Merge branch 'cluster_management_projects_updating' into 'master'

Adds ability to set management project for cluster via API

See merge request gitlab-org/gitlab!18429

app/controllers/clusters/clusters_controller.rb

@@ -142,6 +142,7 @@ class Clusters::ClustersController < Clusters::BaseController
         :environment_scope,
         :managed,
         :base_domain,
+        :management_project_id,
         platform_kubernetes_attributes: [
           :api_url,
           :token,
@@ -155,6 +156,7 @@ class Clusters::ClustersController < Clusters::BaseController
         :environment_scope,
         :managed,
         :base_domain,
+        :management_project_id,
         platform_kubernetes_attributes: [
           :namespace
         ]

app/models/clusters/cluster.rb

@@ -117,6 +117,8 @@ module Clusters
 
     scope :default_environment, -> { where(environment_scope: DEFAULT_ENVIRONMENT) }
 
+    scope :for_project_namespace, -> (namespace_id) { joins(:projects).where(projects: { namespace_id: namespace_id }) }
+
     def self.ancestor_clusters_for_clusterable(clusterable, hierarchy_order: :asc)
       return [] if clusterable.is_a?(Instance)
 

app/models/clusters/clusters_hierarchy.rb

@@ -20,7 +20,7 @@ module Clusters
         .with
         .recursive(cte.to_arel)
         .from(cte_alias)
-        .order(DEPTH_COLUMN => :asc)
+        .order(depth_order_clause)
     end
 
     private
@@ -40,7 +40,7 @@ module Clusters
                    end
 
       if clusterable.is_a?(::Project) && include_management_project
-        cte << management_clusters_query
+        cte << same_namespace_management_clusters_query
       end
 
       cte << base_query
@@ -49,13 +49,42 @@ module Clusters
       cte
     end
 
+    # Returns project-level clusters where the project is the management project
+    # for the cluster. The management project has to be in the same namespace /
+    # group as the cluster's project.
+    #
+    # Support for management project in sub-groups is planned in
+    # https://gitlab.com/gitlab-org/gitlab/issues/34650
+    #
+    # NB: group_parent_id is un-used but we still need to match the same number of
+    # columns as other queries in the CTE.
+    def same_namespace_management_clusters_query
+      clusterable.management_clusters
+        .project_type
+        .select([clusters_star, 'NULL AS group_parent_id', "0 AS #{DEPTH_COLUMN}"])
+        .for_project_namespace(clusterable.namespace_id)
+    end
+
     # Management clusters should be first in the hierarchy so we use 0 for the
     # depth column.
     #
-    # group_parent_id is un-used but we still need to match the same number of
-    # columns as other queries in the CTE.
-    def management_clusters_query
-      clusterable.management_clusters.select([clusters_star, 'NULL AS group_parent_id', "0 AS #{DEPTH_COLUMN}"])
+    # Only applicable if the clusterable is a project (most especially when
+    # requesting project.deployment_platform).
+    def depth_order_clause
+      return { DEPTH_COLUMN => :asc } unless clusterable.is_a?(::Project) && include_management_project
+
+      order = <<~SQL
+        (CASE clusters.management_project_id
+          WHEN :project_id THEN 0
+          ELSE #{DEPTH_COLUMN}
+        END) ASC
+      SQL
+
+      values = {
+        project_id: clusterable.id
+      }
+
+      model.sanitize_sql_array([Arel.sql(order), values])
     end
 
     def group_clusters_base_query

app/models/concerns/deployment_platform.rb

@@ -12,7 +12,7 @@ module DeploymentPlatform
   private
 
   def cluster_management_project_enabled?
-    Feature.enabled?(:cluster_management_project, default_enabled: true)
+    Feature.enabled?(:cluster_management_project, self)
   end
 
   def find_deployment_platform(environment)

