summaryrefslogtreecommitdiff
path: root/doc/user/project/clusters
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/project/clusters')
-rw-r--r--doc/user/project/clusters/add_remove_clusters.md80
-rw-r--r--doc/user/project/clusters/img/rbac.pngbin15960 -> 0 bytes
-rw-r--r--doc/user/project/clusters/img/rbac_v13_1.pngbin0 -> 10680 bytes
-rw-r--r--doc/user/project/clusters/index.md281
-rw-r--r--doc/user/project/clusters/kubernetes_pod_logs.md4
-rw-r--r--doc/user/project/clusters/runbooks/img/helm-install.pngbin71705 -> 0 bytes
-rw-r--r--doc/user/project/clusters/runbooks/index.md10
-rw-r--r--doc/user/project/clusters/securing.md154
-rw-r--r--doc/user/project/clusters/serverless/aws.md12
-rw-r--r--doc/user/project/clusters/serverless/index.md50
10 files changed, 370 insertions, 221 deletions
diff --git a/doc/user/project/clusters/add_remove_clusters.md b/doc/user/project/clusters/add_remove_clusters.md
index d0cba729e35..65f1c59f4ca 100644
--- a/doc/user/project/clusters/add_remove_clusters.md
+++ b/doc/user/project/clusters/add_remove_clusters.md
@@ -13,6 +13,11 @@ GitLab offers integrated cluster creation for the following Kubernetes providers
GitLab can also integrate with any standard Kubernetes provider, either on-premise or hosted.
+NOTE: **Note:**
+Watch the webcast [Scalable app deployment with GitLab and Google Cloud Platform](https://about.gitlab.com/webcast/scalable-app-deploy/)
+and learn how to spin up a Kubernetes cluster managed by Google Cloud Platform (GCP)
+in a few clicks.
+
TIP: **Tip:**
Every new Google Cloud Platform (GCP) account receives [$300 in credit upon sign up](https://console.cloud.google.com/freetrial),
and in partnership with Google, GitLab is able to offer an additional $200 for new GCP accounts to get started with GitLab's
@@ -23,7 +28,7 @@ Google Kubernetes Engine Integration. All you have to do is [follow this link](h
Before [adding a Kubernetes cluster](#create-new-cluster) using GitLab, you need:
- GitLab itself. Either:
- - A GitLab.com [account](https://about.gitlab.com/pricing/#gitlab-com).
+ - A [GitLab.com account](https://about.gitlab.com/pricing/#gitlab-com).
- A [self-managed installation](https://about.gitlab.com/pricing/#self-managed) with GitLab version
12.5 or later. This will ensure the GitLab UI can be used for cluster creation.
- The following GitLab access:
@@ -52,14 +57,10 @@ to manage the newly created cluster.
NOTE: **Note:**
Restricted service account for deployment was [introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/51716) in GitLab 11.5.
-When you install Helm into your cluster, the `tiller` service account
-is created with `cluster-admin` privileges in the `gitlab-managed-apps`
-namespace.
-
-This service account will be:
-
-- Added to the installed Helm Tiller.
-- Used by Helm to install and run [GitLab managed applications](index.md#installing-applications).
+The first time you install an application into your cluster, the `tiller` service
+account is created with `cluster-admin` privileges in the
+`gitlab-managed-apps` namespace. This service account will be used by Helm to
+install and run [GitLab managed applications](index.md#installing-applications).
Helm will also create additional service accounts and other resources for each
installed application. Consult the documentation of the Helm charts for each application
@@ -88,8 +89,8 @@ GitLab creates the following resources for RBAC clusters.
| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new cluster |
| `gitlab-admin` | `ClusterRoleBinding` | [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating a new cluster |
| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new cluster |
-| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller |
-| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller |
+| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm charts |
+| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm charts |
| Environment namespace | `Namespace` | Contains all environment-specific resources | Deploying to a cluster |
| Environment namespace | `ServiceAccount` | Uses namespace of environment | Deploying to a cluster |
| Environment namespace | `Secret` | Token for environment ServiceAccount | Deploying to a cluster |
@@ -103,8 +104,8 @@ GitLab creates the following resources for ABAC clusters.
|:----------------------|:---------------------|:-------------------------------------|:---------------------------|
| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new cluster |
| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new cluster |
-| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller |
-| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller |
+| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm charts |
+| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm charts |
| Environment namespace | `Namespace` | Contains all environment-specific resources | Deploying to a cluster |
| Environment namespace | `ServiceAccount` | Uses namespace of environment | Deploying to a cluster |
| Environment namespace | `Secret` | Token for environment ServiceAccount | Deploying to a cluster |
@@ -126,7 +127,7 @@ arbitrary images as they effectively have root access.
If you don't want to use GitLab Runner in privileged mode, either:
- Use shared Runners on GitLab.com. They don't have this security issue.
