
Allow the restriction of Kubernetes agent access to protected branches only

Summary

Allow the restriction of Kubernetes agent access to protected branches only.

Video

kas-demo

Problem to solve

Currently, it is not possible to limit Kubernetes agent access to protected branches only. From a security perspective, it would be helpful to have a flag that allows restricting access to a cluster to protected branches.

Access to a Kubernetes agent can, however, already be limited to jobs that target specific environments.

It’s also possible to prevent runners from revealing sensitive information by limiting them to run only on protected branches.

Therefore, adding a flag to limit Kubernetes agent access to protected branches would result in feature parity. This ensures that only code that has gone through the proper review and protection processes can interact with critical Kubernetes agents.

Proposal

I suggest putting the following behind a feature flag, since there are some dependencies between the releases of rails-web and gitlab-kas.

We add a flag under ci_access in the agent configuration file:

ci_access:
  projects:
    - id: dev/gdk-kas-dev
      protected_branches_only: true # Toggle this flag to allow access only from protected branches
    - id: group-1/subgroup2
      protected_branches_only: true # Toggle this flag to allow access only from protected branches

We could implement this feature in the same way as the existing environments filter.

In rails-web:

On the KAS side:

  • Add protobuf configuration for the additional field like this.
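To illustrate how the proposed flag would slot in next to the environments filter on the rails-web side, here is an added example (not code from GitLab, gitlab-kas, or the linked MRs). It parses a constructed agent config and filters the ci_access project entries against a job's context; the Job struct, the exact-match environment comparison, and the helper names are assumptions made for the example.

```ruby
require 'yaml'

# Constructed sample config: the proposed protected_branches_only flag beside
# the existing environments restriction and an unrestricted entry.
AGENT_CONFIG = <<~YAML
  ci_access:
    projects:
      - id: dev/gdk-kas-dev
        protected_branches_only: true
      - id: group-1/subgroup2
        environments: [production]
      - id: group-1/sandbox
YAML

# Hypothetical stand-in for the job context rails-web already resolves
# (project path, whether the job's ref is a protected branch, environment).
Job = Struct.new(:project_path, :ref_protected, :environment, keyword_init: true)

# Returns the ids of ci_access project entries that authorize this job.
# An entry is dropped as soon as any of its restrictions is not met,
# which is how a filter of this kind fails closed.
def authorized_projects(config_yaml, job)
  config = YAML.safe_load(config_yaml)
  entries = config.dig('ci_access', 'projects') || []
  entries.select do |entry|
    next false unless entry['id'] == job.project_path
    # Proposed flag: only jobs running on a protected branch may use the agent.
    next false if entry['protected_branches_only'] && !job.ref_protected
    # Existing environments filter (simplified here to exact matching).
    envs = entry['environments']
    next false if envs && !envs.include?(job.environment)
    true
  end.map { |entry| entry['id'] }
end

# Convenience predicate: the job may talk to the agent if any entry matched.
def access_allowed?(config_yaml, job)
  !authorized_projects(config_yaml, job).empty?
end
```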

I have added MRs of the implementation that are now ready to review.

Edited by Nicholas Wittstruck