Description
Walk through the latest changes to GitLab Agent for Kubernetes and CI/CD tunnel. Learn how the various impersonation options can be used, from Cesar Saavedra.
A
Welcome everyone to another Skills Exchange session. We have Cesar here today to talk through, maybe, some hands-on activities. If not, you know, we'll do some demos as well. But Cesar, I'll go ahead and let you kick us off.
C
Hello everyone, thank you so much for joining. You should be seeing a screen that says CS Skills Exchange.
C
Great, so as I was mentioning, for those of you watching the recording, there was a prerequisite of creating an MR in this project before this moment and, unfortunately, no one created the MR.
C
So let's get started. I just have a couple of slides. So today we're going to cover the GitLab Agent for Kubernetes, or GA4K, and also the GitLab CI/CD workflow for Kubernetes, also known as the CI/CD tunnel. That was the old name. And we're going to cover the generic impersonation using the tunnel.
C
This is me. If you have any questions, please feel free to reach out to me via my handle, or Slack, or my email.
C
If you attended the SKO lab, the first five minutes will be that, and then we're going to do some extra stuff after that. So this has a lot more content than the SKO lab that you did. Also, you're going to learn how to use pull-based GitOps to create an instance of nginx in the cluster.
C
There we go. I just shared the link in chat to these slides. I'm clicking on the wrong thing now. So in this slide, you see there's a link here. This technical video resource shows you how to set up the cluster, GKE specifically, with the GA4K, and deploying the GitLab-managed applications to the cluster using the cluster management project.
C
This basically leverages the CI/CD tunnel, or the CI/CD workflow for Kubernetes, and this is where you're accessing the cluster from your CI/CD pipeline. And this is also supported by the agent, specifically talking about the CI/CD workflow, or the tunnel. If you can see the difference between the left picture here and this picture here, it is that in this case we are just on the right side. We're showing the support is just for Kubernetes, yeah.
C
Is this setup process going to change? Actually, a funny story, Mirko. Yesterday I asked my teammate to be my guinea pig to test the readme file, I mean the instructions here, in preparation for today's webinar with you guys, and we noticed some changes in the product already, so I had to quickly update the instructions.
C
So these instructions follow the setup of GitLab ourselves yesterday, and what was changed, really, we'll get to it, is that when you install the agent, before you needed Docker, and now you don't need Docker running on your laptop. You just need to have Helm, because that was the main one. There were some other minor changes in the UI, but they were minor.
C
So just in case, please feel free to ask any questions at any point, okay? And if I miss the chat, just speak up and let me know if I can answer your questions, because I'm going to be busy following these instructions. All right, so the prerequisites for running this are basically three things you need to have, since we're using GKE.
C
Also, the prerequisite was the creation of an MR that will basically create a namespace, a personalized namespace for you. This was similar to the lab that we did in SKO, and this is the part that I need to do: once you create the MR and I notice who's created an MR, then I need to add you as a Kubernetes Engine Admin to GCP and also give you Maintainer access to the project.
C
You know, you have superpowers, so please be careful. Don't kill my cluster. I'm going to leave it up and running for a week for you to try these instructions out. All right, so let's continue. I'm just gonna do these labs myself, and they'll get recorded, and you can watch it later and try yourself later. So the first thing is, I have an open terminal and I've already connected to the cluster. Now let me share.
C
And don't change anything in this command, please. Just paste what I've put in the chat right now, just the way it is, all right? So then you can double check, once you paste that, that you have access to the cluster, which I already do; I'm all set up here. Okay, so I'll skip these steps. And here I just put out: if you have any kind of k9s tools, you know, you can observe the cluster, you know, browse through it.
C
If you want. I don't use any; I don't use the k9s tools. You'll see, I just use simple kubectl commands. All right, so the next section is about creating a merge request for configuring your own agent.
C
Let's put "adding johndoe namespace".
C
And in here we're going to create a new MR, and we're going to create this config.yml. We're going to use the Web IDE, so that when you use the Web IDE, the UI allows you to create... it creates a branch for you and a brand-new MR, so it just makes it easier. So you don't have to... if you just do an edit, you'll have to find the branch, and it just takes more steps.
