debian-mirror-gitlab/doc/user/clusters/agent/index.md

657 lines
28 KiB
Markdown
Raw Normal View History

2020-11-24 15:15:51 +05:30
---
stage: Configure
group: Configure
2021-02-22 17:27:13 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-11-24 15:15:51 +05:30
---
2021-04-29 21:17:54 +05:30
# GitLab Kubernetes Agent **(PREMIUM)**
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223061) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.4.
2021-04-17 20:07:23 +05:30
> - [In GitLab 13.10](https://gitlab.com/gitlab-org/gitlab/-/issues/300960), KAS became available on GitLab.com under `wss://kas.gitlab.com` through an Early Adopter Program.
2021-04-29 21:17:54 +05:30
> - Introduced in GitLab 13.11, the GitLab Kubernetes Agent became available to every project on GitLab.com.
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
The [GitLab Kubernetes Agent](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent)
is an active in-cluster component for solving GitLab and Kubernetes integration
tasks in a secure and cloud-native way. It enables:
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
- Integrating GitLab with a Kubernetes cluster behind a firewall or NAT
(network address translation).
- Pull-based GitOps deployments by leveraging the
[GitOps Engine](https://github.com/argoproj/gitops-engine).
2021-03-08 18:12:59 +05:30
- Real-time access to API endpoints in a cluster.
2021-04-17 20:07:23 +05:30
- Alert generation based on [Container network policy](../../application_security/threat_monitoring/index.md#container-network-policy).
2020-11-24 15:15:51 +05:30
2021-03-08 18:12:59 +05:30
Many more features are planned. Please review [our roadmap](https://gitlab.com/groups/gitlab-org/-/epics/3329)
and [our development documentation](../../../development/agent/index.md).
2020-11-24 15:15:51 +05:30
2021-01-29 00:20:46 +05:30
## GitLab Agent GitOps workflow
2020-11-24 15:15:51 +05:30
2021-01-29 00:20:46 +05:30
The GitLab Agent uses multiple GitLab projects to provide a flexible workflow
that can suit various needs. This diagram shows these repositories and the main
actors involved in a deployment:
2020-11-24 15:15:51 +05:30
```mermaid
sequenceDiagram
participant D as Developer
participant A as Application code repository
participant M as Manifest repository
2021-04-17 20:07:23 +05:30
participant K as Kubernetes Agent
2020-11-24 15:15:51 +05:30
participant C as Agent configuration repository
K->C: Grab the configuration
D->>+A: Pushing code changes
A->>M: Updating manifest
loop Regularly
K-->>M: Watching changes
M-->>K: Pulling and applying changes
end
```
There are several components that work in concert for the Agent to accomplish GitOps deployments:
2021-04-17 20:07:23 +05:30
- A properly-configured Kubernetes cluster where the Agent is running.
2021-01-03 14:25:43 +05:30
- A configuration repository that contains a `config.yaml` file, which tells the
2021-04-17 20:07:23 +05:30
Agent which repositories to synchronize with the cluster.
- A manifest repository that contains manifest files. Any changes to manifest files are applied to the cluster.
2020-11-24 15:15:51 +05:30
2021-04-17 20:07:23 +05:30
You can use the same GitLab project or separate projects for configuration and manifest files, as follows:
2021-01-29 00:20:46 +05:30
2021-04-17 20:07:23 +05:30
- Single GitLab project (recommended): when you use a single repository to hold both the manifest and the configuration files, these projects can be either private or public, as you prefer.
2021-06-08 01:23:25 +05:30
- Two GitLab projects: when you opt to use two different GitLab projects, one for manifest files, and another for configuration files, the manifests project must be public, while the configuration project can be either private or public. Our backlog contains issues for adding support for
2021-02-22 17:27:13 +05:30
[private manifest repositories outside of the configuration project](https://gitlab.com/gitlab-org/gitlab/-/issues/220912) and
2021-04-17 20:07:23 +05:30
[group level agents](https://gitlab.com/gitlab-org/gitlab/-/issues/283885) in the future.