-- Set up your own Runners using configuration described at
+- Set up your own Runners using the configuration described at
[Shared Runners](../../gitlab_com/index.md#shared-runners). This involves:
1. Making sure that you don't have it installed via
[the applications](index.md#installing-applications).
@@ -135,23 +136,26 @@ If you don't want to use GitLab Runner in privileged mode, either:
## Create new cluster
-New clusters can be created using GitLab for:
+New clusters can be created using GitLab on Google Kubernetes Engine (GKE) or
+Amazon Elastic Kubernetes Service (EKS) at the project, group, or instance level:
-- [Google Kubernetes Engine (GKE)](add_gke_clusters.md).
-- [Amazon Elastic Kubernetes Service (EKS)](add_eks_clusters.md).
+1. Navigate to your:
+ - Project's **{cloud-gear}** **Operations > Kubernetes** page, for a project-level cluster.
+ - Group's **{cloud-gear}** **Kubernetes** page, for a group-level cluster.
+ - **{admin}** **Admin Area >** **{cloud-gear}** **Kubernetes** page, for an instance-level cluster.
+1. Click **Add Kubernetes cluster**.
+1. Click the **Create new cluster** tab.
+1. Click either **Amazon EKS** or **Google GKE**, and follow the instructions for your desired service:
+ - [Amazon EKS](add_eks_clusters.md#new-eks-cluster).
+ - [Google GKE](add_gke_clusters.md#creating-the-cluster-on-gke).
## Add existing cluster
If you have an existing Kubernetes cluster, you can add it to a project, group, or instance.
-For more information, see information for adding an:
-
-- [Existing Kubernetes cluster](#existing-kubernetes-cluster), including GKE clusters.
-- [Existing EKS cluster](add_eks_clusters.md#existing-eks-cluster).
-
NOTE: **Note:**
Kubernetes integration is not supported for arm64 clusters. See the issue
-[Helm Tiller fails to install on arm64 cluster](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/64044) for details.
+[Helm Tiller fails to install on arm64 cluster](https://gitlab.com/gitlab-org/gitlab/-/issues/29838) for details.
### Existing Kubernetes cluster
@@ -214,9 +218,9 @@ To add a Kubernetes cluster to your project, group, or instance:
kind: ClusterRole
name: cluster-admin
subjects:
- - kind: ServiceAccount
- name: gitlab-admin
- namespace: kube-system
+ - kind: ServiceAccount
+ name: gitlab-admin
+ namespace: kube-system
```
1. Apply the service account and cluster role binding to your cluster:
@@ -297,14 +301,15 @@ to install some [pre-defined applications](index.md#installing-applications).
When connecting a cluster via GitLab integration, you may specify whether the
cluster is RBAC-enabled or not. This will affect how GitLab interacts with the
-cluster for certain operations. If you **did not** check the "RBAC-enabled cluster"
+cluster for certain operations. If you did *not* check the **RBAC-enabled cluster**
checkbox at creation time, GitLab will assume RBAC is disabled for your cluster
when interacting with it. If so, you must disable RBAC on your cluster for the
integration to work properly.
-![rbac](img/rbac.png)
+![rbac](img/rbac_v13_1.png)
-NOTE: **Note**: Disabling RBAC means that any application running in the cluster,
+NOTE: **Note:**
+Disabling RBAC means that any application running in the cluster,
or user who can authenticate to the cluster, has full API access. This is a
[security concern](index.md#security-implications), and may not be desirable.
@@ -320,17 +325,20 @@ kubectl create clusterrolebinding permissive-binding \
## Enabling or disabling integration
-After you have successfully added your cluster information, you can enable the
-Kubernetes cluster integration:
-
-1. Click the **Enabled/Disabled** switch
-1. Hit **Save** for the changes to take effect
+The Kubernetes cluster integration enables after you have successfully either created
+a new cluster or added an existing one. To disable Kubernetes cluster integration:
-To disable the Kubernetes cluster integration, follow the same procedure.
+1. Navigate to your:
+ - Project's **{cloud-gear}** **Operations > Kubernetes** page, for a project-level cluster.
+ - Group's **{cloud-gear}** **Kubernetes** page, for a group-level cluster.
+ - **{admin}** **Admin Area >** **{cloud-gear}** **Kubernetes** page, for an instance-level cluster.
+1. Click on the name of the cluster.
+1. Click the **GitLab Integration** toggle.
+1. Click **Save changes**.
## Removing integration
-To remove the Kubernetes cluster integration from your project, either:
+To remove the Kubernetes cluster integration from your project, first navigate to the **Advanced Settings** tab of the cluster details page and either:
- Select **Remove integration**, to remove only the Kubernetes integration.
