Secure Workloads in Google Kubernetes Engine: Challenge Lab


Note: before starting the lab, remember to replace the highlighted values below (cluster name, SQL instance name, service account name, DNS host name) with the ones given in your own lab instructions, as they differ from person to person :))


Task 1: 

gsutil cp gs://spls/gsp335/gsp335.zip .
unzip gsp335.zip

Note: just in case, open the SQL and Kubernetes Engine pages of the Cloud Console in new windows so you can watch the instance and the cluster come up.

gcloud container clusters create security-demo-cluster613 \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy

gcloud sql instances create wordpress-db-449 --region us-central1

Now refresh both new windows, check your progress, and wait until you get the green check mark.



Task 2: 

Create database - wordpress
Add user - wordpress (no password)

Service account
gcloud iam service-accounts create sa-wordpress-912

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:sa-wordpress-912@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=sa-wordpress-912@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password=''


Now, create the WordPress deployment and service


kubectl create -f volume.yaml

Now open the editor, replace the instance name in wordpress.yaml with your SQL instance name (in the console click SQL, open the instance and copy it from the Overview page), then save. {oof! check the video below if you didn't get it}

kubectl apply -f wordpress.yaml
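To show how the two Secrets created above are actually consumed, here is an added example of a WordPress Deployment with a Cloud SQL Proxy sidecar. It is not the lab's wordpress.yaml; the PVC name wordpress-volumeclaim, the label app: wordpress, the WordPress image tag and the connection-name placeholder PROJECT_ID:us-central1:wordpress-db-449 are assumptions you would adjust to your lab values.

```yaml
# Added example (not the lab's wordpress.yaml): WordPress plus a Cloud SQL
# Proxy sidecar that reads the service account key from the
# cloudsql-instance-credentials Secret and the DB login from
# cloudsql-db-credentials.
# Assumptions: PVC "wordpress-volumeclaim" (from volume.yaml), label
# app=wordpress, and PROJECT_ID in the connection name (replace it).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  labels:
    app: wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: wordpress
        image: wordpress:5.4-apache      # assumed tag; pin the one you use
        ports:
        - containerPort: 80
        env:
        - name: WORDPRESS_DB_HOST
          value: 127.0.0.1:3306          # reached through the proxy sidecar
        - name: WORDPRESS_DB_USER
          valueFrom:
            secretKeyRef:
              name: cloudsql-db-credentials
              key: username              # created with --from-literal username=
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cloudsql-db-credentials
              key: password              # created with --from-literal password=''
        volumeMounts:
        - name: wordpress-persistent-storage
          mountPath: /var/www/html
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.16
        command: ["/cloud_sql_proxy",
                  "-instances=PROJECT_ID:us-central1:wordpress-db-449=tcp:3306",
                  "-credential_file=/secrets/cloudsql/key.json"]
        securityContext:
          runAsUser: 2                   # the proxy needs no root privileges
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql   # key.json lands here (Secret key name
          readOnly: true                 # comes from --from-file key.json)
      volumes:
      - name: wordpress-persistent-storage
        persistentVolumeClaim:
          claimName: wordpress-volumeclaim
      - name: cloudsql-instance-credentials
        secret:
          secretName: cloudsql-instance-credentials
```

The database is only reachable on the pod's loopback through the proxy, which authenticates to Cloud SQL with the sa-wordpress key; the WordPress container itself never sees key.json. Once the Secret exists, the copy of key.json in your Cloud Shell working directory has no further use, and the exported key is a long-lived credential, which is why on GKE Workload Identity is the preferred way to give the proxy its identity outside a lab.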


 
Task 3: 


helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service

. add_ip.sh  


student0300fdd647df7f.labdns.xyz (save it for later use as the host name)


kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)

Go to the editor and edit issuer.yaml to include the lab email address

kubectl apply -f issuer.yaml

Go to the editor and edit ingress.yaml to include the DNS address you received as output from . add_ip.sh

kubectl apply -f ingress.yaml


 
Task 4:

Now go to the editor and add the following to the end of network-policy.yaml:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}


kubectl apply -f network-policy.yaml
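The rule above only makes sense against a default-deny baseline: a pod that no NetworkPolicy selects accepts all traffic, so an allow rule on its own changes nothing. As an added example (not the lab's network-policy.yaml), here is a complete file showing where that rule fits, together with a rule that limits who may reach WordPress. The labels app=nginx-ingress (as in the rule above) and app=wordpress are assumptions; use the labels your manifests actually carry.

```yaml
# Added example, not the lab's network-policy.yaml.
# Assumed labels: ingress controller pods app=nginx-ingress, WordPress pods
# app=wordpress. Enforcement relies on the cluster having been created with
# --enable-network-policy (Task 1).
---
# 1. Deny all ingress to every pod in the namespace (empty podSelector).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. The lab's rule: the whole world may reach the ingress controller.
#    "- {}" is one rule with no from/ports restriction, i.e. allow all;
#    "ingress: []" (no rules) would instead deny everything.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}
---
# 3. Only the ingress controller may talk to WordPress, and only on TCP/80.
#    No namespaceSelector is given, so the podSelector applies to pods in
#    this same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-ingress-to-wordpress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: wordpress
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress
    ports:
    - protocol: TCP
      port: 80
```

Only Ingress is listed in policyTypes, so pod egress stays unrestricted; the Cloud SQL Proxy sidecar therefore still reaches the database. After applying, kubectl describe networkpolicy in the default namespace shows which pods each policy selects, which is the quickest check that the labels match.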


 
Task 5:

Go to Security > Binary Authorization, enable it, click Edit Policy, and under Specific rules select the GKE cluster rule:

- configure policy
- disallow all images
- create specific rules, select cluster
- add specific rule, type "us" and select the cluster from the dropdown, click Add
- custom exception path
- add the image paths given
- save policy

Enable Binary Authorization for the Kubernetes cluster


 
Task 6:

Copy and paste:

kubectl apply -f psp-restrictive.yaml
kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
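The three files above are supplied by the lab. As an added example (not the lab's psp-restrictive.yaml, psp-role.yaml or psp-use.yaml), here is what such a trio looks like: a restrictive PodSecurityPolicy, a Role granting use of it, and a RoleBinding that hands that Role to every service account in the default namespace. All object names are assumptions.

```yaml
# Added example; the policy and RBAC object names are assumptions.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive-psp
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # setuid binaries cannot gain privileges
  requiredDropCapabilities:
  - ALL                             # start from an empty capability set
  hostNetwork: false                # no sharing of the node's namespaces
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: RunAsAny                  # MustRunAsNonRoot is stricter, but rejects
                                    # images that start as root, e.g. the
                                    # official WordPress Apache image
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false
  volumes:                          # no hostPath: only these volume types
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---
# A Role granting the "use" verb on that one policy ...
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: restrictive-psp-user
  namespace: default
rules:
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - restrictive-psp
  verbs:
  - use
---
# ... bound to all service accounts in the namespace, since pods created by
# a Deployment are admitted on behalf of their service account, not yours.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restrictive-psp-users
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: restrictive-psp-user
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:default
```

Two caveats a practitioner would want: PodSecurityPolicy objects are only enforced once the PodSecurityPolicy admission controller is enabled on the cluster (on GKE that was the beta --enable-pod-security-policy cluster flag), so apply the policy and its RBAC first and turn enforcement on afterwards, or no service account will be allowed to create pods; and the PodSecurityPolicy API was removed in Kubernetes 1.25 in favour of Pod Security Admission, so this pattern only applies to older cluster versions such as the one this lab ran on.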


Hope it helped :))
If you found it a little bit useful, subscribe to "TECH_ED" on YouTube (it means a lot)


Very Short Video Explanation: