►
From YouTube: How to use ‘GitLab Kubernetes Agent Working Examples for Training and Demos’ 2022-06-01
Description
Darwin provided an overview of the training and demos that currently exist.
A
All
right,
thank
you,
everyone
for
joining
us
for
cs
skills
exchange.
Thank
you,
darwin,
for
hosting
us
last
minute.
I
know
we
didn't
have
a
topic
for
today
for
a
very
long
time.
So
thank
you
so
much
for
taking
that
responsibility
on
and
I'll
give
you
as
much
time
as
you
need
and
we'll
go
ahead
and
get
started.
B
Note
all
almost
like
99
of
the
slides
in
anything
I
show
you
here-
that's
used
in
the
workshop
is
also
progressively
disclosed
or
what
I
call
visual
microstory
slides,
so
they
unpack
on
the
screen.
So
you
can
tell
a
story,
but
I
just
wanted
to
you
know:
walk
you
through
some
of
the
things
that
have
been
done
here.
Try
to
give
you
an
idea,
too,
of
the
ways
that
you
can
use
this
and
I'm
very
excited
to
to
have
your
feedback
on
things
and
improvements
over
time.
B
It's
also
all
designed,
of
course,
with
everyone
can
contribute
in
mind,
turns
out
guided
explorations
both
this
slide,
as
well
as
the
concept
and
the
area
on
gitlab.
The
group
are
about
two
years
old
now,
so
just
about
past
two-year-old
birthday,
the
kind
of
the
model
that
was
presented
there
as
being
sort
of
a
a
reflection
of
my
time
doing
a
lot
of
training
as
a
solo
entrepreneur
was
that
a
working
example
was
the
best
foundation
to
build
enablement
from
so
once
you
have
a
working
example.
B
If
you
write
a
blog
article,
you're,
not
saying
stuff,
you
didn't
test
and
find
out
later
it
takes
customers
three
weeks
to
actually
get
what
get
the
blog
article
working
because
of
things
that
you
had
missed
about.
You
know:
hey,
they
wouldn't
have
this.
They
wouldn't
have
that
so
always
working
from
a
working
example,
no
matter
what
enable
it
you
build,
and
then
you
can
layer
up
on
top
of
that,
so
you'll
see
that
reflected
in
this
structure.
This
particular
graphic
by
the
way
is
over
in
guided
exploration
as
there's
a
special
readme
sub
project.
A
B
B
Interestingly,
this
actually
started
with
me
doing
some
work
with
teaching
a
class
for
to
a
coding,
bootcamp
company,
that
that
that
does
career
ups,
upgrading
for
opportunity,
youth
and
people,
switching
their
careers
into
tech,
and
so
that
part
of
that
that
became
a
part
of
this
was
the
kubernetes
setup.
That's
super
lean,
scalable
deployed
on
spot,
so
very
enablement,
oriented
kubernetes
deployment
and
also
deployable
by
anybody
without
infrastructure's
code
experience
because
of
using
amazon
quick
starts
as
the
way
to
launch
it.
B
B
B
So
a
runner-based
cd
push
and
a
get
up,
cd,
pull,
which
is
the
the
new
stuff
as
far
as
we're
all
concerned,
but
because
the
first
one
also
runs
over
the
kubernetes
agent
connection,
it's
important
to
see
it
working
and
then
you
know
and
can
show
customers.
It
works
the
same
over
the
gitlab
agent
connection,
it's
suitable
or
I'm
claiming
it's
suitable
for
get
lab
team
members,
customers
and
partners
as
both
an
audience
or
a
trainer
seller.
So
I
work
in
alliances
and
I
we
in
alliances.
B
These
are
the
examples,
so
there's
zero
scaffolding
as
or
as
close
as
possible
to
the
example.
So
when
a
participant
sits
down
and
goes
to
start
working,
we
I
tried
to
as
much
as
possible
make
it
where
you
copy
a
repository,
push
run
pipeline
and
it's
ready
to
go
so
there's
some
different.
There's
a
lot.
Well,
there's
a
lot
of
soft
coding
capability
that
you
have
to
keep
in
mind
in
order
to
make
something
that
quick,
it's
kind
of
like
the
five
minute
app
that
you
all
know
about
here
at
gitlab.
B
B
When
you're
done
it's
suitable
for
demos,
so
the
cluster
itself,
if
you
decide
to
use
eks,
can
be
turned
off,
it
can
be
scheduled
availability
as
long
as
you
don't
put
anything
in
there,
that's
stateful,
and
so
you
can
stand
up
a
long
running
demo
environment
with
this
and
leave
it
sitting
there
with
examples
of
hey.
This
is
here's
the
the
pre-bakes
right
all
of
us
who
do
a
lot
of
demos.
We
always
have
a
pre-bake,
so
we
say
okay,
I
kicked
that
off,
but
guess
what
we're
not
going
to
wait?
B
20
minutes
twiddling
our
thumbs,
we're
going
to
go,
look
at
one,
that's
done,
and
so
it's
suitable
for
a
demo
environment.
It's
designed
for
long-term
maintenance.
I
learned
very
quickly
being
a
solo
entrepreneur
in
training
that
maintaining
training
can
be
very
challenging,
especially
if
you
screenshots,
because
there's
no
way
to
search
and
replace
that
stuff
and
you
have
to
restage
your
whole
environment
to
redo
screenshots.
B
So
the
approach
uses
zero
screenshots
and
a
special.
What
I'll
call
diction
or
vocabulary
of
describing
the
screen
in
text
in
ways
that
your
eyes
would
normally
follow.
So
it
doesn't
worry
about
english
sentences,
it
worries
about.
Can
you
follow
on
the
screen?
