Description
For the "happy path" video, see https://www.youtube.com/watch?v=R2O2Y8_MrQ8
Documentation used:
- https://docs.gitlab.com/ee/user/clusters/applications.html#install-cilium-using-gitlab-cicd
- https://docs.gitlab.com/ee/user/clusters/management_project.html#usage
- https://docs.gitlab.com/ee/user/application_security/threat_monitoring/#container-network-policy
A: Okay, so today we are here to go through a couple of steps related to having the network policies working with Cilium, using both the cluster integration and GMAv2 and GitLab. So we are going to go through Alexander's setup; he's not starting from scratch today. So it's going to be a free session. So let's go from there.

B: Cool, so as that sign in, basically what I have done thus far is: I have my onboarding from months and months and months ago, I'm almost at a year by the way, one more month, and in here in the Defense, what was called the Protect, no, Defend, I'm wearing, they talk about after you, runner set up, here's the kubectl and stuff, and all that, so I did go through all this. I installed Google Cloud SDK, which I'm not using that much; I installed kubectl, helm, minikube.

B: I have all this: Docker, as you can see up here, the runner, that's not part of this, local registry. I did this. I set up the local cluster as defined here. I believe I got these IP addresses from some how-to's in here. One must always remember that the GDK repo has a plethora of how-to docs right here, and so one of them is the registry. It tells you to set up all this with your GDK yaml. I've done that.

B: Yeah, in here it talks about all that. I have not been able to use HTTP yet; that is something I've sort of pushed off for now. I don't really care about it, but I am sort of locked right here, but anyways minikube is something I have set up, and if I go in here, make you, how do I view my registry, Zamir?

B: Got it, oh yeah sure, so I have a cluster set up, and so I went to the project I wanted to configure that cluster with; I went to Operations, Kubernetes.

B: And I connected a cluster with certificate, which is what this one was, but I, if you could connect existing cluster, and I just followed this documentation, and I did all these things, so when filling this out, you know, the cluster name can be whatever; the API URL you can get by running this command.

B: You throw that in there, you do... you do all, basically just follow this and I was able to connect my cluster no problem. So, as you see, non-environments, as you see here with the cluster, it's, I've named it local cluster one. But if there is information where we do see that there's one node, so that means it is actually attached, and if I can go, if I go here, I must install Prometheus, and here I could do that.

B: This will take a while, but it'll work. I had this working before, and so this is where I sort of get stuck now, because I don't know: for policies, we need Cilium installed and I don't know what that next step is. I have this that I ripped from staging, and I believe this is what you're talking about where the yaml, you have the yaml file, maybe, yeah.

A: Yeah, when you have the template, when you def, when you use that and page managed application, apps, that's the cluster GMAv2, and this is the configuration file that sets the applications that you want to install.

B: Yeah, got it, okay, so I could do cluster and like link it this way. I don't know.

A: Yes, there is one thing: as you are using minikube, minikube has a couple of options, and the way that Cilium works is that Cilium is a CNI plugin.

B: Do I have Cilium installed? I do. I went to the Cilium documentation, went to Getting Started using minikube, and I did all this and just followed all these things and then I, we can validate that installation.

C: The admins tend to want to do their own thing, and GitLab for a smaller cluster, it does the job, but once you start running into more complex problems, you won't... you won't address that and then you're going to have to do manual things anyway, so for the people that we're targeting for this, they're already doing all that. So there's no point asking them to go to GitLab and clicking they.

C: They can just run helm and do the command line install, and this is probably the direction that the Configure team is going as well with removing some of the stuff. So you're gonna have the option to tell GitLab, hey, this application is already installed in the cluster, here's how you talk to it, but you won't be able to install it using the interface anymore. So we've already done that, which is great.

A: I do now, so okay, so then I sent you the minikube configuration on Slack. It means that for us to be able to install Cilium into minikube, we need to be able to start minikube with settings that are going to allow Cilium to overwrite the CNI that's set by default, so you probably need to, you need to change your insecure registry and also you probably need to do a minikube delete before, because minikube is a single node, and I think it just supports one instance.

B: Awesome, I, yes, okay, and then I know I want to.

A: So, yeah, okay, so you did the cni cilium. If you do that, it actually installs Cilium. So then you're not going to use GMAv2. Does it make sense? Yeah, got it. What we want is that we just want to say that we are going to have a CNI and we are going to let minikube use the default one and then, after you run GMAv2, Cilium is going to be installed. The pods are going to be restarted and you are going to have Cilium installed by using vgf.

A: First step, we are going to do what Alexander did before: we are going to use the cluster integration to fill up the information about the cluster API, because the credentials, the certs, the token, and then with that Alexander is going to set the project that he has as a cluster management alpha, and then we can just hit the pipeline. We can just double check the configuration that he has in his project and then we hit the pipeline to install Cilium using GMAv2 into the cluster.

C: And the advantage of that, of course, is that if you're sharing a cluster with someone, everybody can see, can work off the same source, right? They all have the same project management, whereas if you do it manually, you know, people don't know what values you've used for the installation. Who knows what you've done, right?

A: Yeah, and also with cluster management, if you make a change on the project, let's say that you install Prometheus, you go there and configure file. You say Prometheus, install true, that's going to trigger a new pipeline and then it's going to just check the difference and it's going to stop removing the cluster.

