FreeBSD Manual Pages

home | help

glab(1) glab(1)

NAME
glab-cluster-graph - Query the Kubernetes object graph using the GitLab
Agent for Kubernetes. (EXPERIMENTAL)

SYNOPSIS
glab cluster graph [flags]

DESCRIPTION
This command starts a web server that shows a live view of the Kuber-
netes object graph in a browser. It uses the GitLab Agent for Kuber-
netes running in the cluster. It requires:

• Version 18.1 or later of GitLab and the GitLab Agent.

• At least the Developer role in the agent project.

• This command requires a personal access token or project access token
for authentication. The token must have the read_api and k8s_proxy
scopes.

Leave feedback in issue 7900 <https://gitlab.com/gitlab-org/cli/-/is-
sues/7900>.

Resource filtering
To filter resources, namespaces, and select root objects, use Common
Expression Language (CEL) <https://cel.dev/>.

object_selector_expression: Filters objects. The expression must return
a boolean. These variables are available:

• obj: The Kubernetes object being evaluated.

• group: The group of the object.

• version: The version of the object.

• resource: The resource name of the object, like pods for the Pod
kind.

• namespace: The namespace of the object.

• name: The name of the object.

• labels: The labels of the object.

• annotations: The annotations of the object.

resource_selector_expression: Filters Kubernetes discovery information
to include or exclude resources from the watch request. The expression
must return a boolean. These variables are available:

• group: The group of the object.

• version: The version of the object.

• resource: The resource name of the object, like pods for the Pod
kind.

• namespaced: The scope of group, version, and resource. Can be bool,
true, or false.

To select root objects, use the --root-expression flag. When set, only
objects that are directly or transitively reachable from root objects
are shown. This flag uses the same variables as object_selector_expres-
sion, and must return a boolean. Multiple values are joined with OR
statements. If any match, the object is used as root.

For more information about using label selectors <https://kuber-
netes.io/docs/concepts/overview/working-with-objects/labels/#label-se-
lectors> and field selectors <https://kubernetes.io/docs/con-
cepts/overview/working-with-objects/field-selectors/> to select name-
spaces, see the Kubernetes documentation.

Advanced usage
Apart from high-level ways to construct the query, this command enables
you to construct and send the query using all underlying API features.
To understand what is possible, and how to do it, see the technical de-
sign doc <https://gitlab.com/gitlab-org/cluster-integration/git-
lab-agent/-/blob/master/doc/graph_api.md>

The user should have permission to access the agent project. For more
information, see Grant users Kubernetes access <https://docs.git-
lab.com/user/clusters/agent/user_access/>.

This feature is an experiment and is not ready for production use. It
might be unstable or removed at any time. For more information, see
https://docs.gitlab.com/policy/development_stages_support/.

OPTIONS
-a, --agent=0 The numeric agent ID to connect to.

--apps[=false] Watch deployments, replicasets, daemonsets, and
statefulsets in the apps/v1 group.

--batch[=false] Watch jobs and cronjobs in the batch/v1 group.

--cluster-rbac[=false] Watch clusterroles and clusterrolebindings
in the rbac.authorization.k8s.io/v1 group.

--core[=false] Watch pods, secrets, configmaps, and serviceac-
counts in the core/v1 group.

--crd[=false] Watch customresourcedefinitions in the apiexten-
sions.k8s.io/v1 group.

--ignore-arc-direction[=false] Ignore arc direction when evaluat-
ing root connectivity. Requires GitLab and agent version 18.3 or later.

--listen-addr="localhost:0" Address to listen on.

--listen-net="tcp" Network on which to listen for connections.

--log-watch-request[=false] Log watch request to stdout. Helpful
for debugging.

-n, --namespace=[] Namespaces to watch. If not specified, all
namespaces are watched with label and field selectors filtering.

--ns-expression="" CEL expression to select namespaces. Evaluated
before a namespace is watched and on any updates for the namespace ob-
ject.

--ns-field-selector="" Field selector to select namespaces.

--ns-label-selector="" Label selector to select namespaces.

--rbac[=false] Watch roles and rolebindings in the rbac.authoriza-
tion.k8s.io/v1 group.

-r, --resource=[] Resources to watch. You can see the list of re-
sources your cluster supports by running 'kubectl api-resources'.

--root-expression=[] CEL expression to select root objects. Re-
quires GitLab and agent version 18.3 or later.

--stdin[=false] Read watch request from standard input.

OPTIONS INHERITED FROM PARENT COMMANDS
-h, --help[=false] Show help for this command.

-R, --repo="" Select another repository. You can use either
OWNER/REPO or GROUP/NAMESPACE/REPO. The full URL or Git URL is also ac-
cepted.

EXAMPLE
# Run the default query for agent 123
glab cluster graph -R user/project -a 123

# Show common resources from the core and RBAC groups
glab cluster graph -R user/project -a 123 --core --rbac

# Show certain resources
glab cluster graph -R user/project -a 123 --resource=pods --resource=configmaps

# Same as above, but more compact
glab cluster graph -R user/project -a 123 -r={pods,configmaps}

# Select a certain namespace
glab cluster graph -R user/project -a 123 -n={my-ns,my-stuff}

# Select namespaces with a certain label
glab cluster graph -R user/project -a 123 --ns-label-selector environment=production

# Pass a custom watch request from a file
glab cluster graph -R user/project -a 123 --stdin < query.json

# Show objects reachable from pod roots
glab cluster graph -R user/project -a 123 --root-expression "resource == \"pods\""

Header And Logo

Peripheral Links

Site Navigation

FreeBSD Manual Pages

Header And Logo

Peripheral Links

Search

Site Navigation

FreeBSD Manual Pages