Checkpoints
- Create a simple GKE cluster
- Deploy a pod that mounts the host filesystem
- Deploy a second node pool
- Deploy PodSecurityPolicy objects
- Deploy a blocked pod that mounts the host filesystem
Hardening Default GKE Cluster Configurations
GSP496
Overview
This lab demonstrates some of the security concerns of a default GKE cluster configuration and the corresponding hardening measures to prevent multiple paths of pod escape and cluster privilege escalation. These attack paths are relevant in the following scenarios:
- An application flaw in an external-facing pod that allows Server-Side Request Forgery (SSRF) attacks.
- A fully compromised container inside a pod allowing for Remote Command Execution (RCE).
- A malicious internal user or an attacker with a set of compromised internal user credentials with the ability to create/update a pod in a given namespace.
This lab was created by GKE Helmsman engineers to help you gain a better understanding of hardening default GKE cluster configurations.
The example code for this lab is provided as-is without warranty or guarantee.
Objectives
Upon completion of this lab you will understand the need for protecting the GKE Instance Metadata and defining appropriate PodSecurityPolicy policies for your environment.
You will:
- Create a small GKE cluster using the default settings.
- Validate the most common paths of pod escape and cluster privilege escalation from the perspective of a malicious internal user.
- Harden the GKE cluster for these issues.
- Validate the cluster no longer allows each of those actions to occur.
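The hardening step above relies on a PodSecurityPolicy that refuses the pod-escape paths named in the overview. The manifest below is an added example, not the lab's own configuration; the object names and the `default` namespace are assumptions, and it only takes effect on a cluster where the PodSecurityPolicy admission controller is enabled.

```yaml
# Added example (not the lab's manifest). Names are assumed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive-psp
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false   # no setuid/caps gain inside the container
  hostPID: false                    # keep pods out of the node's process namespace
  hostIPC: false
  hostNetwork: false                # pods must not share the node's network stack
  # hostPath is deliberately omitted, so a pod that tries to mount the
  # node filesystem (the lab's "blocked pod") is rejected at admission.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
  runAsUser:
    rule: MustRunAsNonRoot          # containers may not run as UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A PSP is only enforced for identities allowed to "use" it, so bind it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restrictive-psp-user
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restrictive-psp"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restrictive-psp-binding
  namespace: default                # assumed target namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restrictive-psp-user
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:default
```

PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the same restrictions are expressed with Pod Security Admission or an admission policy engine.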