Draft: Set default ACL for project cloned in workspace
What does this MR do and why?
Issue: Investigation: Allow users to use Workspaces wi... (#474838)
This is currently a PoC MR. Do not merge.
Set default ACL for project cloned in workspace
Do not set runAsUser for user provided containers.
Set runAsGroup for workspace injected containers for consistency.
A good article explaining ACLs - https://www.novell.com/documentation/suse91/suselinux-adminguide/html/apbs03.html
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
A fully configured test environment has been setup to test this MR. The details of how to access it will be shared with you on Slack when you are assigned as a reviewer/maintainer.
For posterity, following are the steps to setup the said test environment.
-
Setup 3 Kubernetes clusters and configure Sysbox, Kata Containers and User Namespaces respectively. Configure GitLab Workspaces Proxy in all of them.
-
Create a new GitLab instance on AWS EC2 by following the below steps. EC2 instance type c5.4xlarge, disk size 100 gb, Ubuntu 24
-
Login to instance
ssh -i ~/.ssh/key-pair.pem ubuntu@PUBLIC_IP mkdir -p gdk cd gdk
-
Install GDK - https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/index.md#one-line-installation
-
Follow local network binding guide for
172.16.123.1
- https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/index.md#one-line-installation -
Setup the
gdk.yml
--- gitlab_k8s_agent: enabled: true listen_address: 172.16.123.1 gitlab: rails: hostname: 'gitlab.remote-development-test.com' allowed_hosts: - 'gitlab.remote-development-test.com' vite: enabled: true webpack: enabled: false
-
Checkout relevant branch in GitLab repository and run db migrations
cd ~/gdk/gitlab-development-kit/gitlab git checkout vtak/workspace_sudo_access_backend bin/rails db:migrate RAILS_ENV=development
-
Because of the way the GDK will be exposed publicly, we need to make a small patch to the project URL to make it accessible. Save the following patch inside
~/gdk/gitlab-development-kit/gitlab
folder asproject_url.patch
and apply it usinggit apply project_url.patch
. Workspaces not working for public GDK (#486020) is created to look into this further.diff --git a/ee/lib/remote_development/workspace_operations/create/project_cloner_component_injector.rb b/ee/lib/remote_development/workspace_operations/create/project_cloner_component_injector.rb index 1813da2d51d4..c8001b62f8a7 100644 --- a/ee/lib/remote_development/workspace_operations/create/project_cloner_component_injector.rb +++ b/ee/lib/remote_development/workspace_operations/create/project_cloner_component_injector.rb @@ -30,7 +30,7 @@ def self.inject(context) # replace the alpine/git docker image with one that is published by gitlab for security / reliability # reasons clone_dir = "#{volume_path}/#{project.path}" - project_url = project.http_url_to_repo + project_url = project.http_url_to_repo.sub('http://', 'https://').sub(':3000', '') # The project should be cloned only if one is not cloned successfully already. # This is required to avoid resetting user's modifications to the files. diff --git a/ee/lib/remote_development/workspace_operations/create/workspace_variables.rb b/ee/lib/remote_development/workspace_operations/create/workspace_variables.rb index 3a4ade8e8498..d6ddd91b054e 100644 --- a/ee/lib/remote_development/workspace_operations/create/workspace_variables.rb +++ b/ee/lib/remote_development/workspace_operations/create/workspace_variables.rb @@ -138,7 +138,7 @@ def self.variables( # variables with prefix `GITLAB_WORKFLOW_` are used for configured GitLab Workflow extension for VS Code { key: 'GITLAB_WORKFLOW_INSTANCE_URL', - value: Gitlab::Routing.url_helpers.root_url, + value: Gitlab::Routing.url_helpers.root_url.sub('http://', 'https://').sub(':3000', ''), variable_type: RemoteDevelopment::Enums::Workspace::WORKSPACE_VARIABLE_TYPES[:environment], workspace_id: workspace_id },
-
Enable workspaces extensions marketpalces feature flag
cd ~/gdk/gitlab-development-kits/gitlab bin/rails c Feature.enable(:allow_extensions_marketplace_in_workspace, Group.find_by_path('gitlab-org'))
-
Install Bazel - Follow step 1 of https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/kubernetes_agent.md
-
Expose gdk publically - https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/public_gdk.md
cd ~/gdk/gitlab-development-kit cat >Caddyfile <<EOL gitlab.remote-development-test.com { reverse_proxy 172.16.123.1:3000 } EOL
sudo caddy start
If nginx service is running on the instance, disbale it
sudo systemctl disable nginx && sudo systemctl stop nginx
. -
Reconfigure and restart GDK
cd ~/gdk/gitlab-development-kit gdk reconfigure gdk restart
-
Login to GitLab instance as root user, disable sign ups, add license
-
Setup AWS CLI by following https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
-
Create new access keys and set them up.