- [From GitLab 12.6](https://gitlab.com/gitlab-org/gitlab/-/issues/26815), select
diff --git a/doc/user/project/clusters/img/rbac.png b/doc/user/project/clusters/img/rbac.png
deleted file mode 100644
index 517e4f7ca44..00000000000
--- a/doc/user/project/clusters/img/rbac.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/project/clusters/img/rbac_v13_1.png b/doc/user/project/clusters/img/rbac_v13_1.png
new file mode 100644
index 00000000000..2772af9ff89
--- /dev/null
+++ b/doc/user/project/clusters/img/rbac_v13_1.png
Binary files differ
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md
index 961a9fda5ff..ddcfd376d89 100644
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -12,15 +12,6 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/39840) in
> GitLab 11.11 for [instances](../../instance/clusters/index.md).
-GitLab provides many features with a Kubernetes integration. Kubernetes can be
-integrated with projects, but also:
-
-- [Groups](../../group/clusters/index.md).
-- [Instances](../../instance/clusters/index.md).
-
-NOTE: **Scalable app deployment with GitLab and Google Cloud Platform**
-[Watch the webcast](https://about.gitlab.com/webcast/scalable-app-deploy/) and learn how to spin up a Kubernetes cluster managed by Google Cloud Platform (GCP) in a few clicks.
-
## Overview
Using the GitLab project Kubernetes integration, you can:
@@ -28,17 +19,26 @@ Using the GitLab project Kubernetes integration, you can:
- Use [Review Apps](../../../ci/review_apps/index.md).
- Run [pipelines](../../../ci/pipelines/index.md).
- [Deploy](#deploying-to-a-kubernetes-cluster) your applications.
-- Detect and [monitor Kubernetes](#kubernetes-monitoring).
+- Detect and [monitor Kubernetes](#monitoring-your-kubernetes-cluster).
- Use it with [Auto DevOps](#auto-devops).
- Use [Web terminals](#web-terminals).
- Use [Deploy Boards](#deploy-boards-premium). **(PREMIUM)**
- Use [Canary Deployments](#canary-deployments-premium). **(PREMIUM)**
-- View [Logs](#logs).
+- View [Logs](#viewing-pod-logs).
- Run serverless workloads on [Kubernetes with Knative](serverless/index.md).
+Besides integration at the project level, Kubernetes clusters can also be
+integrated at the [group level](../../group/clusters/index.md) or
+[GitLab instance level](../../instance/clusters/index.md).
+
+## Setting up
+
### Supported cluster versions
-GitLab is committed to support at least two production-ready Kubernetes minor versions at any given time. We regularly review the versions we support, and provide a four-month deprecation period before we remove support of a specific version. The range of supported versions is based on the evaluation of:
+GitLab is committed to support at least two production-ready Kubernetes minor
+versions at any given time. We regularly review the versions we support, and
+provide a four-month deprecation period before we remove support of a specific
+version. The range of supported versions is based on the evaluation of:
- Our own needs.
- The versions supported by major managed Kubernetes providers.
@@ -55,80 +55,83 @@ Currently, GitLab supports the following Kubernetes versions:
NOTE: **Note:**
Some GitLab features may support versions outside the range provided here.
-### Deploy Boards **(PREMIUM)**
-
-GitLab's Deploy Boards offer a consolidated view of the current health and
-status of each CI [environment](../../../ci/environments/index.md) running on Kubernetes,
-displaying the status of the pods in the deployment. Developers and other
-teammates can view the progress and status of a rollout, pod by pod, in the
-workflow they already use without any need to access Kubernetes.
-
-[Read more about Deploy Boards](../deploy_boards.md)
-
-### Canary Deployments **(PREMIUM)**
-
-Leverage [Kubernetes' Canary deployments](https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
-and visualize your canary deployments right inside the Deploy Board, without
-the need to leave GitLab.
-
-[Read more about Canary Deployments](../canary_deployments.md)
+### Adding and removing clusters
-### Logs
-
-GitLab makes it easy to view the logs of running pods in connected Kubernetes clusters. By displaying the logs directly in GitLab, developers can avoid having to manage console tools or jump to a different interface.
-
-[Read more about Kubernetes logs](kubernetes_pod_logs.md)
+See [Adding and removing Kubernetes clusters](add_remove_clusters.md) for details on how
+to:
-### Kubernetes monitoring
+- Create a cluster in Google Cloud Platform (GCP) or Amazon Elastic Kubernetes Service
+ (EKS) using GitLab's UI.
+- Add an integration to an existing cluster from any Kubernetes platform.
-Automatically detect and monitor Kubernetes metrics. Automatic monitoring of
-[NGINX Ingress](../integrations/prometheus_library/nginx.md) is also supported.
+### Multiple Kubernetes clusters
-[Read more about Kubernetes monitoring](../integrations/prometheus_library/kubernetes.md)
+> - Introduced in [GitLab Premium](https://about.gitlab.com/pricing/) 10.3
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35094) to GitLab core in 13.2.
-### Auto DevOps
+You can associate more than one Kubernetes cluster to your
+project. That way you can have different clusters for different environments,
+like dev, staging, production, and so on.
-Auto DevOps automatically detects, builds, tests, deploys, and monitors your
-applications.
+Simply add another cluster, like you did the first time, and make sure to
+[set an environment scope](#setting-the-environment-scope-premium) that will
+differentiate the new cluster with the rest.
-To make full use of Auto DevOps(Auto Deploy, Auto Review Apps, and Auto Monitoring)
-you will need the Kubernetes project integration enabled.
+#### Setting the environment scope **(PREMIUM)**
-[Read more about Auto DevOps](../../../topics/autodevops/index.md)
+When adding more than one Kubernetes cluster to your project, you need to differentiate
+them with an environment scope. The environment scope associates clusters with [environments](../../../ci/environments/index.md) similar to how the
+[environment-specific variables](../../../ci/variables/README.md#limit-the-environment-scopes-of-environment-variables) work.
-NOTE: **Note**
-Kubernetes clusters can be used without Auto DevOps.
+The default environment scope is `*`, which means all jobs, regardless of their
+environment, will use that cluster. Each scope can only be used by a single
+cluster in a project, and a validation error will occur if otherwise.
+Also, jobs that don't have an environment keyword set will not be able to access any cluster.
-### Web terminals
+For example, let's say the following Kubernetes clusters exist in a project:
-> Introduced in GitLab 8.15.
+| Cluster | Environment scope |
+| ----------- | ----------------- |
+| Development | `*` |
+| Production | `production` |
-When enabled, the Kubernetes integration adds [web terminal](../../../ci/environments/index.md#web-terminals)
-support to your [environments](../../../ci/environments/index.md). This is based on the `exec` functionality found in
-Docker and Kubernetes, so you get a new shell session within your existing
-containers. To use this integration, you should deploy to Kubernetes using
-the deployment variables above, ensuring any deployments, replica sets, and
-pods are annotated with:
+And the following environments are set in
+[`.gitlab-ci.yml`](../../../ci/yaml/README.md):
-- `app.gitlab.com/env: $CI_ENVIRONMENT_SLUG`
-- `app.gitlab.com/app: $CI_PROJECT_PATH_SLUG`
+```yaml
+stages:
+ - test
+ - deploy
-`$CI_ENVIRONMENT_SLUG` and `$CI_PROJECT_PATH_SLUG` are the values of
-the CI variables.
+test:
+ stage: test
+ script: sh test
-You must be the project owner or have `maintainer` permissions to use terminals. Support is limited
-to the first container in the first pod of your environment.
+deploy to staging:
+ stage: deploy
+ script: make deploy
+ environment:
+ name: staging
+ url: https://staging.example.com/
-## Adding and removing clusters
+deploy to production:
+ stage: deploy
+ script: make deploy
+ environment:
+ name: production
+ url: https://example.com/
+```
-See [Adding and removing Kubernetes clusters](add_remove_clusters.md) for details on how
-to:
+The result will then be:
-- Create a cluster in Google Cloud Platform (GCP) or Amazon Elastic Kubernetes Service
- (EKS) using GitLab's UI.
-- Add an integration to an existing cluster from any Kubernetes platform.
+- The Development cluster details will be available in the `deploy to staging`
+ job.
+- The production cluster details will be available in the `deploy to production`
+ job.
+- No cluster details will be available in the `test` job because it doesn't
+ define any environment.
-## Cluster configuration
+## Configuring your Kubernetes cluster
After [adding a Kubernetes cluster](add_remove_clusters.md) to GitLab, read this section that covers
important considerations for configuring Kubernetes clusters with GitLab.
@@ -203,72 +206,6 @@ you can either:
- Create an `A` record that points to the Ingress IP address with your domain provider.
- Enter a wildcard DNS address using a service such as nip.io or xip.io. For example, `192.168.1.1.xip.io`.
-### Setting the environment scope **(PREMIUM)**
-
-When adding more than one Kubernetes cluster to your project, you need to differentiate
-them with an environment scope. The environment scope associates clusters with [environments](../../../ci/environments/index.md) similar to how the
-[environment-specific variables](../../../ci/variables/README.md#limit-the-environment-scopes-of-environment-variables) work.
-
-The default environment scope is `*`, which means all jobs, regardless of their
-environment, will use that cluster. Each scope can only be used by a single
-cluster in a project, and a validation error will occur if otherwise.
-Also, jobs that don't have an environment keyword set will not be able to access any cluster.
-
-For example, let's say the following Kubernetes clusters exist in a project:
-
-| Cluster | Environment scope |
-| ----------- | ----------------- |
-| Development | `*` |
-| Production | `production` |
-
-And the following environments are set in
-[`.gitlab-ci.yml`](../../../ci/yaml/README.md):
-
-```yaml
-stages:
-- test
-- deploy
-
-test:
- stage: test
- script: sh test
-
-deploy to staging:
- stage: deploy
- script: make deploy
- environment:
- name: staging
- url: https://staging.example.com/
-
-deploy to production:
- stage: deploy
- script: make deploy
- environment:
- name: production
- url: https://example.com/
-```
-
-The result will then be:
-
-- The Development cluster details will be available in the `deploy to staging`
- job.
-- The production cluster details will be available in the `deploy to production`
- job.
-- No cluster details will be available in the `test` job because it doesn't
- define any environment.
-
-### Multiple Kubernetes clusters **(PREMIUM)**
-
-> Introduced in [GitLab Premium](https://about.gitlab.com/pricing/) 10.3.
-
-With GitLab Premium, you can associate more than one Kubernetes cluster to your
-project. That way you can have different clusters for different environments,
-like dev, staging, production, and so on.
-
-Simply add another cluster, like you did the first time, and make sure to
-[set an environment scope](#setting-the-environment-scope-premium) that will
-differentiate the new cluster with the rest.
-
## Installing applications
GitLab can install and manage some applications like Helm, GitLab Runner, Ingress,
@@ -277,6 +214,19 @@ installing, upgrading, uninstalling, and troubleshooting applications for
your project cluster, see
[GitLab Managed Apps](../../clusters/applications.md).
+## Auto DevOps
+
+Auto DevOps automatically detects, builds, tests, deploys, and monitors your
+applications.
+
+To make full use of Auto DevOps (Auto Deploy, Auto Review Apps, and
+Auto Monitoring) you will need the Kubernetes project integration enabled.
+
+[Read more about Auto DevOps](../../../topics/autodevops/index.md)
+
+NOTE: **Note:**
+Kubernetes clusters can be used without Auto DevOps.
+
## Deploying to a Kubernetes cluster
A Kubernetes cluster can be the destination for a deployment job. If
@@ -325,10 +275,59 @@ For **non**-GitLab-managed clusters, the namespace can be customized using
[`environment:kubernetes:namespace`](../../../ci/environments/index.md#configuring-kubernetes-deployments)
in `.gitlab-ci.yml`.
-NOTE: **Note:** When using a [GitLab-managed cluster](#gitlab-managed-clusters), the
+NOTE: **Note:**
+When using a [GitLab-managed cluster](#gitlab-managed-clusters), the
namespaces are created automatically prior to deployment and [can not be
customized](https://gitlab.com/gitlab-org/gitlab/-/issues/38054).
+### Integrations
+
+#### Canary Deployments **(PREMIUM)**
+
+Leverage [Kubernetes' Canary deployments](https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
+and visualize your canary deployments right inside the Deploy Board, without
+the need to leave GitLab.
+
+[Read more about Canary Deployments](../canary_deployments.md)
+
+#### Deploy Boards **(PREMIUM)**
+
+GitLab's Deploy Boards offer a consolidated view of the current health and
+status of each CI [environment](../../../ci/environments/index.md) running on Kubernetes,
+displaying the status of the pods in the deployment. Developers and other
+teammates can view the progress and status of a rollout, pod by pod, in the
+workflow they already use without any need to access Kubernetes.
+
+[Read more about Deploy Boards](../deploy_boards.md)
+
+#### Viewing pod logs
+
+GitLab makes it easy to view the logs of running pods in connected Kubernetes
+clusters. By displaying the logs directly in GitLab, developers can avoid having
+to manage console tools or jump to a different interface.
+
+[Read more about Kubernetes logs](kubernetes_pod_logs.md)
+
+#### Web terminals
+
+> Introduced in GitLab 8.15.
+
+When enabled, the Kubernetes integration adds [web terminal](../../../ci/environments/index.md#web-terminals)
+support to your [environments](../../../ci/environments/index.md). This is based
+on the `exec` functionality found in Docker and Kubernetes, so you get a new
+shell session within your existing containers. To use this integration, you
+should deploy to Kubernetes using the deployment variables above, ensuring any
+deployments, replica sets, and pods are annotated with:
+
+- `app.gitlab.com/env: $CI_ENVIRONMENT_SLUG`
+- `app.gitlab.com/app: $CI_PROJECT_PATH_SLUG`
+
+`$CI_ENVIRONMENT_SLUG` and `$CI_PROJECT_PATH_SLUG` are the values of
+the CI variables.
+
+You must be the project owner or have `maintainer` permissions to use terminals.
+Support is limited to the first container in the first pod of your environment.
+
### Troubleshooting
Before the deployment jobs starts, GitLab creates the following specifically for
@@ -353,15 +352,23 @@ Reasons for failure include:
[`environment:name`](../../../ci/environments/index.md#defining-environments). If your job has no
`environment:name` set, it will not be passed the Kubernetes credentials.
-NOTE: **NOTE:**
+NOTE: **Note:**
Project-level clusters upgraded from GitLab 12.0 or older may be configured
in a way that causes this error. Ensure you deselect the
[GitLab-managed cluster](#gitlab-managed-clusters) option if you want to manage
namespaces and service accounts yourself.
-## Monitoring your Kubernetes cluster **(ULTIMATE)**
+## Monitoring your Kubernetes cluster
+
+Automatically detect and monitor Kubernetes metrics. Automatic monitoring of
+[NGINX Ingress](../integrations/prometheus_library/nginx.md) is also supported.
