diff options
Diffstat (limited to 'doc/user/clusters/agent')
| -rw-r--r-- | doc/user/clusters/agent/ci_cd_tunnel.md | 26 | ||||
| -rw-r--r-- | doc/user/clusters/agent/index.md | 445 | ||||
| -rw-r--r-- | doc/user/clusters/agent/install/index.md | 369 | ||||
| -rw-r--r-- | doc/user/clusters/agent/repository.md | 240 |
4 files changed, 659 insertions, 421 deletions
diff --git a/doc/user/clusters/agent/ci_cd_tunnel.md b/doc/user/clusters/agent/ci_cd_tunnel.md index 6c8b7c95771..0dfdb37dc1f 100644 --- a/doc/user/clusters/agent/ci_cd_tunnel.md +++ b/doc/user/clusters/agent/ci_cd_tunnel.md @@ -4,15 +4,13 @@ group: Configure info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- -# CI/CD Tunnel **(PREMIUM)** +# CI/CD Tunnel **(FREE)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327409) in GitLab 14.1. > - The pre-configured `KUBECONFIG` was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/324275) in GitLab 14.2. > - The ability to authorize groups was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. - -WARNING: -The CI/CD Tunnel is not supported for GitLab self-managed instances installed via Omnibus. We -plan to [add support for Omnibus](https://gitlab.com/gitlab-org/gitlab/-/issues/324272) in the future. +> - [Moved](https://gitlab.com/groups/gitlab-org/-/epics/6290) to GitLab Free in 14.5. +> - Support for Omnibus installations was [introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/5686) in GitLab 14.5. The CI/CD Tunnel enables users to access Kubernetes clusters from GitLab CI/CD jobs even if there is no network connectivity between GitLab Runner and a cluster. GitLab Runner does not have to be running in the same cluster. @@ -21,11 +19,11 @@ Only CI/CD jobs set in the configuration project can access one of the configure ## Prerequisites -- A running [`kas` instance](index.md#set-up-the-kubernetes-agent-server). -- A [configuration repository](index.md#define-a-configuration-repository) with an Agent config file +- A running [`kas` instance](install/index.md#set-up-the-kubernetes-agent-server). +- A [configuration repository](install/index.md#define-a-configuration-repository) with an Agent config file installed (`.gitlab/agents/<agent-name>/config.yaml`). -- An [Agent record](index.md#create-an-agent-record-in-gitlab). -- The Agent [installed in the cluster](index.md#install-the-agent-into-the-cluster). +- An [Agent record](install/index.md#create-an-agent-record-in-gitlab). +- The Agent [installed in the cluster](install/index.md#install-the-agent-into-the-cluster). ## Use the CI/CD Tunnel to run Kubernetes commands from GitLab CI/CD @@ -37,6 +35,16 @@ there isn't any context selected. Contexts are named in the following format: `<agent-configuration-project-path>:<agent-name>`. To get the list of available contexts, run `kubectl config get-contexts`. +## Share the CI/CD Tunnel provided by an Agent with other projects and groups + +The Agent can be configured to enable access to the CI/CD Tunnel to other projects or all the projects under a given group. This way you can have a single agent serving all the requests for several projects saving on resources and maintenance. + +You can read more on how to [authorize access in the Agent configuration reference](repository.md#authorize-projects-and-groups-to-use-an-agent). + +## Restrict access of authorized projects and groups **(PREMIUM)** + +You can [configure various impersonations](repository.md#use-impersonation-to-restrict-project-and-group-access) to restrict the permissions of a shared CI/CD Tunnel. + ## Example for a `kubectl` command using the CI/CD Tunnel The following example shows a CI/CD job that runs a `kubectl` command using the CI/CD Tunnel. diff --git a/doc/user/clusters/agent/index.md b/doc/user/clusters/agent/index.md index 557d389147d..80b9f3f17f5 100644 --- a/doc/user/clusters/agent/index.md +++ b/doc/user/clusters/agent/index.md @@ -4,31 +4,58 @@ group: Configure info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- -# GitLab Kubernetes Agent **(PREMIUM)** +# GitLab Kubernetes Agent **(FREE)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223061) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.4. -> - [Introduced](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/7) in GitLab 13.6, `grpcs` is supported. +> - Support for `grpcs` [introduced](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/7) in GitLab 13.6. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300960) in GitLab 13.10, KAS became available on GitLab.com under `wss://kas.gitlab.com` through an Early Adopter Program. > - Introduced in GitLab 13.11, the GitLab Kubernetes Agent became available to every project on GitLab.com. +> - The GitLab Kubernetes Agent was [moved](https://gitlab.com/groups/gitlab-org/-/epics/6290) to GitLab Free in 14.5. -The [GitLab Kubernetes Agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent) -is an active in-cluster component for solving GitLab and Kubernetes integration -tasks in a secure and cloud-native way. It enables: +The [GitLab Kubernetes Agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent) ("Agent", for short) +is an active in-cluster component for connecting Kubernetes clusters to GitLab safely to support cloud-native deployment, management, and monitoring. -- GitLab integration with a Kubernetes cluster behind a firewall or NAT - (network address translation). -- Pull-based GitOps deployments. -- [Inventory object](../../infrastructure/clusters/deploy/inventory_object.md) to keep track of objects applied to your cluster. -- Real-time access to API endpoints in a cluster. -- Alert generation based on [Container network policy](../../application_security/policies/index.md#container-network-policy). -- [CI/CD Tunnel](ci_cd_tunnel.md) that enables users to access Kubernetes clusters from GitLab CI/CD jobs even if there is no network connectivity between GitLab Runner and a cluster. +The Agent is installed into the cluster through code, providing you with a fast, safe, stable, and scalable solution. -Many more features are planned. Please review [our roadmap](https://gitlab.com/groups/gitlab-org/-/epics/3329) -and [our development documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/doc). +With GitOps, you can manage containerized clusters and applications from a Git repository that: -## GitLab Agent GitOps workflow +- Is the single source of truth of your system. +- Is the single place where you operate your system. +- Is a single resource to monitor your system. -The GitLab Agent, herein _Agent_, uses multiple GitLab projects to provide a flexible workflow +By combining GitLab, Kubernetes, and