2021-02-22 17:27:13 +05:30
2021-01-29 00:20:46 +05:30
For more details, please refer to our [full architecture documentation](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/architecture.md#high-level-architecture) in the Agent project.
## Get started with GitOps and the GitLab Agent
2021-01-03 14:25:43 +05:30
The setup process involves a few steps to enable GitOps deployments:
2020-11-24 15:15:51 +05:30
2021-04-29 21:17:54 +05:30
1. [Set up the Kubernetes Agent Server](#set-up-the-kubernetes-agent-server) for your GitLab instance.
2021-01-29 00:20:46 +05:30
1. [Define a configuration repository](#define-a-configuration-repository).
1. [Create an Agent record in GitLab](#create-an-agent-record-in-gitlab).
1. [Generate and copy a Secret token used to connect to the Agent](#create-the-kubernetes-secret).
1. [Install the Agent into the cluster](#install-the-agent-into-the-cluster).
2021-04-17 20:07:23 +05:30
1. [Create manifest files](#create-manifest-files).
2021-01-29 00:20:46 +05:30
### Upgrades and version compatibility
As the GitLab Kubernetes Agent is a new product, we are constantly adding new features
to it. As a result, while shipped features are production ready, its internal API is
neither stable nor versioned yet. For this reason, GitLab only guarantees compatibility
between corresponding major.minor (X.Y) versions of GitLab and its cluster side
component, `agentk`.
2021-04-29 21:17:54 +05:30
Upgrade your agent installations together with GitLab upgrades. To decide which version of `agentk` to install follow:
2021-01-29 00:20:46 +05:30
2021-04-17 20:07:23 +05:30
1. Open the [`GITLAB_KAS_VERSION`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_KAS_VERSION) file from the GitLab Repository, which contains the latest `agentk` version associated with the `master` branch.
2021-01-29 00:20:46 +05:30
1. Change the `master` branch and select the Git tag associated with your version. For instance, you could change it to GitLab [v13.5.3-ee release](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.5.3-ee/GITLAB_KAS_VERSION)
2020-11-24 15:15:51 +05:30
2021-02-22 17:27:13 +05:30
The available `agentk` and `kas` versions can be found in
[the container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/).
2020-11-24 15:15:51 +05:30
2021-04-29 21:17:54 +05:30
### Set up the Kubernetes Agent Server
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3834) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.10, the GitLab Kubernetes Agent Server (KAS) became available on GitLab.com under `wss://kas.gitlab.com`.
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
To use the KAS:
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
- If you are a self-managed user, follow the instructions to [install the Kubernetes Agent Server](../../../administration/clusters/kas.md).
- If you are a GitLab.com user, when you [set up the configuration repository](#define-a-configuration-repository) for your agent, use `wss://kas.gitlab.com` as the `--kas-address`.
2021-04-17 20:07:23 +05:30
2021-01-03 14:25:43 +05:30
### Define a configuration repository
2020-11-24 15:15:51 +05:30
2021-06-08 01:23:25 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7, the Agent manifest configuration can be added to multiple directories (or subdirectories) of its repository.
To configure an Agent, you need:
1. A GitLab repository to hold the configuration file.
1. Install the Agent in a cluster.
After installed, when you update the configuration file, GitLab transmits the
information to the cluster automatically without downtime.
In your repository, add the Agent configuration file under:
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
```plaintext
.gitlab/agents/<agent-name>/config.yaml
```
2020-11-24 15:15:51 +05:30
2021-06-08 01:23:25 +05:30
Your `config.yaml` file specifies all configurations of the Agent, such as:
- The manifest projects to synchronize.
- The address of the `hubble-relay` for the Network Security policy integrations.
As an example, a minimal Agent configuration that sets up only the manifest
synchronizations is:
2021-01-29 00:20:46 +05:30
```yaml
gitops:
manifest_projects:
2021-06-08 01:23:25 +05:30
- id: "path-to/your-manifest-project-1"
paths:
- glob: '/**/*.{yaml,yml,json}'
2021-01-29 00:20:46 +05:30
```
2021-06-08 01:23:25 +05:30
All the options for the [Kubernetes Agent configuration repository](repository.md) are documented separately.
