Secure Workloads in Google Kubernetes Engine: Challenge Lab
Note: before proceeding with the lab, replace the red text with the values your own lab session provides, since they differ from person to person :))
Task 1:
gsutil cp gs://spls/gsp335/gsp335.zip .
unzip gsp335.zip
Note: open the Cloud SQL and Kubernetes Engine pages in new tabs now, so you can watch both resources come up.
gcloud container clusters create security-demo-cluster613 \
--zone us-central1-c \
--machine-type n1-standard-4 \
--num-nodes 2 \
--enable-network-policy
gcloud sql instances create wordpress-db-449 --region us-central1
Now refresh both tabs, click "Check my progress", and wait until you get the green check mark.
Task 2:
In the Cloud SQL instance, create a database named wordpress and add a user named wordpress with no password.
Service account:
gcloud iam service-accounts create sa-wordpress-912
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member="serviceAccount:sa-wordpress-912@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/cloudsql.client"
gcloud iam service-accounts keys create key.json --iam-account=sa-wordpress-912@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com
kubectl create secret generic cloudsql-instance-credentials --from-file key.json
kubectl create secret generic cloudsql-db-credentials \
--from-literal username=wordpress \
--from-literal password=''
Now, Create the WordPress deployment and service
kubectl create -f volume.yaml
Now go to the editor, open wordpress.yaml, replace the instance name placeholder with your Cloud SQL instance connection name, and save (in Cloud SQL, open the instance Overview page and use the copy button next to the name). {oof! check the video below if you didn't get it}
kubectl apply -f wordpress.yaml
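The two `kubectl create secret` commands above build Opaque Secrets from a key file and two literals. The following added Python example (not part of the lab or its files) builds the same two Secret objects as JSON manifests, which `kubectl apply -f -` accepts just like YAML, and adds a small audit function that shows what a reviewer would flag in them: the lab's deliberately empty database password and the long-lived service-account private key sitting in the cluster. The key file contents and the project id are constructed placeholders, not a real key.

```python
import base64
import json

# Constructed stand-in for the key.json written by `gcloud iam service-accounts keys create`.
# A real key carries more fields and a real private key; this is placeholder data only.
FAKE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "sa-wordpress-912@PROJECT_ID.iam.gserviceaccount.com",  # PROJECT_ID is a placeholder
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})


def b64(value: str) -> str:
    """Kubernetes stores Secret `data` values base64-encoded (encoding, not encryption)."""
    return base64.b64encode(value.encode()).decode()


def secret_manifest(name: str, data: dict, namespace: str = "default") -> dict:
    """Build the Opaque Secret that `kubectl create secret generic` would create."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: b64(value) for key, value in data.items()},
    }


def instance_credentials(key_json: str) -> dict:
    # Equivalent of: --from-file key.json  (the file name becomes the data key)
    return secret_manifest("cloudsql-instance-credentials", {"key.json": key_json})


def db_credentials(username: str, password: str) -> dict:
    # Equivalent of: --from-literal username=... --from-literal password=...
    return secret_manifest("cloudsql-db-credentials", {"username": username, "password": password})


def decode_secret(secret: dict) -> dict:
    """Reverse the encoding: this is what anyone allowed to `kubectl get secret -o yaml` can read."""
    return {key: base64.b64decode(value).decode() for key, value in secret["data"].items()}


def audit_secret(secret: dict) -> list:
    """Return human-readable findings for risky contents; an empty list means nothing was flagged."""
    findings = []
    name = secret["metadata"]["name"]
    for key, value in decode_secret(secret).items():
        if key == "password" and value == "":
            findings.append(f"{name}: empty password stored under '{key}'")
        if "BEGIN PRIVATE KEY" in value:
            findings.append(f"{name}: long-lived private key stored under '{key}'")
    return findings


if __name__ == "__main__":
    manifests = [instance_credentials(FAKE_KEY_JSON), db_credentials("wordpress", "")]
    # Pipe this output into `kubectl apply -f -` to create both Secrets declaratively.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2))
    for manifest in manifests:
        for finding in audit_secret(manifest):
            print("WARNING:", finding)
```

Running the script prints the List manifest followed by two warnings, one per Secret. The audit is the useful part: base64 hides nothing, so an empty password and an exported service-account key are readable by every principal with read access to Secrets in the namespace, which is why key rotation and least-privilege RBAC on Secrets matter beyond the lab.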
Task 3:
helm version
helm repo add stable https://charts.helm.sh/stable
helm repo update
helm install nginx-ingress stable/nginx-ingress --set rbac.create=true
kubectl get service
. add_ip.sh
student0300fdd647df7f.labdns.xyz (save the hostname you get for later use)
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
Go to the editor and edit issuer.yaml to include the lab email address.
kubectl apply -f issuer.yaml
Go to the editor and edit ingress.yaml to include the DNS address that . add_ip.sh printed.
kubectl apply -f ingress.yaml
Task 4:
Now go to the editor and append the following to the end of network-policy.yaml:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}
kubectl apply -f network-policy.yaml
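The policy appended above selects the nginx-ingress pods and gives them a single empty ingress rule, which matches every source; it only makes sense on top of a deny rule that covers the other pods. The following added Python example (not part of the lab's network-policy.yaml) builds both policies as JSON manifests (which kubectl accepts) and evaluates the Kubernetes rules for combining them, so you can check which pods end up reachable from anywhere before applying. The default-deny policy name and the nginx-ingress and wordpress pod labels are assumptions for illustration, not taken from the lab files.

```python
import json


def network_policy(name: str, pod_selector: dict, ingress=None, namespace: str = "default") -> dict:
    """Build an ingress-only NetworkPolicy; `ingress=None` means no rules, i.e. deny all ingress."""
    policy = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"]},
    }
    if ingress is not None:
        policy["spec"]["ingress"] = ingress
    return policy


def default_deny_ingress() -> dict:
    # Assumed name. An empty podSelector selects every pod in the namespace,
    # and having no ingress rules allows nothing in.
    return network_policy("default-deny-ingress", {})


def allow_world_to_nginx_ingress() -> dict:
    # The policy from the lab: one empty rule `{}` matches all sources.
    return network_policy("allow-world-to-nginx-ingress",
                          {"matchLabels": {"app": "nginx-ingress"}}, ingress=[{}])


def selects(pod_selector: dict, pod_labels: dict) -> bool:
    """matchLabels semantics: an empty selector matches every pod, otherwise every label must match."""
    return all(pod_labels.get(k) == v for k, v in pod_selector.get("matchLabels", {}).items())


def ingress_allowed_from_anywhere(pod_labels: dict, policies: list) -> bool:
    """Evaluate Kubernetes' combination rules for ingress.

    If no policy selects the pod, all traffic is allowed. Otherwise policies are additive:
    traffic is allowed only if some selecting policy has a rule that permits it, and a rule
    with no `from` entries permits every source.
    """
    selecting = [
        p for p in policies
        if "Ingress" in p["spec"]["policyTypes"] and selects(p["spec"]["podSelector"], pod_labels)
    ]
    if not selecting:
        return True
    return any(not rule.get("from") for p in selecting for rule in p["spec"].get("ingress", []))


if __name__ == "__main__":
    policies = [default_deny_ingress(), allow_world_to_nginx_ingress()]
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": policies}, indent=2))
    for labels in ({"app": "nginx-ingress"}, {"app": "wordpress"}):  # assumed labels
        print(labels, "reachable from anywhere:", ingress_allowed_from_anywhere(labels, policies))
```

With both policies in place the evaluation reports the nginx-ingress pods as reachable from anywhere and the wordpress pods as not, which is the intended shape: only the ingress controller is exposed, and everything else must be reached through it. Dropping the deny policy makes every pod reachable again, because a pod that no policy selects has no restrictions at all.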
Task 5:
Go to Security > Binary Authorization, enable it, click Edit Policy, and under specific rules select the GKE cluster rule:
- configure policy
- disallow all images
- create specific rules, select cluster
- add specific rule, type us and select the cluster from the dropdown, click add
- custom exception path
- add the image paths given
- save policy
Enable Binary Authorization for the Kubernetes cluster.
Task 6:
Copy and paste ->
kubectl apply -f psp-restrictive.yaml
kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
Hope it helped :))
If you found it a little bit useful, subscribe to "TECH_ED" on YouTube (it means a lot).
Very Short Video Explanation: