index.md 34.8 KB
Newer Older
1
# Connecting GitLab with a Kubernetes cluster
2

3 4
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/35954) in GitLab 10.1.

5 6
Connect your project to Google Kubernetes Engine (GKE) or an existing Kubernetes
cluster in a few steps.
7

8 9
## Overview

10
With one or more Kubernetes clusters associated to your project, you can use
11
[Review Apps](../../../ci/review_apps/index.md), deploy your applications, run
12 13
your pipelines, use it with [Auto DevOps](../../../topics/autodevops/index.md),
and much more, all from within GitLab.
14

15 16 17 18
There are two options when adding a new cluster to your project; either associate
your account with Google Kubernetes Engine (GKE) so that you can [create new
clusters](#adding-and-creating-a-new-gke-cluster-via-gitlab) from within GitLab,
or provide the credentials to an [existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster).
19

20 21 22 23 24
NOTE: **Note:**
From [GitLab 11.6](https://gitlab.com/gitlab-org/gitlab-ce/issues/34758) you
can also associate a Kubernetes cluster to your groups. Learn more about
[group Kubernetes clusters](../../group/clusters/index.md).

25
## Adding and creating a new GKE cluster via GitLab
26

27 28 29 30 31
TIP: **Tip:**
Every new Google Cloud Platform (GCP) account receives [$300 in credit upon sign up](https://console.cloud.google.com/freetrial),
and in partnership with Google, GitLab is able to offer an additional $200 for new GCP accounts to get started with GitLab's
Google Kubernetes Engine Integration. All you have to do is [follow this link](https://goo.gl/AaJzRW) and apply for credit.

32
NOTE: **Note:**
33 34 35 36 37 38 39 40 41 42 43
The [Google authentication integration](../../../integration/google.md) must
be enabled in GitLab at the instance level. If that's not the case, ask your
GitLab administrator to enable it. On GitLab.com, this is enabled.

### Requirements

Before creating your first cluster on Google Kubernetes Engine with GitLab's
integration, make sure the following requirements are met:

- A [billing account](https://cloud.google.com/billing/docs/how-to/manage-billing-account)
  is set up and you have permissions to access it.
44
- The Kubernetes Engine API and related service are enabled. It should work immediately but may take up to 10 minutes after you create a project. For more information see the
45 46 47
  ["Before you begin" section of the Kubernetes Engine docs](https://cloud.google.com/kubernetes-engine/docs/quickstart#before-you-begin).

### Creating the cluster
48

49
If all of the above requirements are met, you can proceed to create and add a
50
new Kubernetes cluster to your project:
51

52
1. Navigate to your project's **Operations > Kubernetes** page.
53 54 55 56

    NOTE: **Note:**
    You need Maintainer [permissions] and above to access the Kubernetes page.

Mike Lewis's avatar
Mike Lewis committed
57 58
1. Click **Add Kubernetes cluster**.
1. Click **Create with Google Kubernetes Engine**.
59 60
1. Connect your Google account if you haven't done already by clicking the
   **Sign in with Google** button.
61
1. From there on, choose your cluster's settings:
62
   - **Kubernetes cluster name** - The name you wish to give the cluster.
63
   - **Environment scope** - The [associated environment](#setting-the-environment-scope-premium) to this cluster.
64 65 66 67 68 69 70 71
   - **Google Cloud Platform project** - Choose the project you created in your GCP
     console that will host the Kubernetes cluster. Learn more about
     [Google Cloud Platform projects](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
   - **Zone** - Choose the [region zone](https://cloud.google.com/compute/docs/regions-zones/)
     under which the cluster will be created.
   - **Number of nodes** - Enter the number of nodes you wish the cluster to have.
   - **Machine type** - The [machine type](https://cloud.google.com/compute/docs/machine-types)
     of the Virtual Machine instance that the cluster will be based on.
72
   - **RBAC-enabled cluster** - Leave this checked if using default GKE creation options, see the [RBAC section](#role-based-access-control-rbac-core-only) for more information.
73
1. Finally, click the **Create Kubernetes cluster** button.
74

75 76
After a couple of minutes, your cluster will be ready to go. You can now proceed
to install some [pre-defined applications](#installing-applications).
77

78 79 80 81 82 83 84 85
NOTE: **Note:**
GitLab requires basic authentication enabled and a client certificate issued for
the cluster in order to setup an [initial service
account](#access-controls). Starting from [GitLab
11.10](https://gitlab.com/gitlab-org/gitlab-ce/issues/58208), the cluster
creation process will explicitly request that basic authentication and
client certificate is enabled.