GitOps, it results in a robust infrastructure: + +- GitLab as the GitOps operator. +- Kubernetes as the automation and convergence system. +- GitLab CI/CD as the Continuous Integration and Continuous Deployment engine. + +Beyond that, you can use all the features offered by GitLab as +the all-in-one DevOps platform for your product and your team. + +## Agent's features + +By using the GitLab Kubernetes Agent, you can: + +- Connect GitLab with a Kubernetes cluster behind a firewall or a +Network Address Translation (NAT). +- Have real-time access to API endpoints in your cluster from GitLab CI/CD. +- Use GitOps to configure your cluster through the [Agent's repository](repository.md). +- Perform pull-based or push-based GitOps deployments. +- Configure [Network Security Alerts](#kubernetes-network-security-alerts) +based on [Container Network Policies](../../application_security/policies/index.md#container-network-policy). +- Track objects applied to your cluster through [inventory objects](../../infrastructure/clusters/deploy/inventory_object.md). +- Use the [CI/CD Tunnel](ci_cd_tunnel.md) to access Kubernetes clusters +from GitLab CI/CD jobs while keeping the cluster's APIs safe and unexposed +to the internet. +- [Deploy the GitLab Runner in a Kubernetes cluster](https://docs.gitlab.com/runner/install/kubernetes-agent.html). + +See the [GitLab Kubernetes Agent roadmap](https://gitlab.com/groups/gitlab-org/-/epics/3329) to track its development. + +To contribute to the Agent, see the [Agent's development documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/doc). + +## Agent's GitOps workflow **(PREMIUM)** + +The Agent uses multiple GitLab projects to provide a flexible workflow that can suit various needs. This diagram shows these repositories and the main actors involved in a deployment: @@ -50,365 +77,35 @@ sequenceDiagram end ``` -There are several components that work in concert for the Agent to accomplish GitOps deployments: - -- A properly-configured Kubernetes cluster where the Agent is running. -- A configuration repository that contains a `config.yaml` file, which tells the - Agent the repositories to synchronize with the cluster. -- A manifest repository that contains manifest files. Any changes to manifest files are applied to the cluster. - -You can use the same GitLab project or projects for configuration and manifest files, as follows: - -- Single GitLab project (recommended): when you use a single repository to hold both the manifest and the configuration files, these projects can be either private or public, as you prefer. -- Two GitLab projects: when you opt to use two different GitLab projects, one for manifest files, and another for configuration files, the manifests project must be public, while the configuration project can be either private or public. Our backlog contains issues for adding support for -[private manifest repositories outside of the configuration project](https://gitlab.com/gitlab-org/gitlab/-/issues/220912) and -[group level agents](https://gitlab.com/gitlab-org/gitlab/-/issues/283885) in the future. - -For more details, please refer to our [full architecture documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/architecture.md#high-level-architecture) in the Agent project. - -## Get started with GitOps and the GitLab Agent - -The setup process involves a few steps to enable GitOps deployments: - -1. [Set up the Kubernetes Agent Server](#set-up-the-kubernetes-agent-server) for your GitLab instance. -1. [Define a configuration repository](#define-a-configuration-repository). -1. [Create an Agent record in GitLab](#create-an-agent-record-in-gitlab). -1. [Install the Agent into the cluster](#install-the-agent-into-the-cluster). -1. [Generate and copy a Secret token used to connect to the Agent](#create-the-kubernetes-secret). -1. [Create manifest files](#create-manifest-files). - -<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a GitLab 14.2 [walking-through video](https://www.youtube.com/watch?v=XuBpKtsgGkE) with this process. - -### Upgrades and version compatibility - -As the GitLab Kubernetes Agent is a new product, we are constantly adding new features -to it. As a result, while shipped features are production ready, its internal API is -neither stable nor versioned yet. For this reason, GitLab only guarantees compatibility -between corresponding major.minor (X.Y) versions of GitLab and its cluster side -component, `agentk`. - -Upgrade your agent installations together with GitLab upgrades. To decide which version of `agentk` to install follow: - -1. Open the [`GITLAB_KAS_VERSION`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_KAS_VERSION) file from the GitLab Repository, which contains the latest `agentk` version associated with the `master` branch. -1. Change the `master` branch and select the Git tag associated with your version. For instance, you could change it to GitLab [v13.5.3-ee release](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.5.3-ee/GITLAB_KAS_VERSION) - -The available `agentk` and `kas` versions can be found in -[the container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/). - -### Set up the Kubernetes Agent Server - -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3834) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10, the GitLab Kubernetes Agent Server (KAS) became available on GitLab.com under `wss://kas.gitlab.com`. - -To use the KAS: - -- If you are a self-managed user, follow the instructions to [install the Kubernetes Agent Server](../../../administration/clusters/kas.md). -- If you are a GitLab.com user, when you [set up the configuration repository](#define-a-configuration-repository) for your agent, use `wss://kas.gitlab.com` as the `--kas-address`. - -### Define a configuration repository - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7, the Agent manifest configuration can be added to multiple directories (or subdirectories) of its repository. -> - Group authorization was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. - -To configure an Agent, you need: - -1. A GitLab repository to hold the configuration file. -1. Install the Agent in a cluster. - -After installed, when you update the configuration file, GitLab transmits the -information to the cluster automatically without downtime. - -In your repository, add the Agent configuration file under: - -```plaintext -.gitlab/agents/<agent-name>/config.yaml -``` - -Your `config.yaml` file specifies all configurations of the Agent, such as: - -- The manifest projects to synchronize. -- The groups that can access this Agent via the [CI/CD Tunnel](ci_cd_tunnel.md). -- The address of the `hubble-relay` for the Network Security policy integrations. - -As an example, a minimal Agent configuration that sets up only the manifest -synchronizations is: - -```yaml -gitops: - manifest_projects: - - id: "path-to/your-manifest-project-1" - paths: - - glob: '/**/*.