+
+[Read more about Kubernetes monitoring](../integrations/prometheus_library/kubernetes.md)
+
+### Visualizing cluster health
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/4701) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.6.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/4701) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.6.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/208224) to GitLab core in 13.2.
When [Prometheus is deployed](#installing-applications), GitLab will automatically monitor the cluster's health. At the top of the cluster settings page, CPU and Memory utilization is displayed, along with the total amount available. Keeping an eye on cluster resources can be important, if the cluster runs out of memory pods may be shutdown or fail to start.
diff --git a/doc/user/project/clusters/kubernetes_pod_logs.md b/doc/user/project/clusters/kubernetes_pod_logs.md
index 509be4ed0a8..ee642dc18cf 100644
--- a/doc/user/project/clusters/kubernetes_pod_logs.md
+++ b/doc/user/project/clusters/kubernetes_pod_logs.md
@@ -13,9 +13,9 @@ GitLab makes it easy to view the logs of running pods in [connected Kubernetes c
By displaying the logs directly in GitLab in the **Log Explorer**, developers can avoid
managing console tools or jumping to a different interface.
-NOTE: **Kubernetes + GitLab**
+NOTE: **Note:**
+[Learn more about Kubernetes + GitLab](https://about.gitlab.com/solutions/kubernetes/).
Everything you need to build, test, deploy, and run your application at scale.
-[Learn more](https://about.gitlab.com/solutions/kubernetes/).
## Overview
diff --git a/doc/user/project/clusters/runbooks/img/helm-install.png b/doc/user/project/clusters/runbooks/img/helm-install.png
deleted file mode 100644
index e67cf317ec1..00000000000
--- a/doc/user/project/clusters/runbooks/img/helm-install.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/project/clusters/runbooks/index.md b/doc/user/project/clusters/runbooks/index.md
index 92ef35ad93f..a592d59f964 100644
--- a/doc/user/project/clusters/runbooks/index.md
+++ b/doc/user/project/clusters/runbooks/index.md
@@ -42,9 +42,6 @@ To create an executable runbook, you will need:
- **Kubernetes** - A Kubernetes cluster is required to deploy the rest of the
applications. The simplest way to get started is to add a cluster using one
of [GitLab's integrations](../add_remove_clusters.md#create-new-cluster).
-- **Helm Tiller** - Helm is a package manager for Kubernetes and is required to
- install all the other applications. It's installed in its own pod inside the
- cluster which can run the Helm CLI in a safe environment.
- **Ingress** - Ingress can provide load balancing, SSL termination, and name-based
virtual hosting. It acts as a web proxy for your applications.
- **JupyterHub** - [JupyterHub](https://jupyterhub.readthedocs.io/) is a multi-user
@@ -68,13 +65,8 @@ the components outlined above and the pre-loaded demo runbook.
1. Add a Kubernetes cluster to your project by following the steps outlined in
[Create new cluster](../add_remove_clusters.md#create-new-cluster).
-1. After the cluster has been provisioned in GKE, click the **Install** button
- next to the **Helm Tiller** application to install Helm Tiller.
- ![install helm](img/helm-install.png)
-
-1. After Helm Tiller has been installed successfully, click the **Install** button next
- to the **Ingress** application.
+1. Click the **Install** button next to the **Ingress** application to install Ingress.
![install ingress](img/ingress-install.png)
diff --git a/doc/user/project/clusters/securing.md b/doc/user/project/clusters/securing.md
new file mode 100644
index 00000000000..b4c20cb8dbc
--- /dev/null
+++ b/doc/user/project/clusters/securing.md
@@ -0,0 +1,154 @@
+---
+stage: Defend
+group: Container Security
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+---
+
+# Securing your deployed applications
+
+GitLab makes it easy to secure applications deployed in [connected Kubernetes clusters](index.md).
+You can benefit from the protection of a [Web Application Firewall](../../../topics/web_application_firewall/quick_start_guide.md),
+[Network Policies](../../../topics/autodevops/stages.md#network-policy),
+or even [Container Host Security](../../clusters/applications.md#install-falco-using-gitlab-cicd).
+
+This page contains full end-to-end steps and instructions to connect your cluster to GitLab and
+install these features, whether or not your applications are deployed through GitLab CI/CD. If you
+use [Auto DevOps](../../../topics/autodevops/index.md)
+to build and deploy your application with GitLab, see the documentation for the respective
+[GitLab Managed Applications](../../clusters/applications.md)
+above.
+
+## Overview
+
+At a high level, the required steps include the following:
+
+- Connect the cluster to GitLab.
+- Set up one or more runners.
+- Set up a cluster management project.
+- Install a Web Application Firewall, Network Policies, and/or Container Host
+ Security.
+- Install Prometheus to get statistics and metrics in the
+ [threat monitoring](../../application_security/threat_monitoring/)
+ dashboard.
+
+### Requirements
+
+Minimum requirements (depending on the GitLab Manage Application you want to install):
+
+- Your cluster is connected to GitLab (ModSecurity, Cilium, and Falco).