86 87 88
## Adding an existing Kubernetes cluster

To add an existing Kubernetes cluster to your project:
89

90
1. Navigate to your project's **Operations > Kubernetes** page.
91 92 93 94

    NOTE: **Note:**
    You need Maintainer [permissions] and above to access the Kubernetes page.

Mike Lewis's avatar
Mike Lewis committed
95 96
1. Click **Add Kubernetes cluster**.
1. Click **Add an existing Kubernetes cluster** and fill in the details:
97
    - **Kubernetes cluster name** (required) - The name you wish to give the cluster.
98
    - **Environment scope** (required) - The
99
      [associated environment](#setting-the-environment-scope-premium) to this cluster.
100 101 102 103
    - **API URL** (required) -
      It's the URL that GitLab uses to access the Kubernetes API. Kubernetes
      exposes several APIs, we want the "base" URL that is common to all of them,
      e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`.
Takuya Noguchi's avatar
Takuya Noguchi committed
104
    - **CA certificate** (required) - A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default.
105 106 107 108 109 110 111
      -  List the secrets with `kubectl get secrets`, and one should named similar to
       `default-token-xxxxx`. Copy that token name for use below.
      -  Get the certificate by running this command:

        ```sh
        kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
        ```
112 113
    - **Token** -
      GitLab authenticates against Kubernetes using service tokens, which are
114 115 116 117 118
      scoped to a particular `namespace`.
      **The token used should belong to a service account with
      [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
      privileges.** To create this service account:

119
      1. Create a file called `gitlab-admin-service-account.yaml` with contents:
120

121 122 123 124
          ```yaml
          apiVersion: v1
          kind: ServiceAccount
          metadata:
125
            name: gitlab-admin
126
            namespace: kube-system
127
          ```
128 129

      2. Apply the service account to your cluster:
130 131

          ```bash
132
          kubectl apply -f gitlab-admin-service-account.yaml
133 134 135 136 137
          ```

          Output:

            ```bash
138
            serviceaccount "gitlab-admin" created
139 140
            ```

141
      3. Create a file called `gitlab-admin-cluster-role-binding.yaml` with contents:
142 143 144

          ```yaml
          apiVersion: rbac.authorization.k8s.io/v1beta1
145 146
          kind: ClusterRoleBinding
          metadata:
147
            name: gitlab-admin
148
          roleRef:
149
            apiGroup: rbac.authorization.k8s.io
150 151
            kind: ClusterRole
            name: cluster-admin
152 153
          subjects:
          - kind: ServiceAccount
154
            name: gitlab-admin
155 156 157 158 159 160
            namespace: kube-system
          ```

      4. Apply the cluster role binding to your cluster:

          ```bash
161
          kubectl apply -f gitlab-admin-cluster-role-binding.yaml
162 163 164 165 166
          ```

          Output:

          ```bash
167
          clusterrolebinding "gitlab-admin" created
168
          ```
169

170
      5. Retrieve the token for the `gitlab-admin` service account:
171 172

          ```bash
173
          kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')
174 175 176 177 178
          ```

      Copy the `<authentication_token>` value from the output:

      ```yaml
179
      Name:         gitlab-admin-token-b5zv4
180 181
      Namespace:    kube-system
      Labels:       <none>
182
      Annotations:  kubernetes.io/service-account.name=gitlab-admin
183 184 185 186 187 188 189 190 191 192
                    kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8

      Type:  kubernetes.io/service-account-token

      Data
      ====
      ca.crt:     1025 bytes
      namespace:  11 bytes
      token:      <authentication_token>
      ```
193

194 195 196 197 198 199
      NOTE: **Note:**
      For GKE clusters, you will need the
      `container.clusterRoleBindings.create` permission to create a cluster
      role binding. You can follow the [Google Cloud
      documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access)
      to grant access.
200 201
    - **Project namespace** (optional) - You don't have to fill it in; by leaving
      it blank, GitLab will create one for you. Also:
202 203 204 205 206 207 208 209
       - Each project should have a unique namespace.
       - The project namespace is not necessarily the namespace of the secret, if
         you're using a secret with broader permissions, like the secret from `default`.
       - You should **not** use `default` as the project namespace.
       - If you or someone created a secret specifically for the project, usually
         with limited permissions, the secret's namespace and project namespace may
         be the same.

