18 KiB
Connecting GitLab with a Kubernetes cluster
Introduced in GitLab 10.1.
Connect your project to Google Kubernetes Engine (GKE) or an existing Kubernetes cluster in a few steps.
Overview
With a Kubernetes cluster associated to your project, you can use Review Apps, deploy your applications, run your pipelines, and much more, in an easy way.
There are two options when adding a new cluster to your project; either associate your account with Google Kubernetes Engine (GKE) so that you can create new clusters from within GitLab, or provide the credentials to an existing Kubernetes cluster.
Adding and creating a new GKE cluster via GitLab
NOTE: Note: You need Master permissions and above to access the Kubernetes page.
Before proceeding, make sure the following requirements are met:
- The Google authentication integration must be enabled in GitLab at the instance level. If that's not the case, ask your GitLab administrator to enable it.
- Your associated Google account must have the right privileges to manage clusters on GKE. That would mean that a billing account must be set up and that you have to have permissions to access it.
- You must have Master permissions in order to be able to access the Kubernetes page.
- You must have Cloud Billing API enabled
- You must have Resource Manager API
If all of the above requirements are met, you can proceed to create and add a new Kubernetes cluster that will be hosted on GKE to your project:
- Navigate to your project's CI/CD > Kubernetes page.
- Click on Add Kubernetes cluster.
- Click on Create with GKE.
- Connect your Google account if you haven't done already by clicking the Sign in with Google button.
- Fill in the requested values:
- Cluster name (required) - The name you wish to give the cluster.
- GCP project ID (required) - The ID of the project you created in your GCP console that will host the Kubernetes cluster. This must not be confused with the project name. Learn more about Google Cloud Platform projects.
- Zone - The zone under which the cluster will be created.
- Number of nodes - The number of nodes you wish the cluster to have.
- Machine type - The machine type of the Virtual Machine instance that the cluster will be based on.
- Environment scope - The associated environment to this cluster.
- Finally, click the Create Kubernetes cluster button.
After a few moments, your cluster should be created. If something goes wrong, you will be notified.
You can now proceed to install some pre-defined applications and then enable the Cluster integration.
Adding an existing Kubernetes cluster
NOTE: Note: You need Master permissions and above to access the Kubernetes page.
To add an existing Kubernetes cluster to your project:
- Navigate to your project's CI/CD > Kubernetes page.
- Click on Add Kubernetes cluster.
- Click on Add an existing Kubernetes cluster and fill in the details:
- Kubernetes cluster name (required) - The name you wish to give the cluster.
- Environment scope (required)- The associated environment to this cluster.
- API URL (required) -
It's the URL that GitLab uses to access the Kubernetes API. Kubernetes
exposes several APIs, we want the "base" URL that is common to all of them,
e.g.,
https://kubernetes.example.com
rather thanhttps://kubernetes.example.com/api/v1
. - CA certificate (optional) -
If the API is using a self-signed TLS certificate, you'll also need to include
the
ca.crt
contents here. - Token -
GitLab authenticates against Kubernetes using service tokens, which are
scoped to a particular
namespace
. If you don't have a service token yet, you can follow the Kubernetes documentation to create one. You can also view or create service tokens in the Kubernetes dashboard (under Config > Secrets). - Project namespace (optional) - The following apply:
- By default you don't have to fill it in; by leaving it blank, GitLab will create one for you.
- Each project should have a unique namespace.
- The project namespace is not necessarily the namespace of the secret, if
you're using a secret with broader permissions, like the secret from
default
. - You should not use
default
as the project namespace. - If you or someone created a secret specifically for the project, usually with limited permissions, the secret's namespace and project namespace may be the same.
- Finally, click the Create Kubernetes cluster button.
After a few moments, your cluster should be created. If something goes wrong, you will be notified.
You can now proceed to install some pre-defined applications and then enable the Kubernetes cluster integration.
Security implications
CAUTION: Important: The whole cluster security is based on a model where developers are trusted, so only trusted users should be allowed to control your clusters.
The default cluster configuration grants access to a wide set of functionalities needed to successfully build and deploy a containerized application. Bare in mind that the same credentials are used for all the applications running on the cluster.
When GitLab creates the cluster, it enables and uses the legacy Attribute-based access control (ABAC). The newer RBAC authorization will be supported in a future release.