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
### Create an Agent record in GitLab
2020-11-24 15:15:51 +05:30
2021-04-29 21:17:54 +05:30
Next, create a GitLab Rails Agent record to associate it with
2021-01-03 14:25:43 +05:30
the configuration repository project. Creating this record also creates a Secret needed to configure
2021-04-29 21:17:54 +05:30
the Agent in subsequent steps. You can create an Agent record with GraphQL:
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
```graphql
2020-11-24 15:15:51 +05:30
mutation createAgent {
2021-01-29 00:20:46 +05:30
# agent-name should be the same as specified above in the config.yaml
createClusterAgent(input: { projectPath: "path-to/your-configuration-project", name: "<agent-name>" }) {
2020-11-24 15:15:51 +05:30
clusterAgent {
id
name
}
errors
}
}
mutation createToken {
2021-04-17 20:07:23 +05:30
clusterAgentTokenCreate(
input: {
clusterAgentId: "<cluster-agent-id-taken-from-the-previous-mutation>"
description: "<optional-description-of-token>"
name: "<required-name-given-to-token>"
}
) {
2020-11-24 15:15:51 +05:30
secret # This is the value you need to use on the next step
token {
createdAt
id
}
errors
}
}
2021-01-03 14:25:43 +05:30
```
2020-11-24 15:15:51 +05:30
2021-06-08 01:23:25 +05:30
WARNING:
GraphQL only displays the token and ids **one time** after creating it. Make sure to write down the `secret`, `clusterAgentId`, and `clusterAgentTokenId`; you'll need them later.
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
If you are new to using the GitLab GraphQL API, refer to the
[Getting started with the GraphQL API page](../../../api/graphql/getting_started.md),
or the [GraphQL Explorer](https://gitlab.com/-/graphql-explorer).
2020-11-24 15:15:51 +05:30
2021-04-17 20:07:23 +05:30
### Install the Agent into the cluster
2021-04-29 21:17:54 +05:30
To install the in-cluster component of the Agent, first you need to define a namespace. To create a new namespace,
for example, `gitlab-kubernetes-agent`, run:
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
```shell
kubectl create namespace gitlab-kubernetes-agent
```
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
To perform a one-liner installation, run the command below. Make sure to replace:
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
- `your-agent-token` with the token received from the previous step.
- `gitlab-kubernetes-agent` with the namespace you defined in the previous step.
- `wss://kas.gitlab.example.com` with the configured access of the Kubernetes Agent Server (KAS). For GitLab.com users, the KAS is available under `wss://kas.gitlab.com`.
2021-04-17 20:07:23 +05:30
```shell
2021-04-29 21:17:54 +05:30
docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --agent-token=your-agent-token --kas-address=wss://kas.gitlab.example.com --agent-version stable --namespace gitlab-kubernetes-agent | kubectl apply -f -
2021-04-17 20:07:23 +05:30
```
2021-04-29 21:17:54 +05:30
Set `--agent-version` to the latest released patch version matching your
GitLab installation's major and minor versions. For example, if you have
GitLab v13.9.0, set `--agent-version=v13.9.1`.
WARNING:
Version `stable` can be used to refer to the latest stable release at the time when the command runs. It's fine for
testing purposes but for production please make sure to specify a matching version explicitly.
2021-04-17 20:07:23 +05:30
To find out the various options the above Docker container supports, run:
```shell
2021-04-29 21:17:54 +05:30
docker run --pull=always --rm registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/cli:stable generate --help
2021-04-17 20:07:23 +05:30
```
#### Advanced installation
For more advanced configurations, we recommend to use [the `kpt` based installation method](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/tree/master/build/deployment/gitlab-agent).
2021-06-08 01:23:25 +05:30
Otherwise, follow the manual installation steps described below.
2021-04-17 20:07:23 +05:30
##### Create the Kubernetes secret
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
After generating the token, you must apply it to the Kubernetes cluster.
