1 files changed, 229 insertions, 35 deletions
diff --git a/doc/user/clusters/agent/ci_cd_tunnel.md b/doc/user/clusters/agent/ci_cd_tunnel.md
index 5fe772d9686..73a8470e025 100644
--- a/doc/user/clusters/agent/ci_cd_tunnel.md
+++ b/doc/user/clusters/agent/ci_cd_tunnel.md
@@ -4,60 +4,254 @@ group: Configure
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
 
-# CI/CD Tunnel **(FREE)**
+# Using a GitLab CI/CD workflow for Kubernetes **(FREE)**
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327409) in GitLab 14.1.
 > - The pre-configured `KUBECONFIG` was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/324275) in GitLab 14.2.
 > - The ability to authorize groups was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
 > - [Moved](https://gitlab.com/groups/gitlab-org/-/epics/6290) to GitLab Free in 14.5.
 > - Support for Omnibus installations was [introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/5686) in GitLab 14.5.
+> - The ability to switch between certificate-based clusters and agents was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/335089) in GitLab 14.9. The certificate-based cluster context is always called `gitlab-deploy`.
 
-To use GitLab CI/CD to safely deploy your application to a cluster, you can use the CI/CD Tunnel.
+You can use a GitLab CI/CD workflow to safely deploy to and update your Kubernetes clusters.
 
-You can authorize multiple projects to access the same cluster, so you
-can keep your application's codebase in one repository and configure
-your cluster in another. This method is scalable and can save you resources.
+To do so, you must first [install an agent in your cluster](install/index.md). When done, you have a Kubernetes context and can
+run Kubernetes API commands in your GitLab CI/CD pipeline.
 
-To ensure access to your cluster is safe, only the projects you
-authorize can access your Agent through the CI/CD Tunnel.
+To ensure access to your cluster is safe:
 
-## Prerequisites
+- Each agent has a separate context (`kubecontext`).
+- Only the project where the agent is configured, and any additional projects you authorize, can access the agent in your cluster.
 
-To use the CI/CD Tunnel, you need an existing Kubernetes cluster connected to GitLab through the
-[GitLab Agent](install/index.md#install-the-agent-onto-the-cluster).
+You do not need to have a runner in the cluster with the agent.
 
-To run your CI/CD jobs using the CI/CD Tunnel, you do not need to have a runner in the same cluster.
+## GitLab CI/CD workflow steps
 
-## How the CI/CD Tunnel works
+To update a Kubernetes cluster by using GitLab CI/CD, complete the following steps.
 
-When you authorize a project to use an Agent, the Tunnel automatically
-injects a `KUBECONFIG` variable into its CI/CD jobs. This way, you can
-run `kubectl` commands from GitLab CI/CD scripts that belong to the
-authorized project.
+1. Ensure you have a working Kubernetes cluster and the manifests are in a GitLab project.
+1. In the same GitLab project, [register and install the GitLab agent](install/index.md).
+1. [Update your `.gitlab-ci.yml` file](#update-your-gitlab-ciyml-file-to-run-kubectl-commands) to
+   select the agent's Kubernetes context and run the Kubernetes API commands.
+1. Run your pipeline to deploy to or update the cluster.
 
-When you authorize a group, all the projects that belong to that group
-become authorized to access the selected Agent.
+If you have multiple GitLab projects that contain Kubernetes manifests:
 
-An Agent can only authorize projects or groups in the same group
-hierarchy as the Agent's configuration project. You can authorize
-up to 100 projects and 100 groups per Agent.
+1. [Install the GitLab agent](install/index.md) in its own project, or in one of the
+   GitLab projects where you keep Kubernetes manifests.
+1. [Authorize the agent](#authorize-the-agent) to access your GitLab projects.
+1. Optional. For added security, [use impersonation](#use-impersonation-to-restrict-project-and-group-access).
+1. [Update your `.gitlab-ci.yml` file](#update-your-gitlab-ciyml-file-to-run-kubectl-commands) to
+   select the agent's Kubernetes context and run the Kubernetes API commands.
+1. Run your pipeline to deploy to or update the cluster.
 
