
Solution | Secure Workloads in Google Kubernetes Engine: Challenge Lab | 2022

 

Task 0: Download the necessary files: 

gsutil cp gs://spls/gsp335/gsp335.zip .

unzip gsp335.zip


Task - 1: Setup cluster


gcloud container clusters create <cluster-name> \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy



gcloud sql instances create <your-sql-instance-name> --region us-central1

Task - 2: Setup wordpress:

  • Create database - wordpress

Go to SQL -> open the created instance (wordpress-db-387) -> Databases -> Create database
Database name: wordpress
Create

  • Add user - wordpress (no password)

-> Users -> Add user account
User name: wordpress
Add

  • Service account


gcloud iam service-accounts create <your-service-account-credentials>


gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password=''

  • Remember the password you set up above, as you'll need it later.


  • Create the WordPress deployment and service


kubectl create -f volume.yaml

  • Go to the overview page of your Cloud SQL instance, and copy the Connection name.


  • Open wordpress.yaml with any editor, replace INSTANCE_CONNECTION_NAME (in line 61) with the Connection name of your Cloud SQL instance, and save the file.


kubectl apply -f wordpress.yaml

Task - 3: Setup Ingress with TLS:

helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

  • If Helm is not installed in your environment:


curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

  • Now, you can continue:


helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service nginx-ingress-controller

. add_ip.sh

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)

  • Edit issuer.yaml and set the email address, save the file, and run:


kubectl apply -f issuer.yaml


kubectl apply -f ingress.yaml


Task - 4: Set up Network Policy:


  • Open network-policy.yaml in the editor and add the following at the end:

# Allows all inbound traffic to pods labelled app: nginx-ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-access-to-internet
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}

  • Then run the command below in Cloud Shell:


kubectl apply -f network-policy.yaml

Task - 5: Setup Binary Authorization:


  • Go to Cloud Console -> Security -> Binary Authorization.

  • Enable the Binary Authorization API.

  • On Binary Authorization page, click Edit POLICY.

  • Select Disallow all images for the Default rule.

  • Scroll down to Custom exemption rules, click Add Image Pattern, then paste the image path below into New image pattern:

  1. docker.io/library/wordpress:latest

  • Repeat the above two steps to add the following image paths

  1. us.gcr.io/k8s-artifacts-prod/ingress-nginx/*

  2. gcr.io/cloudsql-docker/*

  3. quay.io/jetstack/*

  • Click SAVE POLICY.

  • Navigate to Kubernetes Engine -> Clusters.

  • Click your cluster name to view its detail page.

  • Edit Binary authorization and Enable Binary Authorization then SAVE CHANGES.
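
The allowlist from Task 5 can be checked against the images a cluster runs before the Disallow all images rule starts rejecting pods. The script below is an added example, not part of the original post or the lab files; the function names and the sample image list are constructed, and it assumes Binary Authorization's wildcard rule that a trailing * stays within one path level while a trailing ** also covers subdirectories.

```shell
# Added example: which images do the Task 5 exemption patterns cover?
# Assumed matching rule: a trailing '*' stays within one path level,
# a trailing '**' also covers subdirectories, anything else is an exact match.
ALLOWLIST='docker.io/library/wordpress:latest
us.gcr.io/k8s-artifacts-prod/ingress-nginx/*
gcr.io/cloudsql-docker/*
quay.io/jetstack/*'

# matches_pattern IMAGE PATTERN: succeeds if PATTERN covers IMAGE
matches_pattern() {
  image=$1; pattern=$2
  case $pattern in
    *'**') prefix=${pattern%'**'}
           case $image in "$prefix"*) return 0 ;; esac ;;
    *'*')  prefix=${pattern%'*'}
           case $image in
             "$prefix"*) case ${image#"$prefix"} in */*) return 1 ;; esac
                         return 0 ;;
           esac ;;
    *)     [ "$image" = "$pattern" ] && return 0 ;;
  esac
  return 1
}

# verdict IMAGE: prints "exempt" or "blocked" (default rule: Disallow all images)
verdict() {
  while IFS= read -r p; do
    if matches_pattern "$1" "$p"; then echo exempt; return 0; fi
  done <<EOF
$ALLOWLIST
EOF
  echo blocked
}

# audit: reads image names on stdin, prints one verdict per line
audit() {
  while IFS= read -r img; do
    printf '%-50s %s\n' "$img" "$(verdict "$img")"
  done
}

# Constructed sample. On a live cluster the list could come from:
#   kubectl get pods --all-namespaces \
#     -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort -u
audit <<'EOF'
docker.io/library/wordpress:latest
docker.io/library/wordpress:5.9
gcr.io/cloudsql-docker/gce-proxy:1.11
quay.io/jetstack/cert-manager-controller:v0.16.0
quay.io/jetstack/extra/tool:1.0
docker.io/library/nginx:latest
EOF
```

The wordpress entry is matched by tag rather than digest, so whatever image is later pushed under docker.io/library/wordpress:latest is exempt as well.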


Task - 6: Setup Pod Security Policy:


  • Edit psp-restrictive.yaml in the script editor.

  • Replace apiVersion: extensions/v1beta1 with policy/v1beta1

  • Save the changes and apply the config through kubectl.



kubectl apply -f psp-role.yaml

kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml



Thanks for reading this blog!!!