2020-11-24 15:15:51 +05:30
2021-04-29 21:17:54 +05:30
To create your Secret, run:
2021-01-03 14:25:43 +05:30
2021-04-29 21:17:54 +05:30
```shell
2021-06-08 01:23:25 +05:30
kubectl create secret generic -n gitlab-kubernetes-agent gitlab-kubernetes-agent-token --from-literal=token='YOUR_AGENT_TOKEN'
2021-04-29 21:17:54 +05:30
```
2020-11-24 15:15:51 +05:30
2021-04-17 20:07:23 +05:30
The following example file contains the
2021-01-03 14:25:43 +05:30
Kubernetes resources required for the Agent to be installed. You can modify this
example [`resources.yml` file](#example-resourcesyml-file) in the following ways:
2021-06-08 01:23:25 +05:30
- Replace `namespace: gitlab-kubernetes-agent` with `namespace: <YOUR-DESIRED-NAMESPACE>`.
2021-01-29 00:20:46 +05:30
- You can configure `kas-address` (Kubernetes Agent Server) in several ways.
The agent can use the WebSockets or gRPC protocols to connect to the Agent Server.
Select the option appropriate for your cluster configuration and GitLab architecture:
- The `wss` scheme (an encrypted WebSockets connection) is specified by default
2021-02-22 17:27:13 +05:30
after you install the `gitlab-kas` sub-chart, or enable `gitlab-kas` for Omnibus GitLab.
When using the sub-chart, you must set `wss://kas.host.tld:443` as
`kas-address`, where `host.tld` is the domain you've setup for your GitLab installation.
2021-04-17 20:07:23 +05:30
When using Omnibus GitLab, you must set `wss://GitLab.host.tld:443/-/kubernetes-agent/` as
2021-01-29 00:20:46 +05:30
`kas-address`, where `GitLab.host.tld` is your GitLab hostname.
2021-02-22 17:27:13 +05:30
- When using the sub-chart, specify the `ws` scheme (such as `ws://kas.host.tld:80`)
2021-01-29 00:20:46 +05:30
to use an unencrypted WebSockets connection.
2021-04-29 21:17:54 +05:30
When using the Omnibus GitLab, specify the `ws` scheme (such as `ws://GitLab.host.tld:80/-/kubernetes-agent/`).
2021-01-29 00:20:46 +05:30
- Specify the `grpc` scheme if both Agent and Server are installed in one cluster.
In this case, you may specify `kas-address` value as
2021-06-08 01:23:25 +05:30
`grpc://gitlab-kas.<your-namespace>:8150`) to use gRPC directly, where `gitlab-kas`
2021-01-29 00:20:46 +05:30
is the name of the service created by `gitlab-kas` chart, and `your-namespace`
is the namespace where the chart was installed. Encrypted gRPC is not supported yet.
Follow the
2021-01-03 14:25:43 +05:30
[Support TLS for gRPC communication issue](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/7)
for progress updates.
2021-02-22 17:27:13 +05:30
- When deploying KAS through the [GitLab chart](https://docs.gitlab.com/charts/), it's possible to customize the `kas-address` for `wss` and `ws` schemes to whatever you need.
2021-03-08 18:12:59 +05:30
Check the [chart's KAS Ingress documentation](https://docs.gitlab.com/charts/charts/gitlab/kas/#ingress)
2021-02-22 17:27:13 +05:30
to learn more about it.
2021-04-29 21:17:54 +05:30
- In the near future, Omnibus GitLab intends to provision `gitlab-kas` under a sub-domain by default, instead of the `/-/kubernetes-agent/` path. Please follow [this issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784) for details.
2021-06-08 01:23:25 +05:30
- If you defined your own secret name, replace `gitlab-kubernetes-agent-token` with your
2021-01-29 00:20:46 +05:30
secret name in the `secretName:` section.