Pascal Borreli's avatar
Pascal Borreli committed
210
1. Finally, click the **Create Kubernetes cluster** button.
211

212 213
After a couple of minutes, your cluster will be ready to go. You can now proceed
to install some [pre-defined applications](#installing-applications).
214

Jason Colyer's avatar
Jason Colyer committed
215 216
To determine the:

217
- API URL, run `kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'`.
Jason Colyer's avatar
Jason Colyer committed
218
- Token:
219
  1. List the secrets by running: `kubectl get secrets`. Note the name of the secret you need the token for.
220 221
  1. Get the token for the appropriate secret by running: `kubectl get secret <SECRET_NAME> -o jsonpath="{['data']['token']}" | base64 --decode`.
- CA certificate, run `kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode`.
222

223 224 225 226 227 228 229 230
## Security implications

CAUTION: **Important:**
The whole cluster security is based on a model where [developers](../../permissions.md)
are trusted, so **only trusted users should be allowed to control your clusters**.

The default cluster configuration grants access to a wide set of
functionalities needed to successfully build and deploy a containerized
231
application. Bear in mind that the same credentials are used for all the
232 233
applications running on the cluster.

234 235
## Base domain

236
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8.
237

238 239 240 241 242 243 244 245 246 247
NOTE: **Note:**
You do not need to specify a base domain on cluster settings when using GitLab Serverless. The domain in that case
will be specified as part of the Knative installation. See [Installing Applications](#installing-applications).

Specifying a base domain will automatically set `KUBE_INGRESS_BASE_DOMAIN` as an environment variable.
If you are using [Auto DevOps](../../../topics/autodevops/index.md), this domain will be used for the different
stages. For example, Auto Review Apps and Auto Deploy.

The domain should have a wildcard DNS configured to the Ingress IP address. After ingress has been installed (see [Installing Applications](#installing-applications)),
you can either:
248

249 250
- Create an `A` record that points to the Ingress IP address with your domain provider.
- Enter a wildcard DNS address using a service such as nip.io or xip.io. For example, `192.168.1.1.xip.io`.
251

252 253 254 255 256 257
## Access controls

When creating a cluster in GitLab, you will be asked if you would like to create an
[Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/) cluster, or
a [Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) one.

Evan Read's avatar
Evan Read committed
258 259 260 261 262
NOTE: **Note:**
[RBAC](#role-based-access-control-rbac) is recommended and the GitLab default.

Whether [ABAC](#attribute-based-access-control-abac) or [RBAC](#role-based-access-control-rbac) is enabled,
GitLab will create the necessary service accounts and privileges in order to install and run
263 264
[GitLab managed applications](#installing-applications):

265 266 267
- If GitLab is creating the cluster, a `gitlab` service account with
  `cluster-admin` privileges will be created in the `default` namespace,
  which will be used by GitLab to manage the newly created cluster.
268

269 270 271 272
- A project service account with [`edit`
  privileges](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
  will be created in the project namespace (also created by GitLab), which will
  be used in [deployment jobs](#deployment-variables).
273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312

  NOTE: **Note:**
  Restricted service account for deployment was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716) in GitLab 11.5.

- When you install Helm Tiller into your cluster, the `tiller` service account
  will be created with `cluster-admin` privileges in the `gitlab-managed-apps`
  namespace. This service account will be added to the installed Helm Tiller and will
  be used by Helm to install and run [GitLab managed applications](#installing-applications).
  Helm Tiller will also create additional service accounts and other resources for each
  installed application. Consult the documentation of the Helm charts for each application
  for details.

If you are [adding an existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster),
ensure the token of the account has administrator privileges for the cluster.

The following sections summarize which resources will be created on ABAC/RBAC clusters.