+- At least one GitLab Runner is installed (Cilium and Falco only).
+
+### Understanding how GitLab Managed Apps are installed
+
+You install GitLab Managed Apps from the GitLab web interface with a one-click setup process. GitLab
+uses Sidekiq (a background processing service) to facilitate this.
+
+```mermaid
+ sequenceDiagram
+ autonumber
+ GitLab->>+Sidekiq: Install a GitLab Managed App
+ Sidekiq->>+Kubernetes: Helm install
+ Kubernetes-->>-Sidekiq: Installation complete
+ Sidekiq-->>-GitLab: Refresh UI
+```
+
+NOTE: **Note:**
+This diagram uses the term _Kubernetes_ for simplicity. In practice, Sidekiq connects to a Helm
+Tiller daemon running in a pod in the cluster.
+
+Although this installation method is easier because it's a point-and-click action in the user
+interface, it's inflexible and hard to debug. When something goes wrong, you can't see the
+deployment logs. The Web Application Firewall feature uses this installation method.
+
+However, the next generation of GitLab Managed Apps V2 ([CI/CD-based GitLab Managed Apps](https://gitlab.com/groups/gitlab-org/-/epics/2103))
+don't use Sidekiq to deploy. All the applications are deployed using a GitLab CI/CD pipeline and
+therefore GitLab Runners.
+
+```mermaid
+sequenceDiagram
+ autonumber
+ GitLab->>+GitLab: Trigger pipeline
+ GitLab->>+Runner: Run deployment job
+ Runner->>+Kubernetes: Helm install
+ Kubernetes-->>-Runner: Installation is complete
+ Runner-->>-GitLab: Report job status and update pipeline
+```
+
+Debugging is easier because you have access to the raw logs of these jobs (the Helm Tiller output is
+available as an artifact in case of failure) and the flexibility is much better. Since these
+deployments are only triggered when a pipeline is running (most likely when there's a new commit in
+the cluster management repository), every action has a paper trail and follows the classic merge
+request workflow (approvals, merge, deploy). The Network Policy (Cilium) Managed App and Container
+Host Security (Falco) are deployed with this model.
+
+## Connect the cluster to GitLab
+
+To deploy GitLab Managed Apps to your cluster, you must first
+[add your cluster](add_remove_clusters.md)
+to GitLab. Then [install](../../clusters/applications.md#installing-applications)
+the Web Application Firewall from the project or group Kubernetes page.
+
+Note that your project doesn't have to be hosted or deployed through GitLab. You can manage a
+cluster independent of the applications that use the cluster.
+
+## Set up a GitLab Runner
+
+To install CI/CD-based GitLab Managed Apps, a pipeline using a GitLab Runner must be running in
+GitLab. You can [install a GitLab Runner](../../clusters/applications.md#gitlab-runner)
+in the Kubernetes cluster added in the previous step, or use one of the shared runners provided by
+GitLab if you're using GitLab.com.
+
+With your cluster connected to GitLab and a GitLab Runner in place, you can proceed to the next
+steps and start installing the Cilium and Falco GitLab Managed Apps to secure your applications
+hosted on this cluster.
+
+## Create a Cluster Management Project
+
+A [Cluster Management Project](../../clusters/management_project.md)
+is a GitLab project that contains a `.gitlab-ci.yml` file to deploy GitLab Managed Apps to your
+cluster. This project runs the required charts with the Kubernetes
+[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+privileges.
+
+The creation of this project starts like any other GitLab project. Use an empty
+project and add a `gitlab-ci.yml` file at the root, containing this template:
+
+```yaml
+include:
+ - template: Managed-Cluster-Applications.gitlab-ci.yml
+```
+
+To make this project a Cluster Management Project, follow these
+[instructions](../../clusters/management_project.md#selecting-a-cluster-management-project).
+This project can be designated as such even if your application isn't hosted on GitLab. In this
+case, create a new empty project where you can select your newly created Cluster Management Project.
+
+## Install GitLab Container Network Policy
+
+GitLab Container Network Policy is based on [Cilium](https://cilium.io/). To
+install the Cilium GitLab Managed App, add a
+`.gitlab/managed-apps/config.yaml` file to your Cluster Management project:
+
+```yaml
+# possible values are gke, eks or you can leave it blank
+clusterType: gke
+
+cilium:
+ installed: true
+```
+
+Your application doesn't have to be managed or deployed by GitLab to leverage this feature.
+[Read more](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
+about configuring Container Network Policy.
