►
Description
Walk through the latest changes to GitLab Agent for Kubernetes and CI/CD tunnel. Learn how to the various impersonation options can be used from Cesar Saavedra
A
B
A
C
C
So
let's
get
started
so
I
have
this.
I
just
have
a
couple
of
slides
so
today
we're
going
to
cover
the
gitlab
agent
for
kubernetes
or
g84k,
and
also
the
gitlab
cicd
workflow
for
kubernetes,
also
known
as
the
cicd
tunnel.
That
was
the
old
name
and
we're
going
to
cover
the
generic
impersonation
using
the
tunnel.
C
If
you
attended
this,
the
sko
lab
the
first
five
minutes
will
be
that
and
then
we're
going
to
do
some
extra
stuff
after
that.
So
this
is
a.
It
has
a
lot
more
content
than
the
sko
lab
that
you
did
also
you're
going
to
learn
how
to
use
the
pool
based
git
ops,
to
create
an
instance
of
nginx
in
the
cluster.
C
C
C
There
we
go.
I
just
shared
the
link
in
chat
to
the
to
these
slides,
I'm
clicking
on
the
wrong
thing
now.
So
in
this
slide,
you
see
there's
a
link
here.
This
technical
video
resource
shows
you
how
to
set
up
the
class.
A
cluster
gke,
specifically
with
the
ga4k
and
deploying
the
gitlab,
manage
application
applications
to
the
cluster
using
the
cluster
management
project.
C
This
is
basically
it
leverages
the
cicd
tunnel
or
the
csd
workflow
for
kubernetes,
and
this
is
where
you
when,
where
you're
accessing
the
cluster
from
your
ci
cd
pipeline-
and
this
is
also
supported
by
the
agent,
the
specifically
talking
about
the
ci
cd
workflow
or
the
tunnel,
if
you
can
see
the
difference
between
the
the
left
picture
here-
and
this
picture
here-
is
that
in
this
case
we
are
just
on
the
right
side.
We're
showing
the
support
is
just
for
kubernetes
yeah.
C
Is
this
setup
process
going
to
change
actually
a
funny
story?
Mirko
yesterday
I
I
I
asked
my
teammate
to
be
my
guinea
pig
to
test
the
readme
file.
I
mean
the
instructions
here
in
preparation
of
today's
webinar
with
you
guys
and
we
noticed
some
changes
in
the
product
already,
so
I
had
to
quickly
update
the
instructions.
C
So
these
instructions
follow
the
the
setup
of
gitlab
ourselves
yesterday
and
what
was
changed
really
we'll
get
to
it
is
that
when
you
install
the
agent
before
we
were
you
needed
docker
and
now
you
don't
need
docker
running
on
your
laptop.
You
just
need
to
have
helm,
because
that
was
the
main.
There
were
some
other
minor
changes
in
the
ui,
but
they
were
minor.
C
So
just
in
case,
please
feel
free
to
ask
any
questions
at
any
point.
Okay
and-
and
if
I
miss
the
chat,
just
speak
up-
and
let
me
know
if
I
can
answer
your
questions
because
I'm
going
to
be
busy
following
these
instructions
all
right,
so,
let's
so
the
prerequisites
for
for
running.
This
is
basically
three
things
you
need
to
have
since
we're
using
gke.
C
Also,
the
prerequisite
was
the
creation
of
nmr
that
is
basically
the
create
that
will
create
a
namespace,
a
personalized
namespace
for
you.
This
was
similar
to
the
lab
that
we
did
in
sko,
and
this
is
the
part
that
I
need
to
do
once
you
create
the
mr
and
I
notice
you
know
I
notice
who's
created
emr
then
I
need
to
add
you
as
a
kubernetes
engine
admin
to
gcp
and
also
give
you
maintainer
access
to
the
project.
C
You
know
you
have
superpowers,
so
please
be
careful,
don't
don't,
kill
my
cluster,
I'm
going
to
leave
it
up
and
running
for
a
week
for
you
to
try
these
these
instructions
out
all
right.
So
let's
continue.
I'm
just
gonna.
Do
the
labs
these
labs
myself
and
you
can
they'll
get
recorded
and
you
can
watch
it
later
and
try
yourself
later
so.
The
first
thing
is,
I
have
an
open
terminal
which
and
I've
already
connected
connected
to
the
cluster.
Now
let
me
share.
C
C
C
And
don't
change
anything
in
this
command,
please
just
paste
it
paste
what
I've
put
in
the
in
the
chat
right
now
just
to
the
way
it
is
all
right.
So
then
you
can
double
check
once
you
paste
that
that
you
have
access
to
the
cluster,
which
I
already
do,
I'm
all
set
up
here.
