Kubernetes namespace management for review environments with the agent for Kubernetes
Background
GitLab-managed clusters are currently the easiest way for platform engineers to facilitate arbitrary deployments for the developers/teams they support. While this approach offers a lot of flexibility for developers deploying their projects, it can lead to pain points for platform engineers particularly on multi-tenant clusters:
- requires giving GitLab extensive permissions on the cluster (
cluster-adminrolebinding) - no configurability of the conventions used to create namespaces per project/environment scope
- no way to limit the permissions granted to the service account used in the deployments (
adminrolebinding) - no easy way to manage cluster integrations across multiple groups/projects, requires duplicating configuration
- no way to hide cluster configuration from group/project maintainers
As far as I can tell, roadmap for agentk has primarily focused on the git-ops use case, a very necessary starting point, but has not attempted to facilitate cluster integrations as they already exist today (#220911 (closed)).
Use Case
As a platform engineer, I would like to leverage agentk to provide a consistent platform for developers to deploy on top of. In addition to using git-ops for provisioning baseline resources consistently across the clusters I manage, I need to enable developers to deploy their projects on these multi-tenant clusters in a predictable and compliant way.
Issues with the existing agent-based CI/CD workflow
- How to configure
KUBE_CONTEXTwhen 2-3 projects are created every week and the deployments happen to different environments, clusters based on the job and branch?- They can try using CI variables in the
agent-namepart of theKUBE_CONTEXT?
- They can try using CI variables in the
- How can they use the agent when every new project needs its own Service Account? How can they make Service Account setup automatic in each environment for every new project?
Adding necessary manual work to the processes is not an option.
Requirements
When an agent tunnel is shared at the group level
Given that a deployment happens from a project
Then create and use a namespaces following the pattern given in the agent configurationWhen an agent tunnel is shared at the project level
Given that a deployment happens from the project
Then restrict the deployment to the namespace given in the agent configurationService account requirements are already handled with the impersonation features.
Proposal 1
Introduce a namespace_pattern key that assures the given namespace exists, and sets it for the CI tunnel impersonation to allow for RBAC targeting. The namespace_pattern can use the predefined CI variables for dynamic namespace names.
ci_access:
groups:
- id: path/to/group/subgroup
namespace_pattern: 'team-{CI_PROJECT_NAME}"Proposal 3
Investigate approaches to scriptable agent beha... (gitlab-org/cluster-integration/gitlab-agent#103)
Proposal 4
Use statically created namespaces and service accounts, and use them given their annotations as described in #280563 (comment 483750616)
Proposal 5
Introduce a tool like Kyverno or an admission controller that can generate resources in the cluster based on a specific conditions. A Kyverno example can be seen at https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources/
Proposal 6
Ship an Application controller and a CRD that can be configured to set up an environment in a templated way. We can leverage existing tools, like Crossplane to provide the Application CRD or come up with our own wrapper or implementation.
Open Questions
- should we provide special configuration blocks for how
agentkcreates resources for deployment targets? - do we instead just require things like a namespace and service account be defined in a manifest project statically and do not have
agentkcreate anything at deploy time?- perhaps we could look at annotations on resources in the manifest project to make
agentkaware of which namespace and service account to use for a given project? - edit: see #280563 (comment 483750616) for an example
- perhaps we could look at annotations on resources in the manifest project to make
- depending on the outcome of &4516 (closed), how do we manage environment scope(s) for the target groups/projects?
- how could a target group/project use the git-ops model if configured this way?
- does this conflict with design goals regarding multiple agents per cluster and/or one agent across multiple clusters?
Pricing
- Automatic namespace creation: GitLab Free
- Automatic service account creation: GitLab Premium