Hardening Default GKE Cluster Configurations

Checkpoints

Create a simple GKE cluster

Deploy a pod that mounts the host filesystem

Deploy a second node pool

Deploy PodSecurityPolicy objects

Deploy a blocked pod that mounts the host filesystem

1 hour 30 minutes, 9 credits

GSP496

Google Cloud Self-Paced Labs

Overview

This lab demonstrates some of the security concerns of a default GKE cluster configuration and the corresponding hardening measures to prevent multiple paths of pod escape and cluster privilege escalation. These attack paths are relevant in the following scenarios:

  1. An application flaw in an external facing pod that allows for Server-Side Request Forgery (SSRF) attacks.
  2. A fully compromised container inside a pod allowing for Remote Command Execution (RCE).
  3. A malicious internal user or an attacker with a set of compromised internal user credentials with the ability to create/update a pod in a given namespace.

This lab was created by GKE Helmsman engineers to help you gain a better understanding of hardening default GKE cluster configurations.

*The example code for this lab is provided as-is without warranty or guarantee*

Objectives

Upon completion of this lab, you will understand the need for protecting the GKE Instance Metadata and for defining appropriate PodSecurityPolicy objects for your environment.

You will:

  1. Create a small GKE cluster using the default settings.
  2. Validate the most common paths of pod escape and cluster privilege escalation from the perspective of a malicious internal user.
  3. Harden the GKE cluster against these issues.
  4. Validate that the cluster no longer allows each of those actions.
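The hardening step that the "Deploy PodSecurityPolicy objects" checkpoint refers to is, in its simplest form, a restrictive policy plus an RBAC grant that lets workloads use it. The manifest below is an added example, not one of the lab's own files; the names `restricted-psp`, `psp-restricted-user` and the namespace `app` are assumptions. Note that the PodSecurityPolicy API was removed in Kubernetes 1.25 in favour of Pod Security Admission, so this applies to the cluster versions the lab targets.

```yaml
# Added example (not the lab's own manifest): a PodSecurityPolicy that
# omits hostPath volumes and forbids privileged containers, plus the RBAC
# grant for the default service account of the assumed namespace "app".
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # block setuid/capability escalation
  hostNetwork: false                # hostPID and hostIPC default to false
  requiredDropCapabilities: ["ALL"]
  volumes:                          # hostPath is deliberately absent, so a
    - configMap                     # pod that mounts the node filesystem
    - emptyDir                      # is rejected at admission time
    - projected
    - secret
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A PSP only takes effect once the admission controller is enabled and a
# subject has been granted the "use" verb on that specific policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-psp"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-user
  namespace: app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  - kind: ServiceAccount
    name: default
    namespace: app
```

On GKE the admission controller is switched on per cluster with `gcloud beta container clusters update CLUSTER_NAME --enable-pod-security-policy`; until it is enabled, the objects above are stored but not enforced.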

Sign up for Qwiklabs to read the rest of this lab, and more.

  • Get temporary access to the Google Cloud Console.
  • Over 200 labs, from beginner to advanced levels.
  • Bite-sized, so you can learn at your own pace.
Sign up to start this lab