From 4f05d0086a24ad15ce3df8b63e56d8e6c0e69d7a Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Mon, 5 Nov 2018 14:19:51 +0100 Subject: [PATCH 1/5] Adds documentation for AutoDevOps & RBAC support --- doc/user/project/clusters/index.md | 95 ++++++++++++++++-------------- 1 file changed, 50 insertions(+), 45 deletions(-) diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 94744cf85002..472496697f5b 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -132,59 +132,64 @@ functionalities needed to successfully build and deploy a containerized application. Bare in mind that the same credentials are used for all the applications running on the cluster. -When GitLab creates the cluster, it enables and uses the legacy -[Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/). -The newer [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) -authorization is [experimental](#role-based-access-control-rbac). +## Access controls -### Role-based access control (RBAC) **[CORE ONLY]** +When creating a cluster in GitLab, you will be asked if you would like to create an +[Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/) cluster, or +[Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) cluster. -> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21401) in GitLab 11.4. +Whether ABAC or RBAC is enabled for a cluster, and whether you're [new GKE cluster via +GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab) or [adding an existing +Kubernetes cluster](#adding-an-existing-kubernetes-cluster), GitLab will create the necessary +service accounts and privileges in order to install and run [GitLab managed applications](#installing-applications): -CAUTION: **Warning:** -The RBAC authorization is experimental. +- A `gitlab` service account with `cluster-admin` privileges will be created in the +`default` namespace, which will be used by GitLab to manage the newly created cluster. -Once RBAC is enabled for a cluster, GitLab will create the necessary service accounts -and privileges in order to install and run [GitLab managed applications](#installing-applications). - -If you are creating a [new GKE cluster via -GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab), you will be -asked if you would like to create an RBAC-enabled cluster. 
Enabling this -setting will create a `gitlab` service account which will be used by -GitLab to manage the newly created cluster. To enable this, this service -account will have the `cluster-admin` privilege. - -If you are [adding an existing Kubernetes -cluster](#adding-an-existing-kubernetes-cluster), you will be asked if -the cluster you are adding is a RBAC-enabled cluster. Ensure the -token of the account has administrator privileges for the cluster. - -In both cases above, when you install Helm Tiller into your cluster, an -RBAC-enabled cluster will create a `tiller` service account, with `cluster-admin` -privileges in the `gitlab-managed-apps` namespace. This service account will be -added to the installed Helm Tiller and will be used by Helm to install and run -[GitLab managed applications](#installing-applications). - -The table below summarizes which resources will be created in a -RBAC-enabled cluster : - -| Name | Kind | Details | Created when | -| --- | --- | --- | --- | -| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | -| `gitlab-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Creating a new GKE Cluster | -| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | -| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | -| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | +- A project service account with `edit` privileges will be created in the +project namespace (also created by GitLab), which will be used to ensure compatibility +between [Auto DevOps](../../../topics/autodevops/index.md) and RBAC. +NOTE: **Note:** +Auto DevOps support for RBAC was introduced on [11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716) -Helm Tiller will also create additional service accounts and other RBAC -resources for each installed application. 
Consult the documentation for the -Helm charts for each application for details. +- When you install Helm Tiller into your cluster, a cluster will create a +`tiller` service account, with `cluster-admin` privileges in the `gitlab-managed-apps` +namespace. This service account will be added to the installed Helm Tiller and will +be used by Helm to install and run [GitLab managed applications](#installing-applications). +Helm Tiller will also create additional service accounts and other resources for each +installed application. Consult the documentation for the Helm charts for each application +for details. NOTE: **Note:** -Auto DevOps will not successfully complete in a cluster that only has RBAC -authorization enabled. RBAC support for Auto DevOps is planned in a -[future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/44597). +If you are [adding an existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster), +ensure the token of the account has administrator privileges for the cluster. + +Following sections summarizes which resources will be created on ABAC/RBAC clusters. 
+ +### Attribute-based access control (ABAC) + +| Name | Kind | Details | Created when | +| --- | --- | --- | --- | +| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | +| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | +| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | +| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Creating/Adding a new GKE Cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Creating/Adding a new GKE Cluster | + +### Role-based access control (RBAC) + +| Name | Kind | Details | Created when | +| --- | --- | --- | --- | +| `gitlab` | `ServiceAccount` | `default` namespace | Creating a new GKE Cluster | +| `gitlab-admin` | `ClusterRoleBinding` | [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating a new GKE Cluster | +| `gitlab-token` | `Secret` | Token for `gitlab` ServiceAccount | Creating a new GKE Cluster | +| `tiller` | `ServiceAccount` | `gitlab-managed-apps` namespace | Installing Helm Tiller | +| `tiller-admin` | `ClusterRoleBinding` | `cluster-admin` roleRef | Installing Helm Tiller | +| Project namespace | `ServiceAccount` | Uses namespace of Project | Creating/Adding a new GKE Cluster | +| Project namespace | `Secret` | Token for project ServiceAccount | Creating/Adding a new GKE Cluster | +| Project namespace | `RoleBinding` | [`edit`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) roleRef | Creating/Adding a new GKE Cluster | ### Security of GitLab Runners -- GitLab From 1482de7d22c4cd7405fd85816c18cbdfb4044316 Mon Sep 17 00:00:00 2001 
From: Achilleas Pipinellis Date: Wed, 7 Nov 2018 16:08:07 +0100 Subject: [PATCH 2/5] Clean up Access controls section of k8s cluster docs --- doc/user/project/clusters/index.md | 36 ++++++++++++++---------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 472496697f5b..8eee3b1b4174 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -136,36 +136,34 @@ applications running on the cluster. When creating a cluster in GitLab, you will be asked if you would like to create an [Attribute-based access control (ABAC)](https://kubernetes.io/docs/admin/authorization/abac/) cluster, or -[Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) cluster. +a [Role-based access control (RBAC)](https://kubernetes.io/docs/admin/authorization/rbac/) one. -Whether ABAC or RBAC is enabled for a cluster, and whether you're [new GKE cluster via -GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab) or [adding an existing -Kubernetes cluster](#adding-an-existing-kubernetes-cluster), GitLab will create the necessary -service accounts and privileges in order to install and run [GitLab managed applications](#installing-applications): +Whether ABAC or RBAC is enabled, GitLab will create the necessary +service accounts and privileges in order to install and run +[GitLab managed applications](#installing-applications): - A `gitlab` service account with `cluster-admin` privileges will be created in the -`default` namespace, which will be used by GitLab to manage the newly created cluster. + `default` namespace, which will be used by GitLab to manage the newly created cluster. - A project service account with `edit` privileges will be created in the -project namespace (also created by GitLab), which will be used to ensure compatibility -between [Auto DevOps](../../../topics/autodevops/index.md) and RBAC. + project namespace (also created by GitLab), which will be used to ensure compatibility + between [Auto DevOps](../../../topics/autodevops/index.md) and RBAC. -NOTE: **Note:** -Auto DevOps support for RBAC was introduced on [11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716) + NOTE: **Note:** + Auto DevOps support for RBAC was [introduced in 11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716). 
-- When you install Helm Tiller into your cluster, a cluster will create a -`tiller` service account, with `cluster-admin` privileges in the `gitlab-managed-apps` -namespace. This service account will be added to the installed Helm Tiller and will -be used by Helm to install and run [GitLab managed applications](#installing-applications). -Helm Tiller will also create additional service accounts and other resources for each -installed application. Consult the documentation for the Helm charts for each application -for details. +- When you install Helm Tiller into your cluster, the `tiller` service account + will be created with `cluster-admin` privileges in the `gitlab-managed-apps` + namespace. This service account will be added to the installed Helm Tiller and will + be used by Helm to install and run [GitLab managed applications](#installing-applications). + Helm Tiller will also create additional service accounts and other resources for each + installed application. Consult the documentation of the Helm charts for each application + for details. -NOTE: **Note:** If you are [adding an existing Kubernetes cluster](#adding-an-existing-kubernetes-cluster), ensure the token of the account has administrator privileges for the cluster. -Following sections summarizes which resources will be created on ABAC/RBAC clusters. +The following sections summarize which resources will be created on ABAC/RBAC clusters. ### Attribute-based access control (ABAC) -- GitLab From 60b543d557c51e82cbbc4b542653eb9915f20433 Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Thu, 8 Nov 2018 11:03:08 +1300 Subject: [PATCH 3/5] Clarify restricted project service account We introduced restricted service account so that we only pass the less privileged token as `KUBE_TOKEN`. Document what KUBE_TOKEN value will be in 11.5+. --- doc/user/project/clusters/index.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) 
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 8eee3b1b4174..a8dc20741429 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md @@ -145,12 +145,12 @@ service accounts and privileges in order to install and run - A `gitlab` service account with `cluster-admin` privileges will be created in the `default` namespace, which will be used by GitLab to manage the newly created cluster. -- A project service account with `edit` privileges will be created in the - project namespace (also created by GitLab), which will be used to ensure compatibility - between [Auto DevOps](../../../topics/autodevops/index.md) and RBAC. +- A project service account with `edit` privileges will be created in + the project namespace (also created by GitLab), which will be used in + [deployment jobs](#deployment-variables) NOTE: **Note:** - Auto DevOps support for RBAC was [introduced in 11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716). + Restricted service account for deployment was [introduced in 11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716). - When you install Helm Tiller into your cluster, the `tiller` service account will be created with `cluster-admin` privileges in the `gitlab-managed-apps` 
@@ -390,12 +390,16 @@ GitLab CI/CD build environment. | Variable | Description | | -------- | ----------- | | `KUBE_URL` | Equal to the API URL. | -| `KUBE_TOKEN` | The Kubernetes token. | +| `KUBE_TOKEN` | The Kubernetes token of the [project service account](#access-controls). | | `KUBE_NAMESPACE` | The Kubernetes namespace is auto-generated if not specified. The default value is `-`. You can overwrite it to use different one if needed, otherwise the `KUBE_NAMESPACE` variable will receive the default value. | | `KUBE_CA_PEM_FILE` | Only present if a custom CA bundle was specified. Path to a file containing PEM data. | | `KUBE_CA_PEM` | (**deprecated**) Only if a custom CA bundle was specified. Raw PEM data. | | `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. | +NOTE: **NOTE:** +Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main +service account of the cluster integration. + ## Enabling or disabling the Kubernetes cluster integration After you have successfully added your cluster information, you can enable the -- GitLab From cf5fb97232b3c89e990f69db2e78c45cd978ad9e Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Thu, 8 Nov 2018 14:59:36 +1300 Subject: [PATCH 4/5] Minor edits for style and sentences --- doc/user/project/clusters/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index a8dc20741429..7a7bde1acd3a 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -147,10 +147,10 @@ service accounts and privileges in order to install and run - A project service account with `edit` privileges will be created in the project namespace (also created by GitLab), which will be used in - [deployment jobs](#deployment-variables) + [deployment jobs](#deployment-variables). NOTE: **Note:** - Restricted service account for deployment was [introduced in 11.5](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716). + Restricted service account for deployment was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716).in GitLab 11.5. - When you install Helm Tiller into your cluster, the `tiller` service account will be created with `cluster-admin` privileges in the `gitlab-managed-apps` @@ -392,8 +392,8 @@ GitLab CI/CD build environment. | `KUBE_URL` | Equal to the API URL. | | `KUBE_TOKEN` | The Kubernetes token of the [project service account](#access-controls). | | `KUBE_NAMESPACE` | The Kubernetes namespace is auto-generated if not specified. The default value is `-`. You can overwrite it to use different one if needed, otherwise the `KUBE_NAMESPACE` variable will receive the default value. | -| `KUBE_CA_PEM_FILE` | Only present if a custom CA bundle was specified. Path to a file containing PEM data. | -| `KUBE_CA_PEM` | (**deprecated**) Only if a custom CA bundle was specified. Raw PEM data. | +| `KUBE_CA_PEM_FILE` | Path to a file containing PEM data. Only present if a custom CA bundle was specified. | +| `KUBE_CA_PEM` | (**deprecated**) Raw PEM data. Only if a custom CA bundle was specified. | | `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. | NOTE: **NOTE:** -- GitLab From 2fc36efc8dae393c4e65bc043827294c75cf3694 Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Thu, 8 Nov 2018 03:20:39 +0000 Subject: [PATCH 5/5] Fix typo --- doc/user/project/clusters/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 7a7bde1acd3a..233ed2057901 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md @@ -150,7 +150,7 @@ service accounts and privileges in order to install and run [deployment jobs](#deployment-variables). NOTE: **Note:** - Restricted service account for deployment was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716).in GitLab 11.5. + Restricted service account for deployment was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716) in GitLab 11.5. - When you install Helm Tiller into your cluster, the `tiller` service account will be created with `cluster-admin` privileges in the `gitlab-managed-apps` -- GitLab
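Review bot: In PATCH 1/5, hunk @@ -132, the new ABAC table is inconsistent with the bullet above it: the bullet says the `gitlab` service account gets `cluster-admin` privileges whether ABAC or RBAC is enabled, but the ABAC table has no `gitlab-admin` `ClusterRoleBinding` row (it does list `tiller-admin` as a `ClusterRoleBinding` with `cluster-admin` roleRef), so the reader cannot tell how the `gitlab` account obtains those privileges on an ABAC cluster. Either add the binding that is actually created or qualify the bullet for ABAC. Two smaller things in the same hunk: "whether you're [new GKE cluster via GitLab]" is missing "creating a", and the `NOTE: **Note:**` block sits unindented between two list items, which splits the list when rendered; indent it under the project-service-account bullet. The unchanged context line "Bare in mind" should read "Bear in mind".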
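Review bot: In PATCH 2/5, hunk @@ -136, dropping the "creating a new GKE cluster or adding an existing cluster" qualifier makes the `gitlab` service account bullet read as unconditional, yet both tables below still list `gitlab`, `gitlab-admin` and `gitlab-token` as created only when "Creating a new GKE Cluster", and the retained sentence about existing clusters says the user-supplied token must already carry administrator privileges. Suggest rewording the first bullet so the condition is explicit, e.g. "When GitLab creates the cluster, a `gitlab` service account with `cluster-admin` privileges will be created in the `default` namespace ...". The indented NOTE still says "introduced in 11.5" without "GitLab", unlike the rest of the file.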
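Review bot: In PATCH 3/5, hunk @@ -145, the rewritten bullet loses the reason the project service account exists. The commit message says the point is to hand deployment jobs a less privileged token as `KUBE_TOKEN`, and the RBAC table shows `edit` is granted through a namespace-scoped `RoleBinding`, so say that in the doc, e.g. "... which will be used in [deployment jobs](#deployment-variables), so that jobs receive a token scoped to the project namespace rather than the `cluster-admin` token of the `gitlab` account." The new bullet line also lacks a terminating period, and "Restricted service account for deployment was introduced" wants an article ("A restricted ...").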
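Review bot: In PATCH 3/5, hunk @@ -390, the new note uses the label `NOTE: **NOTE:**` while every other note in the file uses `NOTE: **Note:**`; use the latter. The note's phrase "the main service account of the cluster integration" should name that account (the `gitlab` service account with `cluster-admin` privileges described under Access controls), since the practical consequence for anyone on a release before 11.5 is that the `KUBE_TOKEN` exposed to CI jobs is a cluster-wide admin credential, and the note is where they will look to understand what upgrading changes.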
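Review bot: In PATCH 4/5, hunk @@ -147, the replacement line introduces a stray period between the link and "in": `[introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716).in GitLab 11.5.` should be `[introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/51716) in GitLab 11.5.`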
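Review bot: In PATCH 4/5, hunk @@ -392, the reordered `KUBE_CA_PEM` row still marks the variable deprecated without saying what replaces it; add "Use `KUBE_CA_PEM_FILE` instead." so users of the raw PEM variable know where to migrate. In the unchanged `KUBE_NAMESPACE` context line the default value renders as just `-`, which looks like the placeholder names around the hyphen were lost; worth checking the source line while this table is being edited.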