- Create an agent configuration file
- Register the agent with GitLab
- Install the agent in the cluster
- Configure your agent
- Install multiple agents in your cluster
- Example projects
- Updates and version compatibility
- Uninstall the agent
To connect a Kubernetes cluster to GitLab, you must install an agent in your cluster.
Before you can install the agent in your cluster, you need:
- An existing Kubernetes cluster. If you don’t have a cluster, you can create one on a cloud provider, like:
- On self-managed GitLab instances, a GitLab administrator must set up the
Then it is available by default at
wss://gitlab.example.com/-/kubernetes-agent/. On GitLab.com, the agent server is available at
To install the agent in your cluster:
- Create an agent configuration file.
- Register the agent with GitLab.
- Install the agent in your cluster.
Watch a GitLab 14.2 walk-through of this process.
For configuration settings, the agent uses a YAML file in the GitLab project. You must create this file if:
- You use a GitOps workflow.
- You use a GitLab CI/CD workflow and want to authorize a different project to use the agent.
- You allow specific project or group members to access Kubernetes.
To create an agent configuration file:
Choose a name for your agent. The agent name follows the DNS label standard from RFC 1123. The name must:
- Be unique in the project.
- Contain at most 63 characters.
- Contain only lowercase alphanumeric characters or
- Start with an alphanumeric character.
- End with an alphanumeric character.
In the repository, in the default branch, create an agent configuration file at the root:
You can leave the file blank for now, and configure it later.
You must register an agent before you can install the agent in your cluster. To register an agent:
- On the left sidebar, select Search or go to and find your project. If you have an agent configuration file, it must be in this project. Your cluster manifest files should also be in this project.
- Select Operate > Kubernetes clusters.
- Select Connect a cluster (agent).
- If you want to create a configuration with CI/CD defaults, type a name.
- If you already have an agent configuration file, select it from the list.
- Select Register an agent.
GitLab generates an access token for the agent. You need this token to install the agent in your cluster. Securely store the agent access token. A bad actor can use this token to access source code in the agent’s configuration project, access source code in any public project on the GitLab instance, or even, under very specific conditions, obtain a Kubernetes manifest.
- Copy the command under Recommended installation method. You need it when you use the one-liner installation method to install the agent in your cluster.
Introduced in GitLab 14.10, GitLab recommends using Helm to install the agent.
To connect your cluster to GitLab, install the registered agent in your cluster. You can either:
If you do not know which one to choose, we recommend starting with Helm.
cluster-admin rights. You should not use this on production systems. To deploy to a production system, follow the instructions in Customize the Helm installation to create a service account with the minimum permissions required for your deployment and specify that during installation.
To install the agent on your cluster using Helm:
- Install Helm.
- On your computer, open a terminal and connect to your cluster.
- Run the command you copied when you registered your agent with GitLab.
- Optional. Customize the Helm installation. If you install the agent on a production system, you should customize the Helm installation to restrict the permissions of the service account. See How to deploy the GitLab Agent for Kubernetes with limited permissions.
By default, the Helm installation command generated by GitLab:
- Creates a namespace gitlab-agent for the deployment (--namespace gitlab-agent). You can skip creating the namespace by omitting the
- Sets up a service account for the agent and assigns it the cluster-admin role. You can:
  - Skip creating the service account by adding --set serviceAccount.create=false to the helm install command. In this case, you must set serviceAccount.name to a pre-existing service account.
  - Customize the role assigned to the service account by adding --set rbac.useExistingRole <your role name> to the helm install command. In this case, you should have a pre-created role with restricted permissions that can be used by the service account.
  - Skip role assignment altogether by adding --set rbac.create=false to your helm install command. In this case, you must create
- Creates a Secret resource for the agent’s access token. To instead bring your own secret with a token, omit the token (--set token=...) and instead use --set config.secretName=<your secret name>.
- Creates a Deployment resource for the
To see the full list of customizations available, see the Helm chart’s default values file.
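A hardened variant of the default install, combining the overrides listed above so that the agent gets neither cluster-admin nor a token passed through Helm values, where it would remain readable in the release record. This is an added example, not GitLab's generated command. The service account, secret and application namespace names, the choice of the built-in edit ClusterRole, the secret key token and the config.kasAddress value are assumptions.

```shell
#!/bin/sh
# Added example, not GitLab's script. Assumed names: SA, SECRET, APP_NS, the
# built-in "edit" ClusterRole, the secret key "token", config.kasAddress.
NS=gitlab-agent
SA=gitlab-agent-restricted   # hypothetical pre-created service account
SECRET=gitlab-agent-token    # hypothetical bring-your-own secret
APP_NS=my-app                # hypothetical, existing namespace the agent may manage

# Emit the helm arguments one per line so they can be reviewed offline.
agent_helm_args() {
  printf '%s\n' upgrade --install gitlab-agent gitlab/gitlab-agent \
    --namespace "$NS" \
    --set serviceAccount.create=false \
    --set "serviceAccount.name=$SA" \
    --set rbac.create=false \
    --set "config.secretName=$SECRET" \
    --set "config.kasAddress=$1"
}

# Succeeds when an argument would place the token in Helm release values
# (token= as written on the page; config.token= is an assumed variant).
args_leak_token() {
  printf '%s\n' "$@" | grep -Eq '^(config\.)?token='
}

# Idempotently apply a manifest generated by `kubectl create --dry-run`.
apply() { "$@" --dry-run=client -o yaml | kubectl apply -f -; }

install_agent() {   # usage: install_agent TOKEN_FILE KAS_ADDRESS
  apply kubectl create namespace "$NS" || return 1
  apply kubectl -n "$NS" create serviceaccount "$SA" || return 1
  # The token is read from a file, never passed on the command line.
  apply kubectl -n "$NS" create secret generic "$SECRET" \
    --from-file=token="$1" || return 1
  # Namespace-scoped rights instead of cluster-admin.
  apply kubectl -n "$APP_NS" create rolebinding gitlab-agent-edit \
    --clusterrole=edit --serviceaccount="$NS:$SA" || return 1
  # Word splitting is intended: the values above contain no spaces.
  # shellcheck disable=SC2046
  set -- $(agent_helm_args "$2")
  if args_leak_token "$@"; then return 1; fi
  helm "$@"
}
```

Replace the edit binding with a role that grants only what your deployment needs, and add one binding per namespace the agent manages.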
When KAS is behind a self-signed certificate, you can set the value of config.caCert to the certificate. For example:
helm upgrade --install gitlab-agent gitlab/gitlab-agent \
  --set-file config.caCert=my-custom-ca.pem
In this example, my-custom-ca.pem is the path to a local file that contains the CA certificate used by KAS. The certificate is automatically stored in a config map and mounted in the
If KAS is installed with the GitLab chart, and the chart is configured to provide an auto-generated self-signed wildcard certificate, you can extract the CA certificate from the
Introduced in GitLab 15.0, the GitLab agent Helm chart supports setting environment variables.
To configure an HTTP proxy when using the Helm chart, you can use the environment variables
NO_PROXY. Upper and lowercase are both acceptable.
You can set these variables by using the extraEnv value, as a list of objects with keys
For example, to set only the environment variable HTTPS_PROXY to the value https://example.com/proxy, you can run:
helm upgrade --install gitlab-agent gitlab/gitlab-agent \
  --set 'extraEnv[0].name=HTTPS_PROXY' \
  --set 'extraEnv[0].value=https://example.com/proxy' \
  ...
HTTPS_PROXY environment variable is set, and the domain DNS can’t be resolved.
GitLab also provides a KPT package for the agent. This method provides greater flexibility, but is only recommended for advanced users.
To configure your agent, add content to the
- For a GitOps workflow, view the configuration reference.
- For a GitLab CI/CD workflow, authorize the agent to access your projects. Then kubectl commands to your
To install a second agent in your cluster, you can follow the previous steps a second time. To avoid resource name collisions within the cluster, you must either:
Use a different release name for the agent, for example,
helm upgrade --install second-gitlab-agent gitlab/gitlab-agent ...
Or, install the agent in a different namespace, for example,
helm upgrade --install gitlab-agent gitlab/gitlab-agent \
  --namespace different-namespace \
  ...
The following example projects can help you get started with the agent.
- Configuration repository with minimal manifests
- Distinct application and manifest repository example
- Auto DevOps setup that uses the CI/CD workflow
- Cluster management project template example that uses the CI/CD workflow
Introduced in GitLab 14.8, GitLab warns you on the agent’s list page to update the agent version installed on your cluster.
For the best experience, the version of the agent installed in your cluster should match the GitLab major and minor version. The previous and next minor versions are also supported. For example, if your GitLab version is v14.9.4 (major version 14, minor version 9), then versions v14.9.0 and v14.9.1 of the agent are ideal, but any v14.8.x or v14.10.x version of the agent is also supported. See the release page of the GitLab agent.
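The compatibility rule above as a check you can run before an upgrade or in a scheduled job (an added example, not GitLab's tooling). The function names are hypothetical, and because the page does not say how the rule applies across a major version boundary, that case is reported as unknown.

```shell
#!/bin/sh
# Added example: classify an agent version against a GitLab version using the
# rule stated on this page (same major.minor is ideal, minor +/- 1 is supported).

# Print "MAJOR MINOR" for a tag such as v14.9.4; fail on anything else.
major_minor() {
  v=${1#v}
  case $v in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  [ "$rest" != "$v" ] || return 1   # needs at least MAJOR.MINOR
  minor=${rest%%.*}
  echo "$major $minor"
}

# usage: agent_compat GITLAB_VERSION AGENT_VERSION
# Prints ideal, supported, unsupported, unknown or invalid.
agent_compat() {
  g=$(major_minor "$1") || { echo invalid; return 2; }
  a=$(major_minor "$2") || { echo invalid; return 2; }
  gmaj=${g% *}; gmin=${g#* }
  amaj=${a% *}; amin=${a#* }
  # Assumption: a differing major version is not decided here.
  if [ "$gmaj" -ne "$amaj" ]; then echo unknown; return 1; fi
  diff=$((amin - gmin))
  case $diff in
    0) echo ideal ;;
    1|-1) echo supported ;;
    *) echo unsupported; return 1 ;;
  esac
}
```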
To update the agent to the latest version, you can run:
helm repo update
helm upgrade --install gitlab-agent gitlab/gitlab-agent \
  --namespace gitlab-agent \
  --reuse-values
To set a specific version, you can override the image.tag value. For example, to install version
helm upgrade gitlab-agent gitlab/gitlab-agent \
  --namespace gitlab-agent \
  --reuse-values \
  --set image.tag=v14.9.1
The Helm chart is updated separately from the agent for Kubernetes, and might occasionally lag behind the latest version of the agent. If you run helm repo update and don’t specify an image tag, your agent runs the version specified in the chart.
To use the latest release of the agent for Kubernetes, set the image tag to match the most recent agent image.
If you installed the agent with Helm, then you can also uninstall with Helm. For example, if the release and namespace are both called gitlab-agent, then you can uninstall the agent using the following command:
helm uninstall gitlab-agent \
  --namespace gitlab-agent