What
the
instruction
is
telling
you
to
do
and
that
important
shift
allows
a
there
to
be
less
maintenance
b,
less
page
volume
and
c.
B
Also
anyone
can
contribute.
So
you
could
actually
extend
this
with
adding
exercises.
You
can
report
issues
with
exercises.
Do
an
mr
against
the
exercises
to
to
have
it
addressed
if
you've
found
errors,
lease
configuration
participant,
seed
projects,
that's
kind
of
the
same
as
zero
scaffolding,
so
least
configuration
so
when
the
participant
uses
these
as
seed
projects
they're
very
quick
and
easy.
It
also
happens
to
be
least
privilege
and
that's
more
of
a
production
concern.
B
So
we
do
the
least
amount
of
permissions
management
to
get
these
two
projects
to
talk
together,
reusable
production.
So
there's
a
lot
of
information
in
the
readme
or
actually
it's
in
a
wiki
now
of
these
projects
that
talk
about
why
this
particular
model
should
be
usable
as
a
direct
production
usage,
and
then
it
follows
the
getups
de
facto
industry
model
of
using
two
projects
and
a
tool
called
customize
for
all
file.
Templating.
D
B
Projects
is
important.
The
reason
why
we'll
talk
about
in
a
little
bit
is
there's
multiple,
there's
potentially
multiple
production
targets,
so
you
have
a
specific
microservice
application.
You're
building
in
one
project,
you
might
be
deploying
that
to
5
15
50
environments,
if
you
have
per
if
you
have
dedicated
tenancy
like
we're
developing
at
gitlab
and
you're,
deploying
that
and
customers
have
the
option
of
when
to
take
a
new
version
or
they
might
even
have
a
staging
environment
because
they
have
their
own
extensions.
B
Then
these
two
projects
have
to
be
loosely
coupled
and
there
has
to
be
two.
So
that's
a
little
bit
of
a
shift
for
all
of
us,
because
we're
used
to
showing
auto
devops,
which
is
one
project
in
reality,
it's
kind
of
two
projects,
because
auto
devops
is
infrastructure's
code
for
kubernetes
and
it's
integrated
into
the
pipeline,
so
it's
kind
of
hidden.
But
in
reality,
if
a
customer
writes
one
of
those
flows
for
a
completely
different
environment,
say
to
nomad.
B
So
that's
everything
green
is
initial,
build
here.
So
then
for
the
classroom.
Self-Paced
training
part
it
inherently
demos,
the
value
of
gitlab
ultimate.
So
it
makes
sure
that
we're
not
just
showing
here's
how
you
can
do
git
ops
on
git
lab,
but
here's
how
all
the
get
lab
ultimate
features
fold
into
that
and
why
you
want
ultimate
get
ups
with
gitlab.
B
It
works
on
any
gitlab
instance.
My
testing
was
on
gitlab.com
with
a
free
group
that
had
an
ultimate
trial
turned
on,
and
I
did
everything
as
the
instructor
with
a
free
gitlab
account,
there's
a
few
little
things
that
are
documented
about
having
to
provide
your
own
runners.
If
you
don't
want
everyone
to
have
to
do
a
credit
card.
Verification
to
you
share.
B
When
I
say
use
them,
it's
called
the
runner
vending
machine,
they
used
it,
they
didn't
know
they
had
used
it
to
deploy
the
runner,
but
because
it's
only
10
steps
and
an
existing
infrastructures
code
that
you
bring
up
the
panel
drop
in
your
your
registration
code
for
your
runner
and
run
it
and
you
end
up
with
a
scaled
runner.
So,
but
anything
else
is
better
right,
so
this
was
worst
case.
B
The
worst
case
scenario
is
everyone's
got
a
free
account,
including
the
instructor
and
they're,
using
an
ultimate
trial
on
a
gitlab.com
namespace,
so
because
it
works
in
the
worst
case
it
works
in
every
other
case.
I
still
do
advocate
be
careful
about
using
shared
runner
pools
of
any
kind
because
it
might
slow
down
the
class
and
in
this
setup
you
can
at
any
point
go
into
the
runners
and
say
hey.
B
Then
the
eks
workshop
portion
is
the
top
level
umbrella.
So,
rather
than
build
this
as
an
eks
workshop
and
then
later
go
back
and
say,
I
wonder
if
parts
of
this
could
be
used
by
others,
it's
been
built
modularly
on
the
way
up,
so
the
eks
cluster
config
is
a
part
of
the
eks
workshop,
but
can
also
be
used
in
any
context.
In
fact,
it
can
be
used
for
anytime.
You
need
a
very
inexpensive
schedulable
cluster,
that's
kind
of
enablement-oriented,
not
production,
and
it
demonstrates
the
value
of
ultimate
to
that
crowd.
B
So
as
far
as
extensions,
we
can
use
this
for
customer
demos
again
whether
it's
us
or
channel
partners
or
customers,
doing
internal
demos.
If
they've
got
large
enablement
teams
and
any
training
there's
a
lot
of
instructor
enablement
built
in
and
the
classroom
resources
are
scalable.
So
if
you
use
the
eks
cluster,
it's
got
the
cluster
auto
scaler
turned
on
so
in
theory,
more
the
more
people
join
the
class
and
start
pushing
projects.
It'll
start
scaling
the
cluster
on
its
own.
B
If
you
don't
like
that,
and
you
want
to
be
faster,
you
can
go
and
manually
scale
it
and
say
give
me
10
cluster
nodes.
I
don't
want
to
wait
for
any
auto
scaling,
so
both
modes
are
supportable
and
then,
if
you're
running
a
long
running
class
or
say
a
customer
or
a
partner
who's
running
classes,
but
doesn't
want
to
keep
all
the
infrastructure
running
in
between
them.
