Commit 9a24efb0 authored by Tiger's avatar Tiger

Document authorizing projects for an Agent

parent 86b91c04
...@@ -38,11 +38,11 @@ there isn't any context selected. ...@@ -38,11 +38,11 @@ there isn't any context selected.
Contexts are named in the following format: `<agent-configuration-project-path>:<agent-name>`. Contexts are named in the following format: `<agent-configuration-project-path>:<agent-name>`.
To get the list of available contexts, run `kubectl config get-contexts`. To get the list of available contexts, run `kubectl config get-contexts`.
## Share the CI/CD Tunnel provided by an Agent with other projects and group ## Share the CI/CD Tunnel provided by an Agent with other projects and groups
The Agent can be configured to enable access to the CI/CD Tunnel to other projects or all the projects under a given group. This way you can have a single agent serving all the requests for several projects saving on resources and maintenance. The Agent can be configured to enable access to the CI/CD Tunnel to other projects or all the projects under a given group. This way you can have a single agent serving all the requests for several projects saving on resources and maintenance.
You can read more on how to [authorize access to groups in the Agent configuration reference](repository.md#authorize-groups-to-use-an-agent). You can read more on how to [authorize access in the Agent configuration reference](repository.md#authorize-projects-and-groups-to-use-an-agent).
## Example for a `kubectl` command using the CI/CD Tunnel ## Example for a `kubectl` command using the CI/CD Tunnel
......
...@@ -149,39 +149,52 @@ gitops: ...@@ -149,39 +149,52 @@ gitops:
- glob: '/**/*.yaml' - glob: '/**/*.yaml'
``` ```
## Authorize groups to use an Agent ## Authorize projects and groups to use an Agent
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. > - Group authorization [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3.
> - Project authorization [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4.
If you use the same cluster across multiple projects, you can set up the CI/CD Tunnel If you use the same cluster across multiple projects, you can set up the [CI/CD Tunnel](ci_cd_tunnel.md)
to grant the Agent access to one or more groups. This way, all the projects that belong to grant access to an Agent from one or more projects or groups. This way, all the authorized
to the authorized groups can access the same Agent. This enables you to save resources and projects can access the same Agent, which facilitates you to save resources and have a scalable setup.
have a scalable setup.
When you authorize a group, the agent's Kubernetes context is automatically injected When you authorize a project to use an agent through the [CI/CD Tunnel](ci_cd_tunnel.md),
into every project of the authorized group, and users can select the connection as the selected Kubernetes context is automatically injected into CI/CD jobs, allowing you to
described in the [CI/CD Tunnel documentation](ci_cd_tunnel.md). run Kubernetes commands from your authorized projects' scripts. When you authorize a group,
To authorize a group to access the Agent through the [CI/CD Tunnel](ci_cd_tunnel.md), all the projects that belong to that group can access the selected agent.
use the `ci_access` attribute in your `config.yaml` configuration file.
An Agent can only authorize groups in the same group hierarchy as the Agent's configuration project. At most An Agent can only authorize projects or groups in the same group hierarchy as the Agent's configuration
100 groups can be authorized per Agent. project. You can authorize up to 100 projects and 100 groups per Agent.
To authorize a group: ### Authorize projects to use an Agent
1. Edit your `config.yaml` file under the `.gitlab/agents/<agent name>` directory. To grant projects access to the Agent through the [CI/CD Tunnel](ci_cd_tunnel.md):
1. Add the `ci_access` root attribute.
1. Add the `groups` attribute into `ci_access`.
1. Add the group `id` into `groups`, identifying the authorized group through its path.
For example: 1. Go to your Agent's configuration project.
1. Edit the Agent's configuration file (`config.yaml`).
1. Add the `projects` attribute into `ci_access`.
1. Identify the new project through its path:
```yaml ```yaml
ci_access: ci_access:
# This agent is accessible from CI jobs in projects in these groups projects:
groups: - id: path/to/project
- id: group/subgroup ```
```
### Authorize groups to use an Agent
To grant access to all projects within a group:
1. Go to your Agent's configuration project.
1. Edit the Agent's configuration file (`config.yaml`).
1. Add the `groups` attribute into `ci_access`.
1. Identify the group or subgroup through its path:
```yaml
ci_access:
groups:
- id: path/to/group/subgroup
```
## Surface network security alerts from cluster to GitLab **(ULTIMATE)** ## Surface network security alerts from cluster to GitLab **(ULTIMATE)**
......
...@@ -68,7 +68,6 @@ The concept of [project-level](../../project/clusters/index.md), ...@@ -68,7 +68,6 @@ The concept of [project-level](../../project/clusters/index.md),
[instance-level](../../instance/clusters/index.md) clusters becomes [instance-level](../../instance/clusters/index.md) clusters becomes
extinct in the new model, although the functionality remains to some extent. extinct in the new model, although the functionality remains to some extent.
The Agent is always configured in a GitLab project, but you can: The Agent is always configured in a single GitLab project, but you can use the CI/CD Tunnel to
[authorize other projects and groups to use the same Agent](../../clusters/agent/repository.md#authorize-projects-and-groups-to-use-an-agent).
- [Grant your cluster's access to GitLab groups through the Agent](../../clusters/agent/repository.md#authorize-groups-to-use-an-agent). By doing so, you are granting these projects and groups access to the same cluster, which is similar to group-level clusters' use case.
- [Share access to the Agent with other projects and groups through the CI/CD Tunnel](../../clusters/agent/ci_cd_tunnel.md#share-the-cicd-tunnel-provided-by-an-agent-with-other-projects-and-group).
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment