Can anyone help me out?
I'm having issues solving the lab "Secure Workloads in Google Kubernetes Engine: Challenge Lab"; it gets stuck in task 3 even though I'm doing it correctly.
Error: Install cert-manager.io
Please help me out, time is running out!
Use this guide: https://drive.google.com/file/d/17gQuuh_4jpJFieEEWpYTfN0fjqHwgcu4/view
and the commands from here:
Please follow the below steps for the lab Secure Workloads in Google Kubernetes Engine: Challenge:
Task 1: Setup Cluster
gsutil cp gs://spls/gsp335/gsp335.zip .
unzip gsp335.zip
Search for Kubernetes Engine and open it in a separate tab; similarly, search for SQL.
gcloud container clusters create 'Cluster_name' \
  --zone us-central1-c \
  --machine-type n1-standard-4 \
  --num-nodes 2 \
  --enable-network-policy
gcloud sql instances create 'Cloud_SQL_Instance' --region us-central1
Refresh both new windows, check the work, and wait until you get the green check mark.
************************************************************************
Task 2: Setup wordpress
Create database - wordpress
Add user - wordpress (no password)
Service account
gcloud iam service-accounts create 'Service_Account'
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
  --member="serviceAccount:'Service_Account'@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudsql.client"
gcloud iam service-accounts keys create key.json --iam-account='Service_Account'@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com
kubectl create secret generic cloudsql-instance-credentials --from-file key.json
kubectl create secret generic cloudsql-db-credentials \
  --from-literal username=wordpress \
  --from-literal password=''
Create the WordPress deployment and service
kubectl create -f volume.yaml
Go to the editor and replace the instance name with the SQL instance name
Save
kubectl apply -f wordpress.yaml
************************************************************************
Task 3: Setup Ingress with TLS
helm version
helm repo add stable https://charts.helm.sh/stable
helm repo update
helm install nginx-ingress stable/nginx-ingress --set rbac.create=true
kubectl get service
. add_ip.sh
student0047f4ad80a2dd.labdns.xyz (save it for later use as the host name)
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value core/account)
Go to the editor and edit issuer.yaml to include the lab email address
kubectl apply -f issuer.yaml
Go to the editor and edit ingress.yaml to include the DNS address received as output from . add_ip.sh
kubectl apply -f ingress.yaml
************************************************************************
Task 4: Set up Network Policy
Go to the editor and, in network-policy.yaml, add to the end:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-world-to-nginx-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx-ingress
  policyTypes:
  - Ingress
  ingress:
  - {}
kubectl apply -f network-policy.yaml
************************************************************************
Task 5: Setup Binary Authorization
Go to Security - Binary Authorization, enable it, and click on Edit Policy; under specific rule, select GKE rule
- configure policy
- disallow all images
- create specific rules, select cluster
- add specific rule, type us and select from dropdown, click add
- custom exception path
- add image paths given
- save policy
Enable Binary Authorization for the Kubernetes cluster
************************************************************************
Task 6
Edit psp-restrictive.yaml
On line 2, change extensions/v1beta1 to policy/v1beta1
kubectl apply -f psp-restrictive.yaml
kubectl apply -f psp-role.yaml
kubectl apply -f psp-use.yaml
-------------------------
Till the cert-manager task, follow this video: https://www.youtube.com/watch?v=p3dFPtL4W1U (till 10.29)
After that, from the network policy one, follow this video: https://www.youtube.com/watch?v=DFEtolRXLQU (from 11.02)
If you have got the solution, then accept it as a solution.
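The Task 3 sequence from the answer above with a readiness gate between steps, as an added example that is not part of the original posts: it waits for the cert-manager Deployments to become Available before applying issuer.yaml, and for the issuer to report Ready before applying ingress.yaml. The function names and the `WAIT_TIMEOUT` variable are assumptions; the manifest URL and file names are the ones used in the answer.

```shell
# Added example, not from the original posts. Function names and WAIT_TIMEOUT
# are assumptions; the URL and file names come from the answer above.
CERT_MANAGER_URL="https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.yaml"

# Install cert-manager, then block until every Deployment in its namespace
# reports Available. Returns 2 if they do not.
install_cert_manager() {
  kubectl apply -f "$CERT_MANAGER_URL" || return 1
  if ! kubectl wait --for=condition=Available deployment --all \
      -n cert-manager --timeout="${WAIT_TIMEOUT:-180s}"; then
    kubectl get pods -n cert-manager >&2   # show which pods are not running
    return 2
  fi
}

# Apply issuer.yaml and require the resources it defines to reach Ready.
# Returns 3 if they do not.
apply_issuer() {
  kubectl apply -f issuer.yaml || return 1
  if ! kubectl wait --for=condition=Ready -f issuer.yaml \
      --timeout="${WAIT_TIMEOUT:-180s}"; then
    kubectl describe -f issuer.yaml >&2    # status conditions explain why
    return 3
  fi
}

# Task 3 order: cert-manager, issuer, ingress. Stops at the first failed gate.
setup_tls() {
  install_cert_manager || return $?
  apply_issuer || return $?
  kubectl apply -f ingress.yaml || return 1
  # List what cert-manager created for the ingress (may be empty at first).
  kubectl get certificate,certificaterequest
}
```

Source the file in Cloud Shell from the directory holding issuer.yaml and ingress.yaml, then run `setup_tls`; a return code of 2 or 3 tells you which gate failed.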
gcloud projects list
gcloud config set project YOUR_PROJECT_ID
gcloud services enable privateca.googleapis.com \
  --project=YOUR_PROJECT_ID
Run in Cloud Shell
Till the cert-manager task, follow this video: https://www.youtube.com/watch?v=p3dFPtL4W1U (till 10.29)
After that, from the network policy one, follow this video: https://www.youtube.com/watch?v=DFEtolRXLQU (from 11.02)
https://www.youtube.com/watch?v=tA1TdNevdPo&feature=youtu.be Refer to this video.