
[FEEDBACK] GitLab Agent for Kubernetes: response header allowlist in Kubernetes API proxy

This feedback issue can be used to report that the response header allowlist in the GitLab Agent for Kubernetes API proxy is missing a "required" header, resulting in a breaking change.

We'll consider every reported header:

  • it must be secure to proxy.
  • it must be a header that is somewhat standardized and well-known.

Background context

The GitLab Agent for Kubernetes implements a Kubernetes API proxy that is able to proxy requests from customer Kubernetes tooling (like kubectl, helm, Kubernetes dashboards, ...) to the Kubernetes cluster attached to the agentk in the customer's cluster. The challenge with such a proxy is that the customer operates the agent. A malicious party may craft a custom agent that returns insecure HTTP response headers through the Kubernetes API proxy. This malicious party may trick a victim into using their user agent (e.g. web browser) to browse to a Kubernetes API URL that responds with those insecure HTTP response headers, causing harm to the victim - most likely via an XSS. An example of such an attack is the previously fixed NEL injection attack Injection of NEL headers in k8s proxy response ... (#504707 - closed). The response header allowlist introduced in the Kubernetes Agent Server (KAS) prevents this entire class of XSS attacks. However, since the allowlist has to grow over time (due to new headers being supported in Kubernetes itself or extensions), we might have to add them.
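As an added illustration of the mechanism described above (this is example code, not the KAS implementation, and the allowlist contents are an assumption rather than GitLab's real list), the following Go program applies a response header allowlist in a reverse proxy's ModifyResponse hook and routes one request from a constructed, tampered upstream through it, so that an injected NEL header never reaches the client while Content-Type survives:

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sort"
)

// Illustrative allowlist (an assumption, not the real KAS list): only headers a
// Kubernetes client needs to consume the response body are forwarded.
var allowedResponseHeaders = map[string]bool{
	"Content-Type": true, "Content-Length": true, "Content-Encoding": true,
	"Transfer-Encoding": true, "Date": true, "Cache-Control": true, "Audit-Id": true,
}

// FilterResponseHeaders deletes every header not on the allowlist and returns
// the dropped names (sorted) so the proxy can log or alert on them.
func FilterResponseHeaders(h http.Header) []string {
	var dropped []string
	for name := range h {
		if !allowedResponseHeaders[http.CanonicalHeaderKey(name)] {
			dropped = append(dropped, name)
			delete(h, name)
		}
	}
	sort.Strings(dropped)
	return dropped
}

// ProxyHeadersFrom sends one GET through a reverse proxy whose ModifyResponse
// hook applies the allowlist, and returns the headers the client receives.
func ProxyHeadersFrom(upstream http.Handler) http.Header {
	srv := httptest.NewServer(upstream)
	defer srv.Close()
	u, _ := url.Parse(srv.URL)
	proxy := httputil.NewSingleHostReverseProxy(u)
	proxy.ModifyResponse = func(resp *http.Response) error {
		FilterResponseHeaders(resp.Header) // the returned names are where logging would go
		return nil
	}
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, httptest.NewRequest("GET", "/api/v1/pods", nil))
	return rec.Result().Header
}

// TamperedAgent is a constructed stand-in for an agent that injects a reporting
// header of the kind behind #504707; the header values are placeholders.
func TamperedAgent(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("NEL", `{"report_to":"placeholder"}`)
	w.Write([]byte(`{"kind":"PodList","items":[]}`))
}
```

Because FilterResponseHeaders returns what it removed, a deployment can log those names to spot an agent that starts emitting unexpected headers, while a legitimately needed header that shows up there is exactly the kind of report this issue asks for.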

Edited by Timo Furrer