1 files changed, 9 insertions, 1 deletions

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index f07bb188265..c25766a5af8 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class GroupPolicy < BasePolicy
+  include ClusterableActions
+
   desc "Group is public"
   with_options scope: :subject, score: 0
   condition(:public_group) { @subject.public? }
@@ -27,6 +29,9 @@ class GroupPolicy < BasePolicy
     GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any?
   end
 
+  condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
+  condition(:can_have_multiple_clusters) { multiple_clusters_available? }
+
   with_options scope: :subject, score: 0
   condition(:request_access_enabled) { @subject.request_access_enabled }
 
@@ -45,7 +50,7 @@ class GroupPolicy < BasePolicy
     enable :read_label
   end
 
-  rule { admin }             .enable :read_group
+  rule { admin }.enable :read_group
 
   rule { has_projects }.policy do
     enable :read_group
@@ -67,6 +72,7 @@ class GroupPolicy < BasePolicy
     enable :admin_pipeline
     enable :admin_build
     enable :read_cluster
+    enable :add_cluster
     enable :create_cluster
     enable :update_cluster
     enable :admin_cluster
@@ -106,6 +112,8 @@ class GroupPolicy < BasePolicy
 
   rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
 
+  rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
+
   def access_level
     return GroupMember::NO_ACCESS if @user.nil?