diff --git a/app/models/clusters/agent.rb b/app/models/clusters/agent.rb
index 5feb3b0a1e6071c063b1405f27234787b9bc0855..c58a3bab1a9468c1448523c11fc7520087e576f5 100644
--- a/app/models/clusters/agent.rb
+++ b/app/models/clusters/agent.rb
@@ -19,5 +19,9 @@ class Agent < ApplicationRecord
 with: Gitlab::Regex.cluster_agent_name_regex,
 message: Gitlab::Regex.cluster_agent_name_regex_message }
+
+ def has_access_to?(requested_project)
+ requested_project == project
+ end
 end
 end
diff --git a/changelogs/unreleased/authorize_same_project_agent.yml b/changelogs/unreleased/authorize_same_project_agent.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bb2b4f05c791a0aed1d8deb6d582f2d4647ce291
--- /dev/null
+++ b/changelogs/unreleased/authorize_same_project_agent.yml
@@ -0,0 +1,5 @@
+---
+title: Authorize the project for the cluster agent if it is the agent's project
+merge_request: 48314
+author:
+type: changed
diff --git a/doc/user/clusters/agent/index.md b/doc/user/clusters/agent/index.md
index 321de69fabe40c7a4689305fd81f1cefca45fb74..d564a343a19b37c757aa559a2a9901d5ee04c869 100644
--- a/doc/user/clusters/agent/index.md
+++ b/doc/user/clusters/agent/index.md
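Review bot: `has_access_to?` is now the authorization rule that lets an agent read a private project, yet nothing in the model says what it grants, why the agent's own project is trusted, or that the internal Kubernetes API relies on it. I'd add a comment above the method, e.g. `# Whether this agent may read manifests from requested_project. Only the agent's own (configuration) project is granted here; public-project access is decided separately by the caller via the anonymous :download_code policy.` The `==` comparison against `project` means a nil or unsaved `requested_project` yields false, which is the safe default, so no extra guard is needed. Since this lives outside DeclarativePolicy, if the set of authorized projects is later widened (the changelog and docs reference issue 220912 for private manifest projects) it would be worth moving the rule into a policy so it is covered by the usual policy specs.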
@@ -378,9 +378,12 @@ subjects:
 In a previous step, you configured a `config.yaml` to point to the GitLab projects the Agent should synchronize. In each of those projects, you must create a `manifest.yaml` file for the Agent to monitor. You can auto-generate this `manifest.yaml` with a
-templating engine or other means. Only public projects are supported as
-manifest projects. Support for private projects is planned in the issue
-[Agent authorization for private manifest projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
+templating engine or other means.
+
+The agent is authorized to download manifests for the configuration
+project, and public projects. Support for other private projects is
+planned in the issue [Agent authorization for private manifest
+projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
 Each time you commit and push a change to this file, the Agent logs the change:
diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb
index d4690709de4145a9b6d533e8ca0b1af238d6ab52..67c6510bf664e97576e7f98dfb12dd00d2c60dab 100644
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -85,9 +85,7 @@ def check_agent_token
 get '/project_info' do
 project = find_project(params[:id])
- # TODO sort out authorization for real
- # https://gitlab.com/gitlab-org/gitlab/-/issues/220912
- unless Ability.allowed?(nil, :download_code, project)
+ unless Guest.can?(:download_code, project) || agent.has_access_to?(project)
 not_found!
 end
diff --git a/spec/models/clusters/agent_spec.rb b/spec/models/clusters/agent_spec.rb
index 148bb3cf8705d36df30e110747a6b6934706b3dc..49f41570717aba46f76a1a86251b776dd08cc8b5 100644
--- a/spec/models/clusters/agent_spec.rb
+++ b/spec/models/clusters/agent_spec.rb
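Review bot: The new `unless` line in `get '/project_info'` combines two distinct authorization sources (the anonymous `:download_code` policy and the agent's own-project rule) with no explanation, and the removed TODO was the only comment that documented the endpoint's authorization state, so the intent is now only recoverable from the changelog. I'd put a short comment back above the line, e.g. `# Manifests may be fetched from public projects (anonymous :download_code) or from the agent's own configuration project even when it is private; wider authorization is tracked in issue 220912.` Evaluating `agent.has_access_to?(project)` before `Guest.can?` would short-circuit the cheap record comparison ahead of the policy evaluation without changing the result. `agent` and `find_project` are defined outside this hunk; assuming `find_project` returns nil for an unknown id, both checks are false for nil and `not_found!` is still reached, which keeps private-project existence from leaking to a foreign agent.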
@@ -57,4 +57,16 @@
 end
 end
 end
+
+ describe '#has_access_to?' do
+ let(:agent) { build(:cluster_agent) }
+
+ it 'has access to own project' do
+ expect(agent.has_access_to?(agent.project)).to be_truthy
+ end
+
+ it 'does not have access to other projects' do
+ expect(agent.has_access_to?(create(:project))).to be_falsey
+ end
+ end
 end
diff --git a/spec/requests/api/internal/kubernetes_spec.rb b/spec/requests/api/internal/kubernetes_spec.rb
index a532b8e59f28d54f7646d0ec6b811bac9ae0c692..b082dc400c064cdc61ead529f555bf4dd57db22c 100644
--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -137,9 +137,7 @@ def send_request(headers: {}, params: {})
 include_examples 'agent authentication'
 context 'an agent is found' do
- let!(:agent_token) { create(:cluster_agent_token) }
-
- let(:agent) { agent_token.agent }
+ let_it_be(:agent_token) { create(:cluster_agent_token) }
 context 'project is public' do
 let(:project) { create(:project, :public) }
@@ -186,6 +184,16 @@ def send_request(headers: {}, params: {})
 expect(response).to have_gitlab_http_status(:not_found)
 end
+
+ context 'and agent belongs to project' do
+ let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
+
+ it 'returns 200' do
+ send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+ expect(response).to have_gitlab_http_status(:success)
+ end
+ end
 end
 context 'project is internal' do
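Review bot: The new `#has_access_to?` examples cover the own-project and foreign-project cases but not a nil argument, and since this method is now an authorization gate a false positive on nil is the dangerous direction to leave untested. I'd add a third example next to the existing two: `it 'does not have access to a nil project' do expect(agent.has_access_to?(nil)).to be_falsey end`. Because the method returns a strict boolean from `==`, `be(true)`/`be(false)` would pin the contract more tightly than `be_truthy`/`be_falsey`, which also accept nil. The `build(:cluster_agent)` subject is unsaved, so the positive example depends on the factory attaching a project; that seems to hold given the spec, but it is not visible in this hunk.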