Okay,
so
I'll
skip
these
steps-
and
here
I
just
put
out
if
you
have
any
kind
of
k9
tools,
you
know
you
can,
you
know,
observe
the
cluster.
You
know
browse
through
it.
C
C
C
C
C
And
in
here
we're
going
to
create
a
new,
a
new,
mr
and
we're
going
to
create
this
config.yml
we're
going
to
use
the
web
ide
so
that
when
you
use
the
web
id,
the
ui
allows
you
to
create.
It
creates
a
branch
for
you
and
a
brand
new,
mr,
so
it
just
makes
it
easier.
So
you
don't
have
to
if
you,
if
you
just
do
an
edit
you'll,
have
to
find
the
branch
and
it's
just
it,
takes
more
steps.
B
C
C
C
C
C
C
C
Wrong
command
there
we
go
all
right
and
now
there's
an
agent
running.
It's
been
running
for
nine
seconds,
so
the
running
those
helm
commands
has
deployed
this
agent
called
john
doe
get
lab
agent.
In
your
case,
you
will
see
the
pot
name.
Have
you
will
have
your
handle
here
in
front
and
you
know
every
one
of
you
will
have
your
own
agent
running
in
the
cluster.
C
Okay,
now
this
is
this
is
gonna.
It's
gonna.
Do
a
watch
right.
It's
you're
gonna
see
us
changes
as
the
agent
reacts
to
changes.
You're
gonna
see
output
here,
so
we'll
leave
that
screen
the
way.
It
is
all
right.
So
now
now
we're
going
to
now
that
the
agent
up
is
up
and
running
and
let's
go
ahead
and
merge
the
namespace.
C
So
we're
going
to
do
is
remember
the
mr
for
the
namespace
is
going
to
drop
basically
a
yaml
file
there.
Let
me
go
back
remember
this
is
gonna
drop
this
new
file
under
manifest
john
doe,
which
is
the
directory
that
the
agent
is
listening
or
is
observing
for
changes
now
before
we
do
that,
let's
make
sure
that.
D
C
A
git
ops
flow,
let's,
let's
exercise
to
get
up
slow,
so
I'll
get
a
flow
is
basically
includes
the
creation
of
the
issue,
the
mr
the
the
commit
and
the
merge,
and
then
we
watch
the
agent
basically
update
the
infrastructure
with
with
that
new
new
merge,
so
to
do
that,
let's
go
ahead
and
create
an
issue
under
ga4k
and
open
another
window.
Here,
let's
move
it
here.
C
C
There
we
go
now.
The
idea
is
in
in
dmr
all
the
collaboration
happens
among
all
the
stakeholders.
Working
on
that
on
resolving
that
issue
in
this
case
is
provisioning,
a
single
instance
of
nginx,
so
from
inside
the
web
id
we're
going
to
navigate
to.
In
this
case,
it's
going
to
be
manifest.
John
doe,
in
your
case
it'll,
be
your
handle,
we're
going
to
create
a
new
file
there,
nginx
yaml.
C
C
Okay,
good
good,
so
please
interrupt
me
if
you
have
any
questions:
okay,
all
right!
So
now,
let's
move
on
to
the
ci
cd
tunnel.
Now
the
cicd
tunnel
leverages
the
g4k
the
the
agent
to
access
to
securely
access,
the
the
kubernetes
cluster
okay.
So
now
we're
gonna
switch
topics
and
we're
going
to
be
doing
what
we
just
did
was
this
right
here.
C
Come
up
yes,
yes,
the
answer
is
yes
the
the
way
that
we've
designed
the
agent,
the
you
probably
want
to
want
to
have
an
agent,
maybe
per
project.
It
just
depends
on
the
needs
of
the
organization
or
the
department
how
they
want
to
split
the
agents
but
yeah
you
want
to
have
you
know.
The
expectation
is
that
you
will
probably
have
multiple
agents
and
the
classification
depends
on
on
the
organization.
It
could
be
by
department
by
project
et
cetera,
but
yes,
all
right.
C
C
C
C
C
C
C
C
C
C
C
And
here
you
can
see
what
we
saw
earlier
from
the
terminal
window
good.
So
now
we
have,
the
default
is
impersonating
the
agent,
and
this
would
you.
This
is
what
you
just
saw
the
the
pipeline
when
it
ran.
It
ran
with
a
default
impersonation,
which
is
the
agent
which
has
access
to
the
cluster,
with
no
restrictions.
C
C
C
C
C
C
So
now,
let's
assume
that
we
want
to
impress
this
could
be
jane.
