Diffstat (limited to 'doc/user/clusters/agent/ci_cd_workflow.md')
-rw-r--r-- doc/user/clusters/agent/ci_cd_workflow.md | 32
1 files changed, 31 insertions, 1 deletions
diff --git a/doc/user/clusters/agent/ci_cd_workflow.md b/doc/user/clusters/agent/ci_cd_workflow.md
index 454be3c53c7..2a66549f9cb 100644
--- a/doc/user/clusters/agent/ci_cd_workflow.md
+++ b/doc/user/clusters/agent/ci_cd_workflow.md
@@ -60,6 +60,7 @@ Authorization configuration can take one or two minutes to propagate.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4.
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6.
+> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/356831) to allow authorizing projects in a user namespace in GitLab 15.7.
To authorize the agent to access the GitLab project where you keep Kubernetes manifests:
@@ -73,7 +74,7 @@ To authorize the agent to access the GitLab project where you keep Kubernetes ma
- id: path/to/project
```
- - Authorized projects must have the same root group as the agent's configuration project.
+ - Authorized projects must have the same root group or user namespace as the agent's configuration project.
- You can install additional agents into the same cluster to accommodate additional hierarchies.
- You can authorize up to 100 projects.
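Review bot: the added constraint "same root group or user namespace as the agent's configuration project" is ambiguous about which pairings are allowed. It can be read as permitting a project in any user namespace to be authorized by an agent whose configuration project lives in a group. This sentence defines the authorization boundary, so suggest spelling out both cases, for example "must be in the same root group as the agent's configuration project, or in the same user namespace as it". The unchanged bullet that follows, about installing additional agents "to accommodate additional hierarchies", only speaks to group hierarchies; say whether the same approach applies to projects in other user namespaces.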
@@ -286,6 +287,35 @@ The identity can be specified with the following keys:
See the [official Kubernetes documentation for details](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation).
+## Restrict project and group access to specific environments **(FREE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/343885) in GitLab 15.7.
+
+By default, if your agent is [available to a project](#authorize-the-agent), all of the project's CI/CD jobs can use that agent.
+
+To restrict access to the agent to only jobs with specific environments, add `environments` to `ci_access.projects` or `ci_access.groups`. For example:
+
+ ```yaml
+ ci_access:
+ projects:
+ - id: path/to/project-1
+ - id: path/to/project-2
+ environments:
+ - staging
+ - review/*
+ groups:
+ - id: path/to/group-1
+ environments:
+ - production
+ ```
+
+In this example:
+
+- All CI/CD jobs under `project-1` can access the agent.
+- CI/CD jobs under `project-2` with `staging` or `review/*` environments can access the agent.
+ - `*` is a wildcard, so `review/*` matches all environments under `review`.
+- CI/CD jobs for projects under `group-1` with `production` environments can access the agent.
+
## Related topics
- [Self-paced classroom workshop](https://gitlab-for-eks.awsworkshop.io) (Uses AWS EKS, but you can use for other Kubernetes clusters)
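Review bot: the "In this example" list does not say what happens to a `project-2` job that sets no environment at all, which is the first case readers hit after adding `environments`. Add a bullet stating whether such jobs are denied access to the agent. The wildcard sub-bullet should also say whether `*` in `review/*` matches across further `/` levels and whether it is accepted anywhere other than the end of the pattern. Because the restriction keys on the environment name, a sentence on who can set that name for a job would tell readers how far to rely on this setting as an access control.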