## Problem Typically, agents are owned by a single project and shared with multiple deployment projects. Project members in the agent owner project can see the list of agents from "Infrastructure > Kubernetes clusters" page, however, project members in deployment projects might not have access to the owner project thus have no idea what agents are available in the project. Similarly, we recently added [a feature](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/104504) to allow users to access agent via `user_access` keyword. This authentication [requires Agent ID](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/kubernetes_user_access.md?_gl=1%2akexwua%2a_ga%2aNzYxODI0OTkyLjE2NzQ0Mzc3NTU.%2a_ga_ENFH3X7M5Y%2aMTY3ODc2OTQ1My41MTUuMS4xNjc4NzY5Nzg0LjAuMC4w#authentication), however, project members in the deployment projects might not have access to the owner project thus can't fetch the Agent ID for the authentication. This effectively limits the feature usage to be inside the owner project only. ## Proposal Show **shared** agents in deployment projects from "Infrastructure > Kubernetes clusters" page. In this page, users see: - Shared agent names, IDs and it's connection status. - Shared by - The agent owner project that allowed the access to the agent(s). - Which keyword is used for sharing, either `ci_access`, `user_access` or both. - Permissions in the cluster with [the given impersonation](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html#restrict-project-and-group-access-by-using-impersonation). i.e. `ClusterRoleBinding` or `RoleBinding` details of the impersonated service account. - Future iteration: View resources in the cluster via [Kubernetes Dashboard](https://gitlab.com/gitlab-org/gitlab/-/issues/365901). (`user_access` only) - Future iteration: Connect to the Agent via [Web Terminal](https://docs.gitlab.com/ee/administration/integration/terminal.html). (`user_access` only) Example design at the group-level here: https://gitlab.com/gitlab-org/gitlab/-/issues/353468/designs/Agent_Group_Installed_agents.png ### Permissions Follow `View clusters` and `Manage clusters` from https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions ### Technical details - One of main purposes in this iteration is to let deployment project _see_ shared agents. To do so, we need to properly fix Agent permission in GitLab side. - We likely use `Clusters::Agents::ProjectAuthorization` and `Clusters::Agents::GroupAuthorization` for fetching available agent list. - Introduce `read_cluster_agent` permission. Stop reusing `read_cluster` as it technically infers deprecated certificate-based cluster integration. ### Design  ## Reference - How to share agents via `ci_access` => [doc](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html#authorize-the-agent-to-access-your-projects). - How to share agents via `user_access` => [doc](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/kubernetes_user_access.md). - We show shared [Deploy Keys](https://docs.gitlab.com/ee/user/project/deploy_keys/) in projects. See "Settings > Repository > Deploy Key" for the reference.