Adding and removing Kubernetes clusters

GitLab can integrate with the following Kubernetes providers:

  • Google Kubernetes Engine (GKE).
  • Amazon Elastic Kubernetes Service (EKS).

GitLab is more deeply integrated with GKE, but deeper integration with EKS is planned.

Tip: Every new Google Cloud Platform (GCP) account receives $300 in credit upon sign up, and in partnership with Google, GitLab is able to offer an additional $200 for new GCP accounts to get started with GitLab’s Google Kubernetes Engine Integration. All you have to do is follow this link and apply for credit.

Access controls

When creating a cluster in GitLab, you will be asked if you would like to create either:

Note: RBAC is recommended and the GitLab default.

GitLab creates the necessary service accounts and privileges to install and run GitLab managed applications. When GitLab creates the cluster, a gitlab service account with cluster-admin privileges is created in the default namespace to manage the newly created cluster.

Note: Restricted service account for deployment was introduced in GitLab 11.5.

When you install Helm into your cluster, the tiller service account is created with cluster-admin privileges in the gitlab-managed-apps namespace.

This service account will be:

Helm will also create additional service accounts and other resources for each installed application. Consult the documentation of the Helm charts for each application for details.

If you are adding an existing Kubernetes cluster, ensure the token of the account has administrator privileges for the cluster.

The resources created by GitLab differ depending on the type of cluster.

Important notes

Note the following about access controls:

  • Environment-specific resources are only created if your cluster is managed by GitLab.
  • If your cluster was created before GitLab 12.2, it will use a single namespace for all project environments.

RBAC cluster resources

GitLab creates the following resources for RBAC clusters.

Name Type Details Created when
gitlab ServiceAccount default namespace Creating a new GKE Cluster
gitlab-admin ClusterRoleBinding cluster-admin roleRef Creating a new GKE Cluster
gitlab-token Secret Token for gitlab ServiceAccount Creating a new GKE Cluster
tiller ServiceAccount gitlab-managed-apps namespace Installing Helm Tiller
tiller-admin ClusterRoleBinding cluster-admin roleRef Installing Helm Tiller
Environment namespace Namespace Contains all environment-specific resources Deploying to a cluster
Environment namespace ServiceAccount Uses namespace of environment Deploying to a cluster
Environment namespace Secret Token for environment ServiceAccount Deploying to a cluster
Environment namespace RoleBinding edit roleRef Deploying to a cluster

ABAC cluster resources

GitLab creates the following resources for ABAC clusters.

Name Type Details Created when
gitlab ServiceAccount default namespace Creating a new GKE Cluster
gitlab-token Secret Token for gitlab ServiceAccount Creating a new GKE Cluster
tiller ServiceAccount gitlab-managed-apps namespace Installing Helm Tiller
tiller-admin ClusterRoleBinding cluster-admin roleRef Installing Helm Tiller
Environment namespace Namespace Contains all environment-specific resources Deploying to a cluster
Environment namespace ServiceAccount Uses namespace of environment Deploying to a cluster
Environment namespace Secret Token for environment ServiceAccount Deploying to a cluster

Security of GitLab Runners

GitLab Runners have the privileged mode enabled by default, which allows them to execute special commands and running Docker in Docker. This functionality is needed to run some of the Auto DevOps jobs. This implies the containers are running in privileged mode and you should, therefore, be aware of some important details.

The privileged flag gives all capabilities to the running container, which in turn can do almost everything that the host can do. Be aware of the inherent security risk associated with performing docker run operations on arbitrary images as they effectively have root access.

If you don’t want to use GitLab Runner in privileged mode, either:

  • Use shared Runners on GitLab.com. They don’t have this security issue.
  • Set up your own Runners using configuration described at Shared Runners. This involves:
    1. Making sure that you don’t have it installed via the applications.
    2. Installing a Runner using docker+machine.

Add new GKE cluster

GitLab supports:

Starting from GitLab 12.4, all the GKE clusters provisioned by GitLab are VPC-native.

