Deploy an app to GKE and view security insights
Learn how to deploy an intentionally vulnerable container to a GKE cluster and get security insights about the vulnerability in the security posture dashboard. The GKE security posture dashboard displays information about known operating system vulnerabilities. If you also want language scanning for vulnerabilities in Go or Java packages, refer to Build an application and view security insights.
Objectives
- Build and push a containerized application to Artifact Registry using Cloud Build.
- Create a delivery pipeline in Cloud Deploy.
- Deploy the application to a staging GKE cluster and promote it to a production cluster.
- View insights about vulnerabilities in the deployed application using the security posture dashboard in the Google Cloud console.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create or select a Google Cloud project.
  - Create a Google Cloud project:
    gcloud projects create PROJECT_ID
    Replace PROJECT_ID with a name for the Google Cloud project you are creating.
  - Select the Google Cloud project that you created:
    gcloud config set project PROJECT_ID
    Replace PROJECT_ID with your Google Cloud project name.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry, Cloud Build, Cloud Deploy, Google Kubernetes Engine, Container Security, and Container Analysis APIs:
  gcloud services enable artifactregistry.googleapis.com \
      cloudbuild.googleapis.com clouddeploy.googleapis.com container.googleapis.com \
      containersecurity.googleapis.com containeranalysis.googleapis.com
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Prepare your environment
- Set your project ID as an environment variable:
  export PROJECT_ID=$(gcloud config get project)
- Set the default Google Cloud region for Cloud Deploy:
  gcloud config set deploy/region us-central1
- Clone the GitHub repository that contains the sample code for this task, and change into the backend directory of the clone (the path is relative to wherever you ran the clone, so it works from any working directory):
  git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git
  cd software-delivery-shield-demo-java/backend
- Create an IAM service account for your GKE clusters to use:
  gcloud iam service-accounts create sds-runtime \
      --display-name="Security insights with GKE service account"
- Grant permissions to the IAM service account:
  gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
      --role="roles/container.nodeServiceAccount"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
      --role="roles/clouddeploy.jobRunner"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
      --role="roles/container.developer"
  gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
      --role="roles/artifactregistry.reader"
- Grant the default Compute Engine service account access to GKE clusters. Cloud Deploy uses this service account by default to deploy apps to the clusters in your delivery pipeline:
  PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"
  gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
      --member=serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com \
      --role=roles/container.developer
  This is the broadest grant in the tutorial: the default Compute Engine service account is shared by every Compute Engine VM in the project, so this binding gives all of them deploy access to your clusters. For anything beyond a demo, create a dedicated service account for Cloud Deploy execution, reference it from the target's executionConfigs in clouddeploy.yaml, and grant roles/container.developer to that account instead.
Create the Artifact Registry repository for your image
- Create the repository:
  gcloud artifacts repositories create containers \
      --repository-format=docker \
      --location=us-central1 \
      --description="Security insights with GKE repository"
- Verify that the repository exists:
  gcloud artifacts repositories list \
      --location=us-central1 \
      --filter="REPOSITORY:containers"
  The output displays the containers repository you created.
Create the GKE clusters
Create two GKE clusters, a staging cluster named dev-cluster and a production cluster named prod-cluster. In Autopilot, workload vulnerability scanning is automatically enabled for new clusters running version 1.27 and later. If you use a