Skip to content

G
gitlab-ce
Commit ee8db2cd authored by GitLab Bot's avatar GitLab Bot
Browse files
Options

Automatic merge of gitlab-org/gitlab-ce master

parents dc836508 3e5d3998
Show whitespace changes
Inline Side-by-side
Showing with 468 additions and 285 deletions
doc/README.md
View file @ ee8db2cd
...@@ -302,7 +302,7 @@ The following documentation relates to the DevOps **Configure** stage: ...@@ -302,7 +302,7 @@ The following documentation relates to the DevOps **Configure** stage:
| Configure Topics | Description | | Configure Topics | Description |
|:-----------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------| |:-----------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------|
| [Auto DevOps](topics/autodevops/index.md) | Automatically employ a complete DevOps lifecycle. | | [Auto DevOps](topics/autodevops/index.md) | Automatically employ a complete DevOps lifecycle. |
| [Easy creation of Kubernetes<br/>clusters on GKE](user/project/clusters/index.md#adding-and-creating-a-new-gke-cluster-via-gitlab) | Use Google Kubernetes Engine and GitLab. | | [Create Kubernetes clusters on GKE](user/project/clusters/index.md#add-new-gke-cluster) | Use Google Kubernetes Engine and GitLab. |
| [Executable Runbooks](user/project/clusters/runbooks/index.md) | Documented procedures that explain how to carry out particular processes. | | [Executable Runbooks](user/project/clusters/runbooks/index.md) | Documented procedures that explain how to carry out particular processes. |
| [GitLab ChatOps](ci/chatops/README.md) | Interact with CI/CD jobs through chat services. | | [GitLab ChatOps](ci/chatops/README.md) | Interact with CI/CD jobs through chat services. |
| [Installing Applications](user/project/clusters/index.md#installing-applications) | Deploy Helm, Ingress, and Prometheus on Kubernetes. | | [Installing Applications](user/project/clusters/index.md#installing-applications) | Deploy Helm, Ingress, and Prometheus on Kubernetes. |
......
doc/api/group_clusters.md
View file @ ee8db2cd
...@@ -210,7 +210,7 @@ Parameters: ...@@ -210,7 +210,7 @@ Parameters:
NOTE: **Note:** NOTE: **Note:**
`name`, `api_url`, `ca_cert` and `token` can only be updated if the cluster was added `name`, `api_url`, `ca_cert` and `token` can only be updated if the cluster was added
through the ["Add an existing Kubernetes Cluster"](../user/project/clusters/index.md#adding-an-existing-kubernetes-cluster) option or through the ["Add existing Kubernetes cluster"](../user/project/clusters/index.md#add-existing-kubernetes-cluster) option or
through the ["Add existing cluster to group"](#add-existing-cluster-to-group) endpoint. through the ["Add existing cluster to group"](#add-existing-cluster-to-group) endpoint.
Example request: Example request:
......
doc/api/project_clusters.md
View file @ ee8db2cd
...@@ -261,7 +261,7 @@ Parameters: ...@@ -261,7 +261,7 @@ Parameters:
NOTE: **Note:** NOTE: **Note:**
`name`, `api_url`, `ca_cert` and `token` can only be updated if the cluster was added `name`, `api_url`, `ca_cert` and `token` can only be updated if the cluster was added
through the ["Add an existing Kubernetes Cluster"](../user/project/clusters/index.md#adding-an-existing-kubernetes-cluster) option or through the ["Add existing Kubernetes cluster"](../user/project/clusters/index.md#add-existing-kubernetes-cluster) option or
through the ["Add existing cluster to project"](#add-existing-cluster-to-project) endpoint. through the ["Add existing cluster to project"](#add-existing-cluster-to-project) endpoint.
Example request: Example request:
......
doc/topics/autodevops/index.md
View file @ ee8db2cd
...@@ -1058,7 +1058,7 @@ planned for a subsequent release. ...@@ -1058,7 +1058,7 @@ planned for a subsequent release.
case, you may need to customize your `.gitlab-ci.yml` with your test commands. case, you may need to customize your `.gitlab-ci.yml` with your test commands.
- Auto Deploy will fail if GitLab can not create a Kubernetes namespace and - Auto Deploy will fail if GitLab can not create a Kubernetes namespace and
service account for your project. For help debugging this issue, see service account for your project. For help debugging this issue, see
[Troubleshooting failed deployment jobs](../../user/project/clusters/index.md#troubleshooting-failed-deployment-jobs). [Troubleshooting failed deployment jobs](../../user/project/clusters/index.md#troubleshooting).
### Disable the banner instance wide ### Disable the banner instance wide
......
doc/university/README.md
View file @ ee8db2cd
...@@ -9,6 +9,10 @@ GitLab University is a great place to start when learning about version control ...@@ -9,6 +9,10 @@ GitLab University is a great place to start when learning about version control
If you're looking for a GitLab subscription for _your university_, see our [Education](https://about.gitlab.com/solutions/education/) page. If you're looking for a GitLab subscription for _your university_, see our [Education](https://about.gitlab.com/solutions/education/) page.
CAUTION: **Caution:**
Some of the content in GitLab University may be out of date and we plan to
[evaluate](https://gitlab.com/gitlab-org/gitlab-ce/issues/41064) it.
The GitLab University curriculum is composed of GitLab videos, screencasts, presentations, projects and external GitLab content hosted on other services and has been organized into the following sections: The GitLab University curriculum is composed of GitLab videos, screencasts, presentations, projects and external GitLab content hosted on other services and has been organized into the following sections:
1. [GitLab Beginner](#1-gitlab-beginner). 1. [GitLab Beginner](#1-gitlab-beginner).
......
doc/user/admin_area/abuse_reports.md
View file @ ee8db2cd
---
type: reference, howto
---
# Abuse reports # Abuse reports
View and resolve abuse reports from GitLab users. View and resolve abuse reports from GitLab users.
...@@ -59,3 +63,15 @@ page: ...@@ -59,3 +63,15 @@ page:
NOTE: **Note:** NOTE: **Note:**
Users can be [blocked](../../api/users.md#block-user) and Users can be [blocked](../../api/users.md#block-user) and
[unblocked](../../api/users.md#unblock-user) using the GitLab API. [unblocked](../../api/users.md#unblock-user) using the GitLab API.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/admin_area/broadcast_messages.md
View file @ ee8db2cd
---
type: reference, howto
---
# Broadcast Messages # Broadcast Messages
GitLab can display messages to all users of a GitLab instance in a banner that appears in the UI. GitLab can display messages to all users of a GitLab instance in a banner that appears in the UI.
...@@ -51,3 +55,15 @@ Once deleted, the broadcast message is removed from the list of broadcast messag ...@@ -51,3 +55,15 @@ Once deleted, the broadcast message is removed from the list of broadcast messag
NOTE: **Note:** NOTE: **Note:**
Broadcast messages can be deleted while active. Broadcast messages can be deleted while active.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/admin_area/custom_project_templates.md
View file @ ee8db2cd
---
type: reference
---
# Custom instance-level project templates **(PREMIUM ONLY)** # Custom instance-level project templates **(PREMIUM ONLY)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/6860) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.2. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/6860) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.2.
When you create a new [project](../project/index.md), creating it based on custom project templates is GitLab administrators can configure the group where all the custom project
a convenient bootstrap option. templates are sourced.
GitLab administrators can configure a GitLab group that serves as template Every project directly under the group namespace will be
source for an entire GitLab instance under **Admin area > Settings > Custom project templates**. available to the user if they have access to them. For example:
- Public project in the group will be available to every logged in user.
- Private projects will be available only if the user is a member of the project.
Repository and database information that are copied over to each new project are
identical to the data exported with
[GitLab's Project Import/Export](../project/settings/import_export.md).
NOTE: **Note:** NOTE: **Note:**
To set project templates at a group level, To set project templates at a group level,
see [Custom group-level project templates](../group/custom_project_templates.md). see [Custom group-level project templates](../group/custom_project_templates.md).
