From YouTube: Container Network Security Demo for GitLab 12.8
Description
This is a demo of the new Container Network Security feature available in GitLab 12.8. The feature embeds Cilium to allow users to write NetworkPolicy rules that can restrict traffic between Kubernetes pods in a GitLab managed deployment.
A
Several pieces in volton in the network policy department, as you may read, policies themselves. Our ID is supported by the Kubernetes, but they have a hard work. Is it on continuing talk provided as a support for network policies and they selected Cilium as such provider for sister? We see so. The first step deploying network policies will be to set up a cluster. There is a Cilium.
A
We do that through the new thing called cluster management application ever it works is he'll create a cluster, for example, in my demo project, if I will go under the keeping of the settings, I already have a network policy cost the creators for the key to add, and one important thing to do is you have to assign a cluster management project to this cluster. You do this by selecting another GitLab project in this drop down person safe.
A
In this particular instance, I have already assigned a network policy cluster management repository to be a management project for this cluster. So if I will switch to the management of the story, this one structure is pretty simple. I realized so on CI rana to deploy management applications to the cluster. You don't have to create a cluster in the superstore.
A
A cluster to have to magically will be derived from the settings with just assign set approach is quite simple: GitLab shapes template that you can use in your CI configuration, so it's essentially two lines that you have to assign in your psychotic and by doing that, you will be able to enable certain applications in your cluster for this particular episode. We have enabled NGINX Ingress to be deployed to this cluster and Cilium to be deploy this class, so I have already run the pipeline for that.
A
It's essential, they'll show your witch Helm which, given exercises, will be deployed by the Helm, and you can Seraphin the output in all the details that you need and you can control the deployment process for the segue points. So if you'll go back into the actual demo project, this is second part of our work that we did so essentially the simple going applications that they may did. It has a simple web interface and it also has a support for one most requested. Essentially it being a response. I could be in power on vacation.
A
We are deploying applications for the or to the Box backwards, which is very uses. The same ought to do offices. Normally we just remove the necessary stages, like assassin last, because it's a really simple occasion and did not want to lose any time and that the actual network deployment application is enabled by defining your network policy inside the doget fought for the inn or to the point values file. So you can see if our cause is father's in it. What policy defiant for this particular application?
A
First of all, you have to obviously do enable network policy. By default, network policies are disabled, and then you have to provide the specification. Specification is optional. This she lays the default policies are defined by us. It doesn't have to be in here. What I will change it later on? Just enabling here is enough.
A
So what is policy? Does it only effects ingress? It also will affect all parts within this particular application namespace, and it will allow traffic from all applications within this namespace about. It will also allow all ingress traffic from the namespaces managed by key to apps in this particular application. This namespace is named space where we could've ever installed, NGINX Ingress, so yeah.
A
This one was already deployed, so does I made that this simple UI allows you to being another application deployed to this cluster and it will work based on the namespace and the service that is deployed to the cluster. Obviously, by itself it doesn't do much. So what we did we actually set up a second application from the branch of the repository.
A
It has slightly different policy, as you might notice. It also adds an additional block, and this block essentially whitelists ingress traffic from the apps that I just showed you. It does it by selecting that namespace using two labels, and you can see the app name is github at our defense, Network policy demo, it's the name that is generated automatically by Sherry around the photos, application and they only target production environment. So we are flexible to choose different levels.
A
There are several combinations that you can use, but for all your cases, most interesting one so again, I will go and try to find, yeah, I think it this one, yeah, it's a different and they all look exactly the same, so yeah. What we can do is we can point this app to try to access this app, and this one should not succeed. But if you will go in opposite direction, it should succeed that, based on the policies that we deployed.
B
So what I am seeing is that there are two different applications that have been deployed to a Kubernetes pod, each of which has their own network policies that have been applied, one that has been completely locked down. It can only talk within its own application, one that has been opened up, so it can speak to other applications within the pod.