-Also, each Agent has a separate context (`kubecontext`).
-The Tunnel uses this information to safely allow access to the cluster from
-jobs running in the projects you authorized.
+## Authorize the agent
 
-### `~/.kube/cache` permissions
- 
-`kubectl` and other tools based on the same libraries (such as Helm, `kpt`, and `kustomize`) cache information about
+You must authorize the agent to access the project where you keep your Kubernetes manifests.
+You can authorize the agent to access individual projects, or authorize a group or subgroup,
+so all projects within have access. For added security, you can also
+[use impersonation](#use-impersonation-to-restrict-project-and-group-access).
+
+### Authorize the agent to access your projects
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4.
+
+To authorize the agent to access the GitLab project where you keep Kubernetes manifests:
+
+1. On the top bar, select **Menu > Projects** and find the project that contains the agent configuration file (`config.yaml`).
+1. Edit the file. Under the `ci_access` keyword, add the `projects` attribute.
+1. For the `id`, add the path:
+
+   ```yaml
+   ci_access:
+     projects:
+     - id: path/to/project
+   ```
+
+   - The Kubernetes projects must be in the same group hierarchy as the project where the agent's configuration is.
+   - You can authorize up to 100 projects.
+
+All CI/CD jobs now include a `KUBECONFIG` with contexts for every shared agent connection.
+Choose the context to run `kubectl` commands from your CI/CD scripts.
+
+### Authorize the agent to access projects in your groups
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
+
+To authorize the agent to access all of the GitLab projects in a group or subgroup:
+
+1. On the top bar, select **Menu > Projects** and find the project that contains the agent configuration file (`config.yaml`).
+1. Edit the file. Under the `ci_access` keyword, add the `groups` attribute.
+1. For the `id`, add the path:
+
+   ```yaml
+   ci_access:
+     groups:
+     - id: path/to/group/subgroup
+   ```
+
+   - The Kubernetes projects must be in the same group hierarchy as the project where the agent's configuration is.
+   - You can authorize up to 100 groups.
+
+All the projects that belong to the group are now authorized to access the agent.
+All CI/CD jobs now include a `KUBECONFIG` with contexts for every shared agent connection.
+Choose the context to run `kubectl` commands from your CI/CD scripts.
+
+## Update your `.gitlab-ci.yml` file to run `kubectl` commands
+
+In the project where you want to run Kubernetes commands, edit your project's `.gitlab-ci.yml` file.
+
+In the first command under the `script` keyword, set your agent's context.
+Use the format `path/to/agent/repository:agent-name`. For example:
+
+```yaml
+ deploy:
+   image:
+     name: bitnami/kubectl:latest
+     entrypoint: [""]
+   script:
+   - kubectl config get-contexts
+   - kubectl config use-context path/to/agent/repository:agent-name
+   - kubectl get pods
+```
+
+If you are not sure what your agent's context is, open a terminal and connect to your cluster.
+Run `kubectl config get-contexts`.
+
+### Environments with both certificate-based and agent-based connections
+
+When you deploy to an environment that has both a [certificate-based
+cluster](../../infrastructure/clusters/index.md) (deprecated) and an agent connection:
+
+- The certificate-based cluster's context is called `gitlab-deploy`. This context 
+  is always selected by default.
+- In GitLab 14.9 and later, agent contexts are included in the
+  `KUBECONFIG`. You can select them by using `kubectl config use-context
+  path/to/agent/repository:agent-name`.
+- In GitLab 14.8 and earlier, you can still use agent connections, but for environments that
+  already have a certificate-based cluster, the agent connections are not included in the `KUBECONFIG`.
+
+To use an agent connection when certificate-based connections are present, you can manually configure a new `kubectl`
+configuration context. For example:
+
+  ```yaml
+  deploy:
+    variables:
+      KUBE_CONTEXT: my-context # The name to use for the new context
+      AGENT_ID: 1234 # replace with your agent's numeric ID
+      K8S_PROXY_URL: wss://kas.gitlab.com/k8s-proxy/ # replace with your agent server (KAS) Kubernetes proxy URL
+      # ... any other variables you have configured
+    before_script:
+    - kubectl config set-credentials agent:$AGENT_ID --token="ci:${AGENT_ID}:${CI_JOB_TOKEN}"
+    - kubectl config set-cluster gitlab --server="${K8S_PROXY_URL}"
+    - kubectl config set-context "$KUBE_CONTEXT" --cluster=gitlab --user="agent:${AGENT_ID}"
+    - kubectl config use-context "$KUBE_CONTEXT"
+    # ... rest of your job configuration
+  ```
+
+## Use impersonation to restrict project and group access **(PREMIUM)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345014) in GitLab 14.5.