A: Yeah, so the only requirement that we actually need is line one and two; of course it's important to have the other scanners and everything, but in terms of this feature, line one and two would be enough.

A: The only thing is that right now we are having... I have an MR that's going to make Hubble installed by default and the MR hasn't got merged yet, so then I'm gonna send you what I would like you to add as well. Would you rather have this on Slack or...

B: Zoom, okay, okay. Also, is it necessary for having policies set up?

B: Let's forget Hubble for now, then.

A: Okay, let's do that, so then, if you go inside the GitLab management apps directory you're going to find config.html.

A: Okay, so we are not using GKE, so we need to take line one off, because we are just going to use the basic default, the basic sections that don't require this.

A: Also in case you were looking forward to having Cilium as a blocking, you would have to create a folder called cilium under management apps and you would have to overwrite, because by default the policy is in audit mode; just a heads up for the future, because sometimes you deploy it and then you check Cilium logs and you don't see anything and you're wondering, oh, does my Cilium work on things like this?

A: Okay, so now we want to just end up the configuration file first and then we go back to the host, sure you. What was that? Did you save all the changes that we did, yeah? I committed them, awesome. Okay, so we have everything in master, right? Yep, okay, because the management template just builds if we are on master, yep.

B: Got it, awesome, yeah, and that is, that's somewhere in here. Here it is, yes.

A: Cool, so now we need to go doing that cluster integration.

B: Okay, so all these commands you sent me, they look like, actually, do you want me to basically connect another cluster?

A: A reminder why you're doing this, a reminder that you don't need to go to this one first.

B: Yeah, I've done this already.

A: Project, when you go to your cluster integration, and you say that the cluster management project, it can be considered as a cluster management alpha. It means that this project is going to have access as a cluster, I mean in your cluster all the other regular projects, they don't have that amount of power, so they cannot make a change in a cluster like changing, updating the CNI, for example.

C: You're running a bunch of helm and kubectl commands behind the scenes.

B: There documentation for, hey, job succeeded. Is there documentation for GMAv2 somewhere?

A: Master, because otherwise the deploy is not going to run; it's tied to master branch.

A: We can go to, that's a very good question. I'm gonna send you, let's do... Can you open another terminal besides?

A: Okay, so the only tricky here is that we deployed in audit mode. That's why I also have, so what happened is that on the cluster integration, you define this project with cluster admin privileges, so it means that whenever you run this pipeline here, it's going to have an effect in the...

A: And then, do you want to go in a new rule?

B: Okay, thank you. What were...

A: You saying you have a, you need to add a new rule just to do not allow anything, and you can go in the key value and just type app colon none, yeah, that doesn't exist. So it's not going to allow anything, and you can create, enable the policy first, yeah, or you can create and enable later on.

A: Okay, so then, oh hey.

A: So now do you wanna, do we wanna try to trigger something? We can go in the cluster now, just try to trigger a curl, awesome. Do you want to open another terminal? Sorry, that's a little bit of... Let's try, do you want to do kubectl get svc, all namespaces, just first to see which service you have over there for us.

A: So we have, oh, there is something here that might be good to mention. Can you see that under the third line? Third, not third line, third service? We have a gitlab management apps and we have an ingress controller. If you follow that to the right you're going to see external IP pending, can you see that? Yeah. So it means that it's waiting for something to provide it an external IP. So what do you do in this case? You just have another terminal and you do a minikube tunnel.

B: Nice, and that is actually in the onboarding doc.

A: Can check, you can check that out now, let's go to the repository that you have the config, the cluster management project, and then let's go to the repository, okay, we need to go inside gitlab management apps.

A: Now we create a file inside this folder called values.yaml, fully spelled.

A: And then inside this file, sorry, we are going to have... I'm gonna send you here. So then it's not like awkward.

A: I think we should see the pipeline running automatically and there is going to be an update on the Cilium side of things. It shouldn't touch ingress at all.

A: Okay, so let's.

A: Yes, awesome. Okay, so there's nothing coming there as well. So then this is the source of truth. It's not coming here! It's not generating anything! So then, what we're going to do now: quit this log there, we are going to, from this pod, we are going to access the other service inside the cluster. So in this case it should force the network policies to come up, the drop attempt to come up. So you can quit this one, Ctrl-C.

C: I can explain what that mess, so get... The last line there, see Cilium says from and to, see that last part there has got a 53 UDP, so 53 UDP is one of the ports for DNS. That's how I know that it's trying to resolve, so the curl command is trying to resolve that name that Zamir gave you, but because the policy that we added in the beginning is a denial, it's denying even the DNS.

A: I didn't: can you check again the name of the service, Alexander? Sorry, I just, I missed that.

C: At this point, let me explain what was happening there: we're all confused, because we were seeing a DNS resolution error that we were not expecting. However, there were no drops in the log, which was what we wanted, because we went to GitLab, we disabled the policy and applied it to the cluster. So that was right. The problem is that the namespace and the service name in the URL used in curl were in the reverse order.

C: Had we noticed that and reverted them, and did it again, we would have seen curl returning a response from the HTTP service. Zamir recorded a video with this exact situation, but only the happy path; if you just want to see a shorter, more direct video of how it should work, have a watch of that, it's in the description.