Secure Workloads in Google Kubernetes Engine: Challenge Lab (GSP335)
In this tutorial blog, I am going to show you how to complete the Secure Workloads in Google Kubernetes Engine challenge lab on the Qwiklabs platform. So, without wasting any more time, let's start.
Task 0 — Download the files required for the lab
gsutil cp gs://spls/gsp335/gsp335.zip .
unzip gsp335.zip
Task 1 — Set up the cluster for the lab
gcloud container clusters create <Cluster Name> \
    --zone us-central1-c \
    --machine-type n1-standard-4 \
    --num-nodes 2 \
    --enable-network-policy
gcloud container clusters get-credentials <Cluster Name> --zone us-central1-c
Task 2 — Set up WordPress
gcloud sql instances create <Cloud SQL Instance> --region us-central1
gcloud sql databases create wordpress --instance <Cloud SQL Instance> --charset utf8 --collation utf8_general_ci
gcloud sql users create wordpress --host % --instance <Cloud SQL Instance> --password Passw0rd
Create a service account for access to your WordPress database from your WordPress instances
gcloud iam service-accounts create <Service Account>
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
    --member="serviceAccount:<Service Account>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/cloudsql.client"
gcloud iam service-accounts keys create key.json \
    --iam-account=<Service Account>@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com
kubectl create secret generic cloudsql-instance-credentials --from-file key.json
kubectl create secret generic cloudsql-db-credentials \
    --from-literal username=wordpress \
    --from-literal password='Passw0rd'
Create the WordPress deployment and service
kubectl create -f volume.yaml
Open wordpress.yaml and replace INSTANCE_CONNECTION_NAME with the connection name of your Cloud SQL instance (the format is project:region:instance-name).
kubectl apply -f wordpress.yaml
Task 3 — Set up Ingress with TLS
helm version
helm repo add stable https://charts.helm.sh/stable
helm repo update
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
helm install nginx-ingress stable/nginx-ingress --set rbac.create=true
kubectl get service nginx-ingress-controller -w
. add_ip.sh
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)
The . add_ip.sh command prints a hostname like student0300fdd647df7f.labdns.xyz. Save it somewhere, because you will need it later.
Edit issuer.yaml
and set the email address to that of your WordPress service account.
kubectl apply -f issuer.yaml
Edit ingress.yaml
and set the DNS name and domain name to YOUR_LAB_USERNAME.labdns.xyz. Remove any _ characters from your username when using it as the DNS name.
kubectl apply -f ingress.yaml
Task 4 - set up Network Policy
Now open network-policy.yaml in the editor and append the following to the end of the file:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}
Save the file and then run the following command:
kubectl apply -f network-policy.yaml
Task 5 — Setup Binary Authorization
Configure Binary Authorization Policy
1) In the Cloud Console, navigate to Security > Binary Authorization.
2) Enable the Binary Authorization API.
3) On the Binary Authorization page, click on CONFIGURE POLICY.
4) Select Disallow all images for the Default rule.
5) Scroll down to Images exempt from this policy, click ADD IMAGE PATH.
6) Paste docker.io/library/wordpress:latest to the textbox, and click DONE.
7) Repeat the above two steps to add the following image paths:
— us.gcr.io/k8s-artifacts-prod/ingress-nginx/*
— gcr.io/cloudsql-docker/*
— quay.io/jetstack/*
8) Click SAVE POLICY.
Enable Binary Authorization in Google Kubernetes Engine
1) Navigate to Kubernetes Engine > Clusters.
2) Click your cluster name to view its detail page.
3) Click on the pencil icon for Binary authorization under the Security section.
4) Check Enable Binary Authorization in the dialog.
5) Click SAVE CHANGES.
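Before the default rule is switched to Disallow all images, it is worth confirming that every image the cluster actually runs falls under one of the exempt paths, otherwise the admission controller will reject the lab's own pods. The script below is an added example (not part of the lab files) that checks a manifest against the four exemptions above; it assumes that an entry ending in /* covers exactly one more path element and that bare Docker Hub names such as wordpress:latest are evaluated in their docker.io/library/ form.

```shell
#!/bin/sh
# Added pre-flight check (not part of the lab files): confirm that every image in
# a manifest matches a Binary Authorization exemption from Task 5, so switching
# the default rule to "Disallow all images" does not block the lab's workloads.
set -f   # the exempt paths contain '*'; never let the shell glob-expand them
# Exempt image paths exactly as entered in the policy.
EXEMPT_PATHS='docker.io/library/wordpress:latest
us.gcr.io/k8s-artifacts-prod/ingress-nginx/*
gcr.io/cloudsql-docker/*
quay.io/jetstack/*'
# normalize_image REF: fill in Docker Hub defaults. Assumption: the policy sees
# "wordpress:latest" as docker.io/library/wordpress:latest, as runtimes expand it.
normalize_image() {
  first=${1%%/*}
  case $1 in
    */*) case $first in *.*|*:*|localhost) echo "$1" ;; *) echo "docker.io/$1" ;; esac ;;
    *)   echo "docker.io/library/$1" ;;
  esac
}
# image_exempt REF: exit 0 if the normalized reference matches an exempt path.
# Assumed pattern semantics: an exact entry matches only the identical reference;
# an entry ending in "/*" matches exactly one more path element (no further "/").
image_exempt() {
  image=$(normalize_image "$1")
  for pattern in $EXEMPT_PATHS; do
    case $pattern in
      */\*)
        prefix=${pattern%\*}
        rest=${image#"$prefix"}
        # stripping the prefix changed the string only if the prefix matched
        if [ "$rest" != "$image" ] && [ -n "$rest" ]; then
          case $rest in */*) ;; *) return 0 ;; esac
        fi ;;
      *) [ "$image" = "$pattern" ] && return 0 ;;
    esac
  done
  return 1
}
# check_manifest FILE: print each image the policy would reject; exit 1 if any.
check_manifest() {
  status=0
  for ref in $(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$1" | tr -d "\"'"); do
    image_exempt "$ref" || { echo "BLOCKED by policy: $ref"; status=1; }
  done
  return $status
}
# Constructed sample: two lab images plus one sidecar the policy would reject.
printf '        image: wordpress:latest\n        image: gcr.io/cloudsql-docker/gce-proxy:1.16\n        image: busybox:1.33\n' >/tmp/binauthz-check.yaml
check_manifest /tmp/binauthz-check.yaml || echo "add an exemption or drop the image before enabling the policy"
```

Run it against wordpress.yaml and the other manifests you applied; any line starting with BLOCKED names an image that needs an exemption (or a replacement) before the policy is saved.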
Task 6 — Setup Pod Security Policy
kubectl apply -f psp-restrictive.yaml
kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
Hope it helped :))
If you found it a little bit useful, subscribe to "PythonScript" on YouTube (it means a lot).