B
B
Okay,
so
what
is
aws
workshop.io,
so
we
did
this
together
with
amazon
as
part
of
aws
workshop
io.
So
I
just
want
to
note
that
the
reason
why
we
put
this
much
effort
into
it
is
this:
is
a
strategic
go
to
market
with
amazon.
So
this
is
one
of
the
ways
they
encourage
partners
to
engage
with
them
and
then
they'll
put
their
full
marketing
engine
behind
it.
B
So
in
general,
aws
workshop
io
content
is
developed
by
the
partner
us,
in
this
case
it's
generally
delivered
by
the
partner,
but
of
course,
we're
giving
instructor
enablement
here.
So
that
wouldn't
be
a
restriction.
If
amazon
wanted
to
deliver
it
themselves,
aws
co-promotes
it
but
lets
us
capture
the
leads.
So
this
is
unique.
Sometimes
aws
when
they
promote
something
lead
capture
is
a
really
dicey
issue,
but
in
the
case
of
workshops
they
will
push
to
their
lists.
B
For
us
we
don't
get
their
lists,
but
they'll
push
to
our
lists
for
us
and
we
can
push
to
our
lists
and
we
collect
those
registrations
and
and
the
leads
they're
ready-made
workshops.
So
it's
basically
hugo
websites
with
the
learn
theme
from
hugo,
as
luck
would
have
it.
I
do
my
own
blog
in
hugo,
so
this
wasn't
too
hard
of
a
lift,
but
also
our
own
technical
marketing
organization
has
been
playing
with
hugo
and
embracing
it
for
some
of
their
workshops
as
well.
So
some
interesting
synergy
there.
B
It's
generally
delivered
live
at
aws
offices
when
first
announced-
and
you
know
told
to
the
public-
it's
also
backed
by
a
custom,
aws
classroom,
provisioning,
automation
framework.
So
we
can
tell
them.
I
need
an
amazon
account
for
each
person
and
an
eks
cluster
for
each
person
built
with
eks
click
start
and
they
can
set
that
up.
In
this
case,
this
classroom
is
very
flexible
to
have
either
instructor
led
where
there
is
a
cluster
natively
account
that
students
don't
even
have
access
to
the
club.
B
The
the
instructor
can
show
some
demos
or
instructor-led
with
infrastructure,
and
you
could
have
them
deploy
the
infrastructure,
but
if
they
do
it's
going
to
take
an
hour
to
wait
for
each,
you
know
for
the
eks
clusters
to
stand
up,
or
they
could
be
any
blend
of
those.
So
you
could
set
up
one
cluster
for
the
classroom,
but
give
everyone
a
bastion
host
to
log
in
to
the
cluster
and
do
stuff.
B
So
it
all
depends
on
timing,
though,
because
the
labs
just
to
show
gitlab
deploying
workloads
to
amazon
value,
that's
about
three
hours
without
breaks
and
without
explanatory
information.
So
it's
also
a
mode
where
you
can
kind
of
fight
off
as
much
as
you
think
you
can
chew.
If
you
want
to
run
an
eight-hour
workshop,
you
could
probably
do
that
with
the
content.
That's
here
also,
these
workshops
are
frequently
designed
to
double
as
a
self-faced
training
after
the
initial
marketing
push,
and
this
is
that
way
as
well.
B
B
For
us.
You
know
for
the
agent
workshop.
This
is
how
amazon
does
business,
and
if
we
align
with
the
with
the
elephant
in
the
room,
then
we
potentially
get
an
elephant-sized
set
of
leads
of
qualified
leads.
So
that's
obvious.
A
big
impetus
for
us.
The
instruct
workshop
is
instruct
has
a
unique
platform
and
it
deploys
everything
for
an
individual
student
on
demand
within
about
four
or
five
minutes.
So
they've
really
focused
on
nailing
this
part
of
the
infrastructure
and
our
marketing
organization.
B
B
It
also
happens
to
function
as
an
after
words
on
demand
platform
as
well
for
the
same
reasons
if
a
student
comes
and
wants
to
do,
self-learning,
whether
we're
giving
it
away
for
free
or
charging
for
it
or
whatever
they
can
go
in
there
and
initiate
that
platform.
The
really
cool
thing
with
that
platform,
too,
is
it
also
is
very
marketing
enabled
and
conscious.
So
it's
always
trying
to
capture,
leads
and
understand.
B
Who
is
this
and
what
are
they
interested
in
that
kind
of
stuff,
so
awesome
platform
that
we
definitely
need
current
feature
coverage
as
far
as
the
get
lab
product
and
the
instructor
workshops
that
are
currently
underway,
you
can
accomplish
them
with
free.
You
can
also
do
accomplish
the
get
lab
agent
workshops
with
free,
but
we
go
on
to
continue
to
show
the
ultimate
features
that
we
can
make.
You
know
git
ops,
work
with
security
scanning,
dynamic
review
environments
and
other
other
bits
primary,
our
optimal
delivery
mode.
B
B
The
costs
go
up
with
on
the
instruct
side,
because
I
think
I
can
do
almost
a
classroom
of
one
for
the
same
price
as
one
self-paced
instance.
So
this
the
cost
scaling
is
a
little
bit
different.
The
agent
requires
you
to
provision
some
infrastructure
to
get
started
so
either
an
instructor
does
that
as
a
prep
lab
in
order
to
get
the
the
instruct
organization
or
the
classroom
environment
ready
or
the
students
do
it
themselves,
they
provision
the
full
infrastructure
themselves.
B
If
you're
running
a
lab
to
teach
infrastructure,
then
of
course
it
might
make
complete
sense
to
have
them
deployed
into
themselves.