Security of GitLab Runners
GitLab Runners have the privileged mode enabled by default, which allows them to execute special commands and running Docker in Docker. This functionality is needed to run some of the Auto DevOps jobs. This implies the containers are running in privileged mode and you should, therefore, be aware of some important details.
The privileged flag gives all capabilities to the running container, which in
turn can do almost everything that the host can do. Be aware of the
inherent security risk associated with performing docker run
operations on
arbitrary images as they effectively have root access.
If you don't want to use GitLab Runner in privileged mode, first make sure that you don't have it installed via the applications, and then use the Runner's Helm chart to install it manually.
Installing applications
GitLab provides a one-click install for various applications which will be added directly to your configured cluster. Those applications are needed for Review Apps and deployments.
Application | GitLab version | Description |
---|---|---|
Helm Tiller | 10.2+ | Helm is a package manager for Kubernetes and is required to install all the other applications. It will be automatically installed as a dependency when you try to install a different app. It is installed in its own pod inside the cluster which can run the helm CLI in a safe environment. |
Ingress | 10.2+ | Ingress can provide load balancing, SSL termination, and name-based virtual hosting. It acts as a web proxy for your applications and is useful if you want to use Auto DevOps or deploy your own web apps. |
Prometheus | 10.4+ | Prometheus is an open-source monitoring and alerting system useful to supervise your deployed applications |
GitLab Runner | 10.6+ | GitLab Runner is the open source project that is used to run your jobs and send the results back to GitLab. It is used in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab that coordinates the jobs. When installing the GitLab Runner via the applications, it will run in privileged mode by default. Make sure you read the security implications before doing so. |
Getting the external IP address
NOTE: Note: You need a load balancer installed in your cluster in order to obtain the external IP address with the following procedure. It can be deployed using the Ingress application.
In order to publish your web application, you first need to find the external IP address associated to your load balancer.
Let GitLab fetch the IP address
Introduced in GitLab 10.6.
If you installed the Ingress via the Applications, you should see the Ingress IP address on this same page within a few minutes. If you don't see this, GitLab might not be able to determine the IP address of your ingress application in which case you should manually determine it.
Manually determining the IP address
If the cluster is on GKE, click on the Google Kubernetes Engine link in the
Advanced settings, or go directly to the
Google Kubernetes Engine dashboard
and select the proper project and cluster. Then click on Connect and execute
the gcloud
command in a local terminal or using the Cloud Shell.
If the cluster is not on GKE, follow the specific instructions for your
Kubernetes provider to configure kubectl
with the right credentials.
If you installed the Ingress via the Applications, run the following command:
kubectl get svc --namespace=gitlab-managed-apps ingress-nginx-ingress-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip} '
Otherwise, you can list the IP addresses of all load balancers:
kubectl get svc --all-namespaces -o jsonpath='{range.items[?(@.status.loadBalancer.ingress)]}{.status.loadBalancer.ingress[*].ip} '
The output is the external IP address of your cluster. This information can then be used to set up DNS entries and forwarding rules that allow external access to your deployed applications.
Using a static IP
By default, an ephemeral external IP address is associated to the cluster's load balancer. If you associate the ephemeral IP with your DNS and the IP changes, your apps will not be able to be reached, and you'd have to change the DNS record again. In order to avoid that, you should change it into a static reserved IP.
Read how to promote an ephemeral external IP address in GKE.
Pointing your DNS at the cluster IP
Once you've set up the static IP, you should associate it to a wildcard DNS
record, in order to be able
to reach your apps. This heavily depends on your domain provider, but in case
you aren't sure, just create an A record with a wildcard host like
*.example.com.
.
Setting the environment scope
NOTE: Note: This is only available for GitLab Premium where you can add more than one Kubernetes cluster.
When adding more than one Kubernetes clusters to your project, you need to differentiate them with an environment scope. The environment scope associates clusters and environments in an 1:1 relationship similar to how the environment-specific variables work.
The default environment scope is *
, which means all jobs, regardless of their
environment, will use that cluster. Each scope can only be used by a single
cluster in a project, and a validation error will occur if otherwise.
Also, jobs that don't have an environment keyword set will not be able to access any cluster.