+
+By default, your CI/CD job inherits all the permissions from the service account used to install the
+agent in the cluster.
+To restrict access to your cluster, you can use [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
+
+To specify impersonations, use the `access_as` attribute in your agent configuration file and use Kubernetes RBAC rules to manage impersonated account permissions.
+
+You can impersonate:
+
+- The agent itself (default).
+- The CI/CD job that accesses the cluster.
+- A specific user or system account defined within the cluster.
+
+### Impersonate the agent
+
+The agent is impersonated by default. You don't need to do anything to impersonate it.
+
+### Impersonate the CI/CD job that accesses the cluster
+
+To impersonate the CI/CD job that accesses the cluster, under the `access_as` key, add the `ci_job: {}` key-value.
+
+When the agent makes the request to the actual Kubernetes API, it sets the
+impersonation credentials in the following way:
+
+- `UserName` is set to `gitlab:ci_job:<job id>`. Example: `gitlab:ci_job:1074499489`.
+- `Groups` is set to:
+  - `gitlab:ci_job` to identify all requests coming from CI jobs.
+  - The list of IDs of groups the project is in.
+  - The project ID.
+  - The slug of the environment this job belongs to.
+
+    Example: for a CI job in `group1/group1-1/project1` where:
+
+    - Group `group1` has ID 23.
+    - Group `group1/group1-1` has ID 25.
+    - Project `group1/group1-1/project1` has ID 150.
+    - Job running in a prod environment.
+
+   Group list would be `[gitlab:ci_job, gitlab:group:23, gitlab:group:25, gitlab:project:150, gitlab:project_env:150:prod]`.
+
+- `Extra` carries extra information about the request. The following properties are set on the impersonated identity:
+
+| Property | Description |
+| -------- | ----------- |
+| `agent.gitlab.com/id` | Contains the agent ID. |
+| `agent.gitlab.com/config_project_id` | Contains the agent's configuration project ID. |
+| `agent.gitlab.com/project_id` | Contains the CI project ID. |
+| `agent.gitlab.com/ci_pipeline_id` | Contains the CI pipeline ID. |
+| `agent.gitlab.com/ci_job_id` | Contains the CI job ID. |
+| `agent.gitlab.com/username` | Contains the username of the user the CI job is running as. |
+| `agent.gitlab.com/environment_slug` | Contains the slug of the environment. Only set if running in an environment. |
+
+Example to restrict access by the CI/CD job's identity:
+
+```yaml
+ci_access:
+  projects:
+  - id: path/to/project
+    access_as:
+      ci_job: {}
+```
+
+### Impersonate a static identity
+
+For a given connection, you can use a static identity for the impersonation.
+
+Under the `access_as` key, add the `impersonate` key to make the request using the provided identity.
+
+The identity can be specified with the following keys:
+
+- `username` (required)
+- `uid`
+- `groups`
+- `extra`
+
+See the [official Kubernetes documentation for details](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
+
+## Troubleshooting
+
+### `kubectl` commands not supported
+
+The commands `kubectl exec`, `kubectl cp`, and `kubectl attach` are not supported.
+Anything that uses these API endpoints does not work, because they use the deprecated
+SPDY protocol.
+[An issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/346248) to add support for these commands.
+
+### Grant write permissions to `~/.kube/cache`
+
+Tools like `kubectl`, Helm, `kpt`, and `kustomize` cache information about
 the cluster in `~/.kube/cache`. If this directory is not writable, the tool fetches information on each invocation,
-making interactions slower and creating unnecessary load on the cluster. Make sure that this directory in the container image
-you use is writable for the best experience.
+making interactions slower and creating unnecessary load on the cluster. For the best experience, in the
+image you use in your .`gitlab-ci.yml` file, ensure this directory is writable.
+
+### Enable TLS
 
-## Configure the CI/CD Tunnel
+If you are on a self-managed GitLab instance, ensure your instance is configured with Transport Layer Security (TLS).
 
-The CI/CD Tunnel is configured directly through the
-Agent's configuration file ([`config.yaml`](repository.md)) to:
+If you attempt to use `kubectl` without TLS, you might get an error like:
 
-- Authorize [projects](repository.md#authorize-projects-to-use-an-agent) and [groups](repository.md#authorize-groups-to-use-an-agent) to use the same Agent.
-- [Run `kubectl` commands using the CI/CD Tunnel](repository.md#run-kubectl-commands-using-the-cicd-tunnel).
-- [Restrict access of authorized projects and groups through impersonation strategies](repository.md#use-impersonation-to-restrict-project-and-group-access).
+```shell
+$ kubectl get pods
+error: You must be logged in to the server (the server has asked for the client to provide credentials)
+```