app/services/clusters/update_service.rb

@@ -9,7 +9,55 @@ module Clusters
     end
 
     def execute(cluster)
-      cluster.update(params)
+      if validate_params(cluster)
+        cluster.update(params)
+      else
+        false
+      end
+    end
+
+    private
+
+    def can_admin_pipeline_for_project?(project)
+      Ability.allowed?(current_user, :admin_pipeline, project)
+    end
+
+    def validate_params(cluster)
+      if params[:management_project_id]
+        management_project = management_project_scope(cluster).find_by_id(params[:management_project_id])
+
+        unless management_project
+          cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action'))
+
+          return false
+        end
+
+        unless can_admin_pipeline_for_project?(management_project)
+          # Use same message as not found to prevent enumeration
+          cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action'))
+
+          return false
+        end
+      end
+
+      true
+    end
+
+    def management_project_scope(cluster)
+      return ::Project.all if cluster.instance_type?
+
+      group =
+        if cluster.group_type?
+          cluster.first_group
+        elsif cluster.project_type?
+          cluster.first_project&.namespace
+        end
+
+      # Prevent users from selecting nested projects until
+      # https://gitlab.com/gitlab-org/gitlab/issues/34650 is resolved
+      include_subgroups = cluster.group_type?
+
+      ::GroupProjectsFinder.new(group: group, current_user: current_user, options: { only_owned: true, include_subgroups: include_subgroups }).execute
     end
   end
 end

changelogs/unreleased/cluster_management_projects_updating.yml

+---
+title: Adds ability to set management project for cluster via API
+merge_request: 18429
+author:
+type: added

doc/api/group_clusters.md

@@ -53,6 +53,16 @@ Example response:
       "api_url":"https://104.197.68.152",
       "authorization_type":"rbac",
       "ca_cert":"-----BEGIN CERTIFICATE-----\r\nhFiK1L61owwDQYJKoZIhvcNAQELBQAw\r\nLzEtMCsGA1UEAxMkZDA1YzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM4ZDBj\r\nMB4XDTE4MTIyNzIwMDM1MVoXDTIzMTIyNjIxMDM1MVowLzEtMCsGA1UEAxMkZDA1\r\nYzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM.......-----END CERTIFICATE-----"
+    },
+    "management_project":
+    {
+      "id":2,
+      "description":null,
+      "name":"project2",
+      "name_with_namespace":"John Doe8 / project2",
+      "path":"project2",
+      "path_with_namespace":"namespace2/project2",
+      "created_at":"2019-10-11T02:55:54.138Z"
     }
   },
   {
@@ -111,6 +121,16 @@ Example response:
     "authorization_type":"rbac",
     "ca_cert":"-----BEGIN CERTIFICATE-----\r\nhFiK1L61owwDQYJKoZIhvcNAQELBQAw\r\nLzEtMCsGA1UEAxMkZDA1YzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM4ZDBj\r\nMB4XDTE4MTIyNzIwMDM1MVoXDTIzMTIyNjIxMDM1MVowLzEtMCsGA1UEAxMkZDA1\r\nYzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM.......-----END CERTIFICATE-----"
   },
+  "management_project":
+  {
+    "id":2,
+    "description":null,
+    "name":"project2",
+    "name_with_namespace":"John Doe8 / project2",
+    "path":"project2",
+    "path_with_namespace":"namespace2/project2",
+    "created_at":"2019-10-11T02:55:54.138Z"
+  },
   "group":
   {
     "id":26,
@@ -135,6 +155,7 @@ Parameters:
 | `id` | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
 | `name` | String | yes | The name of the cluster |
 | `domain` | String | no | The [base domain](../user/group/clusters/index.md#base-domain) of the cluster |
+| `management_project_id` | integer | no | The ID of the [management project](../user/clusters/management_project.md) for the cluster |
 | `enabled` | Boolean | no | Determines if cluster is active or not, defaults to true |
 | `managed` | Boolean | no | Determines if GitLab will manage namespaces and service accounts for this cluster, defaults to true |
 | `platform_kubernetes_attributes[api_url]` | String | yes | The URL to access the Kubernetes API |
@@ -178,6 +199,7 @@ Example response:
     "authorization_type":"rbac",
     "ca_cert":"-----BEGIN CERTIFICATE-----\r\nhFiK1L61owwDQYJKoZIhvcNAQELBQAw\r\nLzEtMCsGA1UEAxMkZDA1YzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM4ZDBj\r\nMB4XDTE4MTIyNzIwMDM1MVoXDTIzMTIyNjIxMDM1MVowLzEtMCsGA1UEAxMkZDA1\r\nYzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM.......-----END CERTIFICATE-----"
   },
+  "management_project":null,
   "group":
   {
     "id":26,
@@ -248,6 +270,16 @@ Example response:
     "authorization_type":"rbac",
     "ca_cert":null
   },
+  "management_project":
+  {
+    "id":2,
+    "description":null,
+    "name":"project2",
+    "name_with_namespace":"John Doe8 / project2",
+    "path":"project2",
+    "path_with_namespace":"namespace2/project2",
+    "created_at":"2019-10-11T02:55:54.138Z"
+  },
   "group":
   {
     "id":26,