Note: The Google authentication integration must be enabled in GitLab at the instance level. If that’s not the case, ask your GitLab administrator to enable it. On GitLab.com, this is enabled.

Requirements

Before creating your first cluster on Google Kubernetes Engine with GitLab’s integration, make sure the following requirements are met:

Also note the following:

  • Starting from GitLab 12.1, all GKE clusters created by GitLab are RBAC-enabled. Take a look at the RBAC section for more information.
  • Starting from GitLab 12.5, the cluster’s pod address IP range will be set to /16 instead of the regular /14. /16 is a CIDR notation.
Note: GitLab requires basic authentication enabled and a client certificate issued for the cluster in order to setup an initial service account. Starting from GitLab 11.10, the cluster creation process will explicitly request that basic authentication and client certificate is enabled.

Creating the cluster

If all of the above requirements are met, you can proceed to create and add a new Kubernetes cluster to your project:

  1. Navigate to your project’s Operations > Kubernetes page.

    Note: You need Maintainer permissions and above to access the Kubernetes page.
  2. Click Add Kubernetes cluster.
  3. Click Create with Google Kubernetes Engine.
  4. Connect your Google account if you haven’t done already by clicking the Sign in with Google button.
  5. Choose your cluster’s settings:
    • Kubernetes cluster name - The name you wish to give the cluster.
    • Environment scope - The associated environment to this cluster.
    • Google Cloud Platform project - Choose the project you created in your GCP console that will host the Kubernetes cluster. Learn more about Google Cloud Platform projects.
    • Zone - Choose the region zone under which the cluster will be created.
    • Number of nodes - Enter the number of nodes you wish the cluster to have.
    • Machine type - The machine type of the Virtual Machine instance that the cluster will be based on.
    • Enable Cloud Run on GKE (beta) - Check this if you want to use Cloud Run on GKE for this cluster. See the Cloud Run on GKE section for more information.
    • GitLab-managed cluster - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the Managed clusters section for more information.
  6. Finally, click the Create Kubernetes cluster button.

After a couple of minutes, your cluster will be ready to go. You can now proceed to install some pre-defined applications.

Cloud Run on GKE

Introduced in GitLab 12.4.

You can choose to use Cloud Run on GKE in place of installing Knative and Istio separately after the cluster has been created. This means that Cloud Run (Knative), Istio, and HTTP Load Balancing will be enabled on the cluster at create time and cannot be installed or uninstalled separately.

Add existing cluster

If you have either of the following types of clusters already, you can add them to a project:

Note: Kubernetes integration is not supported for arm64 clusters. See the issue Helm Tiller fails to install on arm64 cluster for details.

Add existing GKE cluster

To add an existing Kubernetes cluster to your project:

  1. Navigate to your project’s Operations > Kubernetes page.

    Note: You need Maintainer permissions and above to access the Kubernetes page.
  2. Click Add Kubernetes cluster.
  3. Click Add an existing Kubernetes cluster and fill in the details:
    • Kubernetes cluster name (required) - The name you wish to give the cluster.
    • Environment scope (required) - The associated environment to this cluster.
    • API URL (required) - It’s the URL that GitLab uses to access the Kubernetes API. Kubernetes exposes several APIs, we want the “base” URL that is common to all of them, e.g., https://kubernetes.example.com rather than https://kubernetes.example.com/api/v1.

      Get the API URL by running this command:

      kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'
      
    • CA certificate (required) - A valid Kubernetes certificate is needed to authenticate to the cluster. We will use the certificate created by default.
      • List the secrets with kubectl get secrets, and one should named similar to default-token-xxxxx. Copy that token name for use below.
      • Get the certificate by running this command:

        
        kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
        
        
        Note: If the command returns the entire certificate chain, you need copy the root ca certificate at the bottom of the chain.
    • Token - GitLab authenticates against Kubernetes using service tokens, which are scoped to a particular namespace. The token used should belong to a service account with cluster-admin privileges. To create this service account:

