-rw-r--r-- | doc/user/project/clusters/index.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 1edc82ee9ef..6f1c7907464 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -130,6 +130,42 @@ The newer [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) authorization will be supported in a [future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/29398). +### Role-based access control (RBAC) experimental support + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21401) in GitLab 11.3. + +Experimental support for RBAC-enabled clusters is currently hidden behind a feature flag. Once +you have enabled the feature flag, GitLab will now be configured to +create the necessary service accounts and privilleges in order to +install and run [GitLab Managed Applications](#installing-applications). + +You can enable the feature flag from a Rails console: + +```ruby +Feature.enable('rbac_clusters') +``` + +If you are [adding an existing Kubernetes +cluster](#adding-an-existing-kubernetes-cluster), you will be asked if +the cluster you are adding is a RBAC-enabled cluster. Enabling this +setting will create a `tiller` service account in the +`gitlab-managed-apps` namespace when you install Helm Tiller into your cluster. +This service account will be added to the installed Helm Tiller +and will be used by Helm to install and run [GitLab Managed +Applications](#installing-applications). + +The `tiller` service account will have cluster-wide access (`cluster-admin` clusterrole). + +If you are creating a [new GKE cluster via +GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab), GitLab will +automatically create an RBAC-enabled cluster. A `tiller` service account +will be created as well and added to Helm Tiller. + +NOTE: **Note:** +Auto DevOps will not successfully complete in cluster that only has RBAC +authorization enabled. RBAC support for Auto DevOps is planned in a [future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/44597). + + ### Security of GitLab Runners GitLab Runners have the [privileged mode](https://docs.gitlab.com/runner/executors/docker.html#the-privileged-mode) |
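Review bot: The line "The `tiller` service account will have cluster-wide access (`cluster-admin` clusterrole)" is the most security-relevant statement in the new RBAC section, but it sits as a bare sentence between two paragraphs. Give it the same `NOTE:` callout treatment as the Auto DevOps caveat, and state plainly that although the service account is created in the `gitlab-managed-apps` namespace, its privileges are not limited to that namespace. Administrators should read that before ticking the RBAC setting. The unchanged context sentence directly above the new heading still says RBAC authorization "will be supported in a future release", which now contradicts the section that follows, so update or drop it in the same change. Because the feature is described as experimental and gated behind `rbac_clusters`, the Rails console step should also say how to turn the flag back off. Wording: "privilleges" should be "privileges"; "GitLab will now be configured to create" reads better as "GitLab will create"; "a RBAC-enabled cluster" is inconsistent with "an RBAC-enabled cluster" later in the hunk; "in cluster that only has" is missing an article.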