doc/api/project_clusters.md

@@ -54,6 +54,16 @@ Example response:
       "namespace":"cluster-1-namespace",
       "authorization_type":"rbac",
       "ca_cert":"-----BEGIN CERTIFICATE-----\r\nhFiK1L61owwDQYJKoZIhvcNAQELBQAw\r\nLzEtMCsGA1UEAxMkZDA1YzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM4ZDBj\r\nMB4XDTE4MTIyNzIwMDM1MVoXDTIzMTIyNjIxMDM1MVowLzEtMCsGA1UEAxMkZDA1\r\nYzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM.......-----END CERTIFICATE-----"
+    },
+    "management_project":
+    {
+      "id":2,
+      "description":null,
+      "name":"project2",
+      "name_with_namespace":"John Doe8 / project2",
+      "path":"project2",
+      "path_with_namespace":"namespace2/project2",
+      "created_at":"2019-10-11T02:55:54.138Z"
     }
   },
   {
@@ -113,6 +123,16 @@ Example response:
     "authorization_type":"rbac",
     "ca_cert":"-----BEGIN CERTIFICATE-----\r\nhFiK1L61owwDQYJKoZIhvcNAQELBQAw\r\nLzEtMCsGA1UEAxMkZDA1YzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM4ZDBj\r\nMB4XDTE4MTIyNzIwMDM1MVoXDTIzMTIyNjIxMDM1MVowLzEtMCsGA1UEAxMkZDA1\r\nYzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM.......-----END CERTIFICATE-----"
   },
+  "management_project":
+  {
+    "id":2,
+    "description":null,
+    "name":"project2",
+    "name_with_namespace":"John Doe8 / project2",
+    "path":"project2",
+    "path_with_namespace":"namespace2/project2",
+    "created_at":"2019-10-11T02:55:54.138Z"
+  },
   "project":
   {
     "id":26,
@@ -205,6 +225,7 @@ Example response:
     "authorization_type":"rbac",
     "ca_cert":"-----BEGIN CERTIFICATE-----\r\nhFiK1L61owwDQYJKoZIhvcNAQELBQAw\r\nLzEtMCsGA1UEAxMkZDA1YzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM4ZDBj\r\nMB4XDTE4MTIyNzIwMDM1MVoXDTIzMTIyNjIxMDM1MVowLzEtMCsGA1UEAxMkZDA1\r\nYzQ1YjctNzdiMS00NDY0LThjNmEtMTQ0ZDJkZjM.......-----END CERTIFICATE-----"
   },
+  "management_project":null,
   "project":
   {
     "id":26,
@@ -253,6 +274,7 @@ Parameters:
 | `cluster_id` | integer | yes | The ID of the cluster |
 | `name` | String | no | The name of the cluster |
 | `domain` | String | no | The [base domain](../user/project/clusters/index.md#base-domain) of the cluster |
+| `management_project_id` | integer | no | The ID of the [management project](../user/clusters/management_project.md) for the cluster |
 | `platform_kubernetes_attributes[api_url]` | String | no | The URL to access the Kubernetes API |
 | `platform_kubernetes_attributes[token]` | String | no | The token to authenticate against Kubernetes |
 | `platform_kubernetes_attributes[ca_cert]` | String | no | TLS certificate (needed if API is using a self-signed TLS certificate |
@@ -300,6 +322,16 @@ Example response:
     "authorization_type":"rbac",
     "ca_cert":null
   },
+  "management_project":
+  {
+    "id":2,
+    "description":null,
+    "name":"project2",
+    "name_with_namespace":"John Doe8 / project2",
+    "path":"project2",
+    "path_with_namespace":"namespace2/project2",
+    "created_at":"2019-10-11T02:55:54.138Z"
+  },
   "project":
   {
     "id":26,