      1. Create a file called gitlab-admin-service-account.yaml with contents:

        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: gitlab-admin
          namespace: kube-system
        ---
        apiVersion: rbac.authorization.k8s.io/v1beta1
        kind: ClusterRoleBinding
        metadata:
          name: gitlab-admin
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cluster-admin
        subjects:
        - kind: ServiceAccount
          name: gitlab-admin
          namespace: kube-system
        
      2. Apply the service account and cluster role binding to your cluster:

        kubectl apply -f gitlab-admin-service-account.yaml
        

        You will need the container.clusterRoleBindings.create permission to create cluster-level roles. If you do not have this permission, you can alternatively enable Basic Authentication and then run the kubectl apply command as an admin:

        kubectl apply -f gitlab-admin-service-account.yaml --username=admin --password=<password>
        
        Note: Basic Authentication can be turned on and the password credentials can be obtained using the Google Cloud Console.

        Output:

        serviceaccount "gitlab-admin" created
        clusterrolebinding "gitlab-admin" created
        
      3. Retrieve the token for the gitlab-admin service account:

        kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')
        

        Copy the <authentication_token> value from the output:

        Name:         gitlab-admin-token-b5zv4
        Namespace:    kube-system
        Labels:       <none>
        Annotations:  kubernetes.io/service-account.name=gitlab-admin
                      kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8
        
        Type:  kubernetes.io/service-account-token
        
        Data
        ====
        ca.crt:     1025 bytes
        namespace:  11 bytes
        token:      <authentication_token>
        
      Note: For GKE clusters, you will need the container.clusterRoleBindings.create permission to create a cluster role binding. You can follow the Google Cloud documentation to grant access.
    • GitLab-managed cluster - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the Managed clusters section for more information.

    • Project namespace (optional) - You don’t have to fill it in; by leaving it blank, GitLab will create one for you. Also:
      • Each project should have a unique namespace.
      • The project namespace is not necessarily the namespace of the secret, if you’re using a secret with broader permissions, like the secret from default.
      • You should not use default as the project namespace.
      • If you or someone created a secret specifically for the project, usually with limited permissions, the secret’s namespace and project namespace may be the same.
  4. Finally, click the Create Kubernetes cluster button.

After a couple of minutes, your cluster will be ready to go. You can now proceed to install some pre-defined applications.

Add existing EKS cluster

In this section, we will show how to integrate an Amazon EKS cluster with GitLab and begin deploying applications.

Requirements

To integrate with with EKS, you will need:

If you don’t have an Amazon EKS cluster, one can be created by following the EKS getting started guide.

Configuring and connecting the EKS cluster

From the left side bar, hover over Operations > Kubernetes > Add Kubernetes cluster, then click Add an existing Kubernetes cluster.

A few details from the EKS cluster will be required to connect it to GitLab:

  1. Retrieve the certificate: A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default. Open a shell and use kubectl to retrieve it:

    • List the secrets with kubectl get secrets, and one should named similar to default-token-xxxxx. Copy that token name for use below.
    • Get the certificate with:

      kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
      
  2. Create admin token: A cluster-admin token is required to install and manage Helm Tiller. GitLab establishes mutual SSL auth with Helm Tiller and creates limited service accounts for each application. To create the token we will create an admin service account as follows:

    1. Create a file called eks-admin-service-account.yaml with contents:

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: eks-admin
        namespace: kube-system
      
    2. Apply the service account to your cluster:

      kubectl apply -f eks-admin-service-account.yaml
      

      Output:

      serviceaccount "eks-admin" created
      
    3. Create a file called eks-admin-cluster-role-binding.yaml with contents:

      apiVersion: rbac.authorization.k8s.io/v1beta1
      kind: ClusterRoleBinding
      metadata:
        name: eks-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: eks-admin
        namespace: kube-system
      
    4. Apply the cluster role binding to your cluster:

      kubectl apply -f eks-admin-cluster-role-binding.yaml
      

      Output:

      clusterrolebinding "eks-admin" created
      
    5. Retrieve the token for the eks-admin service account:

      kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
      

      Copy the <authentication_token> value from the output:

      Name:         eks-admin-token-b5zv4
      Namespace:    kube-system
      Labels:       <none>
      Annotations:  kubernetes.io/service-account.name=eks-admin
                    kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8
      
      Type:  kubernetes.io/service-account-token
      
      Data
      ====
      ca.crt:     1025 bytes
      namespace:  11 bytes
      token:      <authentication_token>
      
  3. The API server endpoint is also required, so GitLab can connect to the cluster. This is displayed on the AWS EKS console, when viewing the EKS cluster details.

