Orchestrating Kubernetes Deployments via GitLab CI and kubectl apply

Published by TechMarmot Editorail Staff on | Category GitLab CI

The integration of GitLab CI/CD with Kubernetes represents a fundamental shift in how modern software engineering teams handle the lifecycle of containerized applications. By leveraging the kubectl apply command within a structured pipeline, organizations can transition from manual, error-prone deployment processes to a fully automated, version-controlled delivery mechanism. This architectural synergy allows for the seamless transition of code from a developer's local environment, through a rigorous build and test phase, and finally into a live Kubernetes cluster. The process relies on a sophisticated chain of trust and communication, involving the GitLab Runner, the Kubernetes API server, and a secure container registry, ensuring that every change to the infrastructure is traceable and repeatable.

Infrastructure Prerequisites and Environmental Setup

Before a single line of a .gitlab-ci.yml file can be executed, a foundational layer of infrastructure must be established. The complexity of Kubernetes orchestration requires a precise alignment of tools and access rights to prevent pipeline failures.

The following components are non-negotiable requirements for a functional deployment pipeline:

  • A running Kubernetes cluster: This serves as the target environment where the application will be hosted. The cluster must be reachable by the GitLab Runner.
  • GitLab instance: Either a self-hosted version for maximum control or the GitLab.com SaaS offering for reduced operational overhead.
  • Access to a private Docker registry: This is essential for storing container images securely. Examples include the integrated GitLab Container Registry or external providers like Docker Hub.
  • kubectl configuration: The command-line tool kubectl must be configured to interact with the specific Kubernetes cluster, utilizing the correct context and authentication credentials.
  • Docker installation: Required on the local machine for initial Dockerfile creation and local testing of container images.

The impact of missing any of these prerequisites is a catastrophic failure of the CI/CD loop. For instance, without a configured kubectl context, the pipeline will be unable to authenticate with the Kubernetes API, leading to "Unauthorized" errors during the deployment stage. Contextually, this setup phase is the "anchor" for the entire process; if the connection between the GitLab Runner and the Kubernetes API is not established, the kubectl apply command becomes an inert string of text.

Containerization and the Dockerfile Lifecycle

The transition from source code to a deployable unit begins with the Dockerfile. This file acts as the blueprint for the application's environment, ensuring that the "it works on my machine" phenomenon is eliminated by packaging all dependencies into a portable image.

For a standard Node.js application, the containerization process follows a specific sequence of instructions:

  • Base Image Selection: Using FROM node:14 ensures that the application runs on a consistent version of the Node.js runtime.
  • Working Directory Definition: The command WORKDIR /app creates a dedicated space within the container to avoid polluting the root filesystem.
  • Dependency Management: Copying package*.json and executing RUN npm install ensures that all required libraries are installed before the application code is copied, which optimizes Docker's layer caching.
  • Application Code Integration: The final COPY command moves the remaining source code into the image.

The real-world consequence of this structured approach is significantly faster build times. By separating the installation of dependencies from the copying of source code, GitLab CI can reuse the "dependency layer" across multiple pipeline runs unless the package.json file changes. This creates a dense web of efficiency where the build stage is minimized, allowing the pipeline to reach the kubectl apply stage more rapidly.

GitLab Project Configuration and Registry Integration

A GitLab project serves as the central nervous system for the deployment process. It houses the source code, the .gitlab-ci.yml configuration, and often the integrated container registry.

The use of an integrated container registry simplifies the workflow by removing the need for external authentication tokens for every image push. For a Maven-based Spring Boot application, the image naming convention is critical for successful retrieval by Kubernetes. The image name must follow a specific pattern containing the GitLab owner name and the image name, such as root/sample-spring-boot-on-kubernetes.

In scenarios where a local registry is used, such as one hosted at 172.17.0.2:5000, the network configuration must be explicitly handled. To facilitate this, the GitLab administrator must navigate to the admin section, then "Settings" -> "Network" -> "Outbound requests", and enable the option "Allow requests to the local network from web hooks and services". This allows internal communication between the GitLab CI runner and the Kubernetes API, as well as between the runner and the GitLab master.

Establishing the Kubernetes API Connection

Connecting GitLab to an existing Kubernetes cluster requires the exchange of security credentials and the definition of the API endpoint. This is the critical bridge that allows kubectl commands to reach the cluster.

The process of connecting an existing cluster involves several specific data points:

  • Cluster Name: A unique identifier for the cluster, often matched to the Kubernetes context name for consistency.
  • API URL: The internal address of the Kubernetes API, such as http://kubernetes.default:443.
  • CA Certificate: The cluster's Certificate Authority (CA) certificate must be pasted into GitLab to ensure a secure, encrypted TLS connection.
  • Environment Scope: A definition of which GitLab environments (e.g., production, staging) the cluster is associated with.

Failure to correctly provide the CA certificate results in a security mismatch, where the GitLab Runner cannot verify the identity of the Kubernetes API server, effectively blocking all kubectl apply operations.

Implementing the CI/CD Pipeline for Deployment

The .gitlab-ci.yml file defines the stages of the pipeline. For a complete deployment, the pipeline typically moves through build, test, and deploy phases.

If changes are pushed to a branch other than the master branch, the pipeline is intentionally limited to three stages: building the application, running tests, and building the Docker image. The deployment stage is reserved for the master branch to ensure that only verified, stable code reaches the cluster.

The kubectl apply Mechanism

The kubectl apply command is the primary tool for declarative configuration in Kubernetes. Unlike kubectl create, apply manages the state of the resource, updating existing objects to match the desired state defined in the manifest files.