doc/user/clusters/management_project.md

@@ -4,7 +4,7 @@ CAUTION: **Warning:**
 This is an _alpha_ feature, and it is subject to change at any time without
 prior notice.
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/17866) in GitLab 12.4
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32810) in GitLab 12.5
 
 A project can be designated as the management project for a cluster.
 A management project can be used to run deployment jobs with
@@ -22,6 +22,14 @@ This can be useful for:
 Only the management project will receive `cluster-admin` privileges. All
 other projects will continue to receive [namespace scoped `edit` level privileges](../project/clusters/index.md#rbac-cluster-resources).
 
+Management projects are restricted to the following:
+
+- For project-level clusters, the management project must in the same
+  namespace (or descendants) as the cluster's project.
+- For group-level clusters, the management project must in the same
+  group (or descendants) as as the cluster's group.
+- For instance-level clusters, there are no such restrictions.
+
 ## Usage
 
 ### Selecting a cluster management project
@@ -87,9 +95,9 @@ configure production cluster:
     name: production
 ```
 
-## Disabling this feature
+## Enabling this feature
 
-This feature is enabled by default. To disable this feature, disable the
+This feature is disabled by default. To enable this feature, enable the
 feature flag `:cluster_management_project`.
 
 To check if the feature flag is enabled on your GitLab instance,

lib/api/entities.rb

@@ -1791,6 +1791,7 @@ module API
       expose :user, using: Entities::UserBasic
       expose :platform_kubernetes, using: Entities::Platform::Kubernetes
       expose :provider_gcp, using: Entities::Provider::Gcp
+      expose :management_project, using: Entities::ProjectIdentity
     end
 
     class ClusterProject < Cluster

lib/api/group_clusters.rb

@@ -84,6 +84,7 @@ module API
         requires :cluster_id, type: Integer, desc: 'The cluster ID'
         optional :name, type: String, desc: 'Cluster name'
         optional :domain, type: String, desc: 'Cluster base domain'
+        optional :management_project_id, type: Integer, desc: 'The ID of the management project'
         optional :platform_kubernetes_attributes, type: Hash, desc: %q(Platform Kubernetes data) do
           optional :api_url, type: String, desc: 'URL to access the Kubernetes API'
           optional :token, type: String, desc: 'Token to authenticate against Kubernetes'

lib/api/project_clusters.rb

@@ -88,6 +88,7 @@ module API
         requires :cluster_id, type: Integer, desc: 'The cluster ID'
         optional :name, type: String, desc: 'Cluster name'
         optional :domain, type: String, desc: 'Cluster base domain'
+        optional :management_project_id, type: Integer, desc: 'The ID of the management project'
         optional :platform_kubernetes_attributes, type: Hash, desc: %q(Platform Kubernetes data) do
           optional :api_url, type: String, desc: 'URL to access the Kubernetes API'
           optional :token, type: String, desc: 'Token to authenticate against Kubernetes'

locale/gitlab.pot

@@ -12701,6 +12701,9 @@ msgstr ""
 msgid "Project details"
 msgstr ""
 
+msgid "Project does not exist or you don't have permission to perform this action"
+msgstr ""
+
 msgid "Project export could not be deleted."
 msgstr ""
 

spec/models/clusters/cluster_spec.rb

@@ -152,6 +152,16 @@ describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
     end
   end
 
+  describe '.for_project_namespace' do
+    subject { described_class.for_project_namespace(namespace_id) }
+
+    let!(:cluster) { create(:cluster, :project) }
+    let!(:another_cluster) { create(:cluster, :project) }
+    let(:namespace_id) { cluster.first_project.namespace_id }
+
+    it { is_expected.to contain_exactly(cluster) }
+  end
+
   describe 'validations' do
     subject { cluster.valid? }
 

spec/models/clusters/clusters_hierarchy_spec.rb

@@ -42,6 +42,28 @@ describe Clusters::ClustersHierarchy do
       it 'returns clusters for project' do