Instruct
workshop
in
five
minutes
after
initiating
the
platform,
you're
ready
to
go
with
all
the
infrastructure,
which
is
really
cool,
participate,
cluster
access
and
experience.
So
the
the
workshop
has
multiple
modes
in
self-paced.
You
absolutely
get
this
because
you
have
to
because
you're
doing
all
the
infrastructure
to
support
your
own
learning
of
the
gitlab
platform
in
instructor
led.
B
We
could
do
it
as
demos
so
to
show
the
agent
being
registered
as
a
demo,
but
we
could
also
do
it
participant
based.
The
default
is
for
the
instructor
to
show
the
agent
being
registered
once
and
then
all
students
use
the
same
agent
registered
at
a
group
level
for
all
auto
devops
and
all
git
ops
examples
and
I'm
still
trying
to
test
the
scaling
of
the
agent
itself
to
monitor,
say
20
projects,
because
we
could
install
multiple
agents
if
it
won't
scale
with
one
customer
touch
level.
B
Both
are
high
and
zero,
so
you
can
deliver
them
in
classroom
environments,
where
you
get
a
lot
of
interaction
with
the
customer
trusted
advisor
conversations
or
xero.
The
customer
finds
this
stuff
and
does
it
themselves
cost
scaling
and
payer.
So
with
the
gitlab
agent
workshop,
the
participant
or
the
classroom
sponsor
pays
for
the
infrastructure,
so
it's
very
low
because
we're.
B
I
should
I'll
try
to
remember
to
show
you
the
cost
page,
but
because
it's
a
spot
cluster
running
on
spot-
and
you
can
turn
it
off
when
you
want
to
the
price-
is
crazy
low
per
hour.
If
you're
going
to
stand,
it
up
run
a
class
and
tear
it
down
it's
crazy,
low,
so
very
inexpensive
per
classroom
instruct
workshop.
B
B
I
I'm
not
sure
I
I
have
a
question
out
whether
we
would
allow
partners
to
send
you
know
to
conduct
a
workshop
and
use
20
instances
of
our
instruct
workshop
at
when
we
pay
or
not
or
if
there's
options
for
them
to
pay
lab
authoring.
Markdown
with
hugo
instruct
has
its
own
specific
authoring
system
reuse.
B
Cost
controls
instruct
is
very
low,
cost
it
pauses
environments
and
there's
no
charge
it
tears
them
down
automatically
after
time,
and
this
is
very
low
cost
due
to
some
some
similar
features,
but
there's
certain
fixed
overheads.
You
can't
get
rid
of
and
then
a
long
live
setup
for
prebek
demos,
especially
the
the
working
examples,
this
one's
very
suitable
for
that,
because
once
you
run
through
once
you
have
a
set
of
run
examples,
and
then
you
can
also
run
examples
while
you're
demoing
instruct
is.
B
You
could
use
it
for
this,
but
you
have
to
go
through
the
labs
to
set
up
your
done
one,
and
then
it
will
pause
the
environment
and
then
also
over
time.
If
you
don't
keep
going
into
it,
my
understanding
is,
it
will
eventually
expire
the
setup,
so
it's
a
little
bit
more
oriented
to
on
demand
for
a
participant,
as
opposed
to
for
a
demo
giver.
B
B
B
I
want
to
run
a
class
of
at
least
20
internally
to
see
how
various
parts
of
it
scale
and
make
sure
that
I
have
the
scaling
parameters
right
for
students
right
now.
I
tell
them
create
one
runner
for
every
five
students
and
I
don't
really
have
a
agent
a
feel
for
how
many
agents
should
be
created
per
student,
I'm
hoping
that
we
can
do
one
for
up
to
20
students,
but
we'll
figure
that
out
as
well.
B
B
I
have
one
more
update
to
this
site
that
has
not
been
merged
yet
on
the
amazon
side.
So
I'm
going
to
hop
to
this
is
on
git
lab
I
o.
So
this
is
a
gitlab
pages
version
of
the
updated
site,
but
officially
everyone
will
need
to
go
to
aws
workshop
one
and
we'll
push
people
there
and
give
you
links
using
hi
spot
in
order
to
promote
it
when
the
time
is
right.
B
B
B
There's
this
new
section
section
overview
and
this
section
overview
right
at
the
top.
It
says
the
visuals
in
this
section
are
also
provided
as
progressive
disclosure,
visual
microstory
slides
here.
So
it's
a
powerpoint
deck,
but
if
people
want
to
do
simple
delivery
or
for
those
who
are
self-learners,
they
can
just
expand
these
to
see
a
static
slide
without
unpacking
animations,
which
is
busy,
because
these
are
meant
to
be
viewed
by
unpacking
them
slowly
with
animations.
B
B
It'll
depend
on
the
audience
now
with
that.
That's
another
thing
too,
that
I
didn't
highlight
on
the
audience
that
is
audience
on
an
instruct
versus
this
one.
We
can
generally
rely
on
people
entering
aws
workshops
as
having
a
significant
amount
of
experience.
Most
of
them
are
not
entering
like
with
no
concept
of
what
the
underlying
technologies
are,
or
do
obviously
always
have
exceptions,
but
my
understanding
is
when
we
engage
the
general
public
on
our
instructional
sites.
B
B
B
So
they
have
steps.
They
have
a
certain
addiction
so
to
speak
or
vocabulary
where
they
try
to
help.
You
locate
where
you
should
be,
where
you
should
look
what
you
should
do
to
what
thing
on
the
screen
so
and
using
that
I've
had
a
lot
of
success
in
having
all
kinds
of
learners
with
all
kinds
of
details,
levels
of
wanting
to
be
instructed
or
wanting
to
be
free
form,
be
able
to
be
successful
with
following
this
kind
of
format
and
then
having
them
proceed
through
to
the
next
exercise.
