GSP-342: Ensure Access & Identity in Google Cloud

Overview

NOTE: Replace <IAM-ROLE-NAME-TASK-1>, <IAM-SERVICE-ACC-TASK-2> and <CLUSTER-NAME-TASK-4> below with the values given in your own lab instructions. $DEVSHELL_PROJECT_ID is set automatically in Cloud Shell, so run the Task 1 to Task 4 commands there; Task 5 runs on the jump host.

Task 1: Create a custom security role

gcloud config set compute/zone us-east1-b
nano role-definition.yaml
  • Paste the following into the file. The role carries only these five Cloud Storage permissions; adding more defeats the purpose of a custom role:
title: "<IAM-ROLE-NAME-TASK-1>"
description: "Permissions"
stage: "ALPHA"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
  • Save with Ctrl+O, Enter, then leave nano with Ctrl+X
gcloud iam roles create <IAM-ROLE-NAME-TASK-1> --project $DEVSHELL_PROJECT_ID --file role-definition.yaml

Task 2: Create a service account

gcloud iam service-accounts create <IAM-SERVICE-ACC-TASK-2> --display-name "Orca Private Cluster Service Account"

Task 3: Bind a custom security role to an account

The first three roles are what the GKE nodes need to write logs and metrics; the fourth binds the custom role from Task 1. No basic role (roles/owner, roles/editor, roles/viewer) is granted to the service account.

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:<IAM-SERVICE-ACC-TASK-2>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:<IAM-SERVICE-ACC-TASK-2>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:<IAM-SERVICE-ACC-TASK-2>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/logging.logWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:<IAM-SERVICE-ACC-TASK-2>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role projects/$DEVSHELL_PROJECT_ID/roles/<IAM-ROLE-NAME-TASK-1>
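The role definition in Task 1 and the bindings in Task 3 are the two places where over-privilege creeps in: an extra permission slipped into role-definition.yaml, or a basic role bound to the node service account. The script below is an added example, not part of the lab, that checks both. The project ID example-project, the role name orca_storage_editor, the service-account name orca-private-cluster-sa and all sample inputs are constructed; the tab-separated "role<TAB>member" line shape is assumed to be what gcloud prints for --flatten='bindings[].members' --format='value(bindings.role,bindings.members)', so adjust the parsing if your output differs.

```shell
#!/bin/sh
# Added example (not part of the lab): least-privilege checks for the
# Task 1 custom role and the Task 3 bindings. All inputs below are
# constructed; the names example-project, orca_storage_editor and
# orca-private-cluster-sa are assumptions.

# The only permissions the custom role is meant to carry (Task 1).
ALLOWED_PERMS='storage.buckets.get storage.objects.get storage.objects.list storage.objects.update storage.objects.create'

# check_role_file FILE
# Returns 0 when every "- permission" entry in FILE is in ALLOWED_PERMS,
# 1 when an entry is outside the allowlist, is a wildcard, a delete or an
# IAM-policy permission, or when no entries are found at all.
check_role_file() {
  perms=$(sed -n 's/^[ ]*- *//p' "$1")
  [ -n "$perms" ] || { echo "$1: no includedPermissions entries" >&2; return 1; }
  rc=0
  for p in $perms; do
    case " $ALLOWED_PERMS " in
      *" $p "*) ;;
      *) echo "$1: permission not in allowlist: $p" >&2; rc=1 ;;
    esac
    case "$p" in
      *\**|*setIamPolicy*|*.delete) echo "$1: high-risk permission: $p" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# check_sa_bindings SA_EMAIL   (binding lines on stdin, "role<TAB>member")
# Assumed source of the lines:
#   gcloud projects get-iam-policy "$PROJECT" --flatten='bindings[].members' \
#       --format='value(bindings.role,bindings.members)'
# Returns 0 when the account has at least one binding and none is a basic role.
check_sa_bindings() {
  sa="serviceAccount:$1"
  tab=$(printf '\t')
  found=0; rc=0
  while IFS="$tab" read -r role member; do
    [ "$member" = "$sa" ] || continue
    found=1
    case "$role" in
      roles/owner|roles/editor|roles/viewer)
        echo "basic role $role is bound to $sa" >&2; rc=1 ;;
    esac
  done
  [ "$found" -eq 1 ] || { echo "no bindings found for $sa" >&2; return 1; }
  return $rc
}

# ---- constructed sample inputs -------------------------------------------
SA_EMAIL='orca-private-cluster-sa@example-project.iam.gserviceaccount.com'

ROLE_FILE_OK=$(mktemp)      # mirrors the Task 1 role definition
cat > "$ROLE_FILE_OK" <<'EOF'
title: "orca_storage_editor"
description: "Permissions"
stage: "ALPHA"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
EOF

ROLE_FILE_BAD=$(mktemp)     # same role with two permissions that must not be there
cat > "$ROLE_FILE_BAD" <<'EOF'
title: "orca_storage_editor"
includedPermissions:
- storage.objects.get
- storage.buckets.setIamPolicy
- storage.objects.delete
EOF

# Bindings as Task 3 leaves them, plus an unrelated human owner that is ignored.
GOOD_BINDINGS=$(for r in roles/monitoring.viewer roles/monitoring.metricWriter \
                         roles/logging.logWriter projects/example-project/roles/orca_storage_editor; do
                  printf '%s\t%s\n' "$r" "serviceAccount:$SA_EMAIL"
                done; printf '%s\t%s\n' roles/owner user:admin@example.com)
# Same policy after someone also granted the node service account roles/editor.
BAD_BINDINGS=$(printf '%s\nroles/editor\tserviceAccount:%s\n' "$GOOD_BINDINGS" "$SA_EMAIL")

# Stand-alone run: report each check (temp files are left for inspection).
for f in "$ROLE_FILE_OK" "$ROLE_FILE_BAD"; do
  if check_role_file "$f"; then echo "role file $f: OK"; else echo "role file $f: FAIL"; fi
done
if printf '%s\n' "$GOOD_BINDINGS" | check_sa_bindings "$SA_EMAIL"; then echo "Task 3 bindings: OK"; fi
if printf '%s\n' "$BAD_BINDINGS" | check_sa_bindings "$SA_EMAIL"; then :; else echo "bindings with roles/editor: FAIL"; fi
```

Against a real project, write the role file with `gcloud iam roles describe <IAM-ROLE-NAME-TASK-1> --project $DEVSHELL_PROJECT_ID > role.yaml` and feed the policy lines from the gcloud command quoted in the comment; the allowlist is the policy, so extend ALLOWED_PERMS deliberately rather than by editing the YAML.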

Task 4: Create and configure a new Kubernetes Engine private cluster

gcloud container clusters create <CLUSTER-NAME-TASK-4> \
  --num-nodes 1 \
  --master-ipv4-cidr=172.16.0.64/28 \
  --network orca-build-vpc \
  --subnetwork orca-build-subnet \
  --enable-master-authorized-networks \
  --master-authorized-networks 192.168.10.2/32 \
  --enable-ip-alias \
  --enable-private-nodes \
  --enable-private-endpoint \
  --service-account <IAM-SERVICE-ACC-TASK-2>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com \
  --zone us-east1-b

--enable-private-nodes and --enable-private-endpoint give the nodes and the control plane internal addresses only, and --master-authorized-networks 192.168.10.2/32 (which should be the internal address of orca-jumphost) is the only network allowed to reach the control plane. That is why Task 5 has to be run from the jump host rather than from Cloud Shell.
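Three of those flags are what make the cluster private, and they are also the ones most likely to be loosened later. The check below is an added example, not lab code, that re-reads them from `gcloud container clusters describe <CLUSTER-NAME-TASK-4> --zone us-east1-b --format=flattened` and fails if private nodes, the private endpoint or master authorized networks are off, or if an authorized network is a /0. The "key: value" line shape and the True/False spelling are assumptions about gcloud's flattened output, and the two sample descriptions are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab): verify the Task 4 private-cluster
# settings from flattened `gcloud container clusters describe` output.
# The "key: value" line shape and True/False spelling are assumed; the
# sample descriptions below are constructed.

# flat_get KEY   (flattened description on stdin) -> prints the value of KEY
flat_get() {
  awk -v k="$1" 'index($0, k ": ") == 1 { print substr($0, length(k) + 3) }'
}

# check_private_cluster   (flattened description on stdin)
# Returns 0 when private nodes, the private endpoint and master authorized
# networks are all enabled and no authorized network is a /0.
check_private_cluster() {
  desc=$(cat)
  rc=0
  for key in privateClusterConfig.enablePrivateNodes \
             privateClusterConfig.enablePrivateEndpoint \
             masterAuthorizedNetworksConfig.enabled; do
    v=$(printf '%s\n' "$desc" | flat_get "$key")
    [ "$v" = "True" ] || { echo "$key is '${v:-unset}', expected True" >&2; rc=1; }
  done
  # Every masterAuthorizedNetworksConfig.cidrBlocks[N].cidrBlock entry.
  cidrs=$(printf '%s\n' "$desc" | awk -F': ' \
    '$1 ~ /^masterAuthorizedNetworksConfig\.cidrBlocks\[[0-9]+\]\.cidrBlock$/ { print $2 }')
  [ -n "$cidrs" ] || { echo "no authorized networks listed" >&2; rc=1; }
  for c in $cidrs; do
    case "$c" in
      */0) echo "authorized network $c admits every address" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed: what Task 4 should produce.
GOOD_DESC='name: orca-cluster
privateClusterConfig.enablePrivateEndpoint: True
privateClusterConfig.enablePrivateNodes: True
privateClusterConfig.masterIpv4CidrBlock: 172.16.0.64/28
masterAuthorizedNetworksConfig.enabled: True
masterAuthorizedNetworksConfig.cidrBlocks[0].cidrBlock: 192.168.10.2/32'

# Constructed: the same cluster after the endpoint was made public and a /0 added.
BAD_DESC='name: orca-cluster
privateClusterConfig.enablePrivateEndpoint: False
privateClusterConfig.enablePrivateNodes: True
masterAuthorizedNetworksConfig.enabled: True
masterAuthorizedNetworksConfig.cidrBlocks[0].cidrBlock: 192.168.10.2/32
masterAuthorizedNetworksConfig.cidrBlocks[1].cidrBlock: 0.0.0.0/0'

# Stand-alone run.
if printf '%s\n' "$GOOD_DESC" | check_private_cluster; then echo "GOOD_DESC: private"; fi
if printf '%s\n' "$BAD_DESC" | check_private_cluster; then :; else echo "BAD_DESC: NOT private"; fi
```

Pipe the real description in with `gcloud container clusters describe <CLUSTER-NAME-TASK-4> --zone us-east1-b --format=flattened | check_private_cluster`; a non-zero exit is a drift from the Task 4 configuration.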

Task 5: Deploy an application to a private Kubernetes Engine cluster

  1. Navigate to the Compute Engine in the Cloud Console.

  2. Click on the SSH button for the orca-jumphost instance.

In the SSH window on orca-jumphost, connect to the private cluster over its internal endpoint and deploy the sample application:

gcloud config set compute/zone us-east1-b
gcloud container clusters get-credentials <CLUSTER-NAME-TASK-4> --internal-ip
kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0
kubectl expose deployment hello-server --name orca-hello-service --type LoadBalancer --port 80 --target-port 8080

Congratulations, you're all done with the lab 😄