Issue in a lab of level 1

Can anyone help me out?

I'm having issues solving the lab "Secure Workloads in Google Kubernetes Engine: Challenge Lab"; it gets stuck in task 3 even though I'm doing it correctly.

Error: Install cert-manager.io

Please help me out, time is running out!

3 ACCEPTED SOLUTIONS

Use this guide: https://drive.google.com/file/d/17gQuuh_4jpJFieEEWpYTfN0fjqHwgcu4/view

and the commands from here: 

Please follow the below steps for the lab Secure Workloads in Google Kubernetes Engine: Challenge:

Task 1: Setup Cluster
gsutil cp gs://spls/gsp335/gsp335.zip .
unzip gsp335.zip
Search for Kubernetes Engine and open it in a separate tab; similarly, search for SQL.

gcloud container clusters create 'Cluster_name' \
--zone us-central1-c \
--machine-type n1-standard-4 \
--num-nodes 2 \
--enable-network-policy

gcloud sql instances create 'Cloud_SQL_Instance' --region us-central1

refresh both new windows and check the work and wait until you get green check mark
************************************************************************
Task 2: Setup wordpress
Create database - wordpress
Add user - wordpress (no password)

Service account
gcloud iam service-accounts create 'Service_Account'

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member="serviceAccount:'Service_Account'@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/cloudsql.client"

gcloud iam service-accounts keys create key.json --iam-account='Service_Account'@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com

kubectl create secret generic cloudsql-instance-credentials --from-file key.json

kubectl create secret generic cloudsql-db-credentials \
--from-literal username=wordpress \
--from-literal password=''

Create the WordPress deployment and service

kubectl create -f volume.yaml

Go to the editor and replace the instance name with the SQL instance name.
Save.

kubectl apply -f wordpress.yaml

************************************************************************
Task 3: Setup Ingress with TLS
helm version

helm repo add stable https://charts.helm.sh/stable
helm repo update

helm install nginx-ingress stable/nginx-ingress --set rbac.create=true

kubectl get service

. add_ip.sh

student0047f4ad80a2dd.labdns.xyz (save it for later use as the host name)

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml

kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)

Go to the editor and edit issuer.yaml to include the lab email address.

kubectl apply -f issuer.yaml

Go to the editor and edit ingress.yaml to include the DNS address received as output from . add_ip.sh

kubectl apply -f ingress.yaml

************************************************************************
Task 4: Set up Network Policy
Go to the editor and add the following to the end of network-policy.yaml:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}

kubectl apply -f network-policy.yaml
************************************************************************
Task 5: Setup Binary Authorization
Go to Security - Binary Authorization, enable it, and click on edit policy; under specific rule select the GKE rule.
- configure policy
- disallow all images
- create specific rules, select cluster
- add specific rule, type us and select from dropdown, click add
- custom exception path
- add image paths given
- save policy
Enable Binary Authorization for the Kubernetes cluster.
************************************************************************
Task 6
edit psp-restrictive.yaml
line 2 change extensions/v1beta1 to policy/v1beta1
kubectl apply -f psp-restrictive.yaml
kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml

-------------------------

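Added example (not part of the original post or the lab files): a simplified Python model of how Kubernetes evaluates ingress NetworkPolicies, showing what the `ingress: - {}` rule from Task 4 does. The deny-all policy and the `app: wordpress` label are constructed assumptions, since the page does not show the rest of network-policy.yaml.

```python
# Simplified NetworkPolicy ingress evaluation: one namespace, matchLabels only,
# no ports / ipBlock / namespaceSelector handling.

def selects(selector, labels):
    """An empty podSelector ({}) selects every pod in the namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src_labels):
    """Only podSelector peers are modelled; src_labels=None means outside the cluster."""
    if "podSelector" not in peer:
        return False
    return src_labels is not None and selects(peer["podSelector"], src_labels)

def ingress_allowed(policies, pod_labels, src_labels):
    """Return True if traffic from src_labels may reach a pod with pod_labels."""
    applicable = [p for p in policies
                  if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not applicable:
        return True            # no policy selects the pod: not isolated
    for p in applicable:       # policies are additive: any matching rule allows
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:      # rule is {} (no "from"): every source matches
                return True
            if any(peer_matches(peer, src_labels) for peer in peers):
                return True
    return False               # isolated and no rule matched

# Constructed default-deny policy (assumption: lab file contents are not on the page).
DENY_ALL = {"metadata": {"name": "deny-all-ingress"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

# The policy from Task 4 on this page.
ALLOW_WORLD = {"metadata": {"name": "allow-world-to-nginx-ingress"},
               "spec": {"podSelector": {"matchLabels": {"app": "nginx-ingress"}},
                        "policyTypes": ["Ingress"], "ingress": [{}]}}

def demo():
    nginx, wordpress = {"app": "nginx-ingress"}, {"app": "wordpress"}  # wordpress label assumed
    return {
        "internet -> nginx-ingress": ingress_allowed([DENY_ALL, ALLOW_WORLD], nginx, None),
        "internet -> wordpress": ingress_allowed([DENY_ALL, ALLOW_WORLD], wordpress, None),
        "internet -> nginx-ingress, Task 4 policy missing": ingress_allowed([DENY_ALL], nginx, None),
    }

if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow}: {'allowed' if ok else 'denied'}")
```

The single empty rule opens the ingress controller to every source on every port, while pods the policy does not select stay isolated under the assumed deny-all.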

Up to the cert-manager task, follow this video: https://www.youtube.com/watch?v=p3dFPtL4W1U (until 10.29)

After that, from the network policy task onward, follow this video: https://www.youtube.com/watch?v=DFEtolRXLQU (from 11.02)
if you have got the solution then accept it as a solution


6 REPLIES

Open in incognito mode and try again, or use a different browser.


gcloud projects list

gcloud config set project YOUR_PROJECT_ID

gcloud services enable privateca.googleapis.com \
--project=YOUR_PROJECT_ID

 

run in cloud shell

