-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathEnsure Access & Identity in Google Cloud_ Challenge Lab
61 lines (39 loc) · 2.54 KB
/
Ensure Access & Identity in Google Cloud_ Challenge Lab
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#Task 1
gcloud auth list
gcloud config list project
gcloud config set compute/zone us-east1-b
nano role-definition.yaml
#Copy the following to the YAML file.
title: "Edirca Storage Update"
description: "Add and update objects in Google Cloud Storage buckets"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
gcloud iam roles create orca_storage_update \
--project $DEVSHELL_PROJECT_ID \
--file role-definition.yaml
#Task 2: Create a service account.
gcloud iam service-accounts create orca-private-cluster-sa \
--display-name "Orca Private Cluster Service Account"
#Task 3: Bind a custom security role to a service account
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role roles/logging.logWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
--member serviceAccount:orca-private-cluster-sa@$DEVSHELL_PROJECT_ID.iam.gserviceaccount.com --role projects/$DEVSHELL_PROJECT_ID/roles/orca_storage_update
JUMPHOST_IP=$(gcloud compute instances describe orca-jumphost \
--format='get(networkInterfaces[0].networkIP)')
SUBNET_IP_RANGE="10.142.0.0/20"
#Task 4: Create and configure a new Kubernetes Engine private cluster
gcloud container clusters create orca-test-cluster --num-nodes 1 --master-ipv4-cidr=172.16.0.64/28 --network orca-build-vpc --subnetwork orca-build-subnet --enable-master-authorized-networks --master-authorized-networks 192.168.10.2/32 --enable-ip-alias --enable-private-nodes --enable-private-endpoint --service-account orca-private-cluster-sa@<ENTER PROJECT ID>.iam.gserviceaccount.com --zone us-east1-b
#Task 5: Deploy an application to a private Kubernetes Engine cluster.
->NOTE: Run below commands on SSH (VM instance)
gcloud container clusters get-credentials orca-test-cluster --internal-ip --zone us-east1-b --project <Project ID>
kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0
For More Reference: https://onlineintercollege.blogspot.com/2021/03/ensure-access-identity-in-google-cloud.html