Skip to content

GitLab-managed Kubernetes resources

  • Tier: Premium, Ultimate
  • Offering:, GitLab Self-Managed, GitLab Dedicated

Version history

Use GitLab-managed Kubernetes resources to provision Kubernetes resources with environment templates. An environment template can:

  • Create namespaces and service accounts automatically for new environments
  • Manage access permissions through role bindings
  • Configure other required Kubernetes resources

When developers deploy applications, GitLab creates the resources based on the environment template.

Configure GitLab-managed Kubernetes resources


Turn on Kubernetes resource management

To turn on resource management, modify the agent configuration file to include the required permissions:

    - id: <your_group/your_project>
        ci_job: {}
        enabled: true
    - id: <your_other_group>
        ci_job: {}
        enabled: true

Create environment templates

Environment templates define what Kubernetes resources are created, updated, or removed.

The default environment template creates a Namespace and configures a RoleBinding for the CI/CD job.

To overwrite the default template, add a template configuration file called default.yaml in the agent directory:


To create an environment template, add a template configuration file in the agent directory at:


You can specify which template is included in a CI/CD pipeline. For more information, see Use templates in CI/CD pipelines.

Supported Kubernetes resources

The following Kubernetes resources (kind) are supported:

  • Namespace
  • ServiceAccount
  • RoleBinding
  • FluxCD Source Controller objects:
    • GitRepository
    • HelmRepository
    • HelmChart
    • Bucket
    • OCIRepository
  • FluxCD Kustomize Controller objects:
    • Kustomization
  • FluxCD Helm Controller objects:
    • HelmRelease
  • FluxCD Notification Controller objects:
    • Alert
    • Provider
    • Receiver

Example environment template

The following example creates a namespace and grants a group administrator access to a cluster.

  - apiVersion: v1
    kind: Namespace
      name: '{{ .environment.slug }}-{{ }}-{{ }}'
  - apiVersion:
    kind: RoleBinding
      name: bind-{{ }}-{{ }}-{{ .environment.slug }}
      namespace: {{ .project.slug }}-{{ }}-{{ .environment.slug }}
      - kind: Group
        name: gitlab:project_env:{{ }}:{{ .environment.slug }}
      kind: ClusterRole
      name: admin

# Resource lifecycle configuration
apply_resources: on_start    # Resources are applied when environment is started/restarted
delete_resources: on_stop    # Resources are removed when environment is stopped

Template variables

Environment templates support limited variable substitution. The following variables are available:

Category Variable Description
Agent {{ }} The agent identifier.
Agent {{ }} The agent name.
Agent {{ .agent.url }} The agent URL.
Environment {{ }} The environment name.
Environment {{ .environment.slug }} The environment slug.
Environment {{ .environment.url }} The environment URL.
Environment {{ .environment.tier }} The environment tier.
Project {{ }} The project identifier.
Project {{ .project.slug }} The project slug.
Project {{ .project.path }} The project path.
Project {{ .project.url }} The project URL.
CI Pipeline {{ }} The pipeline identifier.
CI Job {{ }} The CI/CD job identifier.
User {{ }} The user identifier.
User {{ .user.username }} The username.

All variables should be referenced using the double curly brace syntax, for example: {{ }}. See text/template documentation for more information on the templating system used.

Resource lifecycle management

Use the following settings to configure when Kubernetes resources should be applied or removed from an environment:

# Apply resources when environment is started or restarted
apply_resources: on_start

# Never delete resources
delete_resources: never

# Delete resources when environment is stopped
delete_resources: on_stop

Use managed resources in CI/CD pipelines

To use managed Kubernetes resources in your CI/CD pipelines, specify the agent and optionally the template name in your environment configuration:

    name: production
      agent: agent-name
      template: my-template  # Optional, uses default template if not specified


Any errors related to managed Kubernetes resources can be found on:

  • The environment page in your GitLab project
  • The CI/CD job logs when using the feature in pipelines