Within this section, you can configure the group where all the custom project ## Configuring
templates are sourced. Every project directly under the group namespace will be
available to the user if they have access to them. For example, every public
project in the group will be available to every logged in user.
However, private projects will be available only if the user is a member of the project. GitLab administrators can configure a GitLab group that serves as template
source for an entire GitLab instance by:
1. Navigating to **Admin area > Settings > Templates**.
1. Expanding **Custom project templates**.
1. Selecting a group to use.
1. Pressing **Save changes**.
NOTE: **Note:** NOTE: **Note:**
Projects below subgroups of the template group are **not** supported. Projects below subgroups of the template group are **not** supported.
Repository and database information that are copied over to each new project are <!-- ## Troubleshooting
identical to the data exported with [GitLab's Project Import/Export](../project/settings/import_export.md).
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/application_security/container_scanning/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# Container Scanning **(ULTIMATE)** # Container Scanning **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3672) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3672)
...@@ -47,7 +51,7 @@ To enable Container Scanning in your pipeline, you need: ...@@ -47,7 +51,7 @@ To enable Container Scanning in your pipeline, you need:
your Docker image to your project's [Container Registry](../../project/container_registry.md). your Docker image to your project's [Container Registry](../../project/container_registry.md).
The name of the Docker image should match the following scheme: The name of the Docker image should match the following scheme:
``` ```text
$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
``` ```
...@@ -114,7 +118,7 @@ When the GitLab Runner uses the Docker executor and NFS is used ...@@ -114,7 +118,7 @@ When the GitLab Runner uses the Docker executor and NFS is used
(e.g., `/var/lib/docker` is on an NFS mount), Container Scanning might fail with (e.g., `/var/lib/docker` is on an NFS mount), Container Scanning might fail with
an error like the following: an error like the following:
``` ```text
docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported. docker: Error response from daemon: failed to copy xattrs: failed to set xattr "security.selinux" on /path/to/file: operation not supported.
``` ```
......
doc/user/application_security/dast/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# Dynamic Application Security Testing (DAST) **(ULTIMATE)** # Dynamic Application Security Testing (DAST) **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/4348) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/4348)
...@@ -199,3 +203,15 @@ Once a vulnerability is found, you can interact with it. Read more on how to ...@@ -199,3 +203,15 @@ Once a vulnerability is found, you can interact with it. Read more on how to
For more information about the vulnerabilities database update, check the For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database). [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/application_security/dependency_scanning/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# Dependency Scanning **(ULTIMATE)** # Dependency Scanning **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/5105) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/5105)
...@@ -150,7 +154,7 @@ using environment variables. ...@@ -150,7 +154,7 @@ using environment variables.
| `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. | | `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
| `DS_PULL_ANALYZER_IMAGE_TIMEOUT` | Time limit when pulling the image of an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. | | `DS_PULL_ANALYZER_IMAGE_TIMEOUT` | Time limit when pulling the image of an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
| `DS_RUN_ANALYZER_TIMEOUT` | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. | | `DS_RUN_ANALYZER_TIMEOUT` | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h`, or `2h45m`. |
| `PIP_INDEX_URL` | Base URL of Python Package Index (default https://pypi.org/simple). | | `PIP_INDEX_URL` | Base URL of Python Package Index (default `https://pypi.org/simple`). |
| `PIP_EXTRA_INDEX_URL` | Array of [extra URLs](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url) of package indexes to use in addition to `PIP_INDEX_URL`. Comma separated. | | `PIP_EXTRA_INDEX_URL` | Array of [extra URLs](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url) of package indexes to use in addition to `PIP_INDEX_URL`. Comma separated. |
## Reports JSON format ## Reports JSON format
...@@ -342,3 +346,15 @@ Please check the [Release Process documentation](https://gitlab.com/gitlab-org/s ...@@ -342,3 +346,15 @@ Please check the [Release Process documentation](https://gitlab.com/gitlab-org/s
You can search the [gemnasium-db](https://gitlab.com/gitlab-org/security-products/gemnasium-db) project You can search the [gemnasium-db](https://gitlab.com/gitlab-org/security-products/gemnasium-db) project
to find a vulnerability in the Gemnasium database. to find a vulnerability in the Gemnasium database.
You can also [submit new vulnerabilities](https://gitlab.com/gitlab-org/security-products/gemnasium-db/blob/master/CONTRIBUTING.md). You can also [submit new vulnerabilities](https://gitlab.com/gitlab-org/security-products/gemnasium-db/blob/master/CONTRIBUTING.md).
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/application_security/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# GitLab Secure **(ULTIMATE)** # GitLab Secure **(ULTIMATE)**
Check your application for security vulnerabilities that may lead to unauthorized access, Check your application for security vulnerabilities that may lead to
data leaks, and denial of services. GitLab will perform static and dynamic tests on the unauthorized access, data leaks, and denial of services.
code of your application, looking for known flaws and report them in the merge request
so you can fix them before merging. Security teams can use dashboards to get a GitLab will perform static and dynamic tests on the code of your application,
high-level view on projects and groups, and start remediation processes when needed. looking for known flaws and report them in the merge request so you can fix
them before merging.
Security teams can use dashboards to get a high-level view on projects and
groups, and start remediation processes when needed.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For an overview of application security with GitLab, see
[Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
## Security scanning tools ## Security scanning tools
...@@ -54,7 +66,7 @@ Each security vulnerability in the merge request report or the ...@@ -54,7 +66,7 @@ Each security vulnerability in the merge request report or the
entry, a detailed information will pop up with different possible options: entry, a detailed information will pop up with different possible options:
- [Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability - [Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability
will place a <s>strikethrough</s> styling on it. will place a ~~strikethrough~~ styling on it.
- [Create issue](#creating-an-issue-for-a-vulnerability): The new issue will - [Create issue](#creating-an-issue-for-a-vulnerability): The new issue will
have the title and description pre-populated with the information from the have the title and description pre-populated with the information from the
vulnerability report and will be created as [confidential](../project/issues/confidential_issues.md) by default. vulnerability report and will be created as [confidential](../project/issues/confidential_issues.md) by default.
...@@ -124,7 +136,7 @@ generated by GitLab. To apply the fix: ...@@ -124,7 +136,7 @@ generated by GitLab. To apply the fix:
#### Creating a merge request from a vulnerability #### Creating a merge request from a vulnerability
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9224) in > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9224) in
[GitLab Ultimate](https://about.gitlab.com/pricing) 11.9. > [GitLab Ultimate](https://about.gitlab.com/pricing) 11.9.
In certain cases, GitLab will allow you to create a merge request that will In certain cases, GitLab will allow you to create a merge request that will
automatically remediate the vulnerability. Any vulnerability that has a automatically remediate the vulnerability. Any vulnerability that has a
...@@ -135,3 +147,15 @@ If this action is available there will be a **Create merge request** button in t ...@@ -135,3 +147,15 @@ If this action is available there will be a **Create merge request** button in t
Clicking on this button will create a merge request to apply the solution onto the source branch. Clicking on this button will create a merge request to apply the solution onto the source branch.
![Create merge request from vulnerability](img/create_issue_with_list_hover.png) ![Create merge request from vulnerability](img/create_issue_with_list_hover.png)
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/application_security/license_management/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# License Management **(ULTIMATE)** # License Management **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/5483) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/5483)
...@@ -227,3 +231,15 @@ pipeline ID that has a `license_management` job to see the Licenses tab with the ...@@ -227,3 +231,15 @@ pipeline ID that has a `license_management` job to see the Licenses tab with the
licenses (if any). licenses (if any).
![License Management Pipeline Tab](img/license_management_pipeline_tab.png) ![License Management Pipeline Tab](img/license_management_pipeline_tab.png)
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/application_security/sast/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# Static Application Security Testing (SAST) **(ULTIMATE)** # Static Application Security Testing (SAST) **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/3775) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/3775)
...@@ -334,3 +338,15 @@ Once a vulnerability is found, you can interact with it. Read more on how to ...@@ -334,3 +338,15 @@ Once a vulnerability is found, you can interact with it. Read more on how to
For more information about the vulnerabilities database update, check the For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database). [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/application_security/security_dashboard/index.md
View file @ ee8db2cd
---
type: reference, howto
---
# GitLab Security Dashboard **(ULTIMATE)** # GitLab Security Dashboard **(ULTIMATE)**
The Security Dashboard is a good place to get an overview of all the security The Security Dashboard is a good place to get an overview of all the security
...@@ -16,9 +20,9 @@ To benefit from the Security Dashboard you must first configure one of the ...@@ -16,9 +20,9 @@ To benefit from the Security Dashboard you must first configure one of the
The Security Dashboard supports the following reports: The Security Dashboard supports the following reports:
- [Container Scanning](../container_scanning/index.md) - [Container Scanning](../container_scanning/index.md)
- [DAST](../dast/index.md) - [Dynamic Application Security Testing](../dast/index.md)
- [Dependency Scanning](../dependency_scanning/index.md) - [Dependency Scanning](../dependency_scanning/index.md)
- [SAST](../sast/index.md) - [Static Application Security Testing](../sast/index.md)
## Requirements ## Requirements
...@@ -43,7 +47,7 @@ for your project. Use it to find and fix vulnerabilities affecting the ...@@ -43,7 +47,7 @@ for your project. Use it to find and fix vulnerabilities affecting the
## Group Security Dashboard ## Group Security Dashboard
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/6709) in > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/6709) in
[GitLab Ultimate](https://about.gitlab.com/pricing) 11.5. > [GitLab Ultimate](https://about.gitlab.com/pricing) 11.5.
The group Security Dashboard gives an overview of the vulnerabilities of all the The group Security Dashboard gives an overview of the vulnerabilities of all the
projects in a group and its subgroups. projects in a group and its subgroups.
...@@ -102,3 +106,15 @@ That way, reports are created even if no code change happens. ...@@ -102,3 +106,15 @@ That way, reports are created even if no code change happens.
When using [Auto DevOps](../../../topics/autodevops/index.md), use When using [Auto DevOps](../../../topics/autodevops/index.md), use
[special environment variables](../../../topics/autodevops/index.md#environment-variables) [special environment variables](../../../topics/autodevops/index.md#environment-variables)
to configure daily security scans. to configure daily security scans.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
doc/user/clusters/applications.md
View file @ ee8db2cd
...@@ -5,11 +5,12 @@ be added directly to your configured cluster. These applications are ...@@ -5,11 +5,12 @@ be added directly to your configured cluster. These applications are
needed for [Review Apps](../../ci/review_apps/index.md) and needed for [Review Apps](../../ci/review_apps/index.md) and
[deployments](../../ci/environments.md) when using [Auto DevOps](../../topics/autodevops/index.md). [deployments](../../ci/environments.md) when using [Auto DevOps](../../topics/autodevops/index.md).
You can install them after you You can install them after you
[create a cluster](../project/clusters/index.md#adding-and-creating-a-new-gke-cluster-via-gitlab). [create a cluster](../project/clusters/index.md#add-new-gke-cluster).
## Installing applications ## Installing applications
Applications managed by GitLab will be installed onto the `gitlab-managed-apps` namespace. Applications managed by GitLab will be installed onto the `gitlab-managed-apps` namespace.
This namespace: This namespace:
- Is different from the namespace used for project deployments. - Is different from the namespace used for project deployments.
......
doc/user/profile/index.md
View file @ ee8db2cd
...@@ -147,39 +147,40 @@ You can also set your current status [using the API](../../api/users.md#user-sta ...@@ -147,39 +147,40 @@ You can also set your current status [using the API](../../api/users.md#user-sta
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21598) in GitLab 11.4. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21598) in GitLab 11.4.
A commit email, is the email that will be displayed in every Git-related action done through the A commit email is an email address displayed in every Git-related action carried out through the GitLab interface.
GitLab interface.
You are able to select from the list of your own verified emails which email you want to use as the commit email. Any of your own verified email addresses can be used as the commit email.
To change it: To change your commit email:
1. Open the user menu in the top-right corner of the navigation bar. 1. Click on your avatar at the top-right corner of the navigation bar.
1. Hit **Commit email** selection box. 1. From the menu that appears, click **Settings**.
1. In the **Main settings** section, locate **Commit email** dropdown.
1. Select any of the verified emails. 1. Select any of the verified emails.
1. Hit **Update profile settings**. 1. Press **Update profile settings**.
### Private commit email ### Private commit email
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22560) in GitLab 11.5. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22560) in GitLab 11.5.
GitLab provides the user with an automatically generated private commit email option, GitLab provides users with an automatically generated private commit email option,
which allows the user to not make their email information public. which allows the user to not make their email information public.
To enable this option: To enable this option:
1. Open the user menu in the top-right corner of the navigation bar. 1. Click on your avatar at the top-right corner of the navigation bar.
1. Hit **Commit email** selection box. 1. From the menu that appears, click **Settings**.
1. Select **Use a private email** option. 1. In the **Main settings** section, locate **Commit email** dropdown.
1. Hit **Update profile settings**. 1. Select the "Use a private email" option.
1. Press **Update profile settings**.
Once this option is enabled, every Git-related action will be performed using the private commit email. Once this option is enabled, every Git-related action will be performed using the private commit email.
In order to stay fully annonymous, you can also copy this private commit email In order to stay fully anonymous, you can also copy this private commit email
and configure it on your local machine using the following command: and configure it on your local machine using the following command:
``` ```sh
git config --global user.email "YOUR_PRIVATE_COMMIT_EMAIL" git config --global user.email <YOUR_PRIVATE_COMMIT_EMAIL>
``` ```
## Troubleshooting ## Troubleshooting
......
doc/user/project/clusters/index.md
View file @ ee8db2cd
# Connecting GitLab with a Kubernetes cluster # Kubernetes clusters
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/35954) in GitLab 10.1. > - [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/35954) for
> projects in GitLab 10.1.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/34758) for
> [groups](../../group/clusters/index.md) in GitLab 11.6.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/39840) for
> [instances](../../instance/clusters/index.md) in GitLab 11.11.
Connect your project to Google Kubernetes Engine (GKE) or an existing Kubernetes GitLab provides many features with a Kubernetes integration. Kubernetes can be
cluster in a few steps. integrated with projects, but also:
- [Groups](../../group/clusters/index.md).
- [Instances](../../instance/clusters/index.md).
NOTE: **Scalable app deployment with GitLab and Google Cloud Platform** NOTE: **Scalable app deployment with GitLab and Google Cloud Platform**
[Watch the webcast](https://about.gitlab.com/webcast/scalable-app-deploy/) and learn how to spin up a Kubernetes cluster managed by Google Cloud Platform (GCP) in a few clicks. [Watch the webcast](https://about.gitlab.com/webcast/scalable-app-deploy/) and learn how to spin up a Kubernetes cluster managed by Google Cloud Platform (GCP) in a few clicks.
## Overview ## Overview
With one or more Kubernetes clusters associated to your project, you can use Using the GitLab project Kubernetes integration, you can:
[Review Apps](../../../ci/review_apps/index.md), deploy your applications, run
your pipelines, use it with [Auto DevOps](../../../topics/autodevops/index.md), - Use [Review Apps](../../../ci/review_apps/index.md).
and much more, all from within GitLab. - Run [pipelines](../../../ci/pipelines.md).
- [Deploy](#deploying-to-a-kubernetes-cluster) your applications.
- Detect and [monitor Kubernetes](#kubernetes-monitoring).
- Use it with [Auto DevOps](#auto-devops).
- Use [Web terminals](#web-terminals).