         expect(base_and_ancestors(cluster.project)).to eq([cluster])
       end
+
+      context 'cluster has management project' do
+        let(:management_project) { create(:project, namespace: cluster.first_project.namespace) }
+
+        before do
+          cluster.update!(management_project: management_project)
+        end
+
+        context 'management_project is in same namespace as cluster' do
+          it 'returns cluster for management_project' do
+            expect(base_and_ancestors(management_project)).to eq([cluster])
+          end
+        end
+
+        context 'management_project is in a different namespace from cluster' do
+          let(:management_project) { create(:project) }
+
+          it 'returns nothing' do
+            expect(base_and_ancestors(management_project)).to be_empty
+          end
+        end
+      end
     end
 
     context 'cluster has management project' do
@@ -50,16 +72,12 @@ describe Clusters::ClustersHierarchy do
 
       let(:group) { create(:group) }
       let(:project) { create(:project, group: group) }
-      let(:management_project) { create(:project) }
+      let(:management_project) { create(:project, group: group) }
 
       it 'returns clusters for management_project' do
         expect(base_and_ancestors(management_project)).to eq([group_cluster])
       end
 
-      it 'returns nothing if include_management_project is false' do
-        expect(base_and_ancestors(management_project, include_management_project: false)).to be_empty
-      end
-
       it 'returns clusters for project' do
         expect(base_and_ancestors(project)).to eq([project_cluster, group_cluster])
       end
@@ -70,17 +88,21 @@ describe Clusters::ClustersHierarchy do
     end
 
     context 'project in nested group with clusters at some levels' do
-      let!(:child) { create(:cluster, :group, groups: [child_group], management_project: management_project) }
-      let!(:ancestor) { create(:cluster, :group, groups: [ancestor_group]) }
+      let!(:child) { create(:cluster, :group, groups: [child_group]) }
+      let!(:ancestor) { create(:cluster, :group, groups: [ancestor_group], management_project: management_project) }
 
       let(:ancestor_group) { create(:group) }
       let(:parent_group) { create(:group, parent: ancestor_group) }
       let(:child_group) { create(:group, parent: parent_group) }
       let(:project) { create(:project, group: child_group) }
-      let(:management_project) { create(:project) }
+      let(:management_project) { create(:project, group: child_group) }
+
+      it 'returns clusters for management_project' do
+        expect(base_and_ancestors(management_project)).to eq([ancestor, child])
+      end
 
       it 'returns clusters for management_project' do
-        expect(base_and_ancestors(management_project)).to eq([child])
+        expect(base_and_ancestors(management_project, include_management_project: false)).to eq([child, ancestor])
       end
 
       it 'returns clusters for project' do

spec/models/concerns/deployment_platform_spec.rb

@@ -13,7 +13,11 @@ describe DeploymentPlatform do
     end
 
     context 'when project is the cluster\'s management project ' do
-      let!(:cluster_with_management_project) { create(:cluster, :provided_by_user, management_project: project) }
+      let(:another_project) { create(:project, namespace: project.namespace) }
+
+      let!(:cluster_with_management_project) do
+        create(:cluster, :provided_by_user, projects: [another_project], management_project: project)
+      end
 
       context 'cluster_management_project feature is enabled' do
         it 'returns the cluster with management project' do
@@ -66,7 +70,11 @@ describe DeploymentPlatform do
       end
 
       context 'when project is the cluster\'s management project ' do
-        let!(:cluster_with_management_project) { create(:cluster, :provided_by_user, management_project: project) }
+        let(:another_project) { create(:project, namespace: project.namespace) }
+
+        let!(:cluster_with_management_project) do
+          create(:cluster, :provided_by_user, projects: [another_project], management_project: project)
