Skip to main content

Solution | Secure Workloads in Google Kubernetes Engine: Challenge Lab | 2022

 

Task 0: Download the necessary files: 

gsutil cp gs://spls/gsp335/gsp335.zip .

unzip gsp335.zip


Task - 1: Setup cluster


gcloud container clusters create <cluster-name> \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy



gcloud sql instances create <your-sql-instance-name> --region us-central1

Task - 2: Setup wordpress:

  • Create database - wordpress


Go to the SQL -> open the  created instance (wordpress-db-387) -> then database -> Create database 
Database name :wordpress
Create

-> users-> add user Account
User name: wordpress
Add

  • Add user - wordpress (no password)

  • Service account


gcloud iam service-accounts create <your-service-account-credentials>


gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password=''

  • Remember the passowrd you set-up above as you'll need it later.


  • Create the WordPress deployment and service


kubectl create -f volume.yaml

  • Go to the overview page of your Cloud SQL instance, and copy the Connection name.


  • Open wordpress.yaml with your any editor, and replace INSTANCE_CONNECTION_NAME (in line 61) with the Connection name of your Cloud SQL instance and Save the file changes.


kubectl apply -f wordpress.yaml

Task - 3: Setup Ingress with TLS:

helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

  • If your environment does not install with Helm


curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

  • Now, you can continue:


helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service nginx-ingress-controller

. add_ip.sh

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)

  • Edit issuer.yaml and set the email address Save the file changes and run


kubectl apply -f issuer.yaml


kubectl apply -f ingress.yaml


Task - 4: Set up Network Policy:


  • Goto editor and in network-policy.yaml add it at the end

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
   name: allow-nginx-access-to-internet
spec:
 podSelector:
     matchLabels:
          app: nginx-ingress
 policyTypes:
 - Ingress
 ingress:
 - {}

  • Then run below command in cloud shell 


kubectl apply -f network-policy.yaml

Task - 5: Setup Binary Authorization:


  • Goto Cloud Console -> Security -> Binary Authorization.

  • Enable the Binary Authorization API.

  • On Binary Authorization page, click Edit POLICY.

  • Select Disallow all images for the Default rule.

  • Scroll down to Custom exemption rules, click ADD Add Image Pattern then paste the below image path in New image pattern

  1. docker.io/library/wordpress:latest

  • Repeat the above two steps to add the following image paths

  1. us.gcr.io/k8s-artifacts-prod/ingress-nginx/*

  2. gcr.io/cloudsql-docker/*

  3. quay.io/jetstack/*

  • Click SAVE POLICY.

  • Navigate to Kubernetes Engine -> Clusters.

  • Click your cluster name to view its detail page.

  • Edit Binary authorization and Enable Binary Authorization then SAVE CHANGES.


Task - 6: Setup Pod Security Policy:


  • Editing for psp-restrictive.yaml is shown through the script editor. 

  • replace appVersion: extensions/v1beta1 with policy/v1beta1

  • Save the changes & apply the config through kubectl.



kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml



Thanks for reading this blog!!!
Labels:

Comments

Post a Comment

Popular Posts

A Digital Computer

 A digital computer is a digital system that performs various computational tasks. The word "Digital" implies that the information in the computer is represented by variables that take a limited number of discrete values. These values are processed internally by components that can maintain a limited number of discrete states. These discrete values are taken by the decimal digits 0 to 9.  The first electronic digital systems was developed at 1940s late, it was primarily only used for some numerical computations.  As we all know a digital computer uses binary number system & it can only understand a binary number. And a binary number has only 2 digits 0 & 1 . Let me tell you one more interesting thing is that a binary digit is called "bit" here. That means if we use 0 it means its a bit, and vise versa.  In a digital computer all information is only represented in group of bits. After using various programming techniques & some algorithms, these grou...
1 comment
Read more

Programing Langauges HLL vs LLL

High Level Languages:      High level languages are abbreviated as HLL, these languages are too much similar to human language. These are more programmer friendly languages easy to code, debug and maintain. Actually they don't interact with the hardware , rather they focuses more on the complex arithmetic operations, optimal program efficiency and easiness in coding.      High level language requires a compilers or an interpreters to translate source code written in high level language to machine language. We can compile the source code written in HLL to multiple languages. Thus they are machine independent language. Advantages of HLL: It provides higher level of abstraction from machine languages. It is machine independent languages. Less error prone, easy to find debug errors. They provides the better programming productivity. Disadvantages of HLL:  Its take additional time to translate its code to machine code. HLL programmer are much slower than...
Post a Comment
Read more

Most Important Full Forms

  CPU : CENTRAL PROCESSING UNIT   OS : OPERATING SYSTEM UPS : UNINTERRUPTIBLE POWER SUPPLY RAM : RANDOM-ACCESS MEMORY ROM : READ-ONLY MEMORY LCD : LIQUID CRYSTAL DISPLAY   LED : LIGHT-EMITTING DIODE   FAT : FILE ALLOCATION TABLE DOC : DOCUMENT   MMC : MULTIMEDIA CARD   CD : COMPACT DISC   DVD : DIGITAL VERSATILE DISC   ISO : INTERNATIONAL ORGANIZATION FOR STANDARDIZATION   DB : DATABASE   IC : INTEGRATED CIRCUIT   TEMP : TEMPORARY   WMP : WINDOWS MEDIA PLAYER   MP3 : MOVING PICTURE EXPERTS GROUP PHASE 3 (MPEG-3)   MPEG : MOVING PICTURE EXPERTS GROUP PHASE (MPEG)   JPG : JOINT PHOTOGRAPHIC EXPERTS GROUP   AVI : AUDIO VIDEO INTERLEAVE   WMV : WINDOWS MEDIA VIDEO   GIF : GRAPHICS INTERCHANGE FORMAT   USB : UNIVERSAL SERIAL BUS   IP : INTERNET PROTOCOL   DNS : DOMAIN NAME SYSTEM   HTTP : HYPERTEXT TRANSFER PROTOCOL   HTTPS : HYPERTEXT TRANSFER PROTOC...
Post a Comment
Read more