Restrict Gitlab agent to single namespace

Gitlab Apr 8, 2022

Intro

For some time now, I've been really interested in devops, making development itself almost a side-hobby. And since I'm self hosting a Gitlab instance, I have a Kubernetes cluster, many containerized projects, and not enough nerves and time to always manually deploy stuff when I update them (we can go on with the reasons) I decided to look into Gitlab's integrations - more specifically, deploying apps to a k8s cluster.

Last time I did that, when the only way to connect the two was "the certificate way", it turned out to be a mess and the project went belly-up after a few weeks of me pulling my hair out.

Granted - since then I have learned a lot of new stuff which made this transition to using Gitlab agent much, much easier.

The problem

So I've been playing around with this agent thing, deployed one for a private project of mine and it was just great - until I learned that, when using the easy way of installing it on your cluster, the manifests grant the agent cluster-wide administrative permissions! And of course I don't want that because I'm using my cluster - although this approach is an "anti-pattern" - for multiple projects, each restricted to their own namespace.

So I went to read the f*cking manual and learned that there's an alternative, advanced way of doing things. Basically constumizing the manifests to your needs which is all fine and well, but I wanted a simple, fast, environment variable-based solution - so I made gitlab-agent-namespaced.

The solution

Using the gitlab-agent-namespaced project you can create a new namespace for your project, create the necessary role, service account and deploy the Gitlab agent - all restricted to the namespace you want.

Note that the namespace can already exist, and in case you created it imperatively you will get just a warning telling you that it already exists, it doesn't have the last-applied-configuration annotation and that it will be now added automatically.

Usage

So how do we deploy it? It's rather simple: ensure you have envsubst and kubectl installed, kustomize is already built into kubectl.

curl https://gitplac.si/infrastructure/gitlab-agent-namespaced/-/archive/master/gitlab-agent-namespaced-master.zip -o archive.zip
unzip archive.zip
cd gitlab-agent-namespaced-master/

Download the project archive

export GL_NAMESPACE=mycustom-namespace
export GL_TOKEN=abcd-efgh-123-ijklmn
export GL_ENDPOINT=wss://gitplac.si/-/kubernetes-agent/

Define environment variables

You can aquire the agent token when adding a new agent in Gitlab.
Keep in mind that this GL_ENDPOINT value is pointing to my self hosted Gitlab. Change the hostname to your own Gitlab instance when installing. If you are using Gitlab.com you should use wss://kas.gitlab.com.

envsubst < kustomization.tpl.yaml > kustomization.yaml && kubectl kustomize .

Review the generated manifest

envsubst < kustomization.tpl.yaml > kustomization.yaml && kubectl apply -k .

And deploy it to your cluster

Recommended for you

Kubernetes

Setting up my new Kubernetes cluster for CI and deployments @ gitplac.si - the learning stage

2 years ago • 8 min read

ci/cd

How to setup Minio cache for GitLab CI/CD on linux

3 years ago • 3 min read

Gitlab

Close to perfect Gitlab CI runner setup on VMs with KVM/qemu

3 years ago • 8 min read