- Use [Deploy Boards](#deploy-boards-premium). **(PREMIUM)**
- Use [Canary Deployments](#canary-deployments-premium). **(PREMIUM)**
- View [Pod logs](#pod-logs-ultimate). **(ULTIMATE)**
You can also:
- Connect and deploy to an [Amazon EKS cluster](eks_and_gitlab/index.html).
- Run serverless workloads on [Kubernetes with Knative](serverless/index.md).
### Deploy Boards **(PREMIUM)**
GitLab's Deploy Boards offer a consolidated view of the current health and
status of each CI [environment](../../../ci/environments.md) running on Kubernetes,
displaying the status of the pods in the deployment. Developers and other
teammates can view the progress and status of a rollout, pod by pod, in the
workflow they already use without any need to access Kubernetes.
[Read more about Deploy Boards](../deploy_boards.md)
### Canary Deployments **(PREMIUM)**
Leverage [Kubernetes' Canary deployments](https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
and visualize your canary deployments right inside the Deploy Board, without
the need to leave GitLab.
[Read more about Canary Deployments](../canary_deployments.md)
### Pod logs **(ULTIMATE)**
GitLab makes it easy to view the logs of running pods in connected Kubernetes clusters. By displaying the logs directly in GitLab, developers can avoid having to manage console tools or jump to a different interface.
[Read more about Kubernetes pod logs](kubernetes_pod_logs.md)
### Kubernetes monitoring
There are two options when adding a new cluster to your project; either associate Automatically detect and monitor Kubernetes metrics. Automatic monitoring of
your account with Google Kubernetes Engine (GKE) so that you can [create new [NGINX ingress](../integrations/prometheus_library/nginx.md) is also supported.
clusters](#adding-and-creating-a-new-gke-cluster-via-gitlab) from within GitLab,
or provide the credentials to an [existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster). [Read more about Kubernetes monitoring](../integrations/prometheus_library/kubernetes.md)
### Auto DevOps
Auto DevOps automatically detects, builds, tests, deploys, and monitors your
applications.
To make full use of Auto DevOps(Auto Deploy, Auto Review Apps, and Auto Monitoring)
you will need the Kubernetes project integration enabled.
[Read more about Auto DevOps](../../../topics/autodevops/index.md)
### Web terminals
NOTE: **Note:** NOTE: **Note:**
From [GitLab 11.6](https://gitlab.com/gitlab-org/gitlab-ce/issues/34758) you Introduced in GitLab 8.15. You must be the project owner or have `maintainer` permissions
can also associate a Kubernetes cluster to your groups and from to use terminals. Support is limited to the first container in the
[GitLab 11.11](https://gitlab.com/gitlab-org/gitlab-ce/issues/39840), first pod of your environment.
to the GitLab instance. Learn more about [group-level](../../group/clusters/index.md)
and [instance-level](../../instance/clusters/index.md) Kubernetes clusters. When enabled, the Kubernetes service adds [web terminal](../../../ci/environments.md#web-terminals)
support to your [environments](../../../ci/environments.md). This is based on the `exec` functionality found in
Docker and Kubernetes, so you get a new shell session within your existing
containers. To use this integration, you should deploy to Kubernetes using
the deployment variables above, ensuring any deployments, replica sets, and
pods are annotated with:
## Adding and creating a new GKE cluster via GitLab - `app.gitlab.com/env: $CI_ENVIRONMENT_SLUG`
- `app.gitlab.com/app: $CI_PROJECT_PATH_SLUG`
`$CI_ENVIRONMENT_SLUG` and `$CI_PROJECT_PATH_SLUG` are the values of
the CI variables.
## Adding and removing clusters
There are two options when adding a new cluster to your project:
- Associate your account with Google Kubernetes Engine (GKE) to
[create new clusters](#add-new-gke-cluster) from within GitLab.
- Provide credentials to an
[existing Kubernetes cluster](#add-existing-kubernetes-cluster).
### Add new GKE cluster
TIP: **Tip:** TIP: **Tip:**
Every new Google Cloud Platform (GCP) account receives [$300 in credit upon sign up](https://console.cloud.google.com/freetrial), Every new Google Cloud Platform (GCP) account receives [$300 in credit upon sign up](https://console.cloud.google.com/freetrial),
...@@ -39,7 +117,7 @@ The [Google authentication integration](../../../integration/google.md) must ...@@ -39,7 +117,7 @@ The [Google authentication integration](../../../integration/google.md) must
be enabled in GitLab at the instance level. If that's not the case, ask your be enabled in GitLab at the instance level. If that's not the case, ask your
GitLab administrator to enable it. On GitLab.com, this is enabled. GitLab administrator to enable it. On GitLab.com, this is enabled.
### Requirements #### Requirements
Before creating your first cluster on Google Kubernetes Engine with GitLab's Before creating your first cluster on Google Kubernetes Engine with GitLab's
integration, make sure the following requirements are met: integration, make sure the following requirements are met:
...@@ -49,7 +127,7 @@ integration, make sure the following requirements are met: ...@@ -49,7 +127,7 @@ integration, make sure the following requirements are met:
- The Kubernetes Engine API and related service are enabled. It should work immediately but may take up to 10 minutes after you create a project. For more information see the - The Kubernetes Engine API and related service are enabled. It should work immediately but may take up to 10 minutes after you create a project. For more information see the
["Before you begin" section of the Kubernetes Engine docs](https://cloud.google.com/kubernetes-engine/docs/quickstart#before-you-begin). ["Before you begin" section of the Kubernetes Engine docs](https://cloud.google.com/kubernetes-engine/docs/quickstart#before-you-begin).
### Creating the cluster #### Creating the cluster
If all of the above requirements are met, you can proceed to create and add a If all of the above requirements are met, you can proceed to create and add a
new Kubernetes cluster to your project: new Kubernetes cluster to your project:
...@@ -57,7 +135,7 @@ new Kubernetes cluster to your project: ...@@ -57,7 +135,7 @@ new Kubernetes cluster to your project:
1. Navigate to your project's **Operations > Kubernetes** page. 1. Navigate to your project's **Operations > Kubernetes** page.
NOTE: **Note:** NOTE: **Note:**
You need Maintainer [permissions] and above to access the Kubernetes page. You need Maintainer [permissions](../../permissions.md) and above to access the Kubernetes page.
1. Click **Add Kubernetes cluster**. 1. Click **Add Kubernetes cluster**.
1. Click **Create with Google Kubernetes Engine**. 1. Click **Create with Google Kubernetes Engine**.
...@@ -91,14 +169,14 @@ client certificate is enabled. ...@@ -91,14 +169,14 @@ client certificate is enabled.
NOTE: **Note:** NOTE: **Note:**
Starting from [GitLab 12.1](https://gitlab.com/gitlab-org/gitlab-ce/issues/55902), all GKE clusters created by GitLab are RBAC enabled. Take a look at the [RBAC section](#rbac-cluster-resources) for more information. Starting from [GitLab 12.1](https://gitlab.com/gitlab-org/gitlab-ce/issues/55902), all GKE clusters created by GitLab are RBAC enabled. Take a look at the [RBAC section](#rbac-cluster-resources) for more information.
## Adding an existing Kubernetes cluster ### Add existing Kubernetes cluster
To add an existing Kubernetes cluster to your project: To add an existing Kubernetes cluster to your project:
1. Navigate to your project's **Operations > Kubernetes** page. 1. Navigate to your project's **Operations > Kubernetes** page.
NOTE: **Note:** NOTE: **Note:**
You need Maintainer [permissions] and above to access the Kubernetes page. You need Maintainer [permissions](../../permissions.md) and above to access the Kubernetes page.
1. Click **Add Kubernetes cluster**. 1. Click **Add Kubernetes cluster**.
1. Click **Add an existing Kubernetes cluster** and fill in the details: 1. Click **Add an existing Kubernetes cluster** and fill in the details:
...@@ -216,7 +294,36 @@ To add an existing Kubernetes cluster to your project: ...@@ -216,7 +294,36 @@ To add an existing Kubernetes cluster to your project:
After a couple of minutes, your cluster will be ready to go. You can now proceed After a couple of minutes, your cluster will be ready to go. You can now proceed
to install some [pre-defined applications](#installing-applications). to install some [pre-defined applications](#installing-applications).
## Security implications ### Enabling or disabling integration
After you have successfully added your cluster information, you can enable the
Kubernetes cluster integration:
1. Click the **Enabled/Disabled** switch
1. Hit **Save** for the changes to take effect
To disable the Kubernetes cluster integration, follow the same procedure.
### Removing integration
NOTE: **Note:**
You need Maintainer [permissions](../../permissions.md) and above to remove a Kubernetes cluster integration.
NOTE: **Note:**
When you remove a cluster, you only remove its relation to GitLab, not the
cluster itself. To remove the cluster, you can do so by visiting the GKE
dashboard or using `kubectl`.
To remove the Kubernetes cluster integration from your project, simply click the
**Remove integration** button. You will then be able to follow the procedure
and add a Kubernetes cluster again.
## Cluster configuration
This section covers important considerations for configuring Kubernetes
clusters with GitLab.
### Security implications
CAUTION: **Important:** CAUTION: **Important:**
The whole cluster security is based on a model where [developers](../../permissions.md) The whole cluster security is based on a model where [developers](../../permissions.md)
...@@ -227,7 +334,7 @@ functionalities needed to successfully build and deploy a containerized ...@@ -227,7 +334,7 @@ functionalities needed to successfully build and deploy a containerized
application. Bear in mind that the same credentials are used for all the application. Bear in mind that the same credentials are used for all the
applications running on the cluster. applications running on the cluster.
## GitLab-managed clusters ### GitLab-managed clusters
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011) in GitLab 11.5. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22011) in GitLab 11.5.
> Became [optional](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565) in GitLab 11.11. > Became [optional](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/26565) in GitLab 11.11.
...@@ -246,7 +353,7 @@ NOTE: **Note:** ...@@ -246,7 +353,7 @@ NOTE: **Note:**
If you [install applications](#installing-applications) on your cluster, GitLab will create If you [install applications](#installing-applications) on your cluster, GitLab will create
the resources required to run these even if you have chosen to manage your own cluster. the resources required to run these even if you have chosen to manage your own cluster.
## Base domain ### Base domain
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24580) in GitLab 11.8.
...@@ -264,7 +371,7 @@ you can either: ...@@ -264,7 +371,7 @@ you can either:
- Create an `A` record that points to the Ingress IP address with your domain provider. - Create an `A` record that points to the Ingress IP address with your domain provider.
- Enter a wildcard DNS address using a service such as nip.io or xip.io. For example, `192.168.1.1.xip.io`. - Enter a wildcard DNS address using a service such as nip.io or xip.io. For example, `192.168.1.1.xip.io`.
## Access controls ### Access controls
When creating a cluster in GitLab, you will be asked if you would like to create either: When creating a cluster in GitLab, you will be asked if you would like to create either:
...@@ -294,12 +401,12 @@ Helm will also create additional service accounts and other resources for each ...@@ -294,12 +401,12 @@ Helm will also create additional service accounts and other resources for each
installed application. Consult the documentation of the Helm charts for each application installed application. Consult the documentation of the Helm charts for each application
for details. for details.
If you are [adding an existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster), If you are [adding an existing Kubernetes cluster](#add-existing-kubernetes-cluster),
ensure the token of the account has administrator privileges for the cluster. ensure the token of the account has administrator privileges for the cluster.
The resources created by GitLab differ depending on the type of cluster. The resources created by GitLab differ depending on the type of cluster.
### ABAC cluster resources #### ABAC cluster resources
GitLab creates the following resources for ABAC clusters. GitLab creates the following resources for ABAC clusters.
...@@ -312,7 +419,7 @@ GitLab creates the following resources for ABAC clusters. ...@@ -312,7 +419,7 @@ GitLab creates the following resources for ABAC clusters.
| Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster | | Project namespace | `ServiceAccount` | Uses namespace of Project | Deploying to a cluster |
| Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster | | Project namespace | `Secret` | Token for project ServiceAccount | Deploying to a cluster |
### RBAC cluster resources #### RBAC cluster resources
GitLab creates the following resources for RBAC clusters. GitLab creates the following resources for RBAC clusters.
...@@ -330,11 +437,12 @@ GitLab creates the following resources for RBAC clusters. ...@@ -330,11 +437,12 @@ GitLab creates the following resources for RBAC clusters.
NOTE: **Note:** NOTE: **Note:**
Project-specific resources are only created if your cluster is [managed by GitLab](#gitlab-managed-clusters). Project-specific resources are only created if your cluster is [managed by GitLab](#gitlab-managed-clusters).
### Security of GitLab Runners #### Security of GitLab Runners
GitLab Runners have the [privileged mode](https://docs.gitlab.com/runner/executors/docker.html#the-privileged-mode) GitLab Runners have the [privileged mode](https://docs.gitlab.com/runner/executors/docker.html#the-privileged-mode)
enabled by default, which allows them to execute special commands and running enabled by default, which allows them to execute special commands and running
Docker in Docker. This functionality is needed to run some of the [Auto DevOps] Docker in Docker. This functionality is needed to run some of the
[Auto DevOps](../../../topics/autodevops/index.md)
jobs. This implies the containers are running in privileged mode and you should, jobs. This implies the containers are running in privileged mode and you should,
therefore, be aware of some important details. therefore, be aware of some important details.
...@@ -353,6 +461,69 @@ If you don't want to use GitLab Runner in privileged mode, either: ...@@ -353,6 +461,69 @@ If you don't want to use GitLab Runner in privileged mode, either:
1. Installing a Runner 1. Installing a Runner
[using `docker+machine`](https://docs.gitlab.com/runner/executors/docker_machine.html). [using `docker+machine`](https://docs.gitlab.com/runner/executors/docker_machine.html).
### Setting the environment scope **(PREMIUM)**
When adding more than one Kubernetes cluster to your project, you need to differentiate
them with an environment scope. The environment scope associates clusters with [environments](../../../ci/environments.md) similar to how the
[environment-specific variables](../../../ci/variables/README.md#limiting-environment-scopes-of-environment-variables-premium) work.
The default environment scope is `*`, which means all jobs, regardless of their
environment, will use that cluster. Each scope can only be used by a single
cluster in a project, and a validation error will occur if otherwise.
Also, jobs that don't have an environment keyword set will not be able to access any cluster.
For example, let's say the following Kubernetes clusters exist in a project:
| Cluster | Environment scope |
| ----------- | ----------------- |
| Development | `*` |
| Staging | `staging` |
| Production | `production` |
And the following environments are set in [`.gitlab-ci.yml`](../../../ci/yaml/README.md):
```yaml
stages:
- test
- deploy
test:
stage: test
script: sh test
deploy to staging:
stage: deploy
script: make deploy
environment:
name: staging
url: https://staging.example.com/
deploy to production:
stage: deploy
script: make deploy
environment:
name: production
url: https://example.com/
```
The result will then be:
- The development cluster will be used for the "test" job.
- The staging cluster will be used for the "deploy to staging" job.
- The production cluster will be used for the "deploy to production" job.
### Multiple Kubernetes clusters **(PREMIUM)**
> Introduced in [GitLab Premium](https://about.gitlab.com/pricing/) 10.3.
With GitLab Premium, you can associate more than one Kubernetes cluster to your
project. That way you can have different clusters for different environments,
like dev, staging, production, etc.
Simply add another cluster, like you did the first time, and make sure to
[set an environment scope](#setting-the-environment-scope-premium) that will
differentiate the new cluster with the rest.
## Installing applications ## Installing applications
GitLab can install and manage some applications in your project-level GitLab can install and manage some applications in your project-level
...@@ -360,7 +531,7 @@ cluster. For more information on installing, upgrading, uninstalling, ...@@ -360,7 +531,7 @@ cluster. For more information on installing, upgrading, uninstalling,
and troubleshooting applications for your project cluster, see and troubleshooting applications for your project cluster, see
[Gitlab Managed Apps](../../clusters/applications.md). [Gitlab Managed Apps](../../clusters/applications.md).