+
+## Install GitLab Container Host Security
+
+Similarly, you can install Container Host Security, based on
+[Falco](https://falco.org/), in your `.gitlab/managed-apps/config.yaml`:
+
+```yaml
+falco:
+ installed: true
+```
+
+[Read more] about configuring Container Host Security.
diff --git a/doc/user/project/clusters/serverless/aws.md b/doc/user/project/clusters/serverless/aws.md
index 15f7e14fda9..595d8fb3895 100644
--- a/doc/user/project/clusters/serverless/aws.md
+++ b/doc/user/project/clusters/serverless/aws.md
@@ -392,29 +392,19 @@ want to store your package:
image: python:latest
stages:
-
- deploy
production:
-
stage: deploy
-
before_script:
-
- pip3 install awscli --upgrade
-
- pip3 install aws-sam-cli --upgrade
-
script:
-
- sam build
-
- sam package --output-template-file packaged.yaml --s3-bucket <S3_bucket_name>
-
- sam deploy --template-file packaged.yaml --stack-name gitlabpoc --s3-bucket <S3_bucket_name> --capabilities CAPABILITY_IAM --region us-east-1
-
environment: production
- ```
+```
Let’s examine the configuration file more closely:
diff --git a/doc/user/project/clusters/serverless/index.md b/doc/user/project/clusters/serverless/index.md
index 45fb313d177..6af08b06294 100644
--- a/doc/user/project/clusters/serverless/index.md
+++ b/doc/user/project/clusters/serverless/index.md
@@ -51,8 +51,6 @@ To run Knative on GitLab, you will need:
1. **Kubernetes Cluster:** An RBAC-enabled Kubernetes cluster is required to deploy Knative.
The simplest way to get started is to add a cluster using GitLab's [GKE integration](../add_remove_clusters.md).
The set of minimum recommended cluster specifications to run Knative is 3 nodes, 6 vCPUs, and 22.50 GB memory.
-1. **Helm Tiller:** Helm is a package manager for Kubernetes and is required to install
- Knative.
1. **GitLab Runner:** A runner is required to run the CI jobs that will deploy serverless
applications or functions onto your cluster. You can install the GitLab Runner
onto the existing Kubernetes cluster. See [Installing Applications](../index.md#installing-applications) for more information.
@@ -80,8 +78,8 @@ To run Knative on GitLab, you will need:
NOTE: **Note:**
The minimum recommended cluster size to run Knative is 3-nodes, 6 vCPUs, and 22.50 GB memory. **RBAC must be enabled.**
-1. [Add a Kubernetes cluster](../add_remove_clusters.md) and [install Helm](../index.md#installing-applications).
-1. Once Helm has been successfully installed, scroll down to the Knative app section. Enter the domain to be used with
+1. [Add a Kubernetes cluster](../add_remove_clusters.md).
+1. Select the **Applications** tab and scroll down to the Knative app section. Enter the domain to be used with
your application/functions (e.g. `example.com`) and click **Install**.
![install-knative](img/install-knative.png)
@@ -143,24 +141,24 @@ You must do the following:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- - apiGroups:
- - serving.knative.dev
- resources:
- - configurations
- - configurationgenerations
- - routes
- - revisions
- - revisionuids
- - autoscalers
- - services
- verbs:
- - get
- - list
- - create
- - update
- - delete
- - patch
- - watch
+ - apiGroups:
+ - serving.knative.dev
+ resources:
+ - configurations
+ - configurationgenerations
+ - routes
+ - revisions
+ - revisionuids
+ - autoscalers
+ - services
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - patch
+ - watch
```
Then run the following command:
@@ -570,7 +568,7 @@ The simplest way to accomplish this is to
use [Certbot to manually obtain Let's Encrypt certificates](https://knative.dev/docs/serving/using-a-tls-cert/#using-certbot-to-manually-obtain-let-s-encrypt-certificates). Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.
NOTE: **Note:**
-The instructions below relate to installing and running Certbot on a Linux server and may not work on other operating systems.
+The instructions below relate to installing and running Certbot on a Linux server that has Python 3 installed and may not work on other operating systems or with other versions of Python.
1. Install Certbot by running the
[`certbot-auto` wrapper script](https://certbot.eff.org/docs/install.html#certbot-auto).
@@ -580,7 +578,7 @@ The instructions below relate to installing and running Certbot on a Linux serve
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
- chmod 0755 /usr/local/bin/certbot-auto
+ sudo chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help
```
@@ -609,7 +607,7 @@ The instructions below relate to installing and running Certbot on a Linux serve
using DNS challenge during authorization:
```shell
- ./certbot-auto certonly --manual --preferred-challenges dns -d '*.<namespace>.example.com'
+ /usr/local/bin/certbot-auto certonly --manual --preferred-challenges dns -d '*.<namespace>.example.com'
```
Where `<namespace>` is the namespace created by GitLab for your serverless project (composed of `<project_name>-<project_id>-<environment>`) and
@@ -835,7 +833,7 @@ The instructions below relate to installing and running Certbot on a Linux serve
## Using an older version of `gitlabktl`
There may be situations where you want to run an older version of `gitlabktl`. This
-requires setting an older version of the `gitlabktl` image in the `.gitlab-ci.yml file.`
+requires setting an older version of the `gitlabktl` image in the `.gitlab-ci.yml` file.
To set an older version, add `image:` to the `functions:deploy` block. For example: