
Solution | Secure Workloads in Google Kubernetes Engine: Challenge Lab | 2022

 

Task 0: Download the necessary files: 

gsutil cp gs://spls/gsp335/gsp335.zip .

unzip gsp335.zip


Task - 1: Setup cluster


gcloud container clusters create <cluster-name> \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy



gcloud sql instances create <your-sql-instance-name> --region us-central1

Task - 2: Setup wordpress:

  • Create database - wordpress


Go to SQL in the Cloud Console -> open the created instance (wordpress-db-387) -> Databases -> Create database
Database name: wordpress
Click Create

-> Users -> Add User Account
User name: wordpress (leave the password empty)
Click Add

  • Add user - wordpress (no password)

  • Service account


gcloud iam service-accounts create <your-service-account-credentials>


gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password=''

  • Remember the password you set up above, as you'll need it later.


  • Create the WordPress deployment and service


kubectl create -f volume.yaml

  • Go to the overview page of your Cloud SQL instance, and copy the Connection name.


  • Open wordpress.yaml with any editor, replace INSTANCE_CONNECTION_NAME (on line 61) with the Connection name of your Cloud SQL instance, and save the file.


kubectl apply -f wordpress.yaml

Task - 3: Setup Ingress with TLS:

helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

  • If Helm is not installed in your environment:


curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

  • Now, you can continue:


helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service nginx-ingress-controller

. add_ip.sh

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)

  • Edit issuer.yaml and set the email address, save the file changes, and run:


kubectl apply -f issuer.yaml


kubectl apply -f ingress.yaml


Task - 4: Set up Network Policy:


  • Open network-policy.yaml in the editor and append the following at the end of the file:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-access-to-internet
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}

  • Then run the command below in Cloud Shell:


kubectl apply -f network-policy.yaml

Task - 5: Setup Binary Authorization:


  • Go to Cloud Console -> Security -> Binary Authorization.

  • Enable the Binary Authorization API.

  • On Binary Authorization page, click Edit POLICY.

  • Select Disallow all images for the Default rule.

  • Scroll down to Custom exemption rules, click Add Image Pattern, then paste the image path below into New image pattern:

  1. docker.io/library/wordpress:latest

  • Repeat the above two steps to add the following image paths:

  1. us.gcr.io/k8s-artifacts-prod/ingress-nginx/*

  2. gcr.io/cloudsql-docker/*

  3. quay.io/jetstack/*

  • Click SAVE POLICY.

  • Navigate to Kubernetes Engine -> Clusters.

  • Click your cluster name to view its detail page.

  • Edit Binary authorization, enable Binary Authorization, then click SAVE CHANGES.
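As an added example (not part of the lab files or this post), the script below simulates offline the policy configured in this task: the default rule blocks every image, and only the four exemption patterns admit one. It assumes the documented pattern semantics, namely that a trailing * matches one path component, a trailing ** also matches sub-paths, and a pattern without a wildcard must match the reference exactly, tag included.

```python
import re

# Exemption patterns exactly as entered in the Binary Authorization policy.
EXEMPTIONS = [
    "docker.io/library/wordpress:latest",
    "us.gcr.io/k8s-artifacts-prod/ingress-nginx/*",
    "gcr.io/cloudsql-docker/*",
    "quay.io/jetstack/*",
]


def pattern_to_regex(pattern):
    """Translate one allowlist pattern into an anchored regex (assumed semantics)."""
    if pattern.endswith("/**"):
        # '**' matches any depth of sub-path below the prefix.
        return re.compile(re.escape(pattern[:-3]) + r"/.+$")
    if pattern.endswith("/*"):
        # '*' matches exactly one path component, tag or digest included.
        return re.compile(re.escape(pattern[:-2]) + r"/[^/]+$")
    # No wildcard: the reference must match exactly, tag included.
    return re.compile(re.escape(pattern) + r"$")


def is_admitted(image, exemptions=EXEMPTIONS):
    """True if the image passes an exemption; otherwise the default rule blocks it."""
    return any(pattern_to_regex(p).match(image) for p in exemptions)


def blocked_images(images, exemptions=EXEMPTIONS):
    """Return the images in a manifest that the policy would refuse to admit."""
    return [img for img in images if not is_admitted(img, exemptions)]


if __name__ == "__main__":
    # Constructed sample: images a cluster built by this lab might try to pull.
    sample = [
        "docker.io/library/wordpress:latest",
        "docker.io/library/wordpress:5.8",                   # tag not exempted
        "gcr.io/cloudsql-docker/gce-proxy:1.19.1",
        "quay.io/jetstack/cert-manager-controller:v0.16.0",
        "docker.io/library/busybox:latest",                  # not exempted at all
    ]
    for img in blocked_images(sample):
        print("blocked by policy:", img)
```

Running it before you apply a manifest shows which images the policy would reject, so a blocked pod can be traced to a missing exemption rather than guessed at.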


Task - 6: Setup Pod Security Policy:


  • Open psp-restrictive.yaml in the editor.

  • Replace apiVersion: extensions/v1beta1 with apiVersion: policy/v1beta1.

  • Save the changes and apply the config with kubectl:



kubectl apply -f psp-role.yaml

kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml



Thanks for reading this blog!!!
