Implement Cloud Security Fundamentals on Google Cloud: Challenge Lab Solution

Muhammad Hassaan Javed
5 min read · May 30, 2024



Overview

In this challenge lab, you will be given a scenario and a set of tasks to complete using your Google Cloud skills. Instead of step-by-step instructions, you will leverage your knowledge to accomplish these tasks. An automated scoring system will provide feedback on your progress.

Lab Details

  • Duration: 1 hour 30 minutes
  • Credits: 5
  • Level: Intermediate
  • Lab ID: GSP342

This lab is ideal for students enrolled in the Implement Cloud Security Fundamentals on Google Cloud skill badge. You will not learn new concepts but rather apply your existing skills.

Topics Tested

  1. Create a custom security role.
  2. Create a service account.
  3. Bind IAM security roles to a service account.
  4. Create a private Kubernetes Engine cluster in a custom subnet.
  5. Deploy an application to a private Kubernetes Engine cluster.

Setup and Requirements

Before starting the lab:

  • Use an Incognito or private browser window to avoid conflicts with your personal Google Cloud account.
  • Do not use your personal Google Cloud account to avoid extra charges.
  • Ensure you have access to a standard internet browser (Chrome recommended).
  • Allocate uninterrupted time as the lab cannot be paused once started.

Challenge Scenario

As a junior member of the security team for the Orca team at Jooli Inc., you must deploy, configure, and test a new Kubernetes Engine cluster following the company’s security standards. Your tasks include:

  1. Creating a Custom Security Role
  2. Creating a Service Account
  3. Binding IAM Security Roles to a Service Account
  4. Creating and Configuring a Private Kubernetes Engine Cluster
  5. Deploying an Application to the Cluster

All tasks should use the us-west1 region and the us-west1-b zone.

Task 0: Initial Steps

Access GCP Console and Terminal

  1. Press the Start Lab button.
  2. Copy the username and password from the sidebar.
  3. Press the Open Google Cloud Console button.
  4. Enter the username and password to sign in.
  5. Press the I understand button.
  6. Check the agreement and press Agree and Continue.
  7. Press the Activate Cloud Shell button in the top-right corner.
  8. In Cloud Shell, click Continue, and authorize if a popup appears.

Export the following variables

Replace each bracketed placeholder with the value shown in your own lab instructions: the custom role name, service account name and cluster name carry a random suffix that differs per lab instance, and the zone for this lab is us-west1-b.

export CUSTOM_SECURIY_ROLE=[your_custom_security_role]
export SERVICE_ACCOUNT=[your_service_account]
export CLUSTER_NAME=[your_cluster_name]
export ZONE=[your_zone]

Task 1: Create a Custom Security Role

Create a custom IAM role named orca_storage_editor_597 that can read bucket metadata and read, list, create and update Cloud Storage objects. Deliberately, it grants neither storage.objects.delete nor any setIamPolicy permission: an "editor" that cannot destroy data or widen its own access is the least-privilege shape this task asks for.

Steps:

Set the Compute Zone:

gcloud config set compute/zone $ZONE

This sets the default compute zone for your Cloud Shell session so later gcloud commands do not each need a --zone flag. For this lab $ZONE should be us-west1-b.

Create a Role Definition File:

cat > role-definition.yaml <<EOF_END
title: "$CUSTOM_SECURIY_ROLE"
description: "Permissions"
stage: "ALPHA"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
EOF_END

This heredoc writes the YAML role definition that gcloud expects: a title, a description, a launch stage (ALPHA marks the role as new and subject to change) and the list of included permissions. Because the heredoc delimiter is unquoted, $CUSTOM_SECURIY_ROLE is expanded when the file is written, so export it first. Note what the list omits: no storage.objects.delete and no storage.buckets.setIamPolicy.

Create the Custom Security Role:

gcloud iam roles create $CUSTOM_SECURIY_ROLE --project $DEVSHELL_PROJECT_ID --file role-definition.yaml

This command uses the role definition file created earlier to create the custom IAM role within the specified project.
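Before the role is created it is worth linting the definition file, because a stray permission such as storage.objects.delete in the YAML becomes a permanent part of the role. The following script is an added example and is not part of the lab or the author's solution. It assumes POSIX sh with sed and grep, the same YAML layout as above, and an allowlist that mirrors the five permissions the task calls for; the gcloud call is only issued when the lint passes.

```shell
#!/bin/sh
# Added example (not from the lab): lint a custom-role definition for least
# privilege before handing it to `gcloud iam roles create`.
# Assumptions: POSIX sh + sed/grep; allowlist taken from the task's permission list.

# The only permissions this "storage editor" role may carry.
ALLOWED_PERMISSIONS="storage.buckets.get storage.objects.get storage.objects.list storage.objects.update storage.objects.create"

# Permission shapes that must never appear in this role, whatever the allowlist says:
# anything that deletes data, rewrites IAM policy, or touches IAM/project resources.
DENIED_PATTERNS='\.delete$|\.setIamPolicy$|^iam\.|^resourcemanager\.'

# write_role_definition TITLE FILE PERM... : emit the YAML layout gcloud expects.
write_role_definition() {
  title=$1; file=$2; shift 2
  {
    printf 'title: "%s"\n' "$title"
    printf 'description: "Object editor for Orca: no delete, no IAM changes"\n'
    printf 'stage: "ALPHA"\n'
    printf 'includedPermissions:\n'
    for p in "$@"; do printf -- '- %s\n' "$p"; done
  } > "$file"
}

# lint_role_file FILE : return 0 only if every includedPermission is on the
# allowlist and matches no denied pattern. Offending entries are reported on stderr.
lint_role_file() {
  file=$1; rc=0
  perms=$(sed -n 's/^- //p' "$file")
  for p in $perms; do
    case " $ALLOWED_PERMISSIONS " in
      *" $p "*) ;;
      *) echo "not in allowlist: $p" >&2; rc=1 ;;
    esac
    if printf '%s\n' "$p" | grep -Eq "$DENIED_PATTERNS"; then
      echo "denied pattern: $p" >&2; rc=1
    fi
  done
  return $rc
}

# create_role_if_clean ROLE_ID FILE : gate the real gcloud call on the lint.
# (Needs gcloud and DEVSHELL_PROJECT_ID; only meaningful inside the lab.)
create_role_if_clean() {
  lint_role_file "$2" || { echo "refusing to create role $1" >&2; return 1; }
  gcloud iam roles create "$1" --project "$DEVSHELL_PROJECT_ID" --file "$2"
}

# Demo: the lab's permission set passes, the same set plus a delete permission is rejected.
write_role_definition orca_storage_editor_597 /tmp/role-ok.yaml $ALLOWED_PERMISSIONS
lint_role_file /tmp/role-ok.yaml && echo "role-ok.yaml: clean"
write_role_definition orca_storage_editor_597 /tmp/role-bad.yaml $ALLOWED_PERMISSIONS storage.objects.delete
lint_role_file /tmp/role-bad.yaml || echo "role-bad.yaml: rejected"
```

After the role exists, `gcloud iam roles describe $CUSTOM_SECURIY_ROLE --project $DEVSHELL_PROJECT_ID` shows the stored permission list; it should match the allowlist exactly.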

Task 2: Create a Service Account

Create a service account named orca-private-cluster-254-sa.

Steps:

Create the Service Account:

gcloud iam service-accounts create $SERVICE_ACCOUNT --display-name "Orca Private Cluster Service Account"

This command creates a new service account with the display name “Orca Private Cluster Service Account”.

Task 3: Bind IAM Security Roles to the Service Account

Bind the required roles to the service account.

Steps:

Bind IAM Policy Roles:

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.viewer

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.metricWriter

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/logging.logWriter

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role projects/$DEVSHELL_PROJECT_ID/roles/$CUSTOM_SECURIY_ROLE

These commands bind four roles to the service account. roles/monitoring.viewer, roles/monitoring.metricWriter and roles/logging.logWriter are the minimum a GKE node service account needs to ship node and workload logs and metrics; the custom role from Task 1 gives the nodes scoped Cloud Storage access without the broad predefined storage roles. Nothing here grants a basic role (Owner, Editor, Viewer), which is the point of replacing the default Compute Engine service account.
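The scoring checks only that the bindings exist, but a reviewer also wants to confirm the account holds nothing more than those four roles. The script below is an added example, not part of the lab; it reads the tab-separated output of `gcloud projects get-iam-policy "$DEVSHELL_PROJECT_ID" --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"` from stdin, and the sample policy embedded in it is constructed for the demo (project id my-project, the lab's service-account name, and an unrelated Owner binding for the student user).

```shell
#!/bin/sh
# Added example (not from the lab): verify that the service account holds exactly
# the intended roles and no basic role. Assumes POSIX sh + awk/sort, and input
# lines of the form "role<TAB>member", i.e. the output of:
#   gcloud projects get-iam-policy "$DEVSHELL_PROJECT_ID" \
#     --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"

PROJECT=my-project                                              # constructed
SA="orca-private-cluster-254-sa@$PROJECT.iam.gserviceaccount.com"
EXPECTED_ROLES="roles/monitoring.viewer roles/monitoring.metricWriter roles/logging.logWriter projects/$PROJECT/roles/orca_storage_editor_597"

# sa_roles EMAIL : print the roles bound to serviceAccount:EMAIL, sorted, one per line.
sa_roles() {
  awk -F'\t' -v m="serviceAccount:$1" '$2 == m { print $1 }' | sort -u
}

# audit_sa_roles EMAIL "role1 role2 ..." : 0 iff the bound set equals the expected
# set and contains no basic role; differences are reported on stderr.
audit_sa_roles() {
  email=$1; rc=0
  actual=$(sa_roles "$email")
  expected=$(printf '%s\n' $2 | sort -u)
  if [ "$actual" != "$expected" ]; then
    echo "role set for $email differs from expectation" >&2
    printf '%s\n' "$actual" | sed 's/^/  bound: /' >&2
    rc=1
  fi
  for r in $actual; do
    case $r in
      roles/owner|roles/editor|roles/viewer) echo "basic role bound: $r" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample policy, shaped like the flattened gcloud output.
sample_policy() {
  printf '%s\t%s\n' \
    roles/owner "user:student@example.com" \
    roles/monitoring.viewer "serviceAccount:$SA" \
    roles/monitoring.metricWriter "serviceAccount:$SA" \
    roles/logging.logWriter "serviceAccount:$SA" \
    "projects/$PROJECT/roles/orca_storage_editor_597" "serviceAccount:$SA" \
    roles/compute.admin "serviceAccount:$PROJECT@appspot.gserviceaccount.com"
}

# Demo on the constructed policy. In the lab, replace sample_policy with the gcloud
# command from the header comment and use $DEVSHELL_PROJECT_ID for PROJECT.
sample_policy | audit_sa_roles "$SA" "$EXPECTED_ROLES" && echo "bindings for $SA are as expected"
```

Running the same audit with roles/editor added to the policy fails, which is exactly the case a misclick in the console's IAM page produces.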

Task 4: Create and Configure a Private Kubernetes Engine Cluster

Deploy a Kubernetes Engine private cluster with specific configurations.

Steps:

Create the GKE Cluster:

gcloud container clusters create $CLUSTER_NAME \
  --zone $ZONE \
  --num-nodes 1 \
  --network orca-build-vpc \
  --subnetwork orca-build-subnet \
  --enable-ip-alias \
  --enable-private-nodes \
  --enable-private-endpoint \
  --master-ipv4-cidr=172.16.0.64/28 \
  --enable-master-authorized-networks \
  --master-authorized-networks 192.168.10.2/32 \
  --service-account $SERVICE_ACCOUNT@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

This creates a private GKE cluster in the custom subnet. --enable-private-nodes gives the nodes internal addresses only; --enable-private-endpoint removes the public control-plane address, so the API server is reachable only on its internal endpoint inside 172.16.0.64/28; --master-authorized-networks 192.168.10.2/32 narrows even that internal access to the single address of orca-jumphost; --enable-ip-alias (VPC-native networking) is a prerequisite for private clusters; and --service-account attaches the least-privilege account from Tasks 2 and 3 instead of the default Compute Engine service account, which typically carries the project-wide Editor role.
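Creation succeeding does not prove the cluster is private in the way the scenario requires; the values gcloud reports back should be checked. The script below is an added example, not part of the lab. It assumes the endpoint address, master CIDR, private-endpoint flag and authorized-network list are read from `gcloud container clusters describe` (field names given in the comments), and the values used in the demo are constructed to match the flags above. The CIDR arithmetic is done in plain POSIX shell so the check also works on a jumphost without ipcalc or Python.

```shell
#!/bin/sh
# Added example (not from the lab): confirm the cluster really is private.
# Assumes POSIX sh. In the lab the inputs come from, for example:
#   gcloud container clusters describe "$CLUSTER_NAME" --zone "$ZONE" \
#     --format='value(privateClusterConfig.privateEndpoint)'
#   ... --format='value(privateClusterConfig.masterIpv4CidrBlock)'
#   ... --format='value(privateClusterConfig.enablePrivateEndpoint)'
#   ... --format='value(masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock)'

# ip_to_int A.B.C.D : dotted quad to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_cidr IP NET/BITS : 0 if IP lies inside the prefix (BITS 1..32).
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" -ge 1 ] 2>/dev/null && [ "$bits" -le 32 ] || return 2
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_private_cluster ENDPOINT MASTER_CIDR PRIVATE_ENDPOINT_FLAG AUTHORIZED_CIDR...
# Returns 0 only if: the public endpoint is disabled, the endpoint gcloud reports
# sits inside the master CIDR, and every authorized network is a single /32 host.
check_private_cluster() {
  endpoint=$1; master_cidr=$2; flag=$3; shift 3; rc=0
  case $flag in
    True|true) ;;
    *) echo "public control-plane endpoint is still enabled" >&2; rc=1 ;;
  esac
  ip_in_cidr "$endpoint" "$master_cidr" || { echo "endpoint $endpoint is outside $master_cidr" >&2; rc=1; }
  [ $# -gt 0 ] || { echo "no master authorized networks configured" >&2; rc=1; }
  for c in "$@"; do
    case $c in
      0.0.0.0/0) echo "control plane open to every address: $c" >&2; rc=1 ;;
      */32) ;;
      *) echo "authorized network wider than a single host: $c" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Demo with constructed values matching the create command (endpoint .66 is illustrative).
check_private_cluster 172.16.0.66 172.16.0.64/28 True 192.168.10.2/32 \
  && echo "private cluster configuration OK"
```

A public endpoint such as 34.x.x.x, an authorized range like 192.168.10.0/24, or 0.0.0.0/0 each make the check fail with a message naming the offending value.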

Task 5: Deploy an Application to the Private Kubernetes Engine Cluster

Validate the cluster by deploying a simple application.

Steps:

Connect to the Cluster and Deploy:

gcloud compute ssh orca-jumphost --zone "$ZONE" --project "$DEVSHELL_PROJECT_ID" --quiet --command "
  gcloud config set compute/zone $ZONE &&
  sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin &&
  gcloud container clusters get-credentials $CLUSTER_NAME --internal-ip &&
  kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0 &&
  kubectl expose deployment hello-server --name orca-hello-service --type LoadBalancer --port 80 --target-port 8080
"

This runs the whole deployment over SSH on orca-jumphost, the only address on the cluster's authorized-network list. The gke-gcloud-auth-plugin that kubectl needs is installed first, with apt-get -y so the non-interactive SSH session does not stall on the confirmation prompt; credentials are fetched with --internal-ip because the cluster has no public endpoint; then the sample hello-app is deployed as hello-server. Exposing it as a LoadBalancer allocates a public IP on port 80 that forwards to the container's port 8080, so the service is internet-reachable even though the nodes and control plane are not. The external IP shows as <pending> in kubectl get svc for a minute or two while the load balancer is provisioned.

Tips and Tricks

  • Tip 1: Use the gke-gcloud-auth-plugin for kubectl commands.
sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
echo "export USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> ~/.bashrc
source ~/.bashrc
gcloud container clusters get-credentials <your cluster name> --internal-ip --project=<project ID> --zone <cluster zone>

Install the GKE authentication plugin and configure your environment to use it for kubectl commands.

  • Tip 2: Use a /32 netmask for the internal IP address of the orca-jumphost.
  • Tip 3: Connect to the private cluster using a jumphost or proxy within the same VPC.

Conclusion

In this lab, you configured a private Kubernetes Engine cluster that runs under a dedicated, least-privilege service account. You created a custom IAM role limited to the Cloud Storage permissions the workload needs, bound that role plus the minimum logging and monitoring roles to the service account, locked the control plane down to a private endpoint reachable only from the jumphost, and validated the setup by deploying a test application. The challenge reinforces the core cloud security skills of scoping IAM, isolating the control plane, and verifying the result rather than assuming it.