{yaml,yml,json}' -``` - -All the options for the [Kubernetes Agent configuration repository](repository.md) are documented separately. - -### Create an Agent record in GitLab - -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5786) in GitLab 14.1, you can create a new Agent record directly from the GitLab UI. - -Next, create a GitLab Rails Agent record to associate it with -the configuration repository project. Creating this record also creates a Secret needed to configure -the Agent in subsequent steps. - -In GitLab: - -1. From your project's sidebar, select **Infrastructure > Kubernetes clusters**. -1. Select the **GitLab Agent managed clusters** tab. -1. Select **Integrate with the GitLab Agent**. -1. From the **Select an Agent** dropdown menu, select the Agent you want to connect and select **Next** to access the installation form. -1. The form reveals your registration token. Securely store this secret token as you cannot view it again. -1. Copy the command under **Recommended installation method**. - -In your computer: - -1. Open your local terminal and connect to your cluster. -1. Run the command you copied from the installation form. - -### Install the Agent into the cluster - -To install the in-cluster component of the Agent, first you need to define a namespace. To create a new namespace, -for example, `gitlab-kubernetes-agent`, run: - -```shell -kubectl create namespace gitlab-kubernetes-agent -``` - -To perform a one-liner installation, run the command below. Make sure to replace: - -- `your-agent-token` with the token received from the previous step (identified as `secret` in the JSON output). -- `gitlab-kubernetes-agent` with the namespace you defined in the previous step. -- `wss://kas.gitlab.example.com` with the configured access of the Kubernetes Agent Server (KAS). For GitLab.com users, the KAS is available under `wss://kas.gitlab.com`. -- `--agent-version=vX.Y.Z` with the latest released patch version matching your GitLab installation's major and minor versions. For example, for GitLab v13.9.0, use `--agent-version=v13.9.1`. You can find your GitLab version under the "Help/Help" menu. - -```shell -docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --agent-token=your-agent-token --kas-address=wss://kas.gitlab.example.com --agent-version=vX.Y.Z --namespace gitlab-kubernetes-agent | kubectl apply -f - -``` - -WARNING: -`--agent-version stable` can be used to refer to the latest stable release at the time when the command runs. It's fine for -testing purposes but for production please make sure to specify a matching version explicitly. - -To find out the various options the above Docker container supports, run: - -```shell -docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --help -``` - -#### Advanced installation - -For more advanced configurations, we recommend to use [the `kpt` based installation method](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent). - -Otherwise, follow the manual installation steps described below. - -### Create the Kubernetes secret - -After generating the token, you must apply it to the Kubernetes cluster. - -To create your Secret, run: - -```shell -kubectl create secret generic -n gitlab-kubernetes-agent gitlab-kubernetes-agent-token --from-literal=token='YOUR_AGENT_TOKEN' -``` - -The following example file contains the -Kubernetes resources required for the Agent to be installed. You can modify this -example [`resources.yml` file](#example-resourcesyml-file) in the following ways: - -- Replace `namespace: gitlab-kubernetes-agent` with `namespace: <YOUR-DESIRED-NAMESPACE>`. -- You can configure `kas-address` (Kubernetes Agent Server) in several ways. - The agent can use the WebSockets or gRPC protocols to connect to the Agent Server. - Select the option appropriate for your cluster configuration and GitLab architecture: - - The `wss` scheme (an encrypted WebSockets connection) is specified by default - after you install the `gitlab-kas` sub-chart, or enable `gitlab-kas` for Omnibus GitLab. - When using the sub-chart, you must set `wss://kas.host.tld:443` as - `kas-address`, where `host.tld` is the domain you've setup for your GitLab installation. - When using Omnibus GitLab, you must set `wss://GitLab.host.tld:443/-/kubernetes-agent/` as - `kas-address`, where `GitLab.host.tld` is your GitLab hostname. - - When using the sub-chart, specify the `ws` scheme (such as `ws://kas.host.tld:80`) - to use an unencrypted WebSockets connection. - When using the Omnibus GitLab, specify the `ws` scheme (such as `ws://GitLab.host.tld:80/-/kubernetes-agent/`). - - Specify the `grpc` scheme if both Agent and Server are installed in one cluster. - In this case, you may specify `kas-address` value as - `grpc://gitlab-kas.<your-namespace>:8150`) to use gRPC directly, where `gitlab-kas` - is the name of the service created by `gitlab-kas` chart, and `<your-namespace>` - is the namespace where the chart was installed. - - Specify the `grpcs` scheme to use an encrypted gRPC connection. - - When deploying KAS through the [GitLab chart](https://docs.gitlab.com/charts/), it's possible to customize the - `kas-address` for `wss` and `ws` schemes to whatever you need. - Check the [chart's KAS Ingress documentation](https://docs.gitlab.com/charts/charts/gitlab/kas/#ingress) - to learn more about it. - - In the near future, Omnibus GitLab intends to provision `gitlab-kas` under a sub-domain by default, instead of the `/-/kubernetes-agent/` path. Please follow [this issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784) for details. -- If you defined your own secret name, replace `gitlab-kubernetes-agent-token` with your - secret name in the `secretName:` section. - -To apply this file, run the following command: - -```shell -kubectl apply -n gitlab-kubernetes-agent -f ./resources.yml -``` - -To review your configuration, run the following command: - -```shell -$ kubectl get pods -n gitlab-kubernetes-agent - -NAMESPACE NAME READY STATUS RESTARTS AGE -gitlab-kubernetes-agent gitlab-kubernetes-agent-77689f7dcb-5skqk 1/1 Running 0 51s -``` - -#### Example `resources.yml` file - -```yaml ---- -apiVersion: v1 -kind: Namespace -metadata: - name: gitlab-kubernetes-agent ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gitlab-kubernetes-agent ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gitlab-kubernetes-agent -spec: - replicas: 1 - selector: - matchLabels: - app: gitlab-kubernetes-agent - template: - metadata: - labels: - app: gitlab-kubernetes-agent - spec: - serviceAccountName: gitlab-kubernetes-agent - containers: - - name: agent - # Make sure to specify a matching version for production - image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:vX.Y.Z - args: - - --token-file=/config/token - - --kas-address - - wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com. - # - wss://gitlab.host.tld:443/-/kubernetes-agent/ - # - wss://kas.gitlab.com # for GitLab.com users, use this KAS. - # - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker. - volumeMounts: - - name: token-volume - mountPath: /config - volumes: - - name: token-volume - secret: - secretName: gitlab-kubernetes-agent-token - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gitlab-kubernetes-agent-write -rules: -- resources: - - '*' - apiGroups: - - '*' - verbs: - - create - - update - - delete - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: gitlab-kubernetes-agent-write-binding -roleRef: - name: gitlab-kubernetes-agent-write - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: -- name: gitlab-kubernetes-agent - kind: ServiceAccount - namespace: gitlab-kubernetes-agent ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gitlab-kubernetes-agent-read -rules: -- resources: - - '*' - apiGroups: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: gitlab-kubernetes-agent-read-binding -roleRef: - name: gitlab-kubernetes-agent-read - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: -- name: gitlab-kubernetes-agent - kind: ServiceAccount - namespace: gitlab-kubernetes-agent -``` - -### Create manifest files - -In a previous step, you configured a `config.yaml` to point to the GitLab projects -the Agent should synchronize. Agent monitors each of those projects for changes to the manifest files it contains. You can auto-generate manifest files with a -templating engine or other means. - -The agent is authorized to download manifests for the configuration -project, and public projects. Support for other private projects is -planned in the issue [Agent authorization for private manifest -projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912). - -Each time you push a change to a monitored manifest repository, the Agent logs the change: - -```plaintext -2020-09-15_14:09:04.87946 gitlab-k8s-agent : time="2020-09-15T10:09:04-04:00" level=info msg="Config: new commit" agent_id=1 commit_id=e6a3651f1faa2e928fe6120e254c122451be4eea -``` +For more details, refer to our [architecture documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/architecture.md#high-level-architecture) in the Agent project. -#### Example manifest file +## Install the Agent in your cluster -This file creates a minimal `ConfigMap`: +See how to [install the GitLab Kubernetes Agent in your cluster](install/index.md). -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: demo-map - namespace: gitlab-kubernetes-agent # Can be any namespace managed by you that the agent has access to. -data: - key: value -``` +## GitOps deployments **(PREMIUM)** -## Example projects +To perform GitOps deployments with the Agent, you need: -The following example projects can help you get started with the Kubernetes Agent. +- A properly-configured Kubernetes cluster where the Agent is running. +- A [configuration repository](repository.md) that contains a +`config.yaml` file, which tells the Agent the repositories to synchronize +with the cluster. +- A manifest repository that contains manifest files. Any changes to manifest files are applied to the cluster. -- [Configuration repository](https://gitlab.com/gitlab-org/configure/examples/kubernetes-agent) -- This basic GitOps example deploys NGINX: [Manifest repository](https://gitlab.com/gitlab-org/configure/examples/gitops-project) +You can use a single GitLab project or different projects for the Agent +configuration and manifest files, as follows: -### GitLab Runner Deployment with the Agent +- Single GitLab project (recommended): When you use a single repository to hold + both the manifest and the configuration files, these projects can be either + private or public. +- Two GitLab projects: When you use two different GitLab projects (one for + manifest files and another for configuration files), the manifests project must + be public, while the configuration project can be either private or public. -You can use the Kubernetes Agent to -[deploy GitLab Runner in a Kubernetes cluster](https://docs.gitlab.com/runner/install/kubernetes-agent.html). +Support for separated private manifest and configuration repositories is tracked in this [issue](https://gitlab.com/gitlab-org/gitlab/-/issues/220912). -## Kubernetes Network Security Alerts +## Kubernetes Network Security Alerts **(ULTIMATE)** The GitLab Agent also provides an integration with Cilium. This integration provides a simple way to generate network policy-related alerts and to surface those alerts in GitLab. @@ -426,24 +123,12 @@ There are several components that work in concert for the Agent to generate the - Add the required labels and annotations to existing network policies. - A configuration repository with [Cilium configured in `config.yaml`](repository.md#surface-network-security-alerts-from-cluster-to-gitlab) -The setup process follows the same steps as [GitOps](#get-started-with-gitops-and-the-gitlab-agent), +The setup process follows the same [Agent's installation steps](install/index.md), with the following differences: - When you define a configuration repository, you must do so with [Cilium settings](repository.md#surface-network-security-alerts-from-cluster-to-gitlab). - You do not need to specify the `gitops` configuration section. -## Management interfaces - -Users with at least the [Developer](../../permissions.md) can access the user interface -for the GitLab Kubernetes agent at **Infrastructure > Kubernetes clusters**, under the -**GitLab Agent managed clusters** tab. This page lists all registered agents for -the current project, and the configuration directory for each agent: - - - -Additional management interfaces are planned for the GitLab Kubernetes Agent. -[Provide more feedback in the related epic](https://gitlab.com/groups/gitlab-org/-/epics/4739). - ## Remove the GitLab Kubernetes Agent 1. Remove an Agent record with GraphQL by deleting the `clusterAgent` and the `clusterAgentToken`. @@ -518,7 +203,7 @@ specified the `kas-address` correctly. ``` This error occurs if the `kas-address` doesn't include a trailing slash. To fix it, make sure that