Expose gitlab-managed-apps in Pod Logs
The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Problem to solve
There is no easy way for a user to view pod logs for a Gitlab Managed App pod that is not part of the default application's namespace. In certain cases it can be useful to view the logs to debug or monitor installed applications, such as all gitlab-managed-apps. These can be exposed with the existing Kubernetes Pod Logs feature.
It was suggested with the work in https://gitlab.com/gitlab-org/gitlab-ce/issues/65192#note_206053988 that exposing the ingress-nginx-controller pod could provide an easy mechanism for for monitoring nginx requests as well as any modsecurity warnings generate in "Detection-only" mode.
There is an existing limitation in that Pod Logs currently only exposes pods within the application's namespace, not the gitlab-managed-apps where ingress lives:
It doesn't sound like there is a technical limitation here though, so we can probably easily expose it. There's a related issue to do so for knative, although I'm not sure that was the exact intent.
To quote @DylanGriffith from slack:
dylan:palm_tree: 19 minutes ago
@theoretick it's an interesting idea. I've never heard this come up before. It seems sensible to me though.
dylan:palm_tree: 18 minutes ago
Tailing nginx logs seems like a really good feature actually. Ideally all these logs would be fed into some log aggregator but a more minimal approach as you suggest could be to show it the same as other pod logs. I like it :thumbsup:Intended users
Currently, gitlab-ce~3207279 but there is consideration in https://gitlab.com/gitlab-org/gitlab-ce/issues/65860
Further details
Proposal
Expose all gitlab-managed apps within Pod Logs OR some subset if not all are considered useful
Permissions and Security
No change to existing Pod Logs permissions
- Only instance admins can see
gitlab-managed-appspod logs for instance clusters - Only group maintainers (and up) can see
gitlab-managed-appspod logs for group clusters - Only project maintainers (and up) can seee
gitlab-managed-appspod logs for project clusters
Documentation
Testing
What does success look like, and how can we measure that?
Users can view nginx requests through GitLab's UI.