Follow-up: Restrict secret informer scope in remote-development gitlab-agent module

MR: Pending

Description

Agent: Copy image pull secrets before generatin... (#474994 - closed) is introducing support for accessing image_pull_secrets on the Kubernetes cluster to allow workspaces access to private container registries. Secrets data is sensitive and we would like to reduce the scope of secrets the remote-development module can observe. As part of the referenced issue, we apply filters to restrict informer access to secrets that match how an image_pull_secret looks. To further reduce the scope, we have the following ideas:

Listen in only on namespaces supplied as part of the agent-config

This entails fetching all the namespaces specified under the image_pull_secrets section in the configs for all returned workspaces we want the agent to reconcile and listen in only on those namespaces. This approach means we would need to restart the informer whenever there is a diff in the set of namespaces we previously had and a new set received from Rails.

This approach also introduces the need for a prerequisite fetch by the agent to retrieve a starting set of valid namespaces to listen in on remote-development module initialization.

Acceptance Criteria

TODO: update criteria with specifics when we get consensus regarding the idea(s) above.

• Reduce the scope of secret access in the remote-development module