the -`wss` or `ws` URL ends with a training slash, such as `wss://GitLab.host.tld:443/-/kubernetes-agent/` +`wss` or `ws` URL ends with a trailing slash, such as `wss://GitLab.host.tld:443/-/kubernetes-agent/` or `ws://GitLab.host.tld:80/-/kubernetes-agent/`. #### ValidationError(Deployment.metadata) diff --git a/doc/user/clusters/agent/install/index.md b/doc/user/clusters/agent/install/index.md new file mode 100644 index 00000000000..fad9d4f08f1 --- /dev/null +++ b/doc/user/clusters/agent/install/index.md @@ -0,0 +1,369 @@ +--- +stage: Configure +group: Configure +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Install the GitLab Kubernetes Agent **(FREE)** + +> [Moved](https://gitlab.com/groups/gitlab-org/-/epics/6290) to GitLab Free in 14.5. + +To get started with the GitLab Kubernetes Agent, install it in your cluster. + +Pre-requisites: + +- An existing Kubernetes cluster. +- An account on GitLab. + +## Installation steps + +To install the [GitLab Kubernetes Agent](../index.md) in your cluster: + +1. [Set up the Kubernetes Agent Server](#set-up-the-kubernetes-agent-server) for your GitLab instance. +1. [Define a configuration repository](#define-a-configuration-repository). +1. [Create an Agent record in GitLab](#create-an-agent-record-in-gitlab). +1. [Install the Agent into the cluster](#install-the-agent-into-the-cluster). +1. [Generate and copy a Secret token used to connect to the Agent](#create-the-kubernetes-secret). +1. [Create manifest files](#create-manifest-files). + +<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> Watch a GitLab 14.2 [walking-through video](https://www.youtube.com/watch?v=XuBpKtsgGkE) with this process. + +### Set up the Kubernetes Agent Server + +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3834) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10, the GitLab Kubernetes Agent Server (KAS) became available on GitLab.com under `wss://kas.gitlab.com`. + +To use the KAS: + +- If you are a self-managed user, follow the instructions to [install the Kubernetes Agent Server](../../../../administration/clusters/kas.md). +- If you are a GitLab.com user, when you [set up the configuration repository](#define-a-configuration-repository) for your agent, use `wss://kas.gitlab.com` as the `--kas-address`. + +### Define a configuration repository + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7, the Agent manifest configuration can be added to multiple directories (or subdirectories) of its repository. +> - Group authorization was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. + +To configure an Agent, you need: + +1. A GitLab repository to hold the configuration file. +1. Install the Agent in a cluster. + +After installed, when you update the configuration file, GitLab transmits the +information to the cluster automatically without downtime. + +In your repository, add the Agent configuration file under: + +```plaintext +.gitlab/agents/<agent-name>/config.yaml +``` + +Make sure that `<agent-name>` conforms to the [Agent's naming format](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/identity_and_auth.md#agent-identity-and-name). + +Your `config.yaml` file specifies all configurations of the Agent, such as: + +- The manifest projects to synchronize. +- The groups that can access this Agent via the [CI/CD Tunnel](../ci_cd_tunnel.md). +- The address of the `hubble-relay` for the Network Security policy integrations. + +As an example, a minimal Agent configuration that sets up only the manifest +synchronizations is: + +```yaml +gitops: + manifest_projects: + # The `id` is the path to the Git repository holding your manifest files + - id: "path/to/your-manifest-project-1" + paths: + - glob: '/**/*.{yaml,yml,json}' +``` + +All the options for the [Kubernetes Agent configuration repository](../repository.md) are documented separately. + +### Create an Agent record in GitLab + +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5786) in GitLab 14.1, you can create a new Agent record directly from the GitLab UI. + +Next, create a GitLab Rails Agent record to associate it with +the configuration repository project. Creating this record also creates a Secret needed to configure +the Agent in subsequent steps. + +In GitLab: + +1. Ensure that [GitLab CI/CD is enabled in your project](../../../../ci/enable_or_disable_ci.md#enable-cicd-in-a-project). +1. From your project's sidebar, select **Infrastructure > Kubernetes clusters**. +1. Select **Actions**. +1. From the **Select an Agent** dropdown, select the Agent you want to connect and select **Register Agent** to access the installation form. +1. The form reveals your registration token. Securely store this secret token as you cannot view it again. +1. Copy the command under **Recommended installation method**. + +In your computer: + +1. Open your local terminal and connect to your cluster. +1. Run the command you copied from the installation form. + +### Install the Agent into the cluster + +To install the in-cluster component of the Agent, first you need to define a namespace. To create a new namespace, +for example, `gitlab-kubernetes-agent`, run: + +```shell +kubectl create namespace gitlab-kubernetes-agent +``` + +To perform a one-liner installation, run the command below. Make sure to replace: + +- `your-agent-token` with the token received from the previous step (identified as `secret` in the JSON output). +- `gitlab-kubernetes-agent` with the namespace you defined in the previous step. +- `wss://kas.gitlab.example.com` with the configured access of the Kubernetes Agent Server (KAS). For GitLab.com users, the KAS is available under `wss://kas.gitlab.com`. +- `--agent-version=vX.Y.Z` with the latest released patch version matching your GitLab installation's major and minor versions. For example, for GitLab v13.9.0, use `--agent-version=v13.9.1`. You can find your GitLab version under the "Help/Help" menu. + +```shell +docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --agent-token=your-agent-token --kas-address=wss://kas.gitlab.example.com --agent-version=vX.Y.Z --namespace gitlab-kubernetes-agent | kubectl apply -f - +``` + +WARNING: +`--agent-version stable` can be used to refer to the latest stable release at the time when the command runs. It's fine for +testing purposes but for production please make sure to specify a matching version explicitly. + +To find out the various options the above Docker container supports, run: + +```shell +docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --help +``` + +## Advanced installation + +For more advanced configurations, we recommend to use [the `kpt` based installation