Limit the gitlab-workspace-proxy permission needs to a specific namespace

Background

A customer asked the following question:

Would it be possible to limit the gitlab-workspace-proxy permission needs to a specific namespace? An idea was to allow a namespace variable to be fed to L59 in the client.go file to limit where services are being searched for.

@vtak responded with the following in the #g_create_remote_development Slack channel:

Each workspace gets created in a new namespace. We have started adding labels to the namespace created recently. So we can use this list of agent id labels as a filter for the Kubernetes informer. Can you open up an issue for this and explain the customer requirements in detail?

Ticket ID (Internal Link)

https://gitlab.zendesk.com/agent/tickets/585386

Customer requirements (quoted from them)

We use a multi-tenant cluster setup where each team is provisioned a namespace within the cluster. The owner of the namespace is given a default admin role that gives them, and any service accounts they bind it to, broad control over the namespace, but no control at the cluster level. While we can get around the RBAC issues with pre-creating ClusterRole and ClusterRoleBindings resources, we run into problems with any functionality within the gitlab-workspaces-proxy image that requires cluster level permissions.

The specific functionality in the image we are having problems with is the SubscribeToInformerEvents (https://gitlab.com/gitlab-org/workspaces/gitlab-workspaces-proxy/-/blob/main/pkg/k8s/client.go?ref_type=heads#L56) in the client.go file as it creates an informer that attempts to list and watch services across the cluster. We seem to have found a short-term solution hack that works for our use case, where we modified this function to accept a namespace variable fed by an environment variable that we use to create a namespaced informer factory.

L57 in client.go (https://gitlab.com/gitlab-org/workspaces/gitlab-workspaces-proxy/-/blob/main/pkg/k8s/client.go?ref_type=heads#L57) being modified to the below (along with tweaks to the function and main.go to feed in the variable) seems like it might do the trick (still need to test it):

factory := informers.NewSharedInformerFactoryWithOptions(c.clientset, informerResyncPeriod, informers.WithNamespace(namespace), informers.WithTweakListOptions(tweakListOptions))

This works for our setup, but I’m guessing it breaks others.

So the TL;DR version of the above in a user story format would be:

As a k8s namespace administrator, I want to configure the gitlab-workspaces-proxy image to be namespaced so that I can operate it in a multi-tenant k8s cluster environment where I only have permissions within the namespace.

Let me know if you need more info!
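
The RBAC difference behind this request, as an added example that is not part of the customer's message or the project's own manifests: the cluster-wide grant a cluster-scoped service informer needs, beside the namespaced grant that is enough once the informer is created with informers.WithNamespace(namespace). The resource names, the namespace team-a and the service account name are assumptions, and the example covers only the service list/watch described above, with all watched services in that one namespace.

```yaml
# Added example; values marked "assumed" are placeholders, not project values.
# Before: an informer built without WithNamespace lists and watches services
# in every namespace, which only a ClusterRole (plus a ClusterRoleBinding,
# omitted here) can grant. A namespace admin cannot create either object.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: workspaces-proxy-services        # assumed name
rules:
  - apiGroups: [""]                      # core API group (services)
    resources: ["services"]
    verbs: ["list", "watch"]
---
# After: with informers.WithNamespace(namespace) the same list/watch requests
# are scoped to one namespace, so a Role the tenant can create is sufficient.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workspaces-proxy-services        # assumed name
  namespace: team-a                      # assumed tenant namespace
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workspaces-proxy-services        # assumed name
  namespace: team-a                      # assumed tenant namespace
subjects:
  - kind: ServiceAccount
    name: gitlab-workspaces-proxy        # assumed service account name
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: workspaces-proxy-services
```

The namespace in the Role and RoleBinding has to match the value passed to WithNamespace; a list or watch against any other namespace is denied by the API server.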