
Hardening Default GKE Cluster Configurations

Checkpoints

Create a simple GKE cluster

Deploy a pod that mounts the host filesystem

Deploy a second node pool

Deploy PodSecurityPolicy objects

Deploy a blocked pod that mounts the host filesystem

1 hr 30 min. Points: 9

GSP496

Google Cloud Self-Paced Labs

Overview

This lab demonstrates some of the security concerns of a default GKE cluster configuration and the corresponding hardening measures to prevent multiple paths of pod escape and cluster privilege escalation. These attack paths are relevant in the following scenarios:

  1. An application flaw in an external facing pod that allows for Server-Side Request Forgery (SSRF) attacks.
  2. A fully compromised container inside a pod allowing for Remote Command Execution (RCE).
  3. A malicious internal user or an attacker with a set of compromised internal user credentials with the ability to create/update a pod in a given namespace.

This lab was created by GKE Helmsman engineers to help you gain a better understanding of hardening default GKE cluster configurations.

*The example code for this lab is provided as-is without warranty or guarantee*

Objectives

Upon completion of this lab you will understand the need for protecting the GKE Instance Metadata and defining appropriate PodSecurityPolicy policies for your environment.

You will:

  1. Create a small GKE cluster using the default settings.
  2. Validate the most common paths of pod escape and cluster privilege escalation from the perspective of a malicious internal user.
  3. Harden the GKE cluster for these issues.
  4. Validate the cluster no longer allows for each of those actions to occur.
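The hardening step above relies on a PodSecurityPolicy that refuses the host filesystem mount the earlier checkpoint demonstrates. The manifest below is an added example, not the lab's own, and the object names are assumptions; it pairs the policy with the RBAC "use" grant that PSP admission requires before the policy takes effect.

```yaml
# Added example (not from the lab): restrictive PSP plus the RBAC grant it needs.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-no-hostpath     # assumed name
spec:
  privileged: false                # no privileged containers
  allowPrivilegeEscalation: false
  hostPID: false                   # no access to the node's process namespace
  hostIPC: false
  hostNetwork: false               # no direct use of the node's network stack
  volumes:                         # hostPath is deliberately absent
    - configMap
    - emptyDir
    - projected
    - secret
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A PSP only applies to identities allowed to "use" it; bind it to all service accounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user        # assumed name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted-no-hostpath"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-all-sa      # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted-user
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts
```

With PSP admission enabled on the cluster, a pod spec that declares a hostPath volume or sets privileged: true is rejected at admission by this policy instead of being scheduled, which is the behaviour the final checkpoint validates.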
