menu
arrow_back
Back

Hardening Default GKE Cluster Configurations

—/100

Checkpoints

arrow_forward

Create a simple GKE cluster

Deploy a pod that mounts the host filesystem

Deploy a second node pool

Deploy PodSecurityPolicy objects

Deploy a blocked pod that mounts the host filesystem

Hardening Default GKE Cluster Configurations

1 hour 30 minutes 9 Credits

GSP496

Google Cloud Self-Paced Labs

Overview

This lab demonstrates some of the security concerns of a default GKE cluster configuration and the corresponding hardening measures to prevent multiple paths of pod escape and cluster privilege escalation. These attack paths are relevant in the following scenarios:

  1. An application flaw in an external facing pod that allows for Server-Side Request Forgery (SSRF) attacks.
  2. A fully compromised container inside a pod allowing for Remote Command Execution (RCE).
  3. A malicious internal user or an attacker with a set of compromised internal user credentials with the ability to create/update a pod in a given namespace.

This lab was created by GKE Helmsman engineers to help you grasp a better understanding of hardening default GKE cluster configurations.

*The example code for this lab is provided as-is without warranty or guarantee*

Objectives

Upon completion of this lab you will understand the need for protecting the GKE Instance Metadata and defining appropriate PodSecurityPolicy policies for your environment.

You will:

  1. Create a small GKE cluster using the default settings.

  2. Validate the most common paths of pod escape and cluster privilege escalation from the perspective of a malicious internal user.

  3. Harden the GKE cluster for these issues.

  4. Validate the cluster no longer allows for each of those actions to occur.

Join Qwiklabs to read the rest of this lab...and more!

  • Get temporary access to the Google Cloud Console.
  • Over 200 labs from beginner to advanced levels.
  • Bite-sized so you can learn at your own pace.
Join to Start This Lab