For example, let's say the following Kubernetes clusters exist in a project:
Cluster | Environment scope |
---|---|
Development | * |
Staging | staging/* |
Production | production/* |
And the following environments are set in .gitlab-ci.yml
:
stages:
- test
- deploy
test:
stage: test
script: sh test
deploy to staging:
stage: deploy
script: make deploy
environment:
name: staging/$CI_COMMIT_REF_NAME
url: https://staging.example.com/
deploy to production:
stage: deploy
script: make deploy
environment:
name: production/$CI_COMMIT_REF_NAME
url: https://example.com/
The result will then be:
- The development cluster will be used for the "test" job.
- The staging cluster will be used for the "deploy to staging" job.
- The production cluster will be used for the "deploy to production" job.
Multiple Kubernetes clusters
Introduced in GitLab Premium 10.3.
With GitLab Premium, you can associate more than one Kubernetes clusters to your project. That way you can have different clusters for different environments, like dev, staging, production, etc.
Simply add another cluster, like you did the first time, and make sure to set an environment scope that will differentiate the new cluster with the rest.
Deployment variables
The Kubernetes cluster integration exposes the following deployment variables in the GitLab CI/CD build environment.
Variable | Description |
---|---|
KUBE_URL |
Equal to the API URL. |
KUBE_TOKEN |
The Kubernetes token. |
KUBE_NAMESPACE |
The Kubernetes namespace is auto-generated if not specified. The default value is <project_name>-<project_id> . You can overwrite it to use different one if needed, otherwise the KUBE_NAMESPACE variable will receive the default value. |
KUBE_CA_PEM_FILE |
Only present if a custom CA bundle was specified. Path to a file containing PEM data. |
KUBE_CA_PEM |
(deprecated) Only if a custom CA bundle was specified. Raw PEM data. |
KUBECONFIG |
Path to a file containing kubeconfig for this deployment. CA bundle would be embedded if specified. |
Enabling or disabling the Kubernetes cluster integration
After you have successfully added your cluster information, you can enable the Kubernetes cluster integration:
- Click the "Enabled/Disabled" switch
- Hit Save for the changes to take effect
You can now start using your Kubernetes cluster for your deployments.
To disable the Kubernetes cluster integration, follow the same procedure.
Removing the Kubernetes cluster integration
NOTE: Note: You need Master permissions and above to remove a Kubernetes cluster integration.
NOTE: Note:
When you remove a cluster, you only remove its relation to GitLab, not the
cluster itself. To remove the cluster, you can do so by visiting the GKE
dashboard or using kubectl
.
To remove the Kubernetes cluster integration from your project, simply click on the Remove integration button. You will then be able to follow the procedure and add a Kubernetes cluster again.
What you can get with the Kubernetes integration
Here's what you can do with GitLab if you enable the Kubernetes integration.
Deploy Boards
Available in GitLab Premium.
GitLab's Deploy Boards offer a consolidated view of the current health and status of each CI environment running on Kubernetes, displaying the status of the pods in the deployment. Developers and other teammates can view the progress and status of a rollout, pod by pod, in the workflow they already use without any need to access Kubernetes.
> Read more about Deploy Boards
Canary Deployments
Available in GitLab Premium.
Leverage Kubernetes' Canary deployments and visualize your canary deployments right inside the Deploy Board, without the need to leave GitLab.
> Read more about Canary Deployments
Kubernetes monitoring
Automatically detect and monitor Kubernetes metrics. Automatic monitoring of NGINX ingress is also supported.
> Read more about Kubernetes monitoring
Auto DevOps
Auto DevOps automatically detects, builds, tests, deploys, and monitors your applications.
To make full use of Auto DevOps(Auto Deploy, Auto Review Apps, and Auto Monitoring) you will need the Kubernetes project integration enabled.
Web terminals
NOTE: Note:
Introduced in GitLab 8.15. You must be the project owner or have master
permissions
to use terminals. Support is limited to the first container in the
first pod of your environment.
When enabled, the Kubernetes service adds web terminal
support to your environments. This is based on the exec
functionality found in
Docker and Kubernetes, so you get a new shell session within your existing
containers. To use this integration, you should deploy to Kubernetes using
the deployment variables above, ensuring any pods you create are labelled with
app=$CI_ENVIRONMENT_SLUG
. GitLab will do the rest!