Skip to content

Add user access functionality for KAS

Hordur Freyr Yngvason requested to merge add-kas-user-authorization-ff into master

What does this MR do and why?

Implements #381561 (closed) and #381566 (closed). Implements, behind a feature flag:

  • authorize_proxy_user API endpoint that looks up a user by session ID and returns the metadata for KAS
  • Setting the KAS cookie. Currently at the end of every request. Should limit it to relevant controllers.

The agent MR is here: gitlab-org/cluster-integration/gitlab-agent!841 (merged)

Screenshots or screen recordings

image

How to set up and validate locally

You have to be familiar with KAS and agentk to setup this up:

  1. Enable the feature flag
    Feature.enable(:kas_user_access)
  2. Setup your GitLab (GDK) with KAS and a working agentk from gitlab-org/cluster-integration/gitlab-agent!841 (merged)
  3. Register that agent in a project and enable the ff for that project, too:
    Feature.enable(:kas_user_access_project, Project.find(<project-id>))
  4. Browse to the agent overview page
  5. Open up the browser dev console and run something like this to query Kube API via KAS and agentk (make sure that the KAS address is correct for your setup):
    fetch('https://kas.gdk.test:3443/-/k8s-proxy/api/v1/namespaces', {credentials: 'include', headers: {'X-Csrf-TOKEN': document.head.querySelector('meta[name="csrf-token"]').content, 'GitLab-Agent-Id': '1'}}).then((response) => response.json()).then((data) => console.log(data));
  6. Verify that the response is a NamespaceList Kube API response

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Timo Furrer

Merge request reports

Loading