B
All
right
so
now
I
want
to
teach
you
a
little
bit
about
the
get
ops
agent,
because
I
had
to
learn
this
stuff
and
a
lot
of
the
questions
I
see
coming
through
cs
questions
and
a
lot
of
the
status
meetings,
I'm
in
for
solutions,
architects,
the
stuff
I'm
about
to
show
you
comes
up
again
and
again
and
again
and
again
so
I
think
these
are
things
that,
to
me
were
kind
of
a
haas
that
I'm
hoping
are
helpful
to
you
about
what
is
the
kubernetes
agent?
Why
did
we
do
it?
B
What's
the
business
value
and
it
does
two
things
so
sometimes
people
get
kind
of
cross-wired
because
they're
like
well.
How
is
it
doing
the
old
thing
and
what's
the
value
of
the
new
thing?
So
let's
just
talk
about
some
of
these
things
and
then
we're
going
to
go
into
how
it
actually
works
as
well,
so
that
first
piece
of
text,
is
you
totally
ignore
that
I'll
take
that
out
later?
So
the
first
benefit
is
improved
security
posture
for
what
called
traditional
runner
cd
push
mode.
B
So,
on
the
next
slide,
I'm
going
to
show
you
we're
going
to
go
through
the
flows,
but
basically
previously
in
order
for
git
lab
to
talk
to
kubernetes.
You
had
to
like
make
sure
that
the
gitlab
instance,
wherever
that
is,
had
the
api
control
plane
of
the
kubernetes
cluster
available.
So
they
could
initiate
a
certificate
connection,
so
it
was
ssl,
but
that
could
that
interface
had
to
be
sitting
on
that
network.
Now.
B
This
was
all
in
private
networks,
maybe
not
a
big
deal,
but
as
soon
as
you're
on
gitlab.com,
you
have
to
put
your
cluster
endpoint
on
the
internet
or
you
have
to
yeah.
You
have
to
put
it
on
the
internet.
We
don't
have
vpns.com
so
that,
because
of
this,
this
is
one
of
the
reasons
why
our
configure
team
went
down
the
route
of
saying,
okay,
just
like
runner,
has
been
doing
for
years,
where
the
runner
initiates
with
a
connection
with
gitlab
and
then
control
information
flows
into
that
connection.
B
Let's
do
the
same
with
kubernetes
and
put
an
agent
in
the
cluster.
Have
it
reach
out
to
gitlab,
and
then
we
can
have
a
control
channel
open
to
that
cluster.
Without
it
ever
exposing
its
control
plane,
we'll
see
in
just
a
minute
how
that
works.
So
that's
the
a
big
value
is
our
traditional
cd
push
now
has
a
way
better
security
posture
with
the
kubernetes
agent,
when
you're,
integrating
with
the
kubernetes
cluster
anywhere.
B
The
second
one
is
support
for
a
true
get
off
cd
pull
mode.
So
basically
we
put
manifests
in
a
git
repository
and
the
agent
is
watching
those
man,
those
manifest
locations,
literal
repository
names
and
subfolders,
with
a
file
glob.
So
it
says
if
any
of
those
change
I'm
going
to
re-read
them
and
see
if
I
need
to
make
state
changes
to
the
application
running
in
the
cluster.
B
This
handles
both
initial
application
deployments,
as
well
as
upgrades
and
policy-based
configuration
management.
So
it's
not
just
about
the
images
that
the
manifests
are
pointing
to,
but
it's
also
about.
Oh,
you
changed
the
way
the
cluster
should
operate
or
you
added
a
whole
new
image
for
a
whole
new
pod.
B
So
all
that
configuration
based
management-
that's
policy
based,
so
you
set
it
in
the
manifest
and
the
cluster
agent
makes
it
so
so
that
is
our
ability
to
compete
with
the
likes
of
weave
works
and
other
argo,
cd
and
other
ones
that
are
doing
cd
pull
agents
into
kubernetes
clusters.
Both
are
supported
in
the
classroom.
We
use
one
agent
to
do
both.
You
can
use
10
agents
in
20
projects
on
five
clusters.
You
can
use
20
agents
in
20
projects
on
one
cluster.
B
The
clusters
can
be
anywhere,
so
it's
literally
many
to
many
to
many
there's
no
limit
in
the
class.
We
limit
it
to
one
agent
so
that
a
whole
hierarchy
integrates,
but
you
don't
have
to
do
it.
That
way,
and
that's
been
some
of
the
confusion,
is
the
group
level
integration
of
a
cluster
kind
of
went
away
and
then
a
lot
of
the
examples
that
were
given
are
oriented
towards
integrating
a
given
application
repository
to
a
cluster
with
an
agent.
B
B
B
Keep
in
mind
that
for
get
ops,
you
still
need
runners,
because
gitops
agents
don't
build
your
docker
file,
for
instance,
into
an
image
and
they
don't
run
security
scanning.
They
don't
do
any
of
that.
So
you
still
need
for
a
full
on
ultimate
solution.
You
need
runners
in
the
mix.
The
only
part
and
get
ops
agent
from
any
company
handles
is
the
actual
deployment
and
configuration
reinforcement,
so
you're
only
handling
deploy
with
a
get
a
kubernetes,
git,
ops,
agent
and
ours
only
handles
deploy.
B
So
you
still
need
cd
runner
capability
for
all
the
other
ci
activities
that
you're
going
to
do
so
in
that
mode
you
can
see.
Git
lab
is
being
ci
only
for
a
git
ops
project
and
then
the
kubernetes
agent
as
being
the
cd
portion.
