author: Thong Kuah <tkuah@gitlab.com>, 2018-08-30 14:45:37 +1200
committer: Thong Kuah <tkuah@gitlab.com>, 2018-09-14 16:26:50 +1200
commit: c8fa9047b17143fbc074b0bb9e0453571722f403 (patch)
tree: 9f33c0525800fab98c087b0c78ce803a5c49f0fd
parent: bf0179b7f170d06d88a8bbe1fbf37e4c8abe6aad (diff)
download: gitlab-ce-c8fa9047b17143fbc074b0bb9e0453571722f403.tar.gz
Add documentation for RBAC experiment support for GitLab Managed Apps
-rw-r--r-- doc/user/project/clusters/index.md | 36
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md
index 1edc82ee9ef..6f1c7907464 100644
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -130,6 +130,42 @@ The newer [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)
authorization will be supported in a
[future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/29398).
+### Role-based access control (RBAC) experimental support
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21401) in GitLab 11.3.
+
+Experimental support for RBAC-enabled clusters is currently hidden behind a feature flag. Once
+you have enabled the feature flag, GitLab will now be configured to
+create the necessary service accounts and privilleges in order to
+install and run [GitLab Managed Applications](#installing-applications).
+
+You can enable the feature flag from a Rails console:
+
+```ruby
+Feature.enable('rbac_clusters')
+```
+
+If you are [adding an existing Kubernetes
+cluster](#adding-an-existing-kubernetes-cluster), you will be asked if
+the cluster you are adding is a RBAC-enabled cluster. Enabling this
+setting will create a `tiller` service account in the
+`gitlab-managed-apps` namespace when you install Helm Tiller into your cluster.
+This service account will be added to the installed Helm Tiller
+and will be used by Helm to install and run [GitLab Managed
+Applications](#installing-applications).
+
+The `tiller` service account will have cluster-wide access (`cluster-admin` clusterrole).
+
+If you are creating a [new GKE cluster via
+GitLab](#adding-and-creating-a-new-gke-cluster-via-gitlab), GitLab will
+automatically create an RBAC-enabled cluster. A `tiller` service account
+will be created as well and added to Helm Tiller.
+
+NOTE: **Note:**
+Auto DevOps will not successfully complete in cluster that only has RBAC
+authorization enabled. RBAC support for Auto DevOps is planned in a [future release](https://gitlab.com/gitlab-org/gitlab-ce/issues/44597).
+
+
### Security of GitLab Runners
GitLab Runners have the [privileged mode](https://docs.gitlab.com/runner/executors/docker.html#the-privileged-mode)
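Review bot: The unchanged context just above the new heading still says RBAC authorization "will be supported in a future release", which now reads as a contradiction of the experimental support this section documents; reword that sentence or point it at the new section. In the added text, "privilleges" should be "privileges", and "will not successfully complete in cluster that only has RBAC" needs an article ("in a cluster"). The single line stating that the `tiller` service account gets the `cluster-admin` clusterrole is the security-relevant consequence of enabling the setting and would be easier to notice in the same NOTE: callout style used for the Auto DevOps limitation. The section explains how to enable the `rbac_clusters` flag but not how to turn it off again, and there are two blank added lines before "### Security of GitLab Runners" where one would do.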