### Attribute-based access control (ABAC)

| Name              | Kind                 | Details                           | Created when                      |
| ---               | ---                  | ---                               | ---                               |
| `gitlab`          | `ServiceAccount`     | `default` namespace               | Creating a new GKE Cluster        |
| `gitlab-token`    | `Secret`             | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster        |
| `tiller`          | `ServiceAccount`     | `gitlab-managed-apps` namespace   | Installing Helm Tiller            |
| `tiller-admin`    | `ClusterRoleBinding` | `cluster-admin` roleRef           | Installing Helm Tiller            |
| Project namespace | `ServiceAccount`     | Uses namespace of Project         | Creating/Adding a new GKE Cluster |
| Project namespace | `Secret`             | Token for project ServiceAccount  | Creating/Adding a new GKE Cluster |

### Role-based access control (RBAC)

| Name                | Kind                 | Details                           | Created when                      |
| ---                 | ---                  | ---                               | ---                               |
| `gitlab`            | `ServiceAccount`     | `default` namespace               | Creating a new GKE Cluster        |
| `gitlab-admin`      | `ClusterRoleBinding` | [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef           | Creating a new GKE Cluster |
| `gitlab-token`      | `Secret`             | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster        |
| `tiller`            | `ServiceAccount`     | `gitlab-managed-apps` namespace   | Installing Helm Tiller            |
| `tiller-admin`      | `ClusterRoleBinding` | `cluster-admin` roleRef           | Installing Helm Tiller            |
| Project namespace   | `ServiceAccount`     | Uses namespace of Project         | Creating/Adding a new GKE Cluster |
| Project namespace   | `Secret`             | Token for project ServiceAccount  | Creating/Adding a new GKE Cluster |
| Project namespace   | `RoleBinding`        | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef                  | Creating/Adding a new GKE Cluster |
313

314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331
### Security of GitLab Runners

GitLab Runners have the [privileged mode](https://docs.gitlab.com/runner/executors/docker.html#the-privileged-mode)
enabled by default, which allows them to execute special commands and running
Docker in Docker. This functionality is needed to run some of the [Auto DevOps]
jobs. This implies the containers are running in privileged mode and you should,
therefore, be aware of some important details.

The privileged flag gives all capabilities to the running container, which in
turn can do almost everything that the host can do. Be aware of the
inherent security risk associated with performing `docker run` operations on
arbitrary images as they effectively have root access.

If you don't want to use GitLab Runner in privileged mode, first make sure that
you don't have it installed via the applications, and then use the
[Runner's Helm chart](../../../install/kubernetes/gitlab_runner_chart.md) to
install it manually.

332 333
## Installing applications

334
NOTE: **Note:**
335 336
Before starting the installation of applications, make sure that time is synchronized
between your GitLab server and your Kubernetes cluster. Otherwise, installation could fail
337
and you may get errors like `Error: remote error: tls: bad certificate`
338
in the `stdout` of pods created by GitLab in your Kubernetes cluster.
339

340 341 342
GitLab provides a one-click install for various applications which can
be added directly to your configured cluster. Those applications are
needed for [Review Apps](../../../ci/review_apps/index.md) and
343 344 345 346 347 348 349 350 351
[deployments](../../../ci/environments.md). You can install them after you
[create a cluster](#adding-and-creating-a-new-gke-cluster-via-gitlab).

To see a list of available applications to install:

1. Navigate to your project's **Operations > Kubernetes**.
1. Select your cluster.

Install Helm Tiller first because it's used to install other applications.
352

353
NOTE: **Note:**
354 355
As of GitLab 11.6, Helm Tiller will be upgraded to the latest version supported
by GitLab before installing any of the applications.
356