method](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent). + +Otherwise, follow the manual installation steps described below. + +### Create the Kubernetes secret + +After generating the token, you must apply it to the Kubernetes cluster. + +To create your Secret, run: + +```shell +kubectl create secret generic -n gitlab-kubernetes-agent gitlab-kubernetes-agent-token --from-literal=token='YOUR_AGENT_TOKEN' +``` + +The following example file contains the +Kubernetes resources required for the Agent to be installed. You can modify this +example [`resources.yml` file](#example-resourcesyml-file) in the following ways: + +- Replace `namespace: gitlab-kubernetes-agent` with `namespace: <YOUR-DESIRED-NAMESPACE>`. +- You can configure `kas-address` (Kubernetes Agent Server) in several ways. + The agent can use the WebSockets or gRPC protocols to connect to the Agent Server. + Select the option appropriate for your cluster configuration and GitLab architecture: + - The `wss` scheme (an encrypted WebSockets connection) is specified by default + after you install the `gitlab-kas` sub-chart, or enable `gitlab-kas` for Omnibus GitLab. + When using the sub-chart, you must set `wss://kas.host.tld:443` as + `kas-address`, where `host.tld` is the domain you've setup for your GitLab installation. + When using Omnibus GitLab, you must set `wss://GitLab.host.tld:443/-/kubernetes-agent/` as + `kas-address`, where `GitLab.host.tld` is your GitLab hostname. + - When using the sub-chart, specify the `ws` scheme (such as `ws://kas.host.tld:80`) + to use an unencrypted WebSockets connection. + When using the Omnibus GitLab, specify the `ws` scheme (such as `ws://GitLab.host.tld:80/-/kubernetes-agent/`). + - Specify the `grpc` scheme if both Agent and Server are installed in one cluster. + In this case, you may specify `kas-address` value as + `grpc://gitlab-kas.<your-namespace>:8150`) to use gRPC directly, where `gitlab-kas` + is the name of the service created by `gitlab-kas` chart, and `<your-namespace>` + is the namespace where the chart was installed. + - Specify the `grpcs` scheme to use an encrypted gRPC connection. + - When deploying KAS through the [GitLab chart](https://docs.gitlab.com/charts/), it's possible to customize the + `kas-address` for `wss` and `ws` schemes to whatever you need. + Check the [chart's KAS Ingress documentation](https://docs.gitlab.com/charts/charts/gitlab/kas/#ingress) + to learn more about it. + - In the near future, Omnibus GitLab intends to provision `gitlab-kas` under a sub-domain by default, instead of the `/-/kubernetes-agent/` path. Please follow [this issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784) for details. +- If you defined your own secret name, replace `gitlab-kubernetes-agent-token` with your + secret name in the `secretName:` section. + +To apply this file, run the following command: + +```shell +kubectl apply -n gitlab-kubernetes-agent -f ./resources.yml +``` + +To review your configuration, run the following command: + +```shell +$ kubectl get pods -n gitlab-kubernetes-agent + +NAMESPACE NAME READY STATUS RESTARTS AGE +gitlab-kubernetes-agent gitlab-kubernetes-agent-77689f7dcb-5skqk 1/1 Running 0 51s +``` + +#### Example `resources.yml` file + +```yaml +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gitlab-kubernetes-agent +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gitlab-kubernetes-agent +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitlab-kubernetes-agent +spec: + replicas: 1 + selector: + matchLabels: + app: gitlab-kubernetes-agent + template: + metadata: + labels: + app: gitlab-kubernetes-agent + spec: + serviceAccountName: gitlab-kubernetes-agent + containers: + - name: agent + # Make sure to specify a matching version for production + image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:vX.Y.Z" + args: + - --token-file=/config/token + - --kas-address + - wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com. + # - wss://gitlab.host.tld:443/-/kubernetes-agent/ + # - wss://kas.gitlab.com # for GitLab.com users, use this KAS. + # - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker. + volumeMounts: + - name: token-volume + mountPath: /config + volumes: + - name: token-volume + secret: + secretName: gitlab-kubernetes-agent-token + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gitlab-kubernetes-agent-write +rules: +- resources: + - '*' + apiGroups: + - '*' + verbs: + - create + - update + - delete + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gitlab-kubernetes-agent-write-binding +roleRef: + name: gitlab-kubernetes-agent-write + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: +- name: gitlab-kubernetes-agent + kind: ServiceAccount + namespace: gitlab-kubernetes-agent +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gitlab-kubernetes-agent-read +rules: +- resources: + - '*' + apiGroups: + - '*' + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gitlab-kubernetes-agent-read-binding +roleRef: + name: gitlab-kubernetes-agent-read + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io +subjects: +- name: gitlab-kubernetes-agent + kind: ServiceAccount + namespace: gitlab-kubernetes-agent +``` + +### Create manifest files + +In a previous step, you configured a `config.yaml` to point to the GitLab projects +the Agent should synchronize. Agent monitors each of those projects for changes to the manifest files it contains. You can auto-generate manifest files with a +templating engine or other means. + +The agent is authorized to download manifests for the configuration +project, and public projects. Support for other private projects is +planned in the issue [Agent authorization for private manifest +projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912). + +Each time you push a change to a monitored manifest repository, the Agent logs the change: + +```plaintext +2020-09-15_14:09:04.87946 gitlab-k8s-agent : time="2020-09-15T10:09:04-04:00" level=info msg="Config: new commit" agent_id=1 commit_id=e6a3651f1faa2e928fe6120e254c122451be4eea +``` + +#### Example manifest file + +This file creates a minimal `ConfigMap`: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: demo-map + namespace: gitlab-kubernetes-agent # Can be any namespace managed by you that the agent has access to. +data: + key: value +``` + +## Example projects + +The following example projects can help you get started with the Kubernetes Agent. + +- [Configuration repository](https://gitlab.com/gitlab-org/configure/examples/kubernetes-agent) +- This basic GitOps example deploys NGINX: [Manifest repository](https://gitlab.com/gitlab-org/configure/examples/gitops-project) + +## View