GitLab-managed Kubernetes resources
- Tier: Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Use GitLab-managed Kubernetes resources to provision Kubernetes resources with environment templates. An environment template can:
- Create namespaces and service accounts automatically for new environments
- Manage access permissions through role bindings
- Configure other required Kubernetes resources
When developers deploy applications, GitLab creates the resources based on the environment template.
Configure GitLab-managed Kubernetes resources
Prerequisites:
- You must have a configured GitLab agent for Kubernetes.
- You have authorized the agent to access relevant projects or groups.
- (Optional) You have configured agent impersonation to prevent privilege escalations. The default environment template assumes you have configured
ci_job
impersonation.
Turn on Kubernetes resource management
To turn on resource management, modify the agent configuration file to include the required permissions:
ci_access:
projects:
- id: <your_group/your_project>
access_as:
ci_job: {}
resource_management:
enabled: true
groups:
- id: <your_other_group>
access_as:
ci_job: {}
resource_management:
enabled: true
Create environment templates
Environment templates define what Kubernetes resources are created, updated, or removed.
The default environment template creates a Namespace
and configures a RoleBinding
for the CI/CD job.
To overwrite the default template, add a template configuration file called default.yaml
in the agent directory:
.gitlab/agents/<agent-name>/environment_templates/default.yaml
To create an environment template, add a template configuration file in the agent directory at:
.gitlab/agents/<agent-name>/environment_templates/<template-name>.yaml
You can specify which template is included in a CI/CD pipeline. For more information, see Use templates in CI/CD pipelines.
Supported Kubernetes resources
The following Kubernetes resources (kind
) are supported:
Namespace
ServiceAccount
RoleBinding
- FluxCD Source Controller objects:
GitRepository
HelmRepository
HelmChart
Bucket
OCIRepository
- FluxCD Kustomize Controller objects:
Kustomization
- FluxCD Helm Controller objects:
HelmRelease
- FluxCD Notification Controller objects:
Alert
Provider
Receiver
Example environment template
The following example creates a namespace and grants a group administrator access to a cluster.
objects:
- apiVersion: v1
kind: Namespace
metadata:
name: '{{ .environment.slug }}-{{ .project.id }}-{{ .agent.id }}'
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: bind-{{ .agent.id }}-{{ .project.id }}-{{ .environment.slug }}
namespace: {{ .project.slug }}-{{ .project.id }}-{{ .environment.slug }}
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: gitlab:project_env:{{ .project.id }}:{{ .environment.slug }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
# Resource lifecycle configuration
apply_resources: on_start # Resources are applied when environment is started/restarted
delete_resources: on_stop # Resources are removed when environment is stopped
Template variables
Environment templates support limited variable substitution. The following variables are available:
Category | Variable | Description |
---|---|---|
Agent | {{ .agent.id }} |
The agent identifier. |
Agent | {{ .agent.name }} |
The agent name. |
Agent | {{ .agent.url }} |
The agent URL. |
Environment | {{ .environment.name }} |
The environment name. |
Environment | {{ .environment.slug }} |
The environment slug. |
Environment | {{ .environment.url }} |
The environment URL. |
Environment | {{ .environment.tier }} |
The environment tier. |
Project | {{ .project.id }} |
The project identifier. |
Project | {{ .project.slug }} |
The project slug. |
Project | {{ .project.path }} |
The project path. |
Project | {{ .project.url }} |
The project URL. |
CI Pipeline | {{ .ci_pipeline.id }} |
The pipeline identifier. |
CI Job | {{ .ci_job.id }} |
The CI/CD job identifier. |
User | {{ .user.id }} |
The user identifier. |
User | {{ .user.username }} |
The username. |
All variables should be referenced using the double curly brace syntax, for example: {{ .project.id }}
.
See text/template
documentation for more information on the templating system used.
Resource lifecycle management
Use the following settings to configure when Kubernetes resources should be applied or removed from an environment:
# Apply resources when environment is started or restarted
apply_resources: on_start
# Never delete resources
delete_resources: never
# Delete resources when environment is stopped
delete_resources: on_stop
Use managed resources in CI/CD pipelines
To use managed Kubernetes resources in your CI/CD pipelines, specify the agent and optionally the template name in your environment configuration:
deploy:
environment:
name: production
kubernetes:
agent: agent-name
template: my-template # Optional, uses default template if not specified
Troubleshooting
Any errors related to managed Kubernetes resources can be found on:
- The environment page in your GitLab project
- The CI/CD job logs when using the feature in pipelines
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support