357 358 359 360
| Application | GitLab version | Description | Helm Chart |
| ----------- | :------------: | ----------- | --------------- |
| [Helm Tiller](https://docs.helm.sh/) | 10.2+ | Helm is a package manager for Kubernetes and is required to install all the other applications. It is installed in its own pod inside the cluster which can run the `helm` CLI in a safe environment. | n/a |
| [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) | 10.2+ | Ingress can provide load balancing, SSL termination, and name-based virtual hosting. It acts as a web proxy for your applications and is useful if you want to use [Auto DevOps] or deploy your own web apps. | [stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) |
Amit Rathi's avatar
Amit Rathi committed
361
| [Cert Manager](http://docs.cert-manager.io/en/latest/) | 11.6+ | Cert Manager is a native Kubernetes certificate management controller that helps with issuing certificates. Installing Cert Manager on your cluster will issue a certificate by [Let's Encrypt](https://letsencrypt.org/) and ensure that certificates are valid and up-to-date. | [stable/cert-manager](https://github.com/helm/charts/tree/master/stable/cert-manager) |
362 363
| [Prometheus](https://prometheus.io/docs/introduction/overview/) | 10.4+ | Prometheus is an open-source monitoring and alerting system useful to supervise your deployed applications. | [stable/prometheus](https://github.com/helm/charts/tree/master/stable/prometheus) |
| [GitLab Runner](https://docs.gitlab.com/runner/) | 10.6+ | GitLab Runner is the open source project that is used to run your jobs and send the results back to GitLab. It is used in conjunction with [GitLab CI/CD](https://about.gitlab.com/features/gitlab-ci-cd/), the open-source continuous integration service included with GitLab that coordinates the jobs. When installing the GitLab Runner via the applications, it will run in **privileged mode** by default. Make sure you read the [security implications](#security-implications) before doing so. | [runner/gitlab-runner](https://gitlab.com/charts/gitlab-runner) |
364
| [JupyterHub](http://jupyter.org/) | 11.0+ | [JupyterHub](https://jupyterhub.readthedocs.io/en/stable/) is a multi-user service for managing notebooks across a team. [Jupyter Notebooks](https://jupyter-notebook.readthedocs.io/en/latest/) provide a web-based interactive programming environment used for data analysis, visualization, and machine learning. We use a [custom Jupyter image](https://gitlab.com/gitlab-org/jupyterhub-user-image/blob/master/Dockerfile) that installs additional useful packages on top of the base Jupyter. Authentication will be enabled only for [project members](../members/index.md) with [Developer or higher](../../permissions.md) access to the project. You will also see ready-to-use DevOps Runbooks built with Nurtch's [Rubix library](https://github.com/amit1rrr/rubix). More information on creating executable runbooks can be found in [our Nurtch documentation](runbooks/index.md#nurtch-executable-runbooks). | [jupyter/jupyterhub](https://jupyterhub.github.io/helm-chart/) |
365
| [Knative](https://cloud.google.com/knative) | 11.5+ | Knative provides a platform to create, deploy, and manage serverless workloads from a Kubernetes cluster. It is used in conjunction with, and includes [Istio](https://istio.io) to provide an external IP address for all programs hosted by Knative. You will be prompted to enter a wildcard domain where your applications will be exposed. Configure your DNS server to use the external IP address for that domain. For any application created and installed, they will be accessible as `<program_name>.<kubernetes_namespace>.<domain_name>`. This will require your kubernetes cluster to have [RBAC enabled](#role-based-access-control-rbac). | [knative/knative](https://storage.googleapis.com/triggermesh-charts)
366

367 368 369 370 371 372 373 374
With the exception of Knative, the applications will be installed in a dedicated
namespace called `gitlab-managed-apps`.

CAUTION: **Caution:**
If you have an existing Kubernetes cluster with Tiller already installed,
you should be careful as GitLab cannot detect it. In this case, installing
Tiller via the applications will result in the cluster having it twice, which
can lead to confusion during deployments.
375

376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397
### Upgrading applications

> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24789)
in GitLab 11.8.

Users can perform a one-click upgrade for the GitLab Runner application,
when there is an upgrade available.

To upgrade the GitLab Runner application:

1. Navigate to your project's **Operations > Kubernetes**.
1. Select your cluster.
1. Click the **Upgrade** button for the Runnner application.

The **Upgrade** button will not be shown if there is no upgrade
available.

NOTE: **Note:**
Upgrades will reset values back to the values built into the `runner`
chart plus the values set by
[`values.yaml`](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/vendor/runner/values.yaml)

398
## Getting the external endpoint
399 400

NOTE: **Note:**
401
With the following procedure, a load balancer must be installed in your cluster
402
to obtain the endpoint. You can use either
403 404
[Ingress](#installing-applications), or Knative's own load balancer
([Istio](https://istio.io)) if using [Knative](#installing-applications).
Chris Baumbauer's avatar
Chris Baumbauer committed
405

406 407
In order to publish your web application, you first need to find the endpoint which will be either an IP
address or a hostname associated with your load balancer.
408

409
### Let GitLab fetch the external endpoint
410 411 412

> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17052) in GitLab 10.6.