aws configure --profile gl-sandbox-group-remote-vtak-root
-
Fetch the Kube Config for the 2 Kubernetes clusters
aws eks update-kubeconfig --name "eks-sysbox" --region "ap-south-1" --profile gl-sandbox-group-remote-vtak-root aws eks update-kubeconfig --name "eks-kata" --region "ap-south-1" --profile gl-sandbox-group-remote-vtak-root
-
Copy the kubeconfig file from the User Namespace Kubeadm Kubernetes cluster from location
/etc/kubernetes/admin.conf
(root user).- On kubeadm control plane machine -
cat /etc/kubernetes/admin.conf
- On GitLab instance machine, create the file at
~/.kube/userns-cluster.config
with the above content
- On kubeadm control plane machine -
-
Setup kubectl by following https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
curl -LO https://dl.k8s.io/release/v1.30.0/bin/linux/amd64/kubectl sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl verify - kubectl get po -A # setup krew for kubectl - https://krew.sigs.k8s.io/docs/user-guide/setup/install/ # install ctx and ns plugins for kubectll - https://github.com/ahmetb/kubectx kubectl krew install ctx kubectl krew install ns
-
Create agent project at
gitlab-org/gitlab-agent-configurations
- Add file for sysbox -
.gitlab/agents/sysbox/config.yaml
remote_development: enabled: true dns_zone: sysbox-testing.remote-development-test.com allow_privilege_escalation: true default_runtime_class: sysbox-runc annotations: "io.kubernetes.cri-o.userns-mode": "auto:size=65536" # for debugging locally to increase log verbosity observability: logging: level: debug grpc_level: warn
- Add file for kata -
.gitlab/agents/kata/config.yaml
remote_development: enabled: true dns_zone: kata-testing.remote-development-test.com allow_privilege_escalation: true default_runtime_class: kata-qemu # for debugging locally to increase log verbosity observability: logging: level: debug grpc_level: warn
- Add file for userns -
.gitlab/agents/userns/config.yaml
remote_development: enabled: true dns_zone: userns-testing.remote-development-test.com allow_privilege_escalation: true use_kubernetes_user_namespaces: true # for debugging locally to increase log verbosity observability: logging: level: debug grpc_level: warn
- Add file for sysbox -
-
Run agentk' for the above configured config files
cd ~/gdk/gitlab-development-kit/gitlab-k8s-agent POD_NAMESPACE=default POD_NAME=remotedev AGENTK_TOKEN="" bazel run //cmd/agentk -- --kas-address=grpc://172.16.123.1:8150 --context="arn:aws:eks:ap-south-1:014073590673:cluster/eks-sysbox" --observability-listen-address=:8980 >sysbox-agent.log 2>&1 & POD_NAMESPACE=default POD_NAME=remotedev AGENTK_TOKEN="" bazel run //cmd/agentk -- --kas-address=grpc://172.16.123.1:8150 --context="arn:aws:eks:ap-south-1:014073590673:cluster/eks-kata" --observability-listen-address=:8981 >kata-agent.log 2>&1 & POD_NAMESPACE=default POD_NAME=remotedev AGENTK_TOKEN="" bazel run //cmd/agentk -- --kas-address=grpc://172.16.123.1:8150 --context="kubernetes-admin@test-user-ns-kubeadm" --kubeconfig="/home/ubuntu/.kube/userns-cluster.config" --observability-listen-address=:8982 >userns-agent.log 2>&1 &
-
Authorize the 3 agents at
gitlab-org
group by following https://docs.gitlab.com/ee/user/workspace/gitlab_agent_configuration.html#allow-a-cluster-agent-for-workspaces-in-a-group create.devfile.yaml
in project gitlab-org/gitlab-shell with the following content -
Create a devfile for
gitlab-org/gitlab-shell
projectschemaVersion: 2.2.0 components: - name: tooling-container attributes: gl/inject-editor: true container: image: "registry.gitlab.com/gitlab-org/remote-development/gitlab-remote-development-docs/ubuntu:22.04"
-
Create a workspace from the project and select the respective agent.
-
Run the following commands in terminal of each workspace.
sudo apt update sudo apt install -y acl getfacl /projects/gitlab-shell
-
For each workspace, verify all the pre-installed extensions are working as expected. Install/uninstall a new extension from the marketplace as well.