installed Agents + +Users with at least the [Developer](../../../permissions.md) can access the user interface +for the GitLab Kubernetes Agent at **Infrastructure > Kubernetes clusters**, under the +**Agent** tab. This page lists all registered agents for the current project, +and the configuration directory for each agent: + + + +Additional management interfaces are planned for the GitLab Kubernetes Agent. +[Provide more feedback in the related epic](https://gitlab.com/groups/gitlab-org/-/epics/4739). + +## Upgrades and version compatibility + +The GitLab Kubernetes Agent is comprised of two major components: `agentk` and `kas`. +As we provide `kas` installers built into the various GitLab installation methods, the required `kas` version corresponds to the GitLab `major.minor` (X.Y) versions. + +At the same time, `agentk` and `kas` can differ by 1 minor version in either direction. For example, +`agentk` 14.4 supports `kas` 14.3, 14.4, and 14.5 (regardless of the patch). + +A feature introduced in a given GitLab minor version might work with other `agentk` or `kas` versions. +To make sure that it works, use at least the same `agentk` and `kas` minor version. For example, +if your GitLab version is 14.2, use at least `agentk` 14.2 and `kas` 14.2. + +We recommend upgrading your `kas` installations together with GitLab instances' upgrades, and to upgrade the `agentk` installations after upgrading GitLab. + +The available `agentk` and `kas` versions can be found in +[the container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/). diff --git a/doc/user/clusters/agent/repository.md b/doc/user/clusters/agent/repository.md index cbb27a3f343..6ceb2766cc9 100644 --- a/doc/user/clusters/agent/repository.md +++ b/doc/user/clusters/agent/repository.md @@ -4,12 +4,13 @@ group: Configure info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers --- -# Kubernetes Agent configuration repository **(PREMIUM)** +# Kubernetes Agent configuration repository **(FREE)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.7. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3834) in GitLab 13.11, the Kubernetes Agent became available on GitLab.com. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332227) in GitLab 14.0, the `resource_inclusions` and `resource_exclusions` attributes were removed and `reconcile_timeout`, `dry_run_strategy`, `prune`, `prune_timeout`, `prune_propagation_policy`, and `inventory_policy` attributes were added. > - The `ci_access` attribute was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. +> - The GitLab Kubernetes Agent was [moved](https://gitlab.com/groups/gitlab-org/-/epics/6290) to GitLab Free in 14.5. WARNING: This feature might not be available to you. Check the **version history** note above for details. @@ -22,17 +23,19 @@ The Agent bootstraps with the GitLab installation URL and an authentication toke and you provide the rest of the configuration in your repository, following Infrastructure as Code (IaaC) best practices. -A minimal repository layout looks like this, with `my_agent_1` as the name +A minimal repository layout looks like this, with `my-agent-1` as the name of your Agent: ```plaintext |- .gitlab |- agents - |- my_agent_1 + |- my-agent-1 |- config.yaml ``` -## Synchronize manifest projects +Make sure that `<agent-name>` conforms to the [Agent's naming format](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/identity_and_auth.md#agent-identity-and-name). + +## Synchronize manifest projects **(PREMIUM)** Your `config.yaml` file contains a `gitops` section, which contains a `manifest_projects` section. Each `id` in the `manifest_projects` section is the path to a Git repository @@ -132,7 +135,7 @@ INCORRECT - both globs match `*.yaml` files in the root directory: ```yaml gitops: manifest_projects: - - id: project1 + - id: project1 paths: - glob: '/**/*.yaml' - glob: '/*.yaml' @@ -143,51 +146,140 @@ CORRECT - single globs matches all `*.yaml` files recursively: ```yaml gitops: manifest_projects: - - id: project1 + - id: project1 paths: - glob: '/**/*.yaml' ``` -## Authorize groups to use an Agent +## Authorize projects and groups to use an Agent + +> - Group authorization [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. +> - Project authorization [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4. + +If you use the same cluster across multiple projects, you can set up the [CI/CD Tunnel](ci_cd_tunnel.md) +to grant access to an Agent from one or more projects or groups. This way, all the authorized +projects can access the same Agent, which facilitates you to save resources and have a scalable setup. + +When you authorize a project to use an agent through the [CI/CD Tunnel](ci_cd_tunnel.md), +the selected Kubernetes context is automatically injected into CI/CD jobs, allowing you to +run Kubernetes commands from your authorized projects' scripts. When you authorize a group, +all the projects that belong to that group can access the selected agent. -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. +An Agent can only authorize projects or groups in the same group hierarchy as the Agent's configuration +project. You can authorize up to 100 projects and 100 groups per Agent. -FLAG: -On self-managed GitLab, by default this feature is not available. To make it available, -ask an administrator to [enable the `group_authorized_agents` flag](../../../administration/feature_flags.md). -On GitLab.com, this feature is available. +### Authorize projects to use an Agent -If you use the same cluster across multiple projects, you can set up the CI/CD Tunnel -to grant the Agent access to one or more groups. This way, all the projects that belong -to the authorized groups can access the same Agent. This enables you to save resources and -have a scalable setup. +To grant projects access to the Agent through the [CI/CD Tunnel](ci_cd_tunnel.md): -When you authorize a group, the agent's Kubernetes context is automatically injected -into every project of the authorized group, and users can select the connection as -described in the [CI/CD Tunnel documentation](ci_cd_tunnel.md). -To authorize a group to access the Agent through the [CI/CD Tunnel](ci_cd_tunnel.md), -use the `ci_access` attribute in your `config.yaml` configuration file. +1. Go to your Agent's configuration project. +1. Edit the Agent's configuration file (`config.yaml`). +1. Add the `projects` attribute into `ci_access`. +1. Identify the project through its path: -An Agent can only authorize groups in the same group hierarchy as the Agent's configuration project. At most -100 groups can be authorized per Agent. + ```yaml + ci_access: + projects: + - id: path/to/project + ``` -To authorize a group: +### Authorize groups to use an Agent -1. Edit your `config.yaml` file under the `.gitlab/agents/<agent name>` directory. -1. Add the `ci_access` root attribute. +To grant access to all projects within a group: + +1. Go to your Agent's configuration project. +1. Edit the Agent's configuration file (`config.yaml`). 