413
If you [installed Ingress or Knative](#installing-applications),
414 415
you should see the Ingress Endpoint on this same page within a few minutes.
If you don't see this, GitLab might not be able to determine the external endpoint of
416
your ingress application in which case you should manually determine it.
417

418
### Manually determining the external endpoint
419

Mike Lewis's avatar
Mike Lewis committed
420
If the cluster is on GKE, click the **Google Kubernetes Engine** link in the
421 422
**Advanced settings**, or go directly to the
[Google Kubernetes Engine dashboard](https://console.cloud.google.com/kubernetes/)
Mike Lewis's avatar
Mike Lewis committed
423
and select the proper project and cluster. Then click **Connect** and execute
424 425 426 427
the `gcloud` command in a local terminal or using the **Cloud Shell**.

If the cluster is not on GKE, follow the specific instructions for your
Kubernetes provider to configure `kubectl` with the right credentials.
428
The output of the following examples will show the external endpoint of your
429 430
cluster. This information can then be used to set up DNS entries and forwarding
rules that allow external access to your deployed applications.
431

432 433
If you installed the Ingress [via the **Applications**](#installing-applications),
run the following command:
434 435

```bash
436
kubectl get service --namespace=gitlab-managed-apps ingress-nginx-ingress-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
437 438
```

439
Some Kubernetes clusters return a hostname instead, like [Amazon EKS](https://aws.amazon.com/eks/). For these platforms, run:
440

Chris Baumbauer's avatar
Chris Baumbauer committed
441
```bash
442
kubectl get service --namespace=gitlab-managed-apps ingress-nginx-ingress-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
Chris Baumbauer's avatar
Chris Baumbauer committed
443 444
```

445
For Istio/Knative, the command will be different:
446 447

```bash
448
kubectl get svc --namespace=istio-system knative-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip} '
449 450
```

451
Otherwise, you can list the IP addresses of all load balancers:
452

453 454 455
```bash
kubectl get svc --all-namespaces -o jsonpath='{range.items[?(@.status.loadBalancer.ingress)]}{.status.loadBalancer.ingress[*].ip} '
```
456

457 458 459 460 461 462 463 464
### Using a static IP

By default, an ephemeral external IP address is associated to the cluster's load
balancer. If you associate the ephemeral IP with your DNS and the IP changes,
your apps will not be able to be reached, and you'd have to change the DNS
record again. In order to avoid that, you should change it into a static
reserved IP.

Mike Lewis's avatar
Mike Lewis committed
465
Read how to [promote an ephemeral external IP address in GKE](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#promote_ephemeral_ip).
466

467
### Pointing your DNS at the external endpoint
468

469 470 471 472
Once you've set up the external endpoint, you should associate it with a [wildcard DNS
record](https://en.wikipedia.org/wiki/Wildcard_DNS_record) such as `*.example.com.`
in order to be able to reach your apps. If your external endpoint is an IP address,
use an A record. If your external endpoint is a hostname, use a CNAME record.
473

474 475 476 477 478 479 480 481 482
## Multiple Kubernetes clusters **[PREMIUM]**

> Introduced in [GitLab Premium][ee] 10.3.

With GitLab Premium, you can associate more than one Kubernetes clusters to your
project. That way you can have different clusters for different environments,
like dev, staging, production, etc.

Simply add another cluster, like you did the first time, and make sure to
483
[set an environment scope](#setting-the-environment-scope-premium) that will
484 485
differentiate the new cluster with the rest.