## Getting the external endpoint ### Getting the external endpoint
NOTE: **Note:** NOTE: **Note:**
With the following procedure, a load balancer must be installed in your cluster With the following procedure, a load balancer must be installed in your cluster
...@@ -371,7 +542,7 @@ to obtain the endpoint. You can use either ...@@ -371,7 +542,7 @@ to obtain the endpoint. You can use either
In order to publish your web application, you first need to find the endpoint which will be either an IP In order to publish your web application, you first need to find the endpoint which will be either an IP
address or a hostname associated with your load balancer. address or a hostname associated with your load balancer.
### Automatically determining the external endpoint #### Automatically determining the external endpoint
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17052) in GitLab 10.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17052) in GitLab 10.6.
...@@ -386,7 +557,7 @@ and your cluster runs on Google Kubernetes Engine: ...@@ -386,7 +557,7 @@ and your cluster runs on Google Kubernetes Engine:
If GitLab is still unable to determine the endpoint of your Ingress or Knative application, you can If GitLab is still unable to determine the endpoint of your Ingress or Knative application, you can
manually determine it by following the steps below. manually determine it by following the steps below.
### Manually determining the external endpoint #### Manually determining the external endpoint
If the cluster is on GKE, click the **Google Kubernetes Engine** link in the If the cluster is on GKE, click the **Google Kubernetes Engine** link in the
**Advanced settings**, or go directly to the **Advanced settings**, or go directly to the
...@@ -425,7 +596,7 @@ Otherwise, you can list the IP addresses of all load balancers: ...@@ -425,7 +596,7 @@ Otherwise, you can list the IP addresses of all load balancers:
kubectl get svc --all-namespaces -o jsonpath='{range.items[?(@.status.loadBalancer.ingress)]}{.status.loadBalancer.ingress[*].ip} ' kubectl get svc --all-namespaces -o jsonpath='{range.items[?(@.status.loadBalancer.ingress)]}{.status.loadBalancer.ingress[*].ip} '
``` ```
### Using a static IP #### Using a static IP
By default, an ephemeral external IP address is associated to the cluster's load By default, an ephemeral external IP address is associated to the cluster's load
balancer. If you associate the ephemeral IP with your DNS and the IP changes, balancer. If you associate the ephemeral IP with your DNS and the IP changes,
...@@ -435,79 +606,19 @@ reserved IP. ...@@ -435,79 +606,19 @@ reserved IP.
Read how to [promote an ephemeral external IP address in GKE](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#promote_ephemeral_ip). Read how to [promote an ephemeral external IP address in GKE](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#promote_ephemeral_ip).
### Pointing your DNS at the external endpoint #### Pointing your DNS at the external endpoint
Once you've set up the external endpoint, you should associate it with a [wildcard DNS Once you've set up the external endpoint, you should associate it with a [wildcard DNS
record](https://en.wikipedia.org/wiki/Wildcard_DNS_record) such as `*.example.com.` record](https://en.wikipedia.org/wiki/Wildcard_DNS_record) such as `*.example.com.`
in order to be able to reach your apps. If your external endpoint is an IP address, in order to be able to reach your apps. If your external endpoint is an IP address,
use an A record. If your external endpoint is a hostname, use a CNAME record. use an A record. If your external endpoint is a hostname, use a CNAME record.
## Multiple Kubernetes clusters **(PREMIUM)** ## Deploying to a Kubernetes cluster
> Introduced in [GitLab Premium][ee] 10.3. A Kubernetes cluster can be the destination for a deployment job, using
special [deployment variables](#deployment-variables).
With GitLab Premium, you can associate more than one Kubernetes clusters to your ### Deployment variables
project. That way you can have different clusters for different environments,
like dev, staging, production, etc.
Simply add another cluster, like you did the first time, and make sure to
[set an environment scope](#setting-the-environment-scope-premium) that will
differentiate the new cluster with the rest.
## Setting the environment scope **(PREMIUM)**
When adding more than one Kubernetes cluster to your project, you need to differentiate
them with an environment scope. The environment scope associates clusters with [environments](../../../ci/environments.md) similar to how the
[environment-specific variables](../../../ci/variables/README.md#limiting-environment-scopes-of-environment-variables-premium) work.
The default environment scope is `*`, which means all jobs, regardless of their
environment, will use that cluster. Each scope can only be used by a single
cluster in a project, and a validation error will occur if otherwise.
Also, jobs that don't have an environment keyword set will not be able to access any cluster.
---
For example, let's say the following Kubernetes clusters exist in a project:
| Cluster | Environment scope |
| ----------- | ----------------- |
| Development | `*` |
| Staging | `staging` |
| Production | `production` |
And the following environments are set in [`.gitlab-ci.yml`](../../../ci/yaml/README.md):
```yaml
stages:
- test
- deploy
test:
stage: test
script: sh test
deploy to staging:
stage: deploy
script: make deploy
environment:
name: staging
url: https://staging.example.com/
deploy to production:
stage: deploy
script: make deploy
environment:
name: production
url: https://example.com/
```
The result will then be:
- The development cluster will be used for the "test" job.
- The staging cluster will be used for the "deploy to staging" job.
- The production cluster will be used for the "deploy to production" job.
## Deployment variables
The Kubernetes cluster integration exposes the following The Kubernetes cluster integration exposes the following
[deployment variables](../../../ci/variables/README.md#deployment-environment-variables) in the [deployment variables](../../../ci/variables/README.md#deployment-environment-variables) in the
...@@ -527,7 +638,7 @@ NOTE: **NOTE:** ...@@ -527,7 +638,7 @@ NOTE: **NOTE:**
Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main
service account of the cluster integration. service account of the cluster integration.
### Troubleshooting failed deployment jobs ### Troubleshooting
Before the deployment jobs starts, GitLab creates the following specifically for Before the deployment jobs starts, GitLab creates the following specifically for
the deployment job: the deployment job:
...@@ -559,105 +670,8 @@ namespaces and service accounts yourself. ...@@ -559,105 +670,8 @@ namespaces and service accounts yourself.
## Monitoring your Kubernetes cluster **(ULTIMATE)** ## Monitoring your Kubernetes cluster **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4701) in [GitLab Ultimate][ee] 10.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4701) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.6.
When [Prometheus is deployed](#installing-applications), GitLab will automatically monitor the cluster's health. At the top of the cluster settings page, CPU and Memory utilization is displayed, along with the total amount available. Keeping an eye on cluster resources can be important, if the cluster runs out of memory pods may be shutdown or fail to start. When [Prometheus is deployed](#installing-applications), GitLab will automatically monitor the cluster's health. At the top of the cluster settings page, CPU and Memory utilization is displayed, along with the total amount available. Keeping an eye on cluster resources can be important, if the cluster runs out of memory pods may be shutdown or fail to start.
![Cluster Monitoring](img/k8s_cluster_monitoring.png) ![Cluster Monitoring](img/k8s_cluster_monitoring.png)
## Enabling or disabling the Kubernetes cluster integration
After you have successfully added your cluster information, you can enable the
Kubernetes cluster integration:
1. Click the **Enabled/Disabled** switch
1. Hit **Save** for the changes to take effect
You can now start using your Kubernetes cluster for your deployments.
To disable the Kubernetes cluster integration, follow the same procedure.
## Removing the Kubernetes cluster integration
NOTE: **Note:**
You need Maintainer [permissions] and above to remove a Kubernetes cluster integration.
NOTE: **Note:**
When you remove a cluster, you only remove its relation to GitLab, not the
cluster itself. To remove the cluster, you can do so by visiting the GKE
dashboard or using `kubectl`.
To remove the Kubernetes cluster integration from your project, simply click the
**Remove integration** button. You will then be able to follow the procedure
and add a Kubernetes cluster again.