You now have all the information needed to connect the EKS cluster:

  • Kubernetes cluster name: Provide a name for the cluster to identify it within GitLab.
  • Environment scope: Leave this as * for now, since we are only connecting a single cluster.
  • API URL: Paste in the API server endpoint retrieved above.
  • CA Certificate: Paste the certificate data from the earlier step, as-is.
  • Paste the admin token value.
  • Project namespace: This can be left blank to accept the default namespace, based on the project name.

Add Cluster

Click on Add Kubernetes cluster, the cluster is now connected to GitLab. At this point, Kubernetes deployment variables will automatically be available during CI/CD jobs, making it easy to interact with the cluster.

If you would like to utilize your own CI/CD scripts to deploy to the cluster, you can stop here.

Disable Role-Based Access Control (RBAC) (optional)

When connecting a cluster via GitLab integration, you may specify whether the cluster is RBAC-enabled or not. This will affect how GitLab interacts with the cluster for certain operations. If you did not check the “RBAC-enabled cluster” checkbox at creation time, GitLab will assume RBAC is disabled for your cluster when interacting with it. If so, you must disable RBAC on your cluster for the integration to work properly.

rbac

Note: Disabling RBAC means that any application running in the cluster, or user who can authenticate to the cluster, has full API access. This is a security concern, and may not be desirable.

To effectively disable RBAC, global permissions can be applied granting full access:

kubectl create clusterrolebinding permissive-binding \
  --clusterrole=cluster-admin \
  --user=admin \
  --user=kubelet \
  --group=system:serviceaccounts

Create a default Storage Class

Amazon EKS doesn’t have a default Storage Class out of the box, which means requests for persistent volumes will not be automatically fulfilled. As part of Auto DevOps, the deployed Postgres instance requests persistent storage, and without a default storage class it will fail to start.

If a default Storage Class doesn’t already exist and is desired, follow Amazon’s guide on storage classes to create one.

Alternatively, disable Postgres by setting the project variable POSTGRES_ENABLED to false.

Deploy the app to EKS

With RBAC disabled and services deployed, Auto DevOps can now be leveraged to build, test, and deploy the app.

Enable Auto DevOps if not already enabled. If a wildcard DNS entry was created resolving to the Load Balancer, enter it in the domain field under the Auto DevOps settings. Otherwise, the deployed app will not be externally available outside of the cluster.

Deploy Pipeline

A new pipeline will automatically be created, which will begin to build, test, and deploy the app.

After the pipeline has finished, your app will be running in EKS and available to users. Click on CI/CD > Environments.

Deployed Environment

You will see a list of the environments and their deploy status, as well as options to browse to the app, view monitoring metrics, and even access a shell on the running pod.

Enabling or disabling integration

After you have successfully added your cluster information, you can enable the Kubernetes cluster integration:

  1. Click the Enabled/Disabled switch
  2. Hit Save for the changes to take effect

To disable the Kubernetes cluster integration, follow the same procedure.

Removing integration

To remove the Kubernetes cluster integration from your project, simply click the Remove integration button. You will then be able to follow the procedure and add a Kubernetes cluster again.

When removing the cluster integration, note:

  • You need Maintainer permissions and above to remove a Kubernetes cluster integration.
  • When you remove a cluster, you only remove its relationship to GitLab, not the cluster itself. To remove the cluster, you can do so by visiting the GKE dashboard or using kubectl.

Learn more

To learn more on automatically deploying your applications, read about Auto DevOps.