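#!/usr/bin/env bash
# GSP335 : Secure Workloads in Google Kubernetes Engine: Challenge Lab
#
# Runs the lab's tasks in order from Cloud Shell. The original walkthrough was a
# copy-paste list whose "//" notes, "->" image paths and the bare "- {}" yaml
# line are not shell comments: pasted as-is they run as commands ("//" is not
# found, "-> path" creates a file, "- {}" invokes "-"). Everything that is not a
# command is a "#" comment here; the console-only steps of Task 7 stay comments.
# Each task's commands can still be pasted on their own.
#
# Requires: gcloud, gsutil, kubectl (all present in Cloud Shell), and
# DEVSHELL_PROJECT_ID (Cloud Shell exports it).
set -euo pipefail

: "${DEVSHELL_PROJECT_ID:?set to the lab project id (Cloud Shell exports it)}"

# Values used by more than one task. The Cloud SQL user password and the
# cloudsql-db-credentials secret must hold the same string, so it is defined
# once instead of being typed twice. Passw0rd is the lab's placeholder; set
# DB_PASSWORD in the environment to use another value.
readonly ZONE=us-central1-c
readonly REGION=us-central1
readonly CLUSTER=kraken-cluster
readonly SQL_INSTANCE=kraken-cloud-sql
readonly SA_NAME=kraken-wordpress-sa
readonly SA_EMAIL="${SA_NAME}@${DEVSHELL_PROJECT_ID}.iam.gserviceaccount.com"
DB_PASSWORD=${DB_PASSWORD:-Passw0rd}
readonly DB_PASSWORD

# Lab files (the yaml manifests, add_ip.sh, ...) are copied into the current
# directory; the glob is quoted so it reaches gsutil untouched.
gsutil -m cp 'gs://cloud-training/gsp335/*' .

# ---- Task 1: Create Kubernetes cluster ----
# Network policy enforcement must be enabled on the cluster for the
# NetworkPolicy applied in Task 6 to have any effect.
gcloud container clusters create "$CLUSTER" \
  --zone "$ZONE" \
  --machine-type n1-standard-4 \
  --num-nodes 2 \
  --enable-network-policy
gcloud container clusters get-credentials "$CLUSTER" --zone "$ZONE"

# ---- Task 2: Create Cloud SQL instance ----
gcloud sql instances create "$SQL_INSTANCE" --region "$REGION"
gcloud sql databases create wordpress --instance "$SQL_INSTANCE" \
  --charset utf8 --collation utf8_general_ci
# --host '%' allows the user to connect from any host (the proxy sidecar in
# wordpress.yaml presumably connects from the pod). The password is passed on
# argv as in the original, so it is visible in process listings and history.
gcloud sql users create wordpress --host '%' --instance "$SQL_INSTANCE" \
  --password "$DB_PASSWORD"

# ---- Task 3: Create a service account ----
gcloud iam service-accounts create "$SA_NAME"
# roles/cloudsql.client is the least-privilege role for connecting through the
# Cloud SQL proxy; nothing wider is needed.
gcloud projects add-iam-policy-binding "$DEVSHELL_PROJECT_ID" \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/cloudsql.client"
# key.json is a long-lived service-account key; it is only needed to seed the
# cloudsql-instance-credentials secret below and stays in the working directory.
gcloud iam service-accounts keys create key.json --iam-account="$SA_EMAIL"
kubectl create secret generic cloudsql-instance-credentials --from-file key.json
kubectl create secret generic cloudsql-db-credentials \
  --from-literal username=wordpress \
  --from-literal password="$DB_PASSWORD"

# ---- Task 4: Create the WordPress deployment and service ----
kubectl create -f volume.yaml
# wordpress.yaml contains an INSTANCE_CONNECTION_NAME placeholder (line 61 in
# the lab copy) that must become the Cloud SQL instance's connection name. The
# original has you copy it from the instance's overview page in the console;
# this reads it from gcloud instead. '#' is the sed delimiter because the
# connection name contains ':'.
connection_name=$(gcloud sql instances describe "$SQL_INSTANCE" \
  --format='value(connectionName)')
sed -i "s#INSTANCE_CONNECTION_NAME#${connection_name}#" wordpress.yaml
kubectl apply -f wordpress.yaml

# ---- Task 5: Set up Ingress with TLS ----
# The original lists the installer for environments without helm; run it only
# when helm is actually missing. Note the installer is fetched from the helm
# repository's master branch, i.e. it is not pinned to a release.
if ! command -v helm >/dev/null 2>&1; then
  curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
  chmod 700 get_helm.sh
  ./get_helm.sh
fi
helm version
helm repo add stable https://charts.helm.sh/stable
helm repo update
helm install nginx-ingress stable/nginx-ingress --set rbac.create=true
# Wait until the load balancer has an external IP. The original watches with
# `kubectl get service nginx-ingress-controller -w` and expects you to Ctrl-C
# once the EXTERNAL-IP column is filled; a poll loop does not need that.
until [[ -n "$(kubectl get service nginx-ingress-controller \
  -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null)" ]]; do
  sleep 5
done
# add_ip.sh comes from the lab bucket and is sourced, so any variables it sets
# stay in this shell. NOTE(review): presumably it publishes the ingress IP for
# the labdns.xyz record — read it before sourcing to confirm.
. add_ip.sh
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
# The lab binds the current account to cluster-admin (cert-manager's GKE
# install instructions called for this so its cluster-scoped RBAC objects can
# be created). It grants that account full rights on the cluster; kept as the
# lab requires it. The substitution is quoted so the account is one argument.
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user="$(gcloud config get-value core/account)"
# issuer.yaml needs your email address set by hand before it is applied.
nano issuer.yaml
kubectl apply -f issuer.yaml
# ingress.yaml needs your YOUR_LAB_USERNAME.labdns.xyz DNS record on lines 11
# and 14 (presumably the rule host and the TLS host) before it is applied.
nano ingress.yaml
kubectl apply -f ingress.yaml

# ---- Task 6: Set up Network Policy ----
# Writes the policy the lab asks for instead of editing it in nano. With
# policyTypes: [Ingress] and a single empty ingress rule, all inbound traffic
# to pods labelled app=nginx-ingress is allowed; pods not matched by the
# podSelector are not governed by this policy at all.
# The API group is lower-case, networking.k8s.io: the original text shows
# Networking.k8s.io/v1, which the API server rejects as an unknown group.
cat > network-policy.yaml <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}
EOF
kubectl apply -f network-policy.yaml

# ---- Task 7: Set up Binary Authorization (Cloud Console only) ----
# 1. Go to Cloud Console -> Security -> Binary Authorization.
# 2. Enable the Binary Authorization API.
# 3. On the Binary Authorization page, click CONFIGURE POLICY.
# 4. Select "Disallow all images" for the Default rule.
# 5. Scroll down to "Images exempt from this policy", click ADD IMAGE PATH and
#    paste each of the following paths (one ADD IMAGE PATH per entry):
#      docker.io/library/wordpress:latest
#      us.gcr.io/k8s-artifacts-prod/ingress-nginx/*
#      gcr.io/cloudsql-docker/*
#      quay.io/jetstack/*
#    Note that the exemptions are path patterns, not digests: the wordpress
#    entry is a mutable tag and the other three are wildcards over whole
#    repositories, so anything published there is admitted.
# 6. Click SAVE POLICY.
# 7. Navigate to Kubernetes Engine -> Clusters, click the cluster name to open
#    its detail page, edit "Binary authorization", enable it and SAVE CHANGES.

# ---- Task 8: Set up Pod Security Policy ----
kubectl apply -f psp-role.yaml
# Filename as given in the original walkthrough; it looks like a typo for a
# psp-*.yaml sibling of psp-role.yaml — check the files copied from the bucket.
kubectl apply -f pop-use.yaml
# psp-restrictive.yaml ships with the extensions/v1beta1 API group, which newer
# Kubernetes versions no longer serve for PodSecurityPolicy. The original says
# to change "appVersion" in nano; the key is apiVersion, and sed does the edit.
sed -i 's#^apiVersion: extensions/v1beta1#apiVersion: policy/v1beta1#' psp-restrictive.yaml
# The original ends with a bare `kubectl apply`; the file just edited is the
# one to apply.
kubectl apply -f psp-restrictive.yaml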