## What you can get with the Kubernetes integration
Here's what you can do with GitLab if you enable the Kubernetes integration.
### Deploy Boards **(PREMIUM)**
GitLab's Deploy Boards offer a consolidated view of the current health and
status of each CI [environment](../../../ci/environments.md) running on Kubernetes,
displaying the status of the pods in the deployment. Developers and other
teammates can view the progress and status of a rollout, pod by pod, in the
workflow they already use without any need to access Kubernetes.
[Read more about Deploy Boards](../deploy_boards.md)
### Canary Deployments **(PREMIUM)**
Leverage [Kubernetes' Canary deployments](https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments)
and visualize your canary deployments right inside the Deploy Board, without
the need to leave GitLab.
[Read more about Canary Deployments](../canary_deployments.md)
### Pod logs **(ULTIMATE)**
GitLab makes it easy to view the logs of running pods in connected Kubernetes clusters. By displaying the logs directly in GitLab, developers can avoid having to manage console tools or jump to a different interface.
[Read more about Kubernetes pod logs](kubernetes_pod_logs.md)
### Kubernetes monitoring
Automatically detect and monitor Kubernetes metrics. Automatic monitoring of
[NGINX ingress](../integrations/prometheus_library/nginx.md) is also supported.
[Read more about Kubernetes monitoring](../integrations/prometheus_library/kubernetes.md)
### Auto DevOps
Auto DevOps automatically detects, builds, tests, deploys, and monitors your
applications.
To make full use of Auto DevOps(Auto Deploy, Auto Review Apps, and Auto Monitoring)
you will need the Kubernetes project integration enabled.
[Read more about Auto DevOps](../../../topics/autodevops/index.md)
### Web terminals
NOTE: **Note:**
Introduced in GitLab 8.15. You must be the project owner or have `maintainer` permissions
to use terminals. Support is limited to the first container in the
first pod of your environment.
When enabled, the Kubernetes service adds [web terminal](../../../ci/environments.md#web-terminals)
support to your [environments](../../../ci/environments.md). This is based on the `exec` functionality found in
Docker and Kubernetes, so you get a new shell session within your existing
containers. To use this integration, you should deploy to Kubernetes using
the deployment variables above, ensuring any pods you create are labelled with
`app=$CI_ENVIRONMENT_SLUG`. GitLab will do the rest!
### Integrating Amazon EKS cluster with GitLab
- Learn how to [connect and deploy to an Amazon EKS cluster](eks_and_gitlab/index.md).
### Serverless
- [Run serverless workloads on Kubernetes with Knative.](serverless/index.md)
[permissions]: ../../permissions.md
[ee]: https://about.gitlab.com/pricing/
[Auto DevOps]: ../../../topics/autodevops/index.md
doc/user/project/clusters/runbooks/index.md
View file @ ee8db2cd
...@@ -35,7 +35,7 @@ for an overview of how this is accomplished in GitLab!** ...@@ -35,7 +35,7 @@ for an overview of how this is accomplished in GitLab!**
To create an executable runbook, you will need: To create an executable runbook, you will need:
1. **Kubernetes** - A Kubernetes cluster is required to deploy the rest of the applications. 1. **Kubernetes** - A Kubernetes cluster is required to deploy the rest of the applications.
The simplest way to get started is to add a cluster using [GitLab's GKE integration](../index.md#adding-and-creating-a-new-gke-cluster-via-gitlab). The simplest way to get started is to add a cluster using [GitLab's GKE integration](../index.md#add-new-gke-cluster).
1. **Helm Tiller** - Helm is a package manager for Kubernetes and is required to install 1. **Helm Tiller** - Helm is a package manager for Kubernetes and is required to install
all the other applications. It is installed in its own pod inside the cluster which all the other applications. It is installed in its own pod inside the cluster which
can run the helm CLI in a safe environment. can run the helm CLI in a safe environment.
...@@ -60,7 +60,7 @@ the components outlined above and the preloaded demo runbook. ...@@ -60,7 +60,7 @@ the components outlined above and the preloaded demo runbook.
### 1. Add a Kubernetes cluster ### 1. Add a Kubernetes cluster
Follow the steps outlined in [Adding and creating a new GKE cluster via GitLab](../index.md#adding-and-creating-a-new-gke-cluster-via-gitlab) Follow the steps outlined in [Add new GKE cluster](../index.md#add-new-gke-cluster)
to add a Kubernetes cluster to your project. to add a Kubernetes cluster to your project.
### 2. Install Helm Tiller, Ingress, and JupyterHub ### 2. Install Helm Tiller, Ingress, and JupyterHub
......
doc/user/project/clusters/serverless/index.md
View file @ ee8db2cd
...@@ -28,7 +28,7 @@ To run Knative on Gitlab, you will need: ...@@ -28,7 +28,7 @@ To run Knative on Gitlab, you will need:
- If you are planning on deploying a serverless application, clone the sample [Knative Ruby App](https://gitlab.com/knative-examples/knative-ruby-app) to get started. - If you are planning on deploying a serverless application, clone the sample [Knative Ruby App](https://gitlab.com/knative-examples/knative-ruby-app) to get started.
1. **Kubernetes Cluster:** An RBAC-enabled Kubernetes cluster is required to deploy Knative. 1. **Kubernetes Cluster:** An RBAC-enabled Kubernetes cluster is required to deploy Knative.
The simplest way to get started is to add a cluster using [GitLab's GKE integration](../index.md#adding-and-creating-a-new-gke-cluster-via-gitlab). The simplest way to get started is to add a cluster using [GitLab's GKE integration](../index.md#add-new-gke-cluster).
The set of minimum recommended cluster specifications to run Knative is 3 nodes, 6 vCPUs, and 22.50 GB memory. The set of minimum recommended cluster specifications to run Knative is 3 nodes, 6 vCPUs, and 22.50 GB memory.
1. **Helm Tiller:** Helm is a package manager for Kubernetes and is required to install 1. **Helm Tiller:** Helm is a package manager for Kubernetes and is required to install
Knative. Knative.
...@@ -96,7 +96,8 @@ cluster which already has Knative installed. ...@@ -96,7 +96,8 @@ cluster which already has Knative installed.
You must do the following: You must do the following:
1. Follow the steps to 1. Follow the steps to
[add an existing Kubernetes cluster](../index.md#adding-an-existing-kubernetes-cluster). [add an existing Kubernetes
cluster](../index.md#add-existing-kubernetes-cluster).
1. Ensure GitLab can manage Knative: 1. Ensure GitLab can manage Knative:
- For a non-GitLab managed cluster, ensure that the service account for the token - For a non-GitLab managed cluster, ensure that the service account for the token
......
doc/user/project/container_registry.md
View file @ ee8db2cd
# GitLab Container Registry # GitLab Container Registry
> **Notes:**
>
> - [Introduced][ce-4040] in GitLab 8.8. > - [Introduced][ce-4040] in GitLab 8.8.
> - Docker Registry manifest `v1` support was added in GitLab 8.9 to support Docker > - Docker Registry manifest `v1` support was added in GitLab 8.9 to support Docker
> versions earlier than 1.10. > versions earlier than 1.10.
> - This document is about the user guide. To learn how to enable GitLab Container
> Registry across your GitLab instance, visit the
> [administrator documentation](../../administration/container_registry.md).
> - Starting from GitLab 8.12, if you have 2FA enabled in your account, you need > - Starting from GitLab 8.12, if you have 2FA enabled in your account, you need
> to pass a [personal access token][pat] instead of your password in order to > to pass a [personal access token][pat] instead of your password in order to
> login to GitLab's Container Registry. > login to GitLab's Container Registry.
...@@ -16,28 +11,33 @@ ...@@ -16,28 +11,33 @@
With the Docker Container Registry integrated into GitLab, every project can With the Docker Container Registry integrated into GitLab, every project can
have its own space to store its Docker images. have its own space to store its Docker images.