Only
so
the
runner
has
been
doing
this
for
years.
It's
a
really
cool
architecture
whereby
the
runner
reaches
out
to
the
instance
to
the
rail
service
and
establishes
an
ssl
connection.
It
presents
its
credentials.
B
So
it's
runner
token
saying
hey
I
I
previously
you
authorized
me
to
talk
with
you
and
then
it
pulls
for
jobs
and
pulls
jobs
down.
The
really
cool
thing
is,
you
can
bury
this
in
a
very
secure
environment
and
as
long
as
it's
able
to
get
out
to
the
gitlab
instance,
wherever
that
is
and
return
conversations
are
allowed
stateful
firewalling,
then
you
can
bury
the
gitlab
runner
in
any
secure
environment
and
have
a
very
good
security
posture.
B
Then
it
presents
its
credentials,
hey
you
and
I
have
previously
been
wired
together
and
here's.
My
proof
that
we
I'm
authenticated
to
be
able
to
talk
with
you
that
happens
to
have
a
forward
into
the
rail
service.
That's
a
bit
of
architecture
that
doesn't
necessarily
need
to
be
represented
here
and
then
we
pull
those
manifests
and
pull
them
down
and
do
whatever
they
say.
So
that's
how
that
works.
B
D
B
Do
your
traditional
cd
push,
the
runner
does
its
normal
connection
up
here.
The
agent
does
its
normal
connection
here
and
then
this
is
possible
when
both
of
the
above
two
channels
are
established.
So
the
git
lab
runner
receives
a
job
that
happens
to
have
some
kubernetes
control
information
in
it.
It
then
initiates
to
back
to
git
lab
and
the
proxy
we
proxy
the
inter-service
connection
see
if
that's
it.
B
This
might
actually
be
talking
right
to
the
cavs.
Sorry
about
that.
This
may
not
be
the
most
updated
diagram.
This
is
plant
uml,
so
I'll,
amend
it
and
make
sure
this
is
correct,
but
I
think
the
gitlab
runner
might
be
talking
directly
to
the
cad
service
at
this
point,
but
in
any
case
it
can
then
push
a
job
down
to
that
agent,
and
so
that's
how
you
can
still
do
auto
devops
any
questions
about
the
overall
architecture
of
how
our
git,
ops,
agent,
works,
or
maybe
steven,
maybe
clarifications.
If
I,
if
I
got
something
wrong.
C
Hey
darwin,
one
of
the
things
that
I've
heard
was
the
the
level
of
permissions
at
the
gitlab.
The
kubernetes
agent
requires
I've,
seen
a
couple
of
things
about
how
to
lock
down
those
service
accounts
and
only
give
the
agent
the
permission
that
it
really
needs.
Have
you
found
or
is
that
level
of
information
included
in
in
the
workshop?
Those
details,
because
no.
B
It's
not,
and
part
of
that
is
probably
like
product
generally
builds
stuff.
That
is
enables
at
the
highest
level
and
leaves
it
up
to
customers
to
to
do
things.
Like
least
privileged
engineering
part
of
the
problem
is
that
could
be
very
platform
specific,
so
like
on
amazon
eks,
you
might
use
kubernetes,
I
am,
but
on
another
kubernetes
cluster
use
something
else.
Also
a
customer's
disposition
to
what
is
truly
least
privileged,
can
vary
dramatically.
B
Basically,
the
agents
are
bounded
by
namespace
as
a
default
as
my
understanding,
so
you
are
always
registering
it
into
a
namespace,
so
you
have
at
least
that
level
they.
I
don't
think
they
have
cluster-wide
permissions,
but
maybe
you
know
rob,
maybe
maybe
you
dug
into
it
deeper
already,
but
yeah
you,
you
need
to
work
that
out
with
a
given
customer
or
the
customer
would
need
to
work
it
out.
That
doesn't
mean
in
the
future.
B
We
can't
have
examples
like
if
you
came
up
with
an
example
of
you
know
a
use
case
where
you're
like
hey,
I
think
my
use,
my
least
privileged
permissions
for
the
kubernetes
agent
definition
would
apply
to
80
of
use
cases
or
you
get
the
pareto's
law.
80
of
these
privilege
benefits
with
the
fewest
possible
hassles.
B
B
F
B
B
Well,
it
all
depends
what
you
think
polling
is:
I'm
I'm
depicting
polling
as
pulling
something
from
the
so
here
in
runner
polling,
I'm
also
depicting
that
the
control,
so
these
are.
This-
is
control
channels.
So
this
final
one
is
app
control,
so
this
app
is
pulling
information
from
there.
This
manifest
is
being
pulled.
B
All
right
all
right,
thanks,
yeah
super
quick,
I'm
gonna,
I'm
gonna
go
into.
If
you
didn't
think
I
was
going
fast
already,
I'm
gonna
go
faster,
so
this
slide
is
how
you
demonstrate
to
students
how
the
registration
happens
and
then
how
the
the
cd
push
happens.
You
don't
have
to
give
this
slide
to
students.
You
could
just
completely
skip
it,
so
it
depends.
If
there's
an
infrastructure
crowd,
they
probably
care
a
lot
more
than
if
it's
a.
B
B
The
agent
gets
installed
and
then,
in
my
case,
the
config
file
registers
it
to
a
top
level
group
at
the
same
level
as
that
cluster
management
project
and
that's
important,
because
that's
going
to
cascade
the
capabilities
all
the
way
through
the
group
hierarchy,
then
I
use
the
managed
apps
ingress
insert
manager.
So
we
can
get
an
environment
up
to
speed
quickly
as
a
training
environment.
So
we
want
try
to
get
ssl
working
and
for
sure
have
an
ingress
working
so
that
we
can
see
our
apps
get
deployed
and
see
the
front
end.