2021-01-03 14:25:43 +05:30
To apply this file, run the following command:
2020-11-24 15:15:51 +05:30
```shell
2021-06-08 01:23:25 +05:30
kubectl apply -n gitlab-kubernetes-agent -f ./resources.yml
2020-11-24 15:15:51 +05:30
```
2021-01-03 14:25:43 +05:30
To review your configuration, run the following command:
2020-11-24 15:15:51 +05:30
2021-01-03 14:25:43 +05:30
```shell
2021-06-08 01:23:25 +05:30
$ kubectl get pods -n gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
2021-06-08 01:23:25 +05:30
NAMESPACE NAME READY STATUS RESTARTS AGE
gitlab-kubernetes-agent gitlab-kubernetes-agent-77689f7dcb-5skqk 1/1 Running 0 51s
2021-01-03 14:25:43 +05:30
```
2020-11-24 15:15:51 +05:30
2021-04-17 20:07:23 +05:30
##### Example `resources.yml` file
2020-11-24 15:15:51 +05:30
```yaml
2021-06-08 01:23:25 +05:30
---
apiVersion: v1
kind: Namespace
metadata:
name: gitlab-kubernetes-agent
---
2020-11-24 15:15:51 +05:30
apiVersion: v1
kind: ServiceAccount
metadata:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
---
apiVersion: apps/v1
kind: Deployment
metadata:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
spec:
replicas: 1
selector:
matchLabels:
2021-06-08 01:23:25 +05:30
app: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
template:
metadata:
labels:
2021-06-08 01:23:25 +05:30
app: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
spec:
2021-06-08 01:23:25 +05:30
serviceAccountName: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
containers:
- name: agent
2021-04-29 21:17:54 +05:30
# Make sure to specify a matching version for production
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:stable"
2020-11-24 15:15:51 +05:30
args:
- --token-file=/config/token
- --kas-address
2021-06-08 01:23:25 +05:30
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
2021-04-17 20:07:23 +05:30
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
2021-06-08 01:23:25 +05:30
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
2020-11-24 15:15:51 +05:30
volumeMounts:
- name: token-volume
mountPath: /config
volumes:
- name: token-volume
secret:
2021-06-08 01:23:25 +05:30
secretName: gitlab-kubernetes-agent-token
2020-11-24 15:15:51 +05:30
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent-write
2020-11-24 15:15:51 +05:30
rules:
- resources:
- '*'
apiGroups:
- '*'
verbs:
- create
- update
- delete
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent-write-binding
2020-11-24 15:15:51 +05:30
roleRef:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent-write
2020-11-24 15:15:51 +05:30
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
2021-06-08 01:23:25 +05:30
- name: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
kind: ServiceAccount
2021-06-08 01:23:25 +05:30
namespace: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent-read
2020-11-24 15:15:51 +05:30
rules:
- resources:
- '*'
apiGroups:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent-read-binding
2020-11-24 15:15:51 +05:30
roleRef:
2021-06-08 01:23:25 +05:30
name: gitlab-kubernetes-agent-read
2020-11-24 15:15:51 +05:30
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
subjects:
2021-06-08 01:23:25 +05:30
- name: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
kind: ServiceAccount
2021-06-08 01:23:25 +05:30
namespace: gitlab-kubernetes-agent
2020-11-24 15:15:51 +05:30
```
2021-04-17 20:07:23 +05:30
### Create manifest files
2021-01-03 14:25:43 +05:30
In a previous step, you configured a `config.yaml` to point to the GitLab projects
2021-04-17 20:07:23 +05:30
the Agent should synchronize. Agent monitors each of those projects for changes to the manifest files it contains. You can auto-generate manifest files with a
2021-02-22 17:27:13 +05:30
templating engine or other means.
The agent is authorized to download manifests for the configuration
project, and public projects. Support for other private projects is
planned in the issue [Agent authorization for private manifest
projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
2021-01-03 14:25:43 +05:30
2021-04-17 20:07:23 +05:30
Each time you push a change to a monitored manifest repository, the Agent logs the change:
2020-11-24 15:15:51 +05:30
```plaintext
2021-01-03 14:25:43 +05:30
2020-09-15_14:09:04.87946 gitlab-k8s-agent : time="2020-09-15T10:09:04-04:00" level=info msg="Config: new commit" agent_id=1 commit_id=e6a3651f1faa2e928fe6120e254c122451be4eea
2020-11-24 15:15:51 +05:30
```
2021-04-17 20:07:23 +05:30
#### Example manifest file
2020-11-24 15:15:51 +05:30
2021-01-29 00:20:46 +05:30
This file creates an NGINX deployment.