1. Add the `groups` attribute into `ci_access`. -1. Add the group `id` into `groups`, identifying the authorized group through its path. +1. Identify the group or subgroup through its path: + + ```yaml + ci_access: + groups: + - id: path/to/group/subgroup + ``` + +### Use impersonation to restrict project and group access **(PREMIUM)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345014) in GitLab 14.5. + +By default, the [CI/CD Tunnel](ci_cd_tunnel.md) inherits all the permissions from the service account used to install the +Agent in the cluster. +To restrict access to your cluster, you can use [impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation). + +To specify impersonations, use the `access_as` attribute in your Agent's configuration file and use Kubernetes RBAC rules to manage impersonated account permissions. + +You can impersonate: + +- The Agent itself (default). +- The CI job that accesses the cluster. +- A specific user or system account defined within the cluster. + +#### Impersonate the Agent -For example: +The Agent is impersonated by default. You don't need to do anything to impersonate it. + +#### Impersonate the CI job that accesses the cluster + +To impersonate the CI job that accesses the cluster, add the `ci_job: {}` key-value +under the `access_as` key. + +When the agent makes the request to the actual Kubernetes API, it sets the +impersonation credentials in the following way: + +- `UserName` is set to `gitlab:ci_job:<job id>`. Example: `gitlab:ci_job:1074499489`. +- `Groups` is set to: + - `gitlab:ci_job` to identify all requests coming from CI jobs. + - The list of IDs of groups the project is in. + - The project ID. + - The slug of the environment this job belongs to. + + Example: for a CI job in `group1/group1-1/project1` where: + + - Group `group1` has ID 23. + - Group `group1/group1-1` has ID 25. + - Project `group1/group1-1/project1` has ID 150. + - Job running in a prod environment. + + Group list would be `[gitlab:ci_job, gitlab:group:23, gitlab:group:25, gitlab:project:150, gitlab:project_env:150:prod]`. + +- `Extra` carries extra information about the request. The following properties are set on the impersonated identity: + +| Property | Description | +| -------- | ----------- | +| `agent.gitlab.com/id` | Contains the agent ID. | +| `agent.gitlab.com/config_project_id` | Contains the agent's configuration project ID. | +| `agent.gitlab.com/project_id` | Contains the CI project ID. | +| `agent.gitlab.com/ci_pipeline_id` | Contains the CI pipeline ID. | +| `agent.gitlab.com/ci_job_id` | Contains the CI job ID. | +| `agent.gitlab.com/username` | Contains the username of the user the CI job is running as. | +| `agent.gitlab.com/environment_slug` | Contains the slug of the environment. Only set if running in an environment. | + +Example to restrict access by the CI job's identity: ```yaml ci_access: - # This agent is accessible from CI jobs in projects in these groups - groups: - - id: group/subgroup + projects: + - id: path/to/project + access_as: + ci_job: {} ``` -## Surface network security alerts from cluster to GitLab +#### Impersonate a static identity + +For the given CI/CD Tunnel connection, you can use a static identity for the impersonation. + +Add the `impersonate` key under the `access_as` key to make the request using the provided identity. + +The identity can be specified with the following keys: + +- `username` (required) +- `uid` +- `groups` +- `extra` + +See the [official Kubernetes documentation for more details](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) on the usage of these keys. + +## Surface network security alerts from cluster to GitLab **(ULTIMATE)** The GitLab Agent provides an [integration with Cilium](index.md#kubernetes-network-security-alerts). To integrate, add a top-level `cilium` section to your `config.yml` file. Currently, the @@ -207,6 +299,90 @@ cilium: hubble_relay_address: "hubble-relay.gitlab-managed-apps.svc.cluster.local:80" ``` +## Scan your container images for vulnerabilities + +You can use [cluster image scanning](../../application_security/cluster_image_scanning/index.md) +to scan container images in your cluster for security vulnerabilities. + +To begin scanning all resources in your cluster, add a `starboard` +configuration block to your agent's `config.yaml` with no `filters`: + +```yaml +starboard: + vulnerability_report: + filters: [] +``` + +The namespaces that are able to be scanned depend on the [Starboard Operator install mode](https://aquasecurity.github.io/starboard/latest/operator/configuration/#install-modes). +By default, the Starboard Operator only scans resources in the `default` namespace. To change this +behavior, edit the `STARBOARD_OPERATOR` environment variable in the `starboard-operator` deployment +definition. + +By adding filters, you can limit scans by: + +- Resource name +- Kind +- Container name +- Namespace + +```yaml +starboard: + vulnerability_report: + filters: + - namespaces: + - staging + - production + kinds: + - Deployment + - DaemonSet + containers: + - ruby + - postgres + - nginx + resources: + - my-app-name + - postgres + - ingress-nginx +``` + +A resource is scanned if the resource matches any of the given names and all of the given filter +types (`namespaces`, `kinds`, `containers`, `resources`). If a filter type is omitted, then all +names are scanned. In this example, a resource isn't scanned unless it has a container named `ruby`, +`postgres`, or `nginx`, and it's a `Deployment`: + +```yaml +starboard: + vulnerability_report: + filters: + - kinds: + - Deployment + containers: + - ruby + - postgres + - nginx +``` + +There is also a global `namespaces` field that applies to all filters: + +```yaml +starboard: + vulnerability_report: + namespaces: + - production + filters: + - kinds: + - Deployment + - kinds: + - DaemonSet + resources: + - log-collector +``` + +In this example, the following resources are scanned: + +- All deployments (`Deployment`) in the `production` namespace +- All daemon sets (`DaemonSet`) named `log-collector` in the `production` namespace + ## Debugging To debug the cluster-side component (`agentk`) of the GitLab Kubernetes Agent, set the log |