Support Personal Access Token Authentication for KAS Kubernetes API proxy
## Release notes
Allowing developers access to Kubernetes clusters requires either cloud accounts for the developers or 3rd party authentication tools and their management. This increases the complexity of cloud identity and access management. GitLab now allows users to connect to Kubernetes clusters using their GitLab identity and the agent for Kubernetes. Authorizations within the cluster can be managed using traditional Kubernetes RBAC. As developers already have access to GitLab, you are relieved from the additional complexity of managing cloud accounts or 3rd party tools.
Together with the [OIDC cloud authentication](https://docs.gitlab.com/ee/ci/cloud_services/) offering in GitLab pipelines, these features allow GitLab users to access your cloud resources without dedicated cloud accounts and without jeopardizing security and compliance.
In this first iteration of cluster access, the Kubernetes configuration needs to be managed manually following [the documentation](https://docs.gitlab.com/ee/user/clusters/agent/user_access.html). We want to simplify setup further by [extending the GitLab CLI with related commands](https://gitlab.com/gitlab-org/cli/-/issues/7288).
## Context
As of today, the Kubernetes API proxy in KAS / agentk supports authentication via a Job Token and a Session Cookie.
The Job Token is used when accessing the API proxy from a GitLab CI/CD pipeline and the Session Cookie is used when accessing the API proxy via the GitLab frontend, e.g. the [Dashboard for Kubernetes](https://docs.gitlab.com/ee/ci/environments/kubernetes_dashboard.html).
## Goal
KAS should support a new authentication mechanism in addition to the two aforementioned ones: authentication via Personal Access Token (PAT).
## Proposal
### Authentication
The user can authenticate a Kubernetes API proxy request by sending the PAT in the `Authorization` header, like this:
```
Authorization: Bearer pat:<agent-id>:<token>
```
This is very similar to the already existing Job Token auth, which is:
```
Authorization: Bearer ci:<agent-id>:<token>
```
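One way a server could parse the two header formats above and reject malformed values before any token lookup (an added example, not KAS's own code). The `ProxyCredential` type, the `ParseProxyAuth` function and the assumption that the agent id is a positive decimal integer are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ProxyCredential is a hypothetical type for the parsed header parts.
type ProxyCredential struct {
	Kind    string // "pat" or "ci", the two prefixes shown on this page
	AgentID int64  // assumption: agent ids are positive decimal integers
	Token   string // opaque here; this parser does not validate it
}

var ErrBadAuth = errors.New("malformed proxy Authorization header")

// ParseProxyAuth parses "Bearer <kind>:<agent-id>:<token>" and rejects
// anything that does not match that shape exactly.
func ParseProxyAuth(header string) (ProxyCredential, error) {
	fields := strings.SplitN(header, " ", 2)
	if len(fields) != 2 || !strings.EqualFold(fields[0], "Bearer") {
		return ProxyCredential{}, ErrBadAuth
	}
	// Split into at most 3 parts so a ':' inside the token is preserved.
	parts := strings.SplitN(fields[1], ":", 3)
	if len(parts) != 3 || parts[2] == "" {
		return ProxyCredential{}, ErrBadAuth
	}
	if parts[0] != "pat" && parts[0] != "ci" {
		return ProxyCredential{}, ErrBadAuth
	}
	// ParseUint rejects signs, spaces and non-digits; 63 bits fits int64.
	id, err := strconv.ParseUint(parts[1], 10, 63)
	if err != nil || id == 0 {
		return ProxyCredential{}, ErrBadAuth
	}
	return ProxyCredential{Kind: parts[0], AgentID: int64(id), Token: parts[2]}, nil
}

func main() {
	// Constructed sample headers; the token is never printed.
	for _, h := range []string{"Bearer pat:42:EXAMPLE-TOKEN", "Bearer pat:abc:x", "Basic dXNlcg=="} {
		c, err := ParseProxyAuth(h)
		fmt.Printf("kind=%q agent=%d err=%v\n", c.Kind, c.AgentID, err)
	}
}
```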
### PAT scopes
The PAT should have the new `k8s_proxy` scope.
### KAS <-> Rails authentication
The new PAT method will leverage the `/internal/kubernetes/authorize_proxy_user` Rails endpoint, similar to the Session Cookie method, and return a response containing the user id etc. in the same format as Cookie auth.