2020-11-24 15:15:51 +05:30
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
2021-06-08 01:23:25 +05:30
namespace: gitlab-kubernetes-agent # Can be any namespace managed by you that the agent has access to.
2020-11-24 15:15:51 +05:30
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
## Example projects
2021-01-29 00:20:46 +05:30
The following example projects can help you get started with the Kubernetes Agent.
2021-01-03 14:25:43 +05:30
- [Configuration repository](https://gitlab.com/gitlab-org/configure/examples/kubernetes-agent)
2021-03-08 18:12:59 +05:30
- This basic GitOps example deploys NGINX: [Manifest repository](https://gitlab.com/gitlab-org/configure/examples/gitops-project)
2021-01-29 00:20:46 +05:30
### Deploying GitLab Runner with the Agent
2021-03-11 19:13:27 +05:30
You can use the Kubernetes Agent to
2021-04-17 20:07:23 +05:30
[deploy GitLab Runner in a Kubernetes cluster](https://docs.gitlab.com/runner/install/kubernetes-agent.html).
## Kubernetes Network Security Alerts
The GitLab Agent also provides an integration with Cilium. This integration provides a simple way to
generate network policy-related alerts and to surface those alerts in GitLab.
There are several components that work in concert for the Agent to generate the alerts:
- A working Kubernetes cluster.
- Cilium integration through either of these options:
- Installation through [GitLab Managed Apps](../applications.md#install-cilium-using-gitlab-cicd).
- Enablement of [hubble-relay](https://docs.cilium.io/en/v1.8/concepts/overview/#hubble) on an
existing installation.
- One or more network policies through any of these options:
- Use the [Container Network Policy editor](../../application_security/threat_monitoring/index.md#container-network-policy-editor) to create and manage policies.
- Use an [AutoDevOps](../../application_security/threat_monitoring/index.md#container-network-policy-management) configuration.
- Add the required labels and annotations to existing network policies.
- Use a configuration repository to inform the Agent through a `config.yaml` file, which
repositories can synchronize with. This repository might be the same, or a separate GitLab
project.
The setup process follows the same steps as [GitOps](#get-started-with-gitops-and-the-gitlab-agent),
with the following differences:
- When you define a configuration repository, you must do so with [Cilium settings](#define-a-configuration-repository-with-cilium-settings).
- You do not need to create a `manifest.yaml`.
### Define a configuration repository with Cilium settings
You need a GitLab repository to contain your Agent configuration. The minimal repository layout
looks like this:
```plaintext
.gitlab/agents/<agent-name>/config.yaml
```
Your `config.yaml` file must specify the `host` and `port` of your Hubble Relay service. If your
Cilium integration was performed through [GitLab Managed Apps](../applications.md#install-cilium-using-gitlab-cicd),
you can use `hubble-relay.gitlab-managed-apps.svc.cluster.local:80`:
```yaml
cilium:
hubble_relay_address: "<hubble-relay-host>:<hubble-relay-port>"
...
```
2021-01-29 00:20:46 +05:30
2021-03-11 19:13:27 +05:30
## Management interfaces
2021-01-29 00:20:46 +05:30
2021-03-11 19:13:27 +05:30
Users with at least the [Developer](../../permissions.md) can access the user interface
2021-04-29 21:17:54 +05:30
for the GitLab Kubernetes agent at **Operations > Kubernetes** under the
2021-03-11 19:13:27 +05:30
**GitLab Agent managed clusters** tab. This page lists all registered agents for
the current project, and the configuration directory for each agent:
2021-01-29 00:20:46 +05:30
2021-03-11 19:13:27 +05:30
![GitLab Kubernetes Agent list UI](../img/kubernetes-agent-ui-list_v13_8.png)
2021-01-29 00:20:46 +05:30
2021-03-11 19:13:27 +05:30
Additional management interfaces are planned for the GitLab Kubernetes Agent.
[Provide more feedback in the related epic](https://gitlab.com/groups/gitlab-org/-/epics/4739).
