
Solution | Secure Workloads in Google Kubernetes Engine: Challenge Lab | 2022

 

Task 0: Download the necessary files: 

gsutil cp gs://spls/gsp335/gsp335.zip .

unzip gsp335.zip


Task - 1: Set up the cluster


gcloud container clusters create <cluster-name> \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy



gcloud sql instances create <your-sql-instance-name> --region us-central1

Task - 2: Set up WordPress:

  • Create database - wordpress


Go to SQL -> open the instance you created (wordpress-db-387) -> Databases -> Create database.
Database name: wordpress
Click Create.

Then go to Users -> Add user account.
User name: wordpress (leave the password empty)
Click Add.

  • Add user - wordpress (no password)

  • Service account


gcloud iam service-accounts create <your-service-account-credentials>


gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password=''

  • Remember the password you set up above, as you'll need it later.


  • Create the WordPress deployment and service


kubectl create -f volume.yaml

  • Go to the overview page of your Cloud SQL instance, and copy the Connection name.


  • Open wordpress.yaml in any editor, replace INSTANCE_CONNECTION_NAME (on line 61) with the Connection name of your Cloud SQL instance, and save the file.


kubectl apply -f wordpress.yaml

Task - 3: Set up Ingress with TLS:

helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

  • If Helm is not installed in your environment, install it first:


curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

  • Now you can continue:


helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service nginx-ingress-controller

. add_ip.sh

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)

  • Edit issuer.yaml and set the email address, save the file changes, and run:


kubectl apply -f issuer.yaml


kubectl apply -f ingress.yaml


Task - 4: Set up the Network Policy:


  • Go to the editor and append the following to the end of network-policy.yaml:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-access-to-internet
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}

  • Then run the command below in Cloud Shell:


kubectl apply -f network-policy.yaml
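To see why the policy above is needed once ingress isolation is switched on, here is a small evaluator for the ingress side of NetworkPolicy semantics. This is an added example, not part of the lab files; it assumes network-policy.yaml also carries a default-deny ingress policy (the DEFAULT_DENY dict below is a constructed stand-in for that), and it only understands matchLabels pod selectors, not namespaceSelector or ipBlock peers.

```python
"""Minimal evaluator for Kubernetes NetworkPolicy ingress rules (added example)."""

# Constructed: a typical default-deny-ingress policy, assumed to be in network-policy.yaml.
# An empty podSelector selects every pod in the namespace; no ingress rules means deny all.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# Dict form of the policy appended in Task 4. The single empty rule ({}) has no
# 'from' clause, so it allows ingress to the nginx-ingress pods from any source.
ALLOW_NGINX = {
    "metadata": {"name": "allow-nginx-access-to-internet"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx-ingress"}},
        "policyTypes": ["Ingress"],
        "ingress": [{}],
    },
}


def selects(selector, labels):
    """matchLabels semantics: every listed label must match; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def rule_allows(rule, src_labels):
    """One ingress rule: no 'from' means any source; otherwise a podSelector peer must match."""
    peers = rule.get("from")
    if not peers:
        return True
    return any(selects(p["podSelector"], src_labels) for p in peers if "podSelector" in p)


def ingress_allowed(policies, dst_labels, src_labels):
    """Return True if traffic from a pod with src_labels may reach a pod with dst_labels.

    A pod selected by no Ingress policy is non-isolated and accepts everything.
    Once any policy selects it, traffic must be allowed by at least one rule of
    at least one selecting policy (policies are additive, never subtractive).
    """
    applicable = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"]["podSelector"], dst_labels)
    ]
    if not applicable:
        return True
    return any(rule_allows(r, src_labels)
               for p in applicable for r in p["spec"].get("ingress", []))
```

With only the default-deny policy applied, the ingress controller itself would be unreachable; adding allow-nginx-access-to-internet opens it while the WordPress pods stay isolated.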

Task - 5: Set up Binary Authorization:


  • Go to Cloud Console -> Security -> Binary Authorization.

  • Enable the Binary Authorization API.

  • On the Binary Authorization page, click EDIT POLICY.

  • Select Disallow all images for the Default rule.

  • Scroll down to Custom exemption rules, click ADD IMAGE PATTERN, then paste the image path below into New image pattern:

  1. docker.io/library/wordpress:latest

  • Repeat the above two steps to add the following image paths:

  1. us.gcr.io/k8s-artifacts-prod/ingress-nginx/*

  2. gcr.io/cloudsql-docker/*

  3. quay.io/jetstack/*

  • Click SAVE POLICY.

  • Navigate to Kubernetes Engine -> Clusters.

  • Click your cluster name to view its detail page.

  • Edit Binary authorization, enable Binary Authorization, then click SAVE CHANGES.


Task - 6: Set up the Pod Security Policy:


  • Open psp-restrictive.yaml in the script editor.

  • Replace apiVersion: extensions/v1beta1 with policy/v1beta1.

  • Save the changes and apply the configs with kubectl:



kubectl apply -f psp-role.yaml

kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml



Thanks for reading this blog!!!