+        end
 
         context 'cluster_management_project feature is enabled' do
           it 'returns the cluster with management project' do

spec/requests/api/group_clusters_spec.rb

@@ -286,12 +286,15 @@ describe API::GroupClusters do
     let(:update_params) do
       {
         domain: domain,
-        platform_kubernetes_attributes: platform_kubernetes_attributes
+        platform_kubernetes_attributes: platform_kubernetes_attributes,
+        management_project_id: management_project_id
       }
     end
 
     let(:domain) { 'new-domain.com' }
     let(:platform_kubernetes_attributes) { {} }
+    let(:management_project) { create(:project, group: group) }
+    let(:management_project_id) { management_project.id }
 
     let(:cluster) do
       create(:cluster, :group, :provided_by_gcp,
@@ -308,6 +311,8 @@ describe API::GroupClusters do
 
     context 'authorized user' do
       before do
+        management_project.add_maintainer(current_user)
+
         put api("/groups/#{group.id}/clusters/#{cluster.id}", current_user), params: update_params
 
         cluster.reload
@@ -320,6 +325,7 @@ describe API::GroupClusters do
 
         it 'updates cluster attributes' do
           expect(cluster.domain).to eq('new-domain.com')
+          expect(cluster.management_project).to eq(management_project)
         end
       end
 
@@ -332,6 +338,7 @@ describe API::GroupClusters do
 
         it 'does not update cluster attributes' do
           expect(cluster.domain).to eq('old-domain.com')
+          expect(cluster.management_project).to be_nil
         end
 
         it 'returns validation errors' do
@@ -339,6 +346,18 @@ describe API::GroupClusters do
         end
       end
 
+      context 'current user does not have access to management_project_id' do
+        let(:management_project_id) { create(:project).id }
+
+        it 'responds with 400' do
+          expect(response).to have_gitlab_http_status(400)
+        end
+
+        it 'returns validation errors' do
+          expect(json_response['message']['management_project_id'].first).to match('don\'t have permission')
+        end
+      end
+
       context 'with a GCP cluster' do
         context 'when user tries to change GCP specific fields' do
           let(:platform_kubernetes_attributes) do

spec/requests/api/project_clusters_spec.rb

@@ -281,11 +281,14 @@ describe API::ProjectClusters do
     let(:api_url) { 'https://kubernetes.example.com' }
     let(:namespace) { 'new-namespace' }
     let(:platform_kubernetes_attributes) { { namespace: namespace } }
+    let(:management_project) { create(:project, namespace: project.namespace) }
+    let(:management_project_id) { management_project.id }
 
     let(:update_params) do
       {
         domain: 'new-domain.com',
-        platform_kubernetes_attributes: platform_kubernetes_attributes
+        platform_kubernetes_attributes: platform_kubernetes_attributes,
+        management_project_id: management_project_id
       }
     end
 
@@ -310,6 +313,8 @@ describe API::ProjectClusters do
 
     context 'authorized user' do
       before do
+        management_project.add_maintainer(current_user)
+
         put api("/projects/#{project.id}/clusters/#{cluster.id}", current_user), params: update_params
 
         cluster.reload
@@ -323,6 +328,7 @@ describe API::ProjectClusters do
         it 'updates cluster attributes' do
           expect(cluster.domain).to eq('new-domain.com')
           expect(cluster.platform_kubernetes.namespace).to eq('new-namespace')
+          expect(cluster.management_project).to eq(management_project)
         end
       end
 
@@ -336,6 +342,7 @@ describe API::ProjectClusters do
         it 'does not update cluster attributes' do
           expect(cluster.domain).not_to eq('new_domain.com')
           expect(cluster.platform_kubernetes.namespace).not_to eq('invalid_namespace')
+          expect(cluster.management_project).not_to eq(management_project)
         end
 
         it 'returns validation errors' do
@@ -343,6 +350,18 @@ describe API::ProjectClusters do