486
## Setting the environment scope **[PREMIUM]**
487

488 489 490
When adding more than one Kubernetes cluster to your project, you need to differentiate
them with an environment scope. The environment scope associates clusters with [environments](../../../ci/environments.md) similar to how the
[environment-specific variables](https://docs.gitlab.com/ee/ci/variables/README.html#limiting-environment-scopes-of-variables-premium) work.
491 492 493 494

The default environment scope is `*`, which means all jobs, regardless of their
environment, will use that cluster. Each scope can only be used by a single
cluster in a project, and a validation error will occur if otherwise.
Shinya Maeda's avatar
Shinya Maeda committed
495
Also, jobs that don't have an environment keyword set will not be able to access any cluster.
496 497 498

---

499
For example, let's say the following Kubernetes clusters exist in a project:
500

501 502 503 504 505
| Cluster     | Environment scope |
| ----------- | ----------------- |
| Development | `*`               |
| Staging     | `staging`         |
| Production  | `production`      |
506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521

And the following environments are set in [`.gitlab-ci.yml`](../../../ci/yaml/README.md):

```yaml
stages:
- test
- deploy

test:
  stage: test
  script: sh test

deploy to staging:
  stage: deploy
  script: make deploy
  environment:
522
    name: staging
523 524 525 526 527 528
    url: https://staging.example.com/

deploy to production:
  stage: deploy
  script: make deploy
  environment:
529
    name: production
530 531 532 533 534 535 536 537 538
    url: https://example.com/
```

The result will then be:

- The development cluster will be used for the "test" job.
- The staging cluster will be used for the "deploy to staging" job.
- The production cluster will be used for the "deploy to production" job.

539 540 541 542
## Deployment variables

The Kubernetes cluster integration exposes the following
[deployment variables](../../../ci/variables/README.md#deployment-variables) in the
543 544 545 546 547
GitLab CI/CD build environment.

| Variable | Description |
| -------- | ----------- |
| `KUBE_URL` | Equal to the API URL. |
548
| `KUBE_TOKEN` | The Kubernetes token of the [project service account](#access-controls). |
549
| `KUBE_NAMESPACE` | The Kubernetes namespace is auto-generated if not specified. The default value is `<project_name>-<project_id>`. You can overwrite it to use different one if needed, otherwise the `KUBE_NAMESPACE` variable will receive the default value. |
550 551
| `KUBE_CA_PEM_FILE` | Path to a file containing PEM data. Only present if a custom CA bundle was specified. |
| `KUBE_CA_PEM` | (**deprecated**) Raw PEM data. Only if a custom CA bundle was specified. |
552
| `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. This config also embeds the same token defined in `KUBE_TOKEN` so you likely will only need this variable. This variable name is also automatically picked up by `kubectl` so you won't actually need to reference it explicitly if using `kubectl`. |
553
| `KUBE_INGRESS_BASE_DOMAIN` | From GitLab 11.8, this variable can be used to set a domain per cluster. See [cluster domains](#base-domain) for more information. |
554

555 556 557 558
NOTE: **NOTE:**
Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main
service account of the cluster integration.

559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580
### Troubleshooting missing `KUBECONFIG` or `KUBE_TOKEN`

GitLab will create a new service account specifically for your CI builds. The
new service account is created when the cluster is added to the project.
Sometimes there may be errors that cause the service account creation to fail.

In such instances, your build will not be passed the `KUBECONFIG` or
`KUBE_TOKEN` variables and, if you are using Auto DevOps, your Auto DevOps
pipelines will no longer trigger a `production` deploy build. You will need to
check the [logs](../../../administration/logs.md) to debug why the service
account creation failed.

A common reason for failure is that the token you gave GitLab did not have
[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
privileges as GitLab expects.

Another common problem for why these variables are not being passed to your
builds is that they must have a matching
[`environment:name`](../../../ci/environments.md#defining-environments). If
your build has no `environment:name` set, it will not be passed the Kubernetes
credentials.

581 582 583 584 585 586 587 588
## Monitoring your Kubernetes cluster **[ULTIMATE]**

> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4701) in [GitLab Ultimate][ee] 10.6.

When [Prometheus is deployed](#installing-applications), GitLab will automatically monitor the cluster's health. At the top of the cluster settings page, CPU and Memory utilization is displayed, along with the total amount available. Keeping an eye on cluster resources can be important, if the cluster runs out of memory pods may be shutdown or fail to start.

![Cluster Monitoring](https://docs.gitlab.com/ee/user/project/clusters/img/k8s_cluster_monitoring.png)

589
## Enabling or disabling the Kubernetes cluster integration
590 591

After you have successfully added your cluster information, you can enable the
592
Kubernetes cluster integration:
593

Mike Lewis's avatar
Mike Lewis committed
594
1. Click the **Enabled/Disabled** switch
595 596 597 598
1. Hit **Save** for the changes to take effect

You can now start using your Kubernetes cluster for your deployments.

