- Create a simple GKE cluster
- Deploy a pod that mounts the host filesystem
- Deploy a second node pool
- Deploy PodSecurityPolicy objects
- Deploy a blocked pod that mounts the host filesystem
Hardening Default GKE Cluster Configurations
This lab demonstrates some of the security concerns of a default GKE cluster configuration and the corresponding hardening measures to prevent multiple paths of pod escape and cluster privilege escalation. These attack paths are relevant in the following scenarios:
- An application flaw in an external facing pod that allows for Server-Side Request Forgery (SSRF) attacks.
- A fully compromised container inside a pod allowing for Remote Command Execution (RCE).
- A malicious internal user or an attacker with a set of compromised internal user credentials with the ability to create/update a pod in a given namespace.
This lab was created by GKE Helmsman engineers to help you gain a better understanding of hardening default GKE cluster configurations.
The example code for this lab is provided as-is without warranty or guarantee.
Upon completion of this lab you will understand the need to protect the GKE Instance Metadata and to define appropriate PodSecurityPolicy objects for your environment.
- Create a small GKE cluster using the default settings.
- Validate the most common paths of pod escape and cluster privilege escalation from the perspective of a malicious internal user.
- Harden the GKE cluster for these issues.
- Validate the cluster no longer allows for each of those actions to occur.
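The hardening step relies on a PodSecurityPolicy that refuses the settings this lab exercises, above all hostPath volumes and privileged or host-namespace pods. The manifest below is an added example, not one of the lab's own files; the policy and ClusterRole names are assumptions, and the policy is only enforced once the PodSecurityPolicy admission controller is enabled on the cluster and the ClusterRole is bound to the service accounts whose pods should be admitted.

```yaml
# Added example (not the lab's own manifests): a restrictive PodSecurityPolicy.
# A pod that declares a hostPath volume, as in the lab's "blocked pod" step,
# is rejected at admission because hostPath is not in the allowed volume list.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive-psp          # name is an assumption
spec:
  privileged: false              # no privileged containers
  allowPrivilegeEscalation: false
  hostNetwork: false             # no access to the node's network namespace
  hostPID: false                 # no access to the node's process namespace
  hostIPC: false
  volumes:                       # hostPath is deliberately absent
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot       # containers may not run as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# ClusterRole granting "use" of the policy; bind it (ClusterRoleBinding or
# RoleBinding) only to the service accounts that should be able to run pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restrictive-psp-user     # name is an assumption
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restrictive-psp"]
    verbs: ["use"]
```

PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the same restrictions are expressed through Pod Security Admission, but the set of settings worth denying is the same.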