This document is the user guide. To learn how to enable GitLab Container
Registry across your GitLab instance, visit the
[administrator documentation](../../administration/container_registry.md).
You can read more about Docker Registry at <https://docs.docker.com/registry/introduction/>. You can read more about Docker Registry at <https://docs.docker.com/registry/introduction/>.
## Enable the Container Registry for your project ## Enable the Container Registry for your project
NOTE: **Note:** If you cannot find the **Packages > Container Registry** entry under your
If you cannot find the Container Registry entry under your project's settings, project's sidebar, it is not enabled in your GitLab instance. Ask your
that means that it is not enabled in your GitLab instance. Ask your administrator administrator to enable GitLab Container Registry following the
to enable it. [administration documentation](../../administration/container_registry.md).
1. First, ask your system administrator to enable GitLab Container Registry If you are using GitLab.com, this is enabled by default so you can start using
following the [administration documentation](../../administration/container_registry.md). the Registry immediately. Currently there is a soft (10GB) size restriction for
If you are using GitLab.com, this is enabled by default so you can start using registry on GitLab.com, as part of the [repository size limit](repository/index.md).
the Registry immediately. Currently there is a soft (10GB) size restriction for
registry on GitLab.com, as part of the [repository size limit](repository/index.md). Once enabled for your GitLab instance, to enable Container Registry for your
1. Go to your [project's General settings](settings/index.md#sharing-and-permissions) project:
1. Go to your project's **Settings > General** page.
1. Expand the **Visibility, project features, permissions** section
and enable the **Container Registry** feature on your project. For new and enable the **Container Registry** feature on your project. For new
projects this might be enabled by default. For existing projects projects this might be enabled by default. For existing projects
(prior GitLab 8.8), you will have to explicitly enable it. (prior GitLab 8.8), you will have to explicitly enable it.
1. Hit **Save changes** for the changes to take effect. You should now be able 1. Press **Save changes** for the changes to take effect. You should now be able
to see the **Registry** link in the sidebar. to see the **Packages > Container Registry** link in the sidebar.
![Container Registry](img/container_registry.png)
## Build and push images ## Build and push images
...@@ -49,14 +49,14 @@ to enable it. ...@@ -49,14 +49,14 @@ to enable it.
> - To move or rename a repository with a container registry you will have to > - To move or rename a repository with a container registry you will have to
> delete all existing images. > delete all existing images.
If you visit the **Registry** link under your project's menu, you can see the If you visit the **Packages > Container Registry** link under your project's
explicit instructions to login to the Container Registry using your GitLab menu, you can see the explicit instructions to login to the Container Registry
credentials. using your GitLab credentials.
For example if the Registry's URL is `registry.example.com`, then you should be For example if the Registry's URL is `registry.example.com`, then you should be
able to login with: able to login with:
``` ```sh
docker login registry.example.com docker login registry.example.com
``` ```
...@@ -64,14 +64,14 @@ Building and publishing images should be a straightforward process. Just make ...@@ -64,14 +64,14 @@ Building and publishing images should be a straightforward process. Just make
sure that you are using the Registry URL with the namespace and project name sure that you are using the Registry URL with the namespace and project name
that is hosted on GitLab: that is hosted on GitLab:
``` ```sh
docker build -t registry.example.com/group/project/image . docker build -t registry.example.com/group/project/image .
docker push registry.example.com/group/project/image docker push registry.example.com/group/project/image
``` ```
Your image will be named after the following scheme: Your image will be named after the following scheme:
``` ```text
<registry URL>/<namespace>/<project>/<image> <registry URL>/<namespace>/<project>/<image>
``` ```
...@@ -79,7 +79,7 @@ GitLab supports up to three levels of image repository names. ...@@ -79,7 +79,7 @@ GitLab supports up to three levels of image repository names.
Following examples of image tags are valid: Following examples of image tags are valid:
``` ```text
registry.example.com/group/project:some-tag registry.example.com/group/project:some-tag
registry.example.com/group/project/image:latest registry.example.com/group/project/image:latest
registry.example.com/group/project/my/image:rc1 registry.example.com/group/project/my/image:rc1
...@@ -90,7 +90,7 @@ registry.example.com/group/project/my/image:rc1 ...@@ -90,7 +90,7 @@ registry.example.com/group/project/my/image:rc1
To download and run a container from images hosted in GitLab Container Registry, To download and run a container from images hosted in GitLab Container Registry,
use `docker run`: use `docker run`:
``` ```sh
docker run [options] registry.example.com/group/project/image [arguments] docker run [options] registry.example.com/group/project/image [arguments]
``` ```
...@@ -100,7 +100,7 @@ For more information on running Docker containers, visit the ...@@ -100,7 +100,7 @@ For more information on running Docker containers, visit the
## Control Container Registry from within GitLab ## Control Container Registry from within GitLab
GitLab offers a simple Container Registry management panel. Go to your project GitLab offers a simple Container Registry management panel. Go to your project
and click **Registry** in the project menu. and click **Packages > Container Registry** in the project menu.
This view will show you all tags in your project and will easily allow you to This view will show you all tags in your project and will easily allow you to
delete them. delete them.
...@@ -173,9 +173,9 @@ curl localhost:5001/debug/vars ...@@ -173,9 +173,9 @@ curl localhost:5001/debug/vars
A Docker connection error can occur when there are special characters in either the group, A Docker connection error can occur when there are special characters in either the group,
project or branch name. Special characters can include: project or branch name. Special characters can include:
* Leading underscore - Leading underscore
* Trailing hyphen/dash - Trailing hyphen/dash
* Double hyphen/dash - Double hyphen/dash
To get around this, you can [change the group path](../group/index.md#changing-a-groups-path), To get around this, you can [change the group path](../group/index.md#changing-a-groups-path),
[change the project path](../project/settings/index.md#renaming-a-repository) or chanage the branch [change the project path](../project/settings/index.md#renaming-a-repository) or chanage the branch
...@@ -183,7 +183,8 @@ name. ...@@ -183,7 +183,8 @@ name.
### Advanced Troubleshooting ### Advanced Troubleshooting
>**NOTE:** The following section is only recommended for experts. NOTE: **Note:**
The following section is only recommended for experts.
Sometimes it's not obvious what is wrong, and you may need to dive deeper into Sometimes it's not obvious what is wrong, and you may need to dive deeper into
the communication between the Docker client and the Registry to find out the communication between the Docker client and the Registry to find out
...@@ -195,7 +196,7 @@ diagnose a problem with the S3 setup. ...@@ -195,7 +196,7 @@ diagnose a problem with the S3 setup.
A user attempted to enable an S3-backed Registry. The `docker login` step went A user attempted to enable an S3-backed Registry. The `docker login` step went
fine. However, when pushing an image, the output showed: fine. However, when pushing an image, the output showed:
``` ```text
The push refers to a repository [s3-testing.myregistry.com:4567/root/docker-test/docker-image] The push refers to a repository [s3-testing.myregistry.com:4567/root/docker-test/docker-image]
dc5e59c14160: Pushing [==================================================>] 14.85 kB dc5e59c14160: Pushing [==================================================>] 14.85 kB
03c20c1a019a: Pushing [==================================================>] 2.048 kB 03c20c1a019a: Pushing [==================================================>] 2.048 kB
......
scripts/review_apps/review-apps.sh
View file @ ee8db2cd
...@@ -69,7 +69,6 @@ function get_pod() { ...@@ -69,7 +69,6 @@ function get_pod() {
break break
fi fi
printf "."
let "elapsed_seconds+=interval" let "elapsed_seconds+=interval"
sleep ${interval} sleep ${interval}
done done
...@@ -360,7 +359,6 @@ function wait_for_review_app_to_be_accessible() { ...@@ -360,7 +359,6 @@ function wait_for_review_app_to_be_accessible() {
break break
fi fi
printf "."
let "elapsed_seconds+=interval" let "elapsed_seconds+=interval"
sleep ${interval} sleep ${interval}
done done
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7