2021-01-29 00:20:46 +05:30
## Troubleshooting
If you face any issues while using GitLab Kubernetes Agent, you can read the
2021-04-29 21:17:54 +05:30
service logs with the following command
2021-01-29 00:20:46 +05:30
2021-04-29 21:17:54 +05:30
```shell
2021-06-08 01:23:25 +05:30
kubectl logs -f -l=app=gitlab-kubernetes-agent -n gitlab-kubernetes-agent
2021-01-29 00:20:46 +05:30
```
2021-04-29 21:17:54 +05:30
GitLab administrators can additionally view the [Kubernetes Agent Server logs](../../../administration/clusters/kas.md#troubleshooting).
2021-01-29 00:20:46 +05:30
### Agent logs - Transport: Error while dialing failed to WebSocket dial
2021-04-29 21:17:54 +05:30
```json
2021-01-29 00:20:46 +05:30
{"level":"warn","time":"2020-11-04T10:14:39.368Z","msg":"GetConfiguration failed","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://gitlab-kas:443/-/kubernetes-agent\\\": dial tcp: lookup gitlab-kas on 10.60.0.10:53: no such host\""}
```
This error is shown if there are some connectivity issues between the address
specified as `kas-address`, and your Agent pod. To fix it, make sure that you
specified the `kas-address` correctly.
2021-04-17 20:07:23 +05:30
### Agent logs - ValidationError(Deployment.metadata)
2021-01-29 00:20:46 +05:30
```plaintext
{"level":"info","time":"2020-10-30T08:56:54.329Z","msg":"Synced","project_id":"root/kas-manifest001","resource_key":"apps/Deployment/kas-test001/nginx-deployment","sync_result":"error validating data: [ValidationError(Deployment.metadata): unknown field \"replicas\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta, ValidationError(Deployment.metadata): unknown field \"selector\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta, ValidationError(Deployment.metadata): unknown field \"template\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta]"}
```
2021-04-17 20:07:23 +05:30
This error is shown if a manifest file is malformed, and Kubernetes can't
create specified objects. Make sure that your manifest files are valid. You
may try using them to create objects in Kubernetes directly for more troubleshooting.
2021-01-29 00:20:46 +05:30
### Agent logs - Error while dialing failed to WebSocket dial: failed to send handshake request
2021-04-29 21:17:54 +05:30
```json
2021-01-29 00:20:46 +05:30
{"level":"warn","time":"2020-10-30T09:50:51.173Z","msg":"GetConfiguration failed","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://GitLabhost.tld:443/-/kubernetes-agent\\\": net/http: HTTP/1.x transport connection broken: malformed HTTP response \\\"\\\\x00\\\\x00\\\\x06\\\\x04\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x05\\\\x00\\\\x00@\\\\x00\\\"\""}
```
This error is shown if you configured `wss` as `kas-address` on the agent side,
but KAS on the server side is not available via `wss`. To fix it, make sure the
same schemes are configured on both sides.
It's not possible to set the `grpc` scheme due to the issue
[It is not possible to configure KAS to work with `grpc` without directly editing GitLab KAS deployment](https://gitlab.com/gitlab-org/gitlab/-/issues/276888). To use `grpc` while the
issue is in progress, directly edit the deployment with the
`kubectl edit deployment gitlab-kas` command, and change `--listen-websocket=true` to `--listen-websocket=false`. After running that command, you should be able to use
2021-06-08 01:23:25 +05:30
`grpc://gitlab-kas.<YOUR-NAMESPACE>:8150`.
2021-01-29 00:20:46 +05:30
2021-02-22 17:27:13 +05:30
### Agent logs - Decompressor is not installed for grpc-encoding
2021-01-29 00:20:46 +05:30
2021-04-29 21:17:54 +05:30
```json
2021-01-29 00:20:46 +05:30
{"level":"warn","time":"2020-11-05T05:25:46.916Z","msg":"GetConfiguration.Recv failed","error":"rpc error: code = Unimplemented desc = grpc: Decompressor is not installed for grpc-encoding \"gzip\""}
```
This error is shown if the version of the agent is newer that the version of KAS.
To fix it, make sure that both `agentk` and KAS use the same versions.
