Task 0: Download the necessary files:
gsutil cp gs://spls/gsp335/gsp335.zip .unzip gsp335.zip
Task - 1: Setup cluster
--zone us-central1-c \
--machine-type n1-standard-4 \
--num-nodes 2 \
--enable-network-policy
gcloud sql instances create <your-sql-instance-name> --region us-central1
Task - 2: Setup wordpress:
Create database - wordpress
Go to the SQL -> open the created instance (wordpress-db-387) -> then database -> Create database
Database name :wordpress
Create
-> users-> add user Account
User name: wordpress
Add
Add user - wordpress (no password)
Service account
gcloud iam service-accounts create <your-service-account-
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member="serviceAccount:<
--role="roles/cloudsql.
gcloud iam service-accounts keys create key.json --iam-account=<your-service-
kubectl create secret generic cloudsql-instance-credentials --from-file key.json
kubectl create secret generic cloudsql-db-credentials \
--from-literal username=wordpress \
--from-literal password=''
Remember the passowrd you set-up above as you'll need it later.
Create the WordPress deployment and service
kubectl create -f volume.yaml
Go to the overview page of your Cloud SQL instance, and copy the Connection name.
Open wordpress.yaml with your any editor, and replace INSTANCE_CONNECTION_NAME (in line 61) with the Connection name of your Cloud SQL instance and Save the file changes.
kubectl apply -f wordpress.yaml
Task - 3: Setup Ingress with TLS:
helm versionhelm repo add stable https://charts.helm.sh/stable
helm repo update
If your environment does not install with Helm
curl -fsSL -o get_helm.sh https://raw.githubusercontent.
chmod 700 get_helm.sh
./get_helm.sh
Now, you can continue:
helm install nginx-ingress stable/nginx-ingress --set rbac.create=true
kubectl get service nginx-ingress-controller
. add_ip.sh
kubectl apply -f https://github.com/jetstack/
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
Edit issuer.yaml and set the email address Save the file changes and run
kubectl apply -f issuer.yaml
Edit ingress.yaml and set your YOUR_LAB_USERNAME.labdns.xyz DNS record to lines 11 and 14.
Save the file changes and run
kubectl apply -f ingress.yaml
Task - 4: Set up Network Policy:
Goto editor and in network-policy.yaml add it at the end
kind: NetworkPolicy
metadata:
name: allow-nginx-access-to-internet
spec:
podSelector:
matchLabels:
app: nginx-ingress
policyTypes:
- Ingress
ingress:
- {}
Then run below command in cloud shell
kubectl apply -f network-policy.yaml
Task - 5: Setup Binary Authorization:
Goto Cloud Console -> Security -> Binary Authorization.
Enable the Binary Authorization API.
On Binary Authorization page, click Edit POLICY.
Select Disallow all images for the Default rule.
Scroll down to Custom exemption rules, click ADD Add Image Pattern then paste the below image path in New image pattern
Repeat the above two steps to add the following image paths
Click SAVE POLICY.
Navigate to Kubernetes Engine -> Clusters.
Click your cluster name to view its detail page.
Edit Binary authorization and Enable Binary Authorization then SAVE CHANGES.
Task - 6: Setup Pod Security Policy:
Editing for psp-restrictive.yaml is shown through the script editor.
replace appVersion: extensions/v1beta1 with policy/v1beta1
Save the changes & apply the config through kubectl.
kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml
Comments
Post a Comment