author | Thong Kuah <tkuah@gitlab.com> | 2018-08-30 14:45:37 +1200 |
---|---|---|
committer | Thong Kuah <tkuah@gitlab.com> | 2018-09-14 16:26:50 +1200 |
commit | c8fa9047b17143fbc074b0bb9e0453571722f403 (patch) | |
tree | 9f33c0525800fab98c087b0c78ce803a5c49f0fd | |
parent | bf0179b7f170d06d88a8bbe1fbf37e4c8abe6aad (diff) | |
download | gitlab-ce-c8fa9047b17143fbc074b0bb9e0453571722f403.tar.gz |
Add documentation for RBAC experiment support for GitLab Managed Apps
-rw-r--r-- | doc/user/project/clusters/index.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 1edc82ee9ef..6f1c7907464 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -130,6 +130,42 @@ The newer [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) authorization will be supported in a [future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/29398). +### Role-based access control (RBAC) experimental support + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21401) in GitLab 11.3. + +Experimental support for RBAC-enabled clusters is currently hidden behind a feature flag. Once +you have enabled the feature flag, GitLab will now be configured to +create the necessary service accounts and privilleges in order to +install and run [GitLab Managed Applications](#installing-applications). + +You can enable the feature flag from a Rails console: + +```ruby +Feature.enable('rbac_clusters') +``` + +If you are [adding an existing Kubernetes +cluster](#adding-an-existing-kubernetes-cluster), you will be asked if +the cluster you are adding is a RBAC-enabled cluster. Enabling this +setting will create a `tiller` service account in the +`gitlab-managed-apps` namespace when you install Helm Tiller into your cluster. +This service account will be added to the installed Helm Tiller +and will be used by Helm to install and run [GitLab Managed +Applications](#installing-applications). + +The `tiller` service account will have cluster-wide access (`cluster-admin` clusterrole). + +If you are creating a [new GKE cluster via +GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab), GitLab will +automatically create an RBAC-enabled cluster. A `tiller` service account +will be created as well and added to Helm Tiller. + +NOTE: **Note:** +Auto DevOps will not successfully complete in cluster that only has RBAC +authorization enabled. RBAC support for Auto DevOps is planned in a [future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/44597). + + ### Security of GitLab Runners GitLab Runners have the [privileged mode](https://docs.gitlab.com/runner/executors/docker.html#the-privileged-mode) |
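Review bot: The sentence "The `tiller` service account will have cluster-wide access (`cluster-admin` clusterrole)" is the most security-relevant statement in the new section, yet it sits as an unmarked one-liner between two paragraphs. Consider moving it into a `NOTE:` block like the Auto DevOps one at the end of the section, and stating whether it also applies to the new GKE cluster path, since that paragraph only says a `tiller` service account "will be created as well and added to Helm Tiller". The unchanged context line just above the new heading still says RBAC authorization "will be supported in a future release", which now reads as contradicting the experimental support documented here, so it should be reworded in the same change. The feature flag paragraph shows only `Feature.enable('rbac_clusters')`; a line on how to turn the flag back off would help anyone trialling an experimental feature. Two small text fixes: "privilleges" should be "privileges", and "in cluster that only has RBAC" is missing an article ("in a cluster").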