Set KAS connect-src CSP on demand
What does this MR do and why?
In Add user access functionality for KAS (!104504 - merged) we've introduced a connect-src directive for the KAS subdomain (in case it is on a subdomain) globally. However, this is not really necessary and an on-demand approach is preferred.

On-demand means that a controller can include the KasCookie concern to configure the correct CSP so that the KAS cookie can actually be used. The KAS cookie doesn't make any sense without the CSP config, so it naturally makes sense for it to be part of the KasCookie concern.
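To illustrate the on-demand approach described above, here is an added, stand-alone Ruby sketch (not GitLab's own KasCookie concern) that appends the KAS origin to connect-src only for controllers that opt in, and only when KAS is on a different origin than GitLab itself; the GitLab URL, KAS URL and base directives are constructed sample values.

```ruby
require 'uri'

# Constructed sample: the directives a global CSP would carry before any KAS addition.
BASE_DIRECTIVES = {
  'default-src' => ["'self'"],
  'connect-src' => ["'self'", 'wss://localhost']
}.freeze

# Return the KAS origin (scheme://host[:port]) that connect-src must allow, or nil when
# KAS is served from the same origin as GitLab and is therefore already covered by 'self'.
def kas_connect_src_origin(gitlab_url, kas_url)
  gitlab = URI.parse(gitlab_url)
  kas = URI.parse(kas_url)
  return nil if kas.host.nil?

  same_origin = kas.scheme == gitlab.scheme && kas.host == gitlab.host && kas.port == gitlab.port
  return nil if same_origin

  # Omit the port when it is the scheme's default (e.g. 443 for https).
  port = (kas.port.nil? || kas.port == kas.default_port) ? '' : ":#{kas.port}"
  "#{kas.scheme}://#{kas.host}#{port}"
end

# Build the directives for one response. Only a controller that opted in (include_kas: true,
# standing in for "includes the KasCookie concern") gets the KAS origin appended to
# connect-src; every other page keeps the base policy untouched.
def csp_directives(base, gitlab_url, kas_url, include_kas:)
  directives = base.transform_values(&:dup) # never mutate the shared base policy
  return directives unless include_kas

  origin = kas_connect_src_origin(gitlab_url, kas_url)
  return directives if origin.nil?

  directives['connect-src'] ||= ["'self'"]
  directives['connect-src'] << origin unless directives['connect-src'].include?(origin)
  directives
end

# Serialize directives into a Content-Security-Policy header value.
def csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end
```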
Screenshots or screen recordings
Page with a controller that includes the KasCookie concern:

Page that doesn't include the KasCookie concern:
How to set up and validate locally
1. Set up KAS
2. Set up agentk
3. Enable the KAS user access feature flags
4. Browse to the cluster / agent page to check the CSP
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.