2021-04-17 20:07:23 +05:30
### Agent logs - Certificate signed by unknown authority
2021-04-29 21:17:54 +05:30
```json
2021-04-17 20:07:23 +05:30
{"level":"error","time":"2021-02-25T07:22:37.158Z","msg":"Reverse tunnel","mod_name":"reverse_tunnel","error":"Connect(): rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://GitLabhost.tld:443/-/kubernetes-agent/\\\": x509: certificate signed by unknown authority\""}
```
This error is shown if your GitLab instance is using a certificate signed by an internal CA that
is unknown to the agent. One approach to fixing it is to present the CA certificate file to the agent
via a Kubernetes `configmap` and mount the file in the agent `/etc/ssl/certs` directory from where it
will be picked up automatically.
2021-06-08 01:23:25 +05:30
For example, if your internal CA certificate is `myCA.pem`:
2021-04-17 20:07:23 +05:30
```plaintext
2021-06-08 01:23:25 +05:30
kubectl -n gitlab-kubernetes-agent create configmap ca-pemstore --from-file=myCA.pem
2021-04-17 20:07:23 +05:30
```
Then in `resources.yml`:
2021-04-29 21:17:54 +05:30
```yaml
2021-04-17 20:07:23 +05:30
spec:
2021-06-08 01:23:25 +05:30
serviceAccountName: gitlab-kubernetes-agent
2021-04-17 20:07:23 +05:30
containers:
- name: agent
2021-04-29 21:17:54 +05:30
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:<version>"
2021-04-17 20:07:23 +05:30
args:
- --token-file=/config/token
- --kas-address
2021-06-08 01:23:25 +05:30
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
2021-04-29 21:17:54 +05:30
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
2021-06-08 01:23:25 +05:30
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
2021-04-17 20:07:23 +05:30
volumeMounts:
- name: token-volume
mountPath: /config
- name: ca-pemstore-volume
mountPath: /etc/ssl/certs/myCA.pem
subPath: myCA.pem
volumes:
- name: token-volume
secret:
2021-06-08 01:23:25 +05:30
secretName: gitlab-kubernetes-agent-token
2021-04-17 20:07:23 +05:30
- name: ca-pemstore-volume
configMap:
name: ca-pemstore
items:
- key: myCA.pem
path: myCA.pem
```
Alternatively, you can mount the certificate file at a different location and include it using the
`--ca-cert-file` agent parameter:
2021-04-29 21:17:54 +05:30
```yaml
2021-04-17 20:07:23 +05:30
containers:
- name: agent
2021-04-29 21:17:54 +05:30
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:<version>"
2021-04-17 20:07:23 +05:30
args:
- --ca-cert-file=/tmp/myCA.pem
- --token-file=/config/token
- --kas-address
2021-06-08 01:23:25 +05:30
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
2021-04-29 21:17:54 +05:30
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
2021-06-08 01:23:25 +05:30
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
2021-04-17 20:07:23 +05:30
volumeMounts:
- name: token-volume
mountPath: /config
- name: ca-pemstore-volume
mountPath: /tmp/myCA.pem
subPath: myCA.pem
```
2021-06-08 01:23:25 +05:30
## Remove the GitLab Kubernetes Agent
1. Remove an Agent record with GraphQL by deleting the `clusterAgent` and the `clusterAgentToken`.
```graphql
mutation deleteAgent {
clusterAgentDelete(input: { id: "<cluster-agent-id>" } ) {
errors
}
}
mutation deleteToken {
clusterAgentTokenDelete(input: { id: "<cluster-agent-token-id>" }) {
errors
}
}
```
1. Verify whether the removal occurred successfully. If the output in the Pod logs includes `unauthenticated`, it means that the agent was successfully removed:
```json
{"level":"warn","time":"2021-04-29T23:44:07.598Z","msg":"GetConfiguration.Recv failed","error":"rpc error:
code = Unauthenticated desc = unauthenticated"}
```
1. Delete the GitLab Kubernetes Agent in your cluster:
```shell
kubectl delete -n gitlab-kubernetes-agent -f ./resources.yml
```