GSP-335 : Secure Workloads in Google Kubernetes Engine

Overview

Please use your own credentials while completing the lab -- that means using your own service account, database credentials, etc. wherever necessary.

Start by executing the following commands:

gsutil cp gs://spls/gsp335/gsp335.zip .
unzip gsp335.zip

Task - 1: Setup cluster

gcloud container clusters create <cluster-name> \
   --zone us-central1-c \
   --machine-type n1-standard-4 \
   --num-nodes 2 \
   --enable-network-policy

Create the Cloud SQL instance:

gcloud sql instances create <your-sql-instance-name> --region us-central1

Task - 2: Setup wordpress

gcloud iam service-accounts create <your-service-account-credentials>

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member="serviceAccount:<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
   --role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account=<your-service-account-credentials>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

# choose a password for the wordpress database user and put it in place of the placeholder
kubectl create secret generic cloudsql-db-credentials \
   --from-literal username=wordpress \
   --from-literal password='<your-password>'

Remember the password you set up above, as you'll need it later.

Create the WordPress deployment and service:

kubectl create -f volume.yaml

Next, point wordpress.yaml at your Cloud SQL instance. Go to the overview page of your Cloud SQL instance and copy the Connection name.

Open wordpress.yaml in any editor, replace INSTANCE_CONNECTION_NAME (in line 61 of the file) with the Connection name of your Cloud SQL instance, and save the file.

kubectl apply -f wordpress.yaml

Task - 3: Setup Ingress with TLS

helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update
  • If Helm is not installed in your environment, install it first:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
  • Now you can continue:
helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service nginx-ingress-controller

. add_ip.sh

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
   --clusterrole=cluster-admin \
   --user=$(gcloud config get-value core/account)
  • Edit issuer.yaml and set the email address. Save the file changes and run:
kubectl apply -f issuer.yaml
  • Edit ingress.yaml and set your YOUR_LAB_USERNAME.labdns.xyz DNS record in lines 11 and 14.

  • Save the file changes and run:

kubectl apply -f ingress.yaml

Task - 4: Set up Network Policy

nano network-policy.yaml
  • Set the values of name and spec as shown below:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-access-to-internet
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}
  • Save the file with Ctrl+X -> Y -> Enter
kubectl apply -f network-policy.yaml
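The policy above selects the nginx-ingress pods and, because its single ingress rule is the empty rule {}, allows traffic from any source; a policy with the same selector but no rules at all would deny all ingress to those pods instead. The following is an added example, not part of the lab, that models these Kubernetes NetworkPolicy semantics in Python so the difference is visible; the first dict mirrors the lab's YAML and the deny-all variant is constructed for contrast.

```python
# Added example (not part of the lab): a minimal model of Kubernetes
# NetworkPolicy ingress semantics. Policies are dicts mirroring the YAML.

POLICY_LAB = {  # the lab's network-policy.yaml, as a dict
    "metadata": {"name": "allow-nginx-access-to-internet"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx-ingress"}},
        "policyTypes": ["Ingress"],
        "ingress": [{}],  # one empty rule: matches every source
    },
}

# Constructed variant for contrast: same selector, but no ingress rules.
POLICY_DENY_ALL = {
    "metadata": {"name": "deny-all-ingress-to-nginx"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx-ingress"}},
        "policyTypes": ["Ingress"],
        "ingress": [],
    },
}


def selects(selector, labels):
    """A podSelector matches when every matchLabels entry is present on
    the pod. An empty selector ({}) selects every pod in the namespace."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def rule_allows(rule, src_labels):
    """An ingress rule with no 'from' (the {} rule) allows any source.
    Otherwise the source must match at least one podSelector in 'from'.
    (ipBlock / namespaceSelector peers are out of scope for this model.)"""
    peers = rule.get("from")
    if not peers:
        return True
    return any(selects(p.get("podSelector", {}), src_labels) for p in peers)


def ingress_allowed(policies, dst_labels, src_labels):
    """A pod is 'isolated' for ingress once ANY policy with policyType
    Ingress selects it; traffic is then allowed only if some selecting
    policy has a rule matching the source. Unselected pods accept all."""
    selecting = [p for p in policies
                 if "Ingress" in p["spec"].get("policyTypes", [])
                 and selects(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    return any(rule_allows(r, src_labels)
               for p in selecting for r in p["spec"].get("ingress", []))
```

Because policyTypes lists only Ingress, egress from the nginx-ingress pods is left unrestricted by this policy; pods not selected by any policy (such as the wordpress pods here) keep the default allow-all behaviour.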

Task - 5: Setup Binary Authorization

  • Go to Cloud Console -> Security -> Binary Authorization.
  • Enable the Binary Authorization API.
  • On the Binary Authorization page, click CONFIGURE POLICY.
  • Select Disallow all images for the Default rule.
  • Scroll down to Images exempt from this policy, click ADD IMAGE PATH and paste:
docker.io/library/wordpress:latest
  • Repeat the above two steps to add the following image paths:
us.gcr.io/k8s-artifacts-prod/ingress-nginx/*
gcr.io/cloudsql-docker/*
quay.io/jetstack/*
  • Click SAVE POLICY.

  • Navigate to Kubernetes Engine -> Clusters.

  • Click your cluster name to view its detail page.

  • Edit Binary authorization, select Enable Binary Authorization, then click SAVE CHANGES.

Task - 6: Setup Pod Security Policy

In the video, editing for psp-restrictive.yaml is shown through script editor. For this tutorial, we are using nano.

nano psp-restrictive.yaml
  • Replace apiVersion: extensions/v1beta1 with apiVersion: policy/v1beta1

  • Save the changes and apply the config with kubectl:

kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
kubectl apply -f psp-restrictive.yaml

Congratulations, you're all done with the lab 😄