599
To disable the Kubernetes cluster integration, follow the same procedure.
600

601
## Removing the Kubernetes cluster integration
602 603

NOTE: **Note:**
Mark Chao's avatar
Mark Chao committed
604
You need Maintainer [permissions] and above to remove a Kubernetes cluster integration.
605 606 607 608 609 610

NOTE: **Note:**
When you remove a cluster, you only remove its relation to GitLab, not the
cluster itself. To remove the cluster, you can do so by visiting the GKE
dashboard or using `kubectl`.

Mike Lewis's avatar
Mike Lewis committed
611
To remove the Kubernetes cluster integration from your project, simply click the
612
**Remove integration** button. You will then be able to follow the procedure
613
and add a Kubernetes cluster again.
614

615 616 617 618 619
## View Kubernetes pod logs from GitLab **[ULTIMATE]**

Learn how to easily
[view the logs of running pods in connected Kubernetes clusters](https://docs.gitlab.com/ee/user/project/clusters/kubernetes_pod_logs.html).

620 621 622 623
## What you can get with the Kubernetes integration

Here's what you can do with GitLab if you enable the Kubernetes integration.

624
### Deploy Boards **[PREMIUM]**
625 626 627 628 629 630 631

GitLab's Deploy Boards offer a consolidated view of the current health and
status of each CI [environment](../../../ci/environments.md) running on Kubernetes,
displaying the status of the pods in the deployment. Developers and other
teammates can view the progress and status of a rollout, pod by pod, in the
workflow they already use without any need to access Kubernetes.

632
[Read more about Deploy Boards](https://docs.gitlab.com/ee/user/project/deploy_boards.html)
633

634
### Canary Deployments **[PREMIUM]**
635 636 637 638 639

Leverage [Kubernetes' Canary deployments](https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
and visualize your canary deployments right inside the Deploy Board, without
the need to leave GitLab.

640
[Read more about Canary Deployments](https://docs.gitlab.com/ee/user/project/canary_deployments.html)
641 642 643 644 645 646

### Kubernetes monitoring

Automatically detect and monitor Kubernetes metrics. Automatic monitoring of
[NGINX ingress](../integrations/prometheus_library/nginx.md) is also supported.

647
[Read more about Kubernetes monitoring](../integrations/prometheus_library/kubernetes.md)
648 649 650 651 652 653 654 655 656

### Auto DevOps

Auto DevOps automatically detects, builds, tests, deploys, and monitors your
applications.

To make full use of Auto DevOps(Auto Deploy, Auto Review Apps, and Auto Monitoring)
you will need the Kubernetes project integration enabled.

657
[Read more about Auto DevOps](../../../topics/autodevops/index.md)
658 659 660 661

### Web terminals

NOTE: **Note:**
Mark Chao's avatar
doc  
Mark Chao committed
662
Introduced in GitLab 8.15. You must be the project owner or have `maintainer` permissions
663 664 665 666 667 668 669 670 671 672
to use terminals. Support is limited to the first container in the
first pod of your environment.

When enabled, the Kubernetes service adds [web terminal](../../../ci/environments.md#web-terminals)
support to your [environments](../../../ci/environments.md). This is based on the `exec` functionality found in
Docker and Kubernetes, so you get a new shell session within your existing
containers. To use this integration, you should deploy to Kubernetes using
the deployment variables above, ensuring any pods you create are labelled with
`app=$CI_ENVIRONMENT_SLUG`. GitLab will do the rest!

673 674
### Integrating Amazon EKS cluster with GitLab

Mike Lewis's avatar
Mike Lewis committed
675
- Learn how to [connect and deploy to an Amazon EKS cluster](eks_and_gitlab/index.md).
676 677 678 679

### Serverless

- [Run serverless workloads on Kubernetes with Knative.](serverless/index.md)
680

681
[permissions]: ../../permissions.md
682
[ee]: https://about.gitlab.com/pricing/
683
[Auto DevOps]: ../../../topics/autodevops/index.md