B
B
So
we
now
have
those
two
apps
and
then
it's
important
to
put
these
variables
at
the
top
group
level.
The
most
and
also
I
have
steps
in
the
labs
to
wait
for
to
make
sure
that
your
nip.io
ip
is
being
issued
at
the
right
time
and
waiting
before
moving
forward,
so
that
will
work
correctly
in
the
next
lab.
One
of
the
most
fundamental
things
here
is
at
the
cube
name,
space
level
abstracting
it
by
project.
B
This
is
something
I
didn't
know
if
it
was
going
to
work,
but
it
does
work
so
this
when
this
variable
is
not
resolved
until
it
gets
into
a
project.
So
now
I
have
a
globally
unique
namespace
across
all
projects
in
an
entire
hierarchy
whenever
they
deploy
using
auto
devops
or
auto
devops.
Specifically,
if
you're
doing
cd
push,
you
might
manually,
make
the
coupe
name
space,
what
you
want
it
to
be
for
your
application,
but
for
auto
devops
to
work
this
has
to
with
the
least
amount
of
scaffolding
in
class.
B
B
Then
when
they
go
to
use
this,
they
do
an
automat,
devops
managed
app.
They
configure
autodevops
that
uses
a
runner,
so
autodevops
and
cd
push
always
use
a
runner
and
then
using
that
kubernetes
agent
proxy.
We
talk
to
the
agent
and
the
agent
does
the
install,
but
we've
essentially
pushed
it
to
the
agent.
This
is
not
get
ops
and
then
the
same
applies.
B
The
same
abstractions
are
necessary
for
the
for
the
actual
push.
This
is
get
ops
for
cd
pull,
so
we
have
the
cluster
management
project.
We
register
the
agent
we
install
the
agent
we're
now
registered
at
this
group
level,
but
this
is
kind
of
this
is
for
labs.
This
is
for
classroom
production,
especially
a
production,
app
they're,
probably
going
to
only
register
their
group.
B
B
I
also
happen
to
use
four
labs,
the
ingress
and
the
cert
manager.
Now,
production,
you
definitely
would
not
use
the
cert
manager
and
the
ingress
might
be
different.
So
this
is
number
five
here
is
more
an
artifact
of
creating
a
classroom
environment
or
a
self-paced
environment
where
you
can
quickly
get
to
be
production
ready
without
having
to
know
how
to
make
all
this
junk
work
in
a
kubernetes
cluster
same
deal
same
abstraction,
except
we'll
see
that
we're
going
to
override
we're
going
to
override
coupe
context.
B
Cert
manager
is
only
for
classroom
convenience
and
the
prod
cluster
registration
would
probably
be
perhaps
not
an
entire
cluster
for
an
entire
group
hierarchy.
So
just
so
you
understand,
then
we
do
cd
pull.
We
have
our
app
build
project
and
okay.
So
now
this
is
I'm
I'm
I'm
sorry
to
bend
your
mind,
but
remember
the
get
ops
agent
is
only
for
cd
push.
B
So
if
I
want
to
do
kit
lab
security
scanning,
I
do
have
to
enable
the
easiest
way
to
enable
auto
devops
on
the
artifact
generating
repository
that
normally
just
results
in
a
generated
artifact
and
nothing
else.
But
now
we're
going
to
push
it
through
an
auto
devops
pipeline
so
that
we
can
do
all
the
security
scanning
before
we
even
consider
the
image
as
production
ready.
B
So
it's
a
little
bit
of
a
mind
bend
here
in
that
we
are
going
to
enable
even
auto
devops
or
security
scanning.
Specifically,
if
you
only
want
to
enable
security
scanning
the
runner
executions-
and
we
do
need
the
runner
to
build
the
image
in
any
case,
whether
we're
using
autodevops
or
not.
We
need
the
runner
to
build
the
image.
B
F
B
If
we
do
auto
devops
that
that
would
proxy
an
auto
devops
build
of
the
app
exactly
like
auto
devops
works
today,
it's
not
using
the
kubernetes
agent,
but
we
don't
care
because
we
want
us
to
be
able
to
scan
that
and
to
see
the
changes
in
the
ui.
So
we
want
dynamic
review
environments.
Easiest
way
to
get
them
is
enable
auto
devops
on
the
application
building
repository
in
the
labs.
B
B
B
C
B
B
B
Okay,
I'm
not
going
to
walk
through
this,
but
this
is
showing
you
today's
auto
devops,
which
is
basically
trunk
based
development.
So
this
is
how
auto
devops
works
today
and
how
it
works
as
a
gitlab
ci
cd
agent,
and
you
can
turn
on
or
off
the
staging
environment,
which
is
basically
switching
between
continuous
deployment
and
continues
delivery
to
staging
or
continuous
deployment
to
production,
the
multi-production
configs.
B
So
why
would
you
need
for
git
ops?
Why
would
you
need
multiple
production
configs,
sometimes
at
gitlab
and
sometimes
customers
themselves?
Small
teams
don't
understand
that
for
scaled,
get
ops,
there's
lots
of
reasons
why
you
might
have
one
application
project
building
an
application
that
then
is
used
by
five
ten
fifteen
hundreds
of
target
environments,
and
so
because
of
that
I've
documented
these
and
you
can
walk
through
and
talk
talk
through
them
with
the
customer.
B
So
the
getups
part
one
is
basically
when
you're
done,
there's
no
deployment,
you
basically
release
artifacts
and
the
way
we
do
this
is
mark.
An
image
latest
dash
prod
is
the
final
step
of
the
get
ops.
