gitlab-org/gitlab
KAS / Kubernetes integration
The GitLab Kubernetes Agent Server (KAS) and the in-cluster agentk agent.
Components
| Component | Where | Role |
|---|---|---|
| KAS | external Go service (gitlab-org/cluster-integration/gitlab-agent) | Brokers connections between GitLab and agentk |
| agentk | Helm chart, in customer cluster | Long-lived gRPC client connected to KAS |
| Rails KAS bridge | lib/gitlab/kas.rb (~4K LoC), app/models/clusters/agent.rb, app/models/cluster_agent_token.rb | Issues tokens, exposes APIs |
The KAS version is pinned in GITLAB_KAS_VERSION.
Why
Cluster admins don't want GitLab punching outbound holes into their cluster. KAS inverts the direction: the cluster opens an outbound gRPC stream to KAS, and Rails sends commands over that stream. The connection is multiplexed for many features.
Source
app/models/clusters/
├── agent.rb
├── agent_token.rb
├── agent_url_configuration.rb
└── ...
app/services/clusters/
├── agents/
└── agent_tokens/
ee/app/services/clusters/agents/
ee/app/models/clusters/agents/
ee/app/policies/clusters/agents/
lib/api/internal/kubernetes.rb # KAS callbacks
lib/api/clusters/agent_tokens.rb
config/initializers/kas.rb
What flows over the gRPC stream
| Channel | Purpose |
|---|---|
| GitOps (Flux integration) | Push manifests / monitor sync |
| Kubectl proxy | Run kubectl from the GitLab UI |
| Vulnerability scanning | Continuous scan of cluster workloads |
| Observability | Metrics from cluster |
| Remote development | Remote IDE workspaces |
Tokens and auth
Clusters::AgentToken is the long-lived secret the in-cluster agent uses. It's verified by KAS, which then calls back into the Rails internal API (/api/v4/internal/kubernetes/agent_info) to authenticate.
CI access from cluster
The ci_access mechanism lets CI jobs use kubectl against allowed agents without giving runners cluster credentials. Rails issues short-lived tokens scoped to a specific agent + project.
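A sketch of what "short-lived and scoped to a specific agent + project" means at verification time. This is an added example, not GitLab's or KAS's implementation; the module name, claim layout, HMAC construction and 300-second lifetime are all assumptions.

```ruby
require 'openssl'
require 'json'

# Hypothetical sketch, not GitLab code: an HMAC-signed token bound to one
# agent and one project, with a short expiry.
module ScopedCiToken
  TTL = 300 # seconds; constructed value

  module_function

  def issue(key, agent_id:, project_id:, now: Time.now.to_i)
    claims = { 'agent_id' => agent_id, 'project_id' => project_id, 'exp' => now + TTL }
    payload = [JSON.generate(claims)].pack('m0') # strict base64, never contains "."
    "#{payload}.#{sign(key, payload)}"
  end

  # Returns :ok, or a symbol naming why the token was rejected.
  def verify(key, token, agent_id:, project_id:, now: Time.now.to_i)
    payload, mac = token.to_s.split('.', 2)
    return :malformed if payload.nil? || mac.nil?
    # Check the MAC in constant time before parsing or trusting any claim.
    return :bad_signature unless OpenSSL.secure_compare(sign(key, payload), mac)

    claims = JSON.parse(payload.unpack1('m0'))
    return :expired if now >= claims['exp']
    # Scope check: a token for one agent/project pair is useless for another.
    return :wrong_agent unless claims['agent_id'] == agent_id
    return :wrong_project unless claims['project_id'] == project_id

    :ok
  end

  def sign(key, payload)
    OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  end
end

if __FILE__ == $PROGRAM_NAME
  key = 'constructed-demo-key' # constructed sample secret
  token = ScopedCiToken.issue(key, agent_id: 7, project_id: 42)
  p ScopedCiToken.verify(key, token, agent_id: 7, project_id: 42)
  p ScopedCiToken.verify(key, token, agent_id: 7, project_id: 43)
end
```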
Remote Development workspaces
ee/lib/remote_development/, app/models/remote_development/, app/services/remote_development/. KAS-backed Web IDE workspaces that run pods in a customer cluster.
Related
- Authentication — agent tokens.
- Internal API — /api/v4/internal/kubernetes/*.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.