I
could
you
know
I'm
assuming
that
it's
going
to
be
a
service
account
called
jane,
but
you
could
do
the
same
thing
with
the
ci
job
here:
okay,
so
in
order
to
be
able
to
impersonate
a
service
name
or
a
user,
we
need
to
create
a
service
account
for
that
user.
So
let's
go
ahead
and
create
jane.
C
C
Now
now
this
is
for
jane
right.
So
now
we
also
need
to
give
the
agent
the
permission
to
impersonate
another
service
account
that
doesn't
come
out
of
the
box.
So
to
do
that,
we
need
to
run
this
command
so
that
we're
going
to
create
a
cluster
role
called
impersonator
that
allows
to
imper.
It's
basically
allows
an
account
to
impersonate
another
service
account
and
then
we're
going
to
assign
we're
going
to
bind
that
to
the.
C
C
C
Now
we
all
those
commands
that
you
saw
earlier,
gave
jane
the
ability
to
list
parts
and
also
gave
the
agent
the
ability
to
impersonate
jane.
So,
as
you
can
see,
because
of
these
commands
that
we
executed
here
for
the
right
to
give
the
different
components.
The
right
permissions,
jane,
jane,
has
been
impersonated
here
and
jane
is
able
to
list
the
pods
that
are
running
in
the
cluster.
If
we
hadn't
done
the
created
these
permissions
or
cluster
roles
and
bindings,
the
second
command
would
have
failed,
just
like
in
the
ci
job
case.
E
C
So
those
are
the
three
that
we
have
so
far.
We
have
the
default,
which
is
basically
you're
impersonating
the
agent
pretty
much
gives
you
full
access
and
then
you
have
the
ci
job,
and
then
you
have
impersonating
service,
name
or
username.
I
believe,
let's
see
gitlab.
This
is
ci
cd
time
all
right
gitlab
they
changed
the
name.
C
C
So
that's
the
agent,
the
cicd
job
that
accesses
the
cluster,
and
this
tells
you
what
the
names
you
know
the
usernames
will
look
like.
Remember.
We
saw
that
lexia
job
and
then
a
number
like
this
one
and
then
the
third
one
is
a
static
identity.
In
this
case
we
use
jane,
and
those
are
the
three
options
that
you
have
we
have
so
we
provide
so
far.
E
E
B
D
But
effort
after
you
show
us,
the
impersonation
sounds
a
little
bit
redundant
to
me.
We
could
use
just
one
agent
and
use
impersonation
and
we
would
have
different
service
accounts,
deploying
different
research
in
the
kubernetes
cluster,
and
this
would
facilitate
audit
and
tracking
of
this
operation.
So
how
do
you
see
this?
If
you
are
using
impersonate,
you
still
feel
that
is
necessary
to
have
multiple
agents
in
the
same
cluster.
C
It's
just
a
matter
of
you
know
I
want
to
say.
I
know
this
sounds
a
little.
I
guess
it's
not
a
direct
answer
to
your
question,
but
it
depends
on
what
the
customer
needs
right
and,
and
the
good
thing
is
that
we
provide
both.
You
know
they
can
use
agent
with
an
agent
per
team
or
per
department
and
then
leave
everyone
in
that
department
just
access
to
that
cluster
with
the
default
agent
impersonation
user
default.
C
D
C
C
C
So
the
first
part
of
this
lab
covers
the
a
lot
of
the
integration
that
we
have
with
terraform
and
then,
which
is
what
we
call
the
push
based
and
terraform
is
you
know
you
can
use
terraform
from
non-kubernetes
infrastructure
targets
right
and,
and
then
the
second
part
covers
the,
which
is
this
is
very
long.
Actually.
C
C
The
second
part
of
this
one
is
using
the
agent,
basically
okay,
which
is
similar
to
what
you
saw
today,
but
with
screenshots,
which,
unfortunately,
unfortunately,
they
the
ui
changes
a
lot
with
gitlab.
So
I
try
to
keep
up
with
the
screenshots,
but
I'm
thinking
that
I
mean
have
to
do
without
this
update
actually
do
without
any
screenshots,
because
the
ui
just
changes
so
much
that
you
know
it
just
requires
a
lot
of
time
to
update
a
screenshot,
because
I
have
so
many,
but
this
is
another
resource
that
you
have
at
your
disposal.
C
A
Wonderful,
thank
you
so
much
for
your
time.
Yeah,
I
don't
see
anything
additional
in
the
dock,
but
if
you
have
any
questions
feel
free
to
add
them
on
there.
This
recording
will
be
ready
by
the
probably
by
the
end
of
the
day
and
I'll
post
it
on
customer
success,
just
as
I
always
do,
but
thank
you
so
much
for
your
time
today.
Cesar.
Thank
you
for
the
great
demo
and
thank
you
for
the
great
questions.