In a GitLab CI context, the deployment job is configured with specific variables to ensure precision:

Variable Description Example Value
IMAGE_NAME The name of the image to be pushed nginx-example
IMAGE_TAG The version tag of the container latest
MANIFEST_PATH The directory containing K8s manifests ./clusters/applications/nginx
AGENT_KUBECONTEXT The specific agent context for the cluster my-group/my-repo:testing
NAMESPACE The target Kubernetes namespace flux-system

The execution flow within the script block of the .gitlab-ci.yml typically follows this sequence:

  1. Context Selection: The command kubectl config use-context $AGENT_KUBECONTEXT is executed to tell kubectl which cluster and credentials to use.
  2. Resource Application: The kubectl apply -f <manifest_path> command is invoked to synchronize the cluster state with the Git-stored manifests.

Advanced Deployment Strategies with Flux and OCI

For production-grade environments, combining GitLab CI/CD with FluxCD provides a "GitOps" approach. Instead of the pipeline pushing changes to the cluster, FluxCD monitors a repository or an OCI (Open Container Initiative) registry and pulls the changes into the cluster.

Using an OCI repository as a caching layer between the Git repository and FluxCD is considered a best practice. This decouples the build process from the deployment process, allowing for faster rollbacks and more granular control over which image versions are promoted to production.

The GitLab pipeline integration allows for the secure creation of secrets within the cluster to facilitate this. For example, a job might be configured to delete an old registry secret before creating a new one:

yaml nginx-deployment: stage: deploy variables: IMAGE_NAME: nginx-example IMAGE_TAG: latest MANIFEST_PATH: "./clusters/applications/nginx" AGENT_KUBECONTEXT: my-group/optional-subgroup/my-repository:testing FLUX_OCI_REPO_NAME: nginx-example NAMESPACE: flux-system environment: name: applications/nginx kubernetes: agent: $AGENT_KUBECONTEXT dashboard: namespace: default flux_resource_path: kustomize.toolkit.fluxcd.io/v1/namespaces/flux-system/kustomizations/nginx-example image: name: "fluxcd/flux-cli:v2.4.0" entrypoint: [""] before_script: - kubectl config use-context $AGENT_KUBECONTEXT script: - kubectl apply -f $MANIFEST_PATH

Securing Pipeline Access and RBAC

Security is the most critical layer of the kubectl apply workflow. Allowing a CI/CD pipeline unrestricted access to a cluster is a significant security risk. GitLab provides mechanisms to restrict this access based on the user's tier (Premium or Ultimate).

The agent for Kubernetes is configured via the .gitlab/agents/testing/config.yaml file. By default, the agent uses its service account to run commands. However, this can be restricted using the following methods:

  • Static Service Account Identity: Assigning a specific Kubernetes service account to the agent.
  • CI/CD Job Impersonation: Using the CI/CD job itself as the identity in the cluster.

To configure job impersonation, the .gitlab/agents/testing/config.yaml file must be edited to include a ci_access block:

yaml ci_access: projects: - id: my-group/optional-subgroup/my-repository access_as: ci_job: {}

The impact of this configuration is that the CI/CD job no longer has blanket permissions. Instead, it must be granted specific permissions via Kubernetes RBAC (Role-Based Access Control). For instance, if the job needs to create secrets in the flux-system namespace, a Role and RoleBinding must be created within Kubernetes to allow the ci_job identity to perform create and patch operations on Secret objects. Without these RBAC bindings, the kubectl apply command will return a "forbidden" error, preventing unauthorized modifications to the cluster.

Troubleshooting and Pipeline Validation

Validating the health of a deployment after kubectl apply is essential. GitLab integrates the Kubernetes agent with its environment dashboard, allowing users to monitor the health of the applications/nginx environment directly from the GitLab UI.

When a pipeline fails during the kubectl apply stage, the following diagnostic steps are typically employed:

  • Check the Agent Context: Verify that $AGENT_KUBECONTEXT is correctly set and that the agent is active in the cluster.
  • Validate Manifest Syntax: Ensure that the YAML files in the MANIFEST_PATH are syntactically correct using kubectl apply --dry-run=client.
  • Inspect RBAC Logs: Check the Kubernetes API server logs to see if the request was denied due to insufficient permissions.
  • Registry Authentication: Confirm that the gitlab-registry-auth secret exists in the target namespace, as the cluster cannot pull the image from a private registry without it.

Analysis of the GitLab-Kubernetes Ecosystem

The synergy between GitLab CI and kubectl apply transforms the deployment process from a series of manual steps into a codified workflow. The transition toward OCI-based manifests and FluxCD integration indicates a move away from "Push-based" deployments (where the CI tool pushes the state) toward "Pull-based" deployments (where the cluster synchronizes itself with the source of truth).

The use of the GitLab Agent for Kubernetes solves a long-standing problem in DevOps: the need to expose the Kubernetes API to the open internet. By using an agent that resides inside the cluster and establishes an outbound connection to GitLab, the attack surface of the cluster is significantly reduced. This architecture ensures that the kubectl apply command is executed through a secure tunnel rather than a public API endpoint.

Furthermore, the integration of the container registry directly into the CI/CD pipeline creates a tight loop of feedback. A developer can push code, the pipeline builds an image, pushes it to the registry, and applies the manifest—all within a single execution trace. This reduces the cognitive load on the engineer and ensures that the version of the code in Git is exactly what is running in the cluster.

Sources

  1. Deploying Applications on Kubernetes with GitLab CI/CD using Private Docker Repositories
  2. Get started deploying to Kubernetes - GitLab Documentation
  3. GitLab CI/CD on Kubernetes - Piotr Minkowski

Related Posts