         end
       end
 
+      context 'current user does not have access to management_project_id' do
+        let(:management_project_id) { create(:project).id }
+
+        it 'responds with 400' do
+          expect(response).to have_gitlab_http_status(400)
+        end
+
+        it 'returns validation errors' do
+          expect(json_response['message']['management_project_id'].first).to match('don\'t have permission')
+        end
+      end
+
       context 'with a GCP cluster' do
         context 'when user tries to change GCP specific fields' do
           let(:platform_kubernetes_attributes) do

spec/services/clusters/update_service_spec.rb

@@ -90,5 +90,115 @@ describe Clusters::UpdateService do
         end
       end
     end
+
+    context 'when params includes :management_project_id' do
+      context 'management_project is non-existent' do
+        let(:params) do
+          { management_project_id: 0 }
+        end
+
+        it 'does not update management_project_id' do
+          is_expected.to eq(false)
+
+          expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+
+          cluster.reload
+          expect(cluster.management_project_id).to be_nil
+        end
+      end
+
+      shared_examples 'setting a management project' do
+        context 'user is authorized to adminster manangement_project' do
+          before do
+            management_project.add_maintainer(cluster.user)
+          end
+
+          let(:params) do
+            { management_project_id: management_project.id }
+          end
+
+          it 'updates management_project_id' do
+            is_expected.to eq(true)
+
+            expect(cluster.management_project).to eq(management_project)
+          end
+        end
+
+        context 'user is not authorized to adminster manangement_project' do
+          let(:params) do
+            { management_project_id: management_project.id }
+          end
+
+          it 'does not update management_project_id' do
+            is_expected.to eq(false)
+
+            expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+
+            cluster.reload
+            expect(cluster.management_project_id).to be_nil
+          end
+        end
+      end
+
+      context 'project cluster' do
+        include_examples 'setting a management project' do
+          let(:management_project) { create(:project, namespace: cluster.first_project.namespace) }
+        end
+
+        context 'manangement_project is outside of the namespace scope' do
+          before do
+            management_project.update(group: create(:group))
+          end
+
+          let(:params) do
+            { management_project_id: management_project.id }
+          end
+
+          it 'does not update management_project_id' do
+            is_expected.to eq(false)
+
+            expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+
+            cluster.reload
+            expect(cluster.management_project_id).to be_nil
+          end
+        end
+      end
+
+      context 'group cluster' do
+        let(:cluster) { create(:cluster, :group) }
+
+        include_examples 'setting a management project' do
+          let(:management_project) { create(:project, group: cluster.first_group) }
+        end
+
+        context 'manangement_project is outside of the namespace scope' do
+          before do
+            management_project.update(group: create(:group))
+          end
+
+          let(:params) do
+            { management_project_id: management_project.id }
+          end
+
+          it 'does not update management_project_id' do
+            is_expected.to eq(false)
+
+            expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+
+            cluster.reload
+            expect(cluster.management_project_id).to be_nil
+          end
+        end
+      end
+
+      context 'instance cluster' do
+        let(:cluster) { create(:cluster, :instance) }
+
+        include_examples 'setting a management project' do
+          let(:management_project) { create(:project) }
+        end
+      end
+    end
   end
 end