GSP342 - Ensure Access & Identity in Google Cloud: Challenge Lab

Setup

Setup Zone

gcloud config set compute/zone us-central1-a

Task 1. Create a custom security role

Buat yaml file
```
nano role-definition.yaml
```

Create yaml

title: "orca_storage_controller_768"
description: "Orca Storage Controller 768"
stage: "ALPHA"
includedPermissions:
  - storage.buckets.get
  - storage.objects.get
  - storage.objects.list
  - storage.objects.update
  - storage.objects.create

Execute

gcloud iam roles create orca_storage_controller_768 --project $DEVSHELL_PROJECT_ID \
    --file role-definition.yaml

Task 2. Create a service account

Buat service account

gcloud iam service-accounts create orca-private-cluster-484-sa --display-name "orca-private-cluster-484-sa"

Task 3. Bind a custom security role to a service account

Bind

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-484-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.viewer

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-484-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.metricWriter

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-484-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/logging.logWriter

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member serviceAccount:orca-private-cluster-484-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role projects/$DEVSHELL_PROJECT_ID/roles/orca_storage_controller_768

Task 4. Create and configure a new Kubernetes Engine private cluster

Buat cluster

gcloud beta container clusters create orca-cluster-703 --num-nodes 1 --master-ipv4-cidr=172.16.0.64/28 --network orca-build-vpc --subnetwork orca-build-subnet --enable-master-authorized-networks  --master-authorized-networks 192.168.10.2/32 --enable-ip-alias --enable-private-nodes --enable-private-endpoint --service-account orca-private-cluster-484-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --zone us-east1-b

Task 5. Deploy an application to a private Kubernetes Engine cluster

Deploy

gcloud compute ssh orca-jumphost  --zone us-east1-b

sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
echo "export USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> ~/.bashrc
source ~/.bashrc

gcloud container clusters get-credentials orca-cluster-703 --internal-ip --project=qwiklabs-gcp-03-b510551a8d8b --zone us-east1-b

kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0

kubectl expose deployment hello-server --name orca-hello-service --type LoadBalancer --port 80 --target-port 8080

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GSP342.md

GSP342.md

GSP342 - Ensure Access & Identity in Google Cloud: Challenge Lab

Setup

Task 1. Create a custom security role

Task 2. Create a service account

Task 3. Bind a custom security role to a service account

Task 4. Create and configure a new Kubernetes Engine private cluster

Task 5. Deploy an application to a private Kubernetes Engine cluster

Files

GSP342.md

Latest commit

History

GSP342.md

File metadata and controls

GSP342 - Ensure Access & Identity in Google Cloud: Challenge Lab

Setup

Task 1. Create a custom security role

Task 2. Create a service account

Task 3. Bind a custom security role to a service account

Task 4. Create and configure a new Kubernetes Engine private cluster

Task 5. Deploy an application to a private Kubernetes Engine cluster