Restrict Gitlab agent to single namespace

Gitlab Apr 8, 2022

Intro

For some time now I've been really interested in devops, making development itself almost a side hobby. And since I'm self-hosting a Gitlab instance, have a Kubernetes cluster and many containerized projects, and don't have the nerves or the time to manually deploy everything whenever I update it (the list of reasons goes on), I decided to look into Gitlab's integrations - more specifically, deploying apps to a k8s cluster.

Last time I tried that, when the only way to connect the two was "the certificate way", it turned out to be a mess and the project went belly-up after a few weeks of me pulling my hair out.

Granted - since then I have learned a lot of new stuff, which made the transition to using the Gitlab agent much, much easier.


The problem

So I've been playing around with this agent thing, deployed one for a private project of mine and it was just great - until I learned that, when using the easy way of installing it on your cluster, the manifests grant the agent cluster-wide administrative permissions! And of course I don't want that, because I'm using my cluster - although this approach is an "anti-pattern" - for multiple projects, each restricted to its own namespace.

So I went to read the f*cking manual and learned that there's an alternative, advanced way of doing things: basically customizing the manifests to your needs. Which is all fine and well, but I wanted a simple, fast, environment variable-based solution - so I made gitlab-agent-namespaced.

The solution

Using the gitlab-agent-namespaced project you can create a new namespace for your project, create the necessary role and service account, and deploy the Gitlab agent - all restricted to the namespace you want.

Note that the namespace can already exist. If you created it imperatively you will just get a warning telling you that it already exists, that it doesn't have the last-applied-configuration annotation, and that the annotation will now be added automatically.


Usage

So how do we deploy it? It's rather simple: make sure you have envsubst and kubectl installed; kustomize is already built into kubectl.

Download the project archive:

    curl https://gitplac.si/infrastructure/gitlab-agent-namespaced/-/archive/master/gitlab-agent-namespaced-master.zip -o archive.zip
    unzip archive.zip
    cd gitlab-agent-namespaced-master/

Define the environment variables:

    export GL_NAMESPACE=mycustom-namespace
    export GL_TOKEN=abcd-efgh-123-ijklmn
    export GL_ENDPOINT=wss://gitplac.si/-/kubernetes-agent/

You can acquire the agent token when adding a new agent in Gitlab.
Keep in mind that this GL_ENDPOINT value points to my self-hosted Gitlab. Change the hostname to your own Gitlab instance when installing. If you are using Gitlab.com you should use wss://kas.gitlab.com.

Review the generated manifest:

    envsubst < kustomization.tpl.yaml > kustomization.yaml && kubectl kustomize .

And deploy it to your cluster:

    envsubst < kustomization.tpl.yaml > kustomization.yaml && kubectl apply -k .
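As an added example (not the gitlab-agent-namespaced project's own manifests), this is the shape of the namespaced RBAC the approach relies on: a Role and RoleBinding scoped to the GL_NAMESPACE value instead of the cluster-wide admin permissions the default install grants, rendered here with plain shell expansion rather than envsubst, plus a check that no cluster-scoped kinds slipped into the output before you apply it. The object names, the Secret layout and the verb list are assumptions; trim the verbs to what your pipelines actually need.

```shell
# Added example, not the project's files. Renders the namespaced objects for the
# agent's service account; the Deployment itself is left out for brevity.
set -eu
render_rbac() {
  # $1 = namespace, $2 = agent token (pass "$GL_NAMESPACE" "$GL_TOKEN" in practice)
  ns=$1; token=$2
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-agent
  namespace: ${ns}
---
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-agent-token
  namespace: ${ns}
stringData:
  token: ${token}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-agent
  namespace: ${ns}
rules:
- apiGroups: ["", "apps", "batch", "networking.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-agent
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitlab-agent
subjects:
- kind: ServiceAccount
  name: gitlab-agent
  namespace: ${ns}
EOF
}
# Succeeds only if the rendered manifest contains no ClusterRole/ClusterRoleBinding.
check_namespaced() {
  ! printf '%s\n' "$1" | grep -Eq '^kind: Cluster(Role|RoleBinding)$'
}
```

Run it as `render_rbac "$GL_NAMESPACE" "$GL_TOKEN" > rbac.yaml` and `check_namespaced "$(cat rbac.yaml)"` before `kubectl apply`.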

Aljaz S.

I am a student and a web developer