Implement Cloud Security Fundamentals on Google Cloud: Challenge Lab Solution
Overview
In this challenge lab, you will be given a scenario and a set of tasks to complete using your Google Cloud skills. Instead of step-by-step instructions, you will leverage your knowledge to accomplish these tasks. An automated scoring system will provide feedback on your progress.
Lab Details
- Duration: 1 hour 30 minutes
- Credits: 5
- Level: Intermediate
- Lab ID: GSP342
This lab is ideal for students enrolled in the Implement Cloud Security Fundamentals on Google Cloud skill badge. You will not learn new concepts but rather apply your existing skills.
Topics Tested
- Create a custom security role.
- Create a service account.
- Bind IAM security roles to a service account.
- Create a private Kubernetes Engine cluster in a custom subnet.
- Deploy an application to a private Kubernetes Engine cluster.
Setup and Requirements
Before starting the lab:
- Use an Incognito or private browser window to avoid conflicts with your personal Google Cloud account.
- Do not use your personal Google Cloud account to avoid extra charges.
- Ensure you have access to a standard internet browser (Chrome recommended).
- Allocate uninterrupted time as the lab cannot be paused once started.
Challenge Scenario
As a junior member of the security team for the Orca team at Jooli Inc., you must deploy, configure, and test a new Kubernetes Engine cluster following the company’s security standards. Your tasks include:
- Creating a Custom Security Role
- Creating a Service Account
- Binding IAM Security Roles to a Service Account
- Creating and Configuring a Private Kubernetes Engine Cluster
- Deploying an Application to the Cluster
All tasks should use the us-west1 region and the us-west1-b zone.
Task 0: Initial Steps
Access GCP Console and Terminal
Start the Lab by pressing the Start Lab button
Copy username and password from the sidebar
Press the Open Google Cloud Console button
Enter username and password to sign in
Press I understand button
Check Agreement and press Agree and Continue
Press the activate cloud shell button on the top right corner
In the cloud shell, click continue, and authorize if a popup appears
Export the following variables
Make sure to replace [content] with the values of your lab!
export CUSTOM_SECURIY_ROLE=[your_custom_security_role]
export SERVICE_ACCOUNT=[your_service_account]
export CLUSTER_NAME=[your_cluster_name]
export ZONE=[your_zone]
Task 1: Create a Custom Security Role
Create a custom IAM role named orca_storage_editor_597 with permissions to manage Google Cloud Storage objects.
Steps:
Set the Compute Zone:
gcloud config set compute/zone $ZONE
This command sets the default compute zone for your Google Cloud project, so later commands do not need an explicit --zone. The $ZONE variable should hold the zone the lab assigns (us-west1-b).
Create a Role Definition File:
cat > role-definition.yaml <<EOF_END
title: "$CUSTOM_SECURIY_ROLE"
description: "Permissions"
stage: "ALPHA"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
EOF_END
Here, we create a YAML file that defines the custom IAM role. This file specifies the title, description, stage, and included permissions for the role. Note that the role is limited to object-level permissions on Cloud Storage plus storage.buckets.get; it grants no bucket creation, deletion or IAM permissions, which is the point of a custom role over the predefined roles/storage.admin.
Create the Custom Security Role:
gcloud iam roles create $CUSTOM_SECURIY_ROLE --project $DEVSHELL_PROJECT_ID --file role-definition.yaml
This command uses the role definition file created earlier to create the custom IAM role within the specified project.
Task 2: Create a Service Account
Create a service account named orca-private-cluster-254-sa.
Steps:
Create the Service Account:
gcloud iam service-accounts create $SERVICE_ACCOUNT --display-name "Orca Private Cluster Service Account"
This command creates a new service account with the display name “Orca Private Cluster Service Account”.
Task 3: Bind IAM Security Roles to the Service Account
Bind the required roles to the service account.
Steps:
Bind IAM Policy Roles:
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/logging.logWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role projects/$DEVSHELL_PROJECT_ID/roles/$CUSTOM_SECURIY_ROLE
These commands bind the IAM roles to the service account at project level. The roles monitoring.viewer, monitoring.metricWriter, and logging.logWriter are the minimum the GKE node agents need to ship metrics and logs to Cloud Monitoring and Cloud Logging. The custom role created in Task 1 is also bound to the service account, using its full resource name projects/PROJECT_ID/roles/ROLE_ID. Nothing broader (in particular no basic role such as roles/editor) is bound, which is what makes this service account preferable to the default Compute Engine service account.
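After binding the roles, it is worth confirming that the service account holds exactly the four roles from Task 3 and nothing else. The following audit script is an added example, not part of the lab or of Google's tooling: the comparison logic is pure shell and awk and runs here against a constructed sample of flattened policy bindings, while the --live flag pulls the real bindings with gcloud. It assumes the lab's variable names; the project ID default is a placeholder.

```shell
#!/bin/sh
# Added example (not lab code): audit the project-level roles held by the
# cluster service account. Runs on a constructed sample; pass --live to
# query the real project with gcloud. Defaults below are placeholders.
DEVSHELL_PROJECT_ID="${DEVSHELL_PROJECT_ID:-example-project-id}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-orca-private-cluster-254-sa}"
CUSTOM_SECURIY_ROLE="${CUSTOM_SECURIY_ROLE:-orca_storage_editor_597}"
SA_MEMBER="serviceAccount:${SERVICE_ACCOUNT}@${DEVSHELL_PROJECT_ID}.iam.gserviceaccount.com"
TAB="$(printf '\t')"

# The exact set of roles Task 3 binds; anything else on the SA is a finding.
expected_roles() {
  printf '%s\n' \
    roles/monitoring.viewer \
    roles/monitoring.metricWriter \
    roles/logging.logWriter \
    "projects/${DEVSHELL_PROJECT_ID}/roles/${CUSTOM_SECURIY_ROLE}"
}

# Live fetch: one "member<TAB>role" line per binding in the project policy.
fetch_bindings() {
  gcloud projects get-iam-policy "$DEVSHELL_PROJECT_ID" \
    --flatten="bindings[].members" \
    --format="value(bindings.members,bindings.role)"
}

# Roles held by member $1, read from "member<TAB>role" lines on stdin.
roles_for_member() {
  awk -F "$TAB" -v m="$1" '$1 == m { print $2 }' | sort -u
}

# Lines of $1 that do not occur in $2 (both newline-separated).
set_minus() {
  printf '%s\n' "$1" | awk -v other="$2" '
    BEGIN { n = split(other, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    NF && !($0 in seen) { print }'
}

# Report missing and extra roles for member $1 given bindings $2.
# Returns 0 only when the held set equals the expected set exactly.
audit_sa_roles() {
  member="$1"; bindings="$2"; rc=0
  held=$(printf '%s\n' "$bindings" | roles_for_member "$member")
  missing=$(set_minus "$(expected_roles)" "$held")
  extra=$(set_minus "$held" "$(expected_roles)")
  if [ -n "$missing" ]; then
    printf 'MISSING (task not complete):\n%s\n' "$missing"; rc=1
  fi
  if [ -n "$extra" ]; then
    printf 'EXTRA (violates least privilege):\n%s\n' "$extra"; rc=1
  fi
  # Basic roles grant far more than the cluster needs; call them out explicitly.
  for r in roles/owner roles/editor roles/viewer; do
    case "$extra" in *"$r"*) printf 'BASIC ROLE %s must be removed\n' "$r" ;; esac
  done
  return $rc
}

# Constructed sample of fetch_bindings output (not real lab data): the SA holds
# exactly the four expected roles; the default Compute Engine SA holds
# roles/editor, which is why the nodes should not run on it.
SAMPLE_OK=$(printf '%s\t%s\n' \
  "$SA_MEMBER" roles/monitoring.viewer \
  "$SA_MEMBER" roles/monitoring.metricWriter \
  "$SA_MEMBER" roles/logging.logWriter \
  "$SA_MEMBER" "projects/${DEVSHELL_PROJECT_ID}/roles/${CUSTOM_SECURIY_ROLE}" \
  "serviceAccount:123456789012-compute@developer.gserviceaccount.com" roles/editor)

# Same policy after someone "fixed" a permission error by adding roles/editor
# to the cluster SA, while logging.logWriter was never bound.
SAMPLE_BAD=$(printf '%s\t%s\n' \
  "$SA_MEMBER" roles/monitoring.viewer \
  "$SA_MEMBER" roles/monitoring.metricWriter \
  "$SA_MEMBER" "projects/${DEVSHELL_PROJECT_ID}/roles/${CUSTOM_SECURIY_ROLE}" \
  "$SA_MEMBER" roles/editor)

if [ "${1:-}" = "--live" ]; then
  audit_sa_roles "$SA_MEMBER" "$(fetch_bindings)"
else
  audit_sa_roles "$SA_MEMBER" "$SAMPLE_OK" && echo "sample OK: exact match"
  audit_sa_roles "$SA_MEMBER" "$SAMPLE_BAD" || echo "sample BAD: see findings above"
fi
```

Run it from Cloud Shell with --live after Task 3; a clean run prints nothing for the live audit and exits 0, and any extra role is a least-privilege finding even if the lab's checker is satisfied.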
Task 4: Create and Configure a Private Kubernetes Engine Cluster
Deploy a Kubernetes Engine private cluster with specific configurations.
Steps:
Create the GKE Cluster:
gcloud container clusters create $CLUSTER_NAME --num-nodes 1 --master-ipv4-cidr=172.16.0.64/28 --network orca-build-vpc --subnetwork orca-build-subnet --enable-master-authorized-networks --master-authorized-networks 192.168.10.2/32 --enable-ip-alias --enable-private-nodes --enable-private-endpoint --service-account $SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --zone $ZONE
This command creates a private Google Kubernetes Engine (GKE) cluster in the pre-existing orca-build-vpc network and orca-build-subnet. --enable-private-nodes gives the nodes internal IP addresses only; --enable-private-endpoint removes the control plane's public endpoint altogether; and --master-authorized-networks 192.168.10.2/32 allows exactly one address, the orca-jumphost's internal IP (hence the /32 in Tip 2), to reach the private endpoint. Because there is no public endpoint, kubectl from Cloud Shell cannot reach this cluster; all administration has to come from a host inside the VPC that is on the authorized list. --service-account runs the nodes as the dedicated service account from Task 2 instead of the default Compute Engine service account.
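Once the cluster is up, the three settings that make it private are worth verifying rather than assumed, since a cluster created without --enable-private-endpoint or with 0.0.0.0/0 in its authorized networks would still pass a casual look. The script below is an added example, not part of the lab: the checks are pure shell and run here on constructed values in the field order of the live gcloud describe command, which the --live flag uses. The field paths are those of the GKE Cluster resource (privateClusterConfig, masterAuthorizedNetworksConfig, nodeConfig.serviceAccount); the variable names follow the lab and the defaults are placeholders.

```shell
#!/bin/sh
# Added example (not lab code): verify the private-cluster posture from Task 4.
# The checks run on constructed values; pass --live to fetch real ones with gcloud.
CLUSTER_NAME="${CLUSTER_NAME:-orca-cluster-example}"
ZONE="${ZONE:-us-west1-b}"
DEVSHELL_PROJECT_ID="${DEVSHELL_PROJECT_ID:-example-project-id}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-orca-private-cluster-254-sa}"
EXPECTED_SA="${SERVICE_ACCOUNT}@${DEVSHELL_PROJECT_ID}.iam.gserviceaccount.com"
JUMPHOST_CIDR="192.168.10.2/32"   # the only address that should reach the control plane

# Live fetch: one CSV line with five fields; gcloud joins the CIDR list with ';'.
fetch_cluster_facts() {
  gcloud container clusters describe "$CLUSTER_NAME" --zone "$ZONE" \
    --project "$DEVSHELL_PROJECT_ID" \
    --format="csv[no-heading](privateClusterConfig.enablePrivateNodes,privateClusterConfig.enablePrivateEndpoint,masterAuthorizedNetworksConfig.enabled,masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock,nodeConfig.serviceAccount)"
}

# True when $1 is a well-formed IPv4 CIDR naming exactly one host (/32).
is_single_host_cidr() {
  case "$1" in */32) ;; *) return 1 ;; esac
  printf '%s\n' "${1%/32}" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# $1 private nodes, $2 private endpoint, $3 authorized networks enabled,
# $4 ';'-joined authorized CIDRs, $5 node service account.
# Prints one line per finding; returns 0 only when every check passes.
check_private_cluster() {
  rc=0
  case "$1" in True|true) ;; *) echo "FAIL: nodes have public IPs (enablePrivateNodes=$1)"; rc=1 ;; esac
  case "$2" in True|true) ;; *) echo "FAIL: control plane has a public endpoint (enablePrivateEndpoint=$2)"; rc=1 ;; esac
  case "$3" in True|true) ;; *) echo "FAIL: master authorized networks not enabled"; rc=1 ;; esac
  if [ -z "$4" ]; then
    echo "FAIL: no authorized network; nothing can reach the control plane"; rc=1
  fi
  old_ifs=$IFS; IFS=';'
  for cidr in $4; do
    is_single_host_cidr "$cidr" || { echo "FAIL: authorized network $cidr is wider than one host"; rc=1; }
  done
  IFS=$old_ifs
  case "$4" in *"$JUMPHOST_CIDR"*) ;; *) echo "FAIL: jumphost $JUMPHOST_CIDR is not authorized"; rc=1 ;; esac
  [ "$5" = "$EXPECTED_SA" ] || { echo "FAIL: nodes run as $5, expected $EXPECTED_SA"; rc=1; }
  case "$5" in *-compute@developer.gserviceaccount.com)
    echo "FAIL: nodes use the default Compute Engine SA, which usually carries roles/editor"; rc=1 ;;
  esac
  return $rc
}

# Constructed samples (not real describe output), in fetch_cluster_facts order.
# sample_good is what Task 4's command should produce.
sample_good() {
  check_private_cluster True True True "$JUMPHOST_CIDR" "$EXPECTED_SA"
}
# sample_bad: public endpoint left on, 0.0.0.0/0 added "to make kubectl work",
# and the nodes running as the default Compute Engine service account.
sample_bad() {
  check_private_cluster True False True "0.0.0.0/0;$JUMPHOST_CIDR" \
    "123456789012-compute@developer.gserviceaccount.com"
}

if [ "${1:-}" = "--live" ]; then
  old_ifs=$IFS; IFS=','; set -- $(fetch_cluster_facts); IFS=$old_ifs
  check_private_cluster "$@"
else
  sample_good && echo "sample good: cluster is private"
  sample_bad || echo "sample bad: see findings above"
fi
```

The CIDR check is deliberately strict: a jumphost entry must be a single host, and anything wider (a subnet, or 0.0.0.0/0) is reported even when the jumphost itself is also listed, because the extra entry silently widens who can reach the API server.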
Task 5: Deploy an Application to the Private Kubernetes Engine Cluster
Validate the cluster by deploying a simple application.
Steps:
Connect to the Cluster and Deploy:
gcloud compute ssh --zone "$ZONE" "orca-jumphost" --project "$DEVSHELL_PROJECT_ID" --quiet --command "gcloud config set compute/zone $ZONE && sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin && gcloud container clusters get-credentials $CLUSTER_NAME --internal-ip && kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0 && kubectl expose deployment hello-server --name orca-hello-service --type LoadBalancer --port 80 --target-port 8080"
This command does not talk to the cluster from Cloud Shell; it SSHes to the orca-jumphost, which sits in the same VPC and is the only address in the master authorized networks list, and runs the rest of the pipeline there. On the jumphost it installs the GKE auth plugin (with -y, since apt-get would otherwise wait for a confirmation that never comes over --command), fetches credentials for the cluster's private endpoint with --internal-ip, deploys the sample application (hello-server), and exposes it as a LoadBalancer service named orca-hello-service. $ZONE and $CLUSTER_NAME are inside double quotes, so Cloud Shell expands them before the command is sent to the jumphost, which is what you want.
Tips and Tricks
- Tip 1: Use the gke-gcloud-auth-plugin for kubectl commands. Install the GKE authentication plugin on the jumphost and configure your environment to use it for kubectl:
sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin
echo "export USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> ~/.bashrc
source ~/.bashrc
gcloud container clusters get-credentials <your cluster name> --internal-ip --project=<project ID> --zone <cluster zone>
- Tip 2: Use a /32 netmask for the internal IP address of the orca-jumphost in the master authorized networks list, so that exactly one host is allowed to reach the control plane rather than a whole subnet.
- Tip 3: Connect to the private cluster using a jumphost or proxy within the same VPC. With --enable-private-endpoint the control plane has no public address, so kubectl run directly from Cloud Shell will time out.
Conclusion
In this lab, you configured a Kubernetes Engine private cluster that runs on a dedicated service account holding only the roles it needs. You created a custom IAM role, bound the necessary roles to the service account, restricted control-plane access to a single jumphost, and validated the setup by deploying a test application from inside the VPC. This challenge reinforced your cloud security skills and your ability to manage Kubernetes Engine clusters on Google Cloud.