction of Kubernetes agent access to protected branches

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA

What does this MR do and why?

This MR allows the restriction of Kubernetes agent access to protected branches, see #467936.

This is a proof of concept to show how the Kubernetes agent could be restricted to run on protected branches only, and it is up for discussion. It needs better spec coverage; however, I'd like to know first if this is the correct approach and whether the FilterService is the best place to implement it.

🛠 with at Siemens

MR acceptance checklist

MR Checklist (@nwittstruck)

Screenshots or screen recordings

kas-demo

How to set up and validate locally

  1. Prerequisites:

     ```ruby
     Feature.enable(:packages_protected_packages)
     ```

  2. You will need to include the changes of this MR of the GitLab Agent for Kubernetes. Your GDK should be set up to run the agent from source:

     ```yaml
     gitlab_k8s_agent:
       enabled: true
       run_from_source: true
     ```

  3. Create a repository that contains the following agent configuration in `.gitlab/agents/k8s-kas-dev/config.yaml`:

     ```yaml
     ci_access:
       projects:
         - id: dev/gdk-kas-dev # This must be a valid project id in your GDK setup
       protected: false # Toggle this flag to allow access only from protected branches
     ```

  4. You can now create a `.gitlab-ci.yml` file in (un-)protected branches. Based on the `protected` setting under `ci_access`, you should either see a list of contexts or not.

     ```yaml
     deploy:
       image:
         name: bitnami/kubectl:latest
         entrypoint: ['']
       script:
         - echo "Listing pods from protected branch"
         - kubectl config get-contexts
         - kubectl config use-context dev/gdk-kas-dev:k8s-kas-dev # use your local context
         - kubectl get pods --all-namespaces
     ```
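To make the effect of the `protected` flag concrete, here is an added Ruby sketch of the authorization decision that the steps above exercise (illustrative code, not GitLab's FilterService and not part of this MR's diff). The two configs, the `Job` struct and the protected-branch patterns are constructed for the example; `protected` is placed under `ci_access` exactly as in the config above, and the flag only matters once the job's project is listed under `ci_access.projects`.

```ruby
require 'yaml'

# Constructed agent configs in the shape shown in this MR: `protected` sits under
# `ci_access`, next to `projects`. Only the first one restricts access.
RESTRICTED_CONFIG = <<~YAML
  ci_access:
    projects:
      - id: dev/gdk-kas-dev
    protected: true
YAML

OPEN_CONFIG = <<~YAML
  ci_access:
    projects:
      - id: dev/gdk-kas-dev
    protected: false
YAML

# Constructed protected-branch rules per project; GitLab allows '*' wildcards.
PROTECTED_BRANCHES = {
  'dev/gdk-kas-dev' => ['main', 'release-*']
}.freeze

# Hypothetical stand-in for the CI job asking KAS for access.
Job = Struct.new(:project_path, :ref, keyword_init: true)

# True when the job's ref matches one of the project's protected-branch patterns.
def protected_ref?(project_path, ref)
  PROTECTED_BRANCHES.fetch(project_path, []).any? do |pattern|
    regex = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
    regex.match?(ref)
  end
end

# Assumed filter logic (not GitLab's FilterService): the job's project must be
# listed under ci_access.projects, and when `protected` is true the job must
# additionally run on a protected branch of that project.
def agent_access_granted?(config_yaml, job)
  ci_access = YAML.safe_load(config_yaml).fetch('ci_access', {})
  projects = ci_access.fetch('projects', [])
  return false unless projects.any? { |p| p['id'] == job.project_path }
  return true unless ci_access.fetch('protected', false)

  protected_ref?(job.project_path, job.ref)
end
```

With `protected: true`, a job on `feature/x` is refused while `main` and `release-1.2` are allowed; with `protected: false`, any branch of a listed project gets access, which is why a developer-writable branch can otherwise use the agent's cluster credentials.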
Edited by Nicholas