This
here
is
using
autodevops
so
that
before
we
ever
mark
an
image
as
prod,
we
can
see
how
it
works
through
auto
devops
and
dynamic
review
environments
and
security
scanning.
We
can
get
all
that
information
back
to
understand.
B
B
So
we
might
actually
want
to
see
a
review
environment
in
the
in
the
govcloud
environment
and
then,
when
we
deploy
we
might
or
and
or
we
might
want
a
staging
environment
to
see
if
it
works
with
all
the
gov
stuff
that
we've
done
to
the
app
to
make
it
work
right,
the
environment,
specific
gov
stuff
and
then
we
deployed
to
production.
So
don't
always
depict
this
as
high
trust
level
between
the
team
that
creates
the
app
and
the
team
that
deploys
it.
B
That
list
of
different
reasons
why
you
have
multiple
prods
shows
you
there's
different
levels
of
trusts.
So
therefore
there
would
be
different
levels
of
qualification
if
you're
one
team
deploying
one
app.
It's
probably
good
that
the
app
repository
has
got
such
good
testing
that
the
product
the
deployment
ones
can
just
suck
that
in
and
go
straight
to
production,
because
you've
done
such
good
testing
that
if
you've
ever
marked
an
image,
prod
latest
prod,
then
everyone
knows
they
can
deploy
it
without
a
problem.
B
If
that's
not
the
model,
then
of
course
you
can
loosen
the
trust
by
having
loose
coupling
the
the
teams
who
consume
can
be
less
trustworthy
up
number
two
is
an
operator
triggers
it,
so
they
can
just
run
a
pipeline
and
say
new
version
variable
equals
enter
and
shove
it
and
then
automated
pipeline
triggers.
This
is
way
the
examples
work.
They
monitor
the
new
image
versions
in
the
image
repository
and
then
you
can
either
create
a
scheduled
pipeline.
B
B
This
is
how
lease
configuration
and
lease
privilege
works.
So
basically,
why
does
this
work
for
how
how
have
I
re-enabled
groups
working
properly?
We
have
a
assumed,
apparent
level
group
for
which
everything
should
work
on
all
down-bound
groups.
We
then
create
a
cluster
management
project
at
that
level
and
do
an
agent
registration
at
that
level
and
publish
that
cube
context
at
that
top
group
level.
So
these
this
is
what
makes
one
agent
be
able
to
work
for
an
entire
hierarchy
into
one
cluster.
B
B
Then
any
group
hierarchy
is
allowable
underneath
that
so
this
group,
this
block,
represents
a
group
hierarchy.
That's
under
this
top
level
group
and
now
cd
push
works
by
sourcing
these
values,
a
application
building
project
works.
It
publishes
an
image
and
then
we
have
to
publish
a
read
regreed
token,
so
that
everything
in
the
hierarchy
can
read
this
image,
and
especially
this
label,
which
has
the
version
and
then
a
consuming
environment.
B
B
I'm
not
going
to
go
through
this.
We
don't
have
time,
but
I'll
just
quickly
say
that
this
ability-
I
discovered
this-
I
didn't
know
this
ahead
of
time.
Customers
have
been
doing.
Git,
ops
forever
would
know
it.
But
if
you
embed
the
version
as
a
tag
and
a
label,
then
you
don't
have
to
go
and
enumerate
tags,
try
to
guess
which
ones
are
formatted
to
be
the
version,
sort
them
and
pick
the
latest
in
order
to
find
the
latest.
B
You
just
pull
the
latest
prod
image
tag
and
you
look
at
the
version
label,
and
you
know
what
the
latest
version
is.
It
also
uses
scopio
and
crane
both
of
them,
which
read
remote
repositories
without
downloading
images.
So
it's
a
lot
more
efficient
than
any
approach
that
pulls
an
image
in
order
to
read
its
attributes
and
that
works
both
for
the
auto
incrementing,
auto
self
incrementing,
because
I
can
read
my
latest
version
increment.
B
B
B
I'll
show
you
the
workshop
site,
I
didn't
show
you
actual
I'll,
just
quickly
walk
you
through
these
are.
This
is
a
top
level
group
I've
integrated
in
this
way.
These
are
pretend
students
and
the
pretend
students
are
doing
a
auto
devops
workshop
and
then
they're
doing
git
ops
with
these
two.
It
all
works
as
advertised
and
as
we
discussed,
the
actual
projects
that
you
copy
are
under
guided
explorations.
B
B
In
the
workshop.
In
order
to
work
with
free,
we
use
deploy
tokens
in
production.
You
would
use
group
access
tokens
because
they
would
be
able
to
give
you
read
access
to
everything
under
apps
all
the
way
down
and
so,
but
to
get
around
the
limitations
of
free.
I
wanted
to
make
sure
this
worked
with
free
and
it
does
stay
in
the
exercises
using
group
access
all
right,
I'm
going
to
stop
speed
talking.
B
If
you
would
like
to
be
involved
in
a
class
where
I
am
the
instructor
and
you
all
sit
through
this
one
time,
I'm
going
to
try
to
have
that
in
the
next
either
two
or
three
weeks
from
now.
It
would
be
probably
I'd,
probably
schedule
a
four-hour
block
and
try
to
scale
it
up.
So
we
have
at
least
20
participants
of
some
type.
B
I
will
even
invite
external
folks
to
it
if
I
need
to
to
get
up
to
the
right
scale,
but
if
you
all
know
folks
who
want
to
learn
this
and
get
ready
for
demos,
let
them
know
and
then,
if
you
want
to
be
and
potentially
be
an
instructor
for
it,
I
would
really
really
ask
that
you
attend
that
the
instructor
notes
in
the
workshops
there's
an
entire
prep
section.
It
says
you
need
to
run
through
everything.