Allow the restriction of Kubernetes agent access to protected branches

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA

What does this MR do and why?

This MR allows the restriction of Kubernetes agent access to protected branches, see #467936 (closed).

🛠 with at Siemens

MR acceptance checklist

MR Checklist (@nwittstruck)

Screenshots or screen recordings

kas-demo

How to set up and validate locally

  1. Prerequisites:

     ```ruby
     Feature.enable(:kubernetes_agent_protected_branches)
     ```

  2. You will need to include the changes of this MR of the GitLab Agent for Kubernetes. Your GDK should be set up to run the agent from source:

     ```yaml
     gitlab_k8s_agent:
       enabled: true
       run_from_source: true
     ```

  3. Create a repository that contains the following configuration in the file .gitlab/agents/k8s-kas-dev/config.yaml:

     ```yaml
     ci_access:
       projects:
         - id: dev/gdk-kas-dev # This must be a valid project id in your GDK setup
           protected_branches_only: true # Toggle this flag to allow access only from protected branches
     ```

  4. You can now create a .gitlab-ci.yml file in (un-)protected branches. Based on the setting of ci_access, you should either see a list of contexts or not.

     ```yaml
     deploy:
       image:
         name: bitnami/kubectl:latest
         entrypoint: ['']
       script:
         - echo "Listing pods from protected branch"
         - kubectl config get-contexts
         - kubectl config use-context dev/gdk-kas-dev:k8s-kas-dev # use your local context
         - kubectl get pods --all-namespaces
     ```
Edited by Nicholas Wittstruck
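
The manual check in the last validation step, turned into a pass/fail assertion that a CI job can run; this is an added example, not code from the merge request or from GitLab. The function names and the `SAMPLE_CONTEXTS` value are hypothetical, and it assumes that an agent the job may not use is simply absent from `kubectl config get-contexts -o name`. `CI_COMMIT_REF_PROTECTED` is GitLab's predefined variable for the job's ref.

```shell
#!/bin/sh
# Added example: verify that the agent context is visible only where
# protected_branches_only allows it.

# Constructed sample of `kubectl config get-contexts -o name` output.
SAMPLE_CONTEXTS='dev/gdk-kas-dev:k8s-kas-dev'

# expected_visibility PROTECTED_ONLY REF_PROTECTED -> prints visible|hidden
expected_visibility() {
  if [ "$1" = "true" ] && [ "$2" != "true" ]; then
    echo hidden      # restricted agent, job on an unprotected ref
  else
    echo visible     # unrestricted agent, or job on a protected ref
  fi
}

# context_listed CONTEXT -> exit 0 if stdin holds CONTEXT as a whole line.
# -F and -x force an exact match, so "ctx-2" is never mistaken for "ctx".
context_listed() {
  grep -Fxq -- "$1"
}

# verify_agent_access CONTEXT PROTECTED_ONLY REF_PROTECTED
# Reads context names on stdin; exit 0 when reality matches the policy.
verify_agent_access() {
  vaa_want="$(expected_visibility "$2" "$3")"
  if context_listed "$1"; then vaa_actual=visible; else vaa_actual=hidden; fi
  if [ "$vaa_actual" = "$vaa_want" ]; then
    echo "OK: $1 is $vaa_actual (expected $vaa_want)"
    return 0
  fi
  # A visible context on an unprotected ref is the regression that matters.
  echo "FAIL: $1 is $vaa_actual, expected $vaa_want" >&2
  return 1
}

# Offline demo on the constructed sample: protected ref, restricted agent.
printf '%s\n' "$SAMPLE_CONTEXTS" |
  verify_agent_access 'dev/gdk-kas-dev:k8s-kas-dev' true true

# In a real job, replace the sample with live output:
#   kubectl config get-contexts -o name |
#     verify_agent_access 'dev/gdk-kas-dev:k8s-kas-dev' true \
#       "${CI_COMMIT_REF_PROTECTED:-false}"
```

Running the same job on a protected and an unprotected branch exercises both outcomes; a non-zero exit on the unprotected branch means the context leaked through the restriction.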