C
Wrong command. There we go. All right, and now there's an agent running. It's been running for nine seconds, so running those Helm commands has deployed this agent called johndoe GitLab agent. In your case, you will see the pod name will have your handle here in front, and, you know, every one of you will have your own agent running in the cluster.
C
So we're done with the agent. So one thing that we can do now, and it's right here in the instructions, let's go ahead and do a tail of the log file of your agent.
C
Okay, now this is gonna do a watch, right? You're gonna see changes as the agent reacts to changes. You're gonna see output here, so we'll leave that screen the way it is. All right, so now that the agent is up and running, let's go ahead and merge the namespace.
C
That needs to go away there. So this is basically saying, the configuration of the agent is saying that this is the directory that is going to be observed for changes, and if there is any file in there with an extension yaml, yml, or json, then the agent will react to those changes.
C
So what we're going to do is, remember the MR for the namespace is going to drop basically a YAML file there. Let me go back. Remember, this is gonna drop this new file under manifest/johndoe, which is the directory that the agent is listening, or observing, for changes. Now, before we do that, let's make sure that...
C
A GitOps flow. Let's exercise the GitOps flow. So a GitOps flow basically includes the creation of the issue, the MR, the commit, and the merge, and then we watch the agent basically update the infrastructure with that new merge. So to do that, let's go ahead and create an issue under GA4K and open another window here. Let's move it here.
C
There we go. Now, the idea is, in the MR all the collaboration happens among all the stakeholders working on resolving that issue, in this case provisioning a single instance of nginx. So from inside the Web IDE we're going to navigate to, in this case it's going to be manifest/johndoe; in your case it'll be your handle. We're going to create a new file there, nginx.yaml.
C
And we go ahead and we're gonna basically create the merge.
C
Let me see, I may not be fast enough to show you the before and after. Yeah, it was too fast, so the nginx was already created by the agent. The agent saw that new file and it instantiated a new pod. That is.
C
Okay, good, good. So please interrupt me if you have any questions, okay? All right! So now let's move on to the CI/CD tunnel. Now, the CI/CD tunnel leverages the GA4K, the agent, to securely access the Kubernetes cluster, okay? So now we're gonna switch topics, and we're going to be doing... what we just did was this right here.
C
Come up? Yes, yes, the answer is yes. The way that we've designed the agent, you probably want to have an agent maybe per project. It just depends on the needs of the organization or the department, how they want to split the agents. But yeah, you want to have, you know... the expectation is that you will probably have multiple agents, and the classification depends on the organization. It could be by department, by project, et cetera. But yes, all right.
C
You know, you can basically act on the cluster and do things to it, and get information from it, and create things, you know, Kubernetes artifacts and elements. So let's go back.
C
Just open a new window. What did I do?
C
This has all the information about the agents, and where we've been dropping the nginx in there and all that. So we're going to go ahead and create a project at this level, and then we're going to tell the agent... the agent is going to give permissions to this project to basically securely access the Kubernetes connection that the agent is maintaining. So, new project.
C
Now we could append all these parameters to this file, if you like, okay? So you can do... let's just do an edit. In this case we can just merge it to... yeah, let's just do an edit in this case instead of the Web IDE.
C
And the instructions say just... I'm sorry, maybe I made a mistake. Actually, we need to append. I apologize. We need to append; I made a mistake. So let's append this here, like that. So let's append that, and then we just commit to the main branch.
C
If you want to double check, we can go here.
C
It's right here, right? Yeah, yeah, it already ran. It's running. Look, the agent already reacted. So let's go to Pipelines for this project. Oh, and it passed, okay. So let's go!
C
It just ran a few seconds ago, triggered 30 seconds, seven seconds ago. Let's go into the only job in there and stage, and remember the pipeline basically had to recheck the pipeline.
C
And here you can see what we saw earlier from the terminal window. Good. So now we have... the default is impersonating the agent, and this is what you just saw: the pipeline, when it ran, it ran with the default impersonation, which is the agent, which has access to the cluster with no restrictions.
C
And the reason is, when you impersonate the CI job, there is a username that is basically created for you for that single execution. In this case the user is called "ci job" and then the number of the job, okay.
C
So now, let's assume that we want to impersonate... this could be Jane. I'm assuming that it's going to be a service account called jane, but you could do the same thing with the CI job here, okay? So in order to be able to impersonate a service name or a user, we need to create a service account for that user. So let's go ahead and create jane.
C
Now, this is for jane, right? So now we also need to give the agent the permission to impersonate another service account; that doesn't come out of the box. So to do that, we need to run this command, so that we're going to create a cluster role called impersonator that basically allows an account to impersonate another service account, and then we're going to bind that to the...
C
Now, all those commands that you saw earlier gave jane the ability to list pods and also gave the agent the ability to impersonate jane. So, as you can see, because of these commands that we executed here to give the different components the right permissions, jane has been impersonated here, and jane is able to list the pods that are running in the cluster. If we hadn't created these permissions, or cluster roles and bindings, the second command would have failed, just like in the CI job case.
E
I do, actually. Okay, go ahead. So can the configuration of the user also depend on the user which executes a pipeline?
C
When you use impersonate, it'll depend on the user that is being impersonated.
C
So those are the three that we have so far. We have the default, which is basically you're impersonating the agent, pretty much gives you full access. And then you have the CI job, and then you have impersonating a service name or username, I believe. Let's see, GitLab... this is CI/CD... all right, GitLab, they changed the name.
C
Here: authorized environment, certificate, impersonation, restrict project and group access.
C
So in this case I chose group, with the idea that any projects that I create under a group will, you know, have access to the agents. But you could, you know, select a specific project if you want for the impersonation step.
C
So that's the agent, the CI/CD job that accesses the cluster, and this tells you what the names, you know, the usernames will look like. Remember we saw that CI job and then a number, like this one, and then the third one is a static identity. In this case we used jane, and those are the three options that we provide so far.
E
Okay, so this basically means if I forget to configure "access as" and just have the project configured, everybody who has access to that project has agent access, right? Right.
D
Just a follow-up question on what was asked before. You mentioned that the agent is intended to have organizations using multiple agents in the same...
D
But after you showed us the impersonation, it sounds a little bit redundant to me. We could use just one agent and use impersonation, and we would have different service accounts deploying different resources in the Kubernetes cluster, and this would facilitate audit and tracking of these operations. So how do you see this? If you are using impersonate, do you still feel that it is necessary to have multiple agents in the same cluster?
C
So from customer interviews, what I've read is that the customers would like to split the access.
C
For example, it could be by department, so there's a need to do that. But other customers also want to even have a more granular restriction than, you know, having an agent per department, for example, and having everyone in a department access a cluster through that single agent, and in those cases you may want to restrict access to a single specific service name.
C
It's just a matter of, you know, I want to say... I know this sounds a little... I guess it's not a direct answer to your question, but it depends on what the customer needs, right? And the good thing is that we provide both. You know, they can use an agent per team or per department and then leave everyone in that department just access to that cluster with the default agent impersonation, user default.
D
Yeah, I can see what you're saying. Maybe one agent by department and then using impersonate, maybe to impersonate a specific developer from the department, yeah. So.
C
Whole set of exercises that I've been trying to keep up to date. This one here.
C
So this is... there's a bunch of CD labs, you know, for rollbacks, feature flags, etc., and this one, GitOps with GitLab, at the very bottom.
C
So the first part of this lab covers a lot of the integration that we have with Terraform, which is what we call the push-based, and Terraform is, you know, you can use Terraform for non-Kubernetes infrastructure targets, right? And then the second part covers the... which is... this is very long, actually.
C
The second part includes some of the content that you've seen today, which I really have to update, because I just discovered yesterday that some of the UI has changed. So as soon as we're done here, I'm going to update these instructions.
C
The second part of this one is using the agent, basically, okay, which is similar to what you saw today, but with screenshots, which, unfortunately, the UI changes a lot with GitLab. So I try to keep up with the screenshots, but I'm thinking that I may have to do this update, actually, without any screenshots, because the UI just changes so much that, you know, it just requires a lot of time to update a screenshot, because I have so many. But this is another resource that you have at your disposal.
C
So that's right here!

C
So, any other questions?
A
Wonderful, thank you so much for your time. Yeah, I don't see anything additional in the doc, but if you have any questions, feel free to add them on there. This recording will be ready probably by the end of the day, and I'll post it on Customer Success, just as I always do. But thank you so much for your time today, Cesar. Thank you for the great demo, and thank you for the great questions.