Skip to main content

Solution | Secure Workloads in Google Kubernetes Engine: Challenge Lab | 2022

 

Task 0: Download the necessary files: 

gsutil cp gs://spls/gsp335/gsp335.zip .

unzip gsp335.zip


Task - 1: Setup cluster


gcloud container clusters create <cluster-name> \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy



gcloud sql instances create <your-sql-instance-name> --region us-central1

Task - 2: Setup wordpress:

  • Create database - wordpress


Go to the SQL -> open the  created instance (wordpress-db-387) -> then database -> Create database 
Database name :wordpress
Create

-> users-> add user Account
User name: wordpress
Add

  • Add user - wordpress (no password)

  • Service account


gcloud iam service-accounts create <your-service-account-credentials>


gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password=''

  • Remember the passowrd you set-up above as you'll need it later.


  • Create the WordPress deployment and service


kubectl create -f volume.yaml

  • Go to the overview page of your Cloud SQL instance, and copy the Connection name.


  • Open wordpress.yaml with your any editor, and replace INSTANCE_CONNECTION_NAME (in line 61) with the Connection name of your Cloud SQL instance and Save the file changes.


kubectl apply -f wordpress.yaml

Task - 3: Setup Ingress with TLS:

helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

  • If your environment does not install with Helm


curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

  • Now, you can continue:


helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service nginx-ingress-controller

. add_ip.sh

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)

  • Edit issuer.yaml and set the email address Save the file changes and run


kubectl apply -f issuer.yaml


kubectl apply -f ingress.yaml


Task - 4: Set up Network Policy:


  • Goto editor and in network-policy.yaml add it at the end

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
   name: allow-nginx-access-to-internet
spec:
 podSelector:
     matchLabels:
          app: nginx-ingress
 policyTypes:
 - Ingress
 ingress:
 - {}

  • Then run below command in cloud shell 


kubectl apply -f network-policy.yaml

Task - 5: Setup Binary Authorization:


  • Goto Cloud Console -> Security -> Binary Authorization.

  • Enable the Binary Authorization API.

  • On Binary Authorization page, click Edit POLICY.

  • Select Disallow all images for the Default rule.

  • Scroll down to Custom exemption rules, click ADD Add Image Pattern then paste the below image path in New image pattern

  1. docker.io/library/wordpress:latest

  • Repeat the above two steps to add the following image paths

  1. us.gcr.io/k8s-artifacts-prod/ingress-nginx/*

  2. gcr.io/cloudsql-docker/*

  3. quay.io/jetstack/*

  • Click SAVE POLICY.

  • Navigate to Kubernetes Engine -> Clusters.

  • Click your cluster name to view its detail page.

  • Edit Binary authorization and Enable Binary Authorization then SAVE CHANGES.


Task - 6: Setup Pod Security Policy:


  • Editing for psp-restrictive.yaml is shown through the script editor. 

  • replace appVersion: extensions/v1beta1 with policy/v1beta1

  • Save the changes & apply the config through kubectl.



kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml



Thanks for reading this blog!!!
Labels:

Comments

Post a Comment

Popular Posts

Types of operating systems

Today there are lot of operating systems in the internet but actually they are only based on these main operating systems. What we see on internet is that windows is an OS, Linux is an OS but actually it is not really true. These are true only in simple understanding but when we explore computers more then we see there are lot of types of operating systems available in the market. These are written below...... Batch Operating System Multi-programming OS. Time-sharing or multitasking operating systems Distributed operating System Network operating System Real Time operating System Hard real--time systems Soft real--time systems Batch operating system: These operating system can not interact directly with the computer. Batch processing is a technique in which an Operating System collects the programs and data together in a batch before processing starts.   Multi-programming OS: These type of OS are able to run multiple jobs simultaneously in the memory. For it, memory is considered a...
1 comment
Read more

Know Operating Systems (Briefly)

OPERATING SYSTEM :     Today's lot of operating systems have arrived in the marketplace, but some OS gets failed because of their specifications or trends. Let me tell you what is an Operating System in short " an operating system is just a system software which help us to communicate with a machine using graphical or command line interface."     That's means when someone using his/her smartphone or computer or any type of device that's sure this device has an operating system and there is a proper way to use this device. Every Operating system has its own way or type of using it.    An OS is also making a vital role in the device because there are lot of things in a device which depends on the OS like bluetooth-connectivity, wireless-connections, display and many more things.   WORKING PROCESS :   Basically an OS is a system software so it contains all information about the hardware of this device.    Now...
Post a Comment
Read more

A technical preview of an Operating System

Operating System (OS): An Operating system consists of a set of programs which controls, co-ordinates and supervises the activities of the various components of a computer system. Its function is to link between the computer hardware and the user. An operating system is a software or a series of programmes, which performs various types of functions in order to manage and organize file so". Objectives:  There are lot of objectives of an operating system, actually it covers the birth of a perfect operating system. A user is just like a wanting animal they just want everything. But as a developer we are just tying to make our software more & more better as per user requests. These are some main objectives ------ To describe the basic organization of computer systems. To provide a grand tour of the major components of operating systems. Provide more convenient environment for users. Provide maximum utilized performance to users as per hardware existance. Computer Startup: When a c...
1 comment
Read more

PROGRAMMING LANGUAGES

  Today a programming language is very essential thing in technology market, everything is going to transform in digital world. We handle these digital things with lot of hardware and using programming language. Currently there are lot of programming languages arrived in market like Python, Java, Perl and many more. So today we will talk about what is programming language & how its works?   A programming language is the way to talk to a computer machine, generally we can not directly go to the computer and we can not say to the computer to do a specific task, Because a computer only understand the binary data . We need to program it or we can say we need to talk to the computer in computer language to give then computer will understand what we want with them. Generally we talk in different - different languages, so we can also communicate in different - different languages with a computer. Sometimes computer languages goes to complicated for a human being bu...
Post a Comment
Read more

Man in the middle attack types

Types Of Man-In-The-Middle Attacks : Today internet is one of the most essential thing in our normal life and it plays a vital role in every industries. Our demand of internet is growing day by day and it is not going to stop until now.  Man in the middle attack is one of the most common cyber-attack. In this attack an attacker act as a medium between the user and the server when a user send a request to a website for a particular data it can be in any form like login credentials, bank details etc. then server send data to user but when a person is interacting between user & server he/she can see all data. So today i will tell you how an attacker can perform a man in the middle attack ,so just read this blog careful................... 1⃣ IP spoofing:   Every device capable of connecting to the web has an online protocol (IP) address, which is analogous to the road address for your home.  By spoofing an IP address, an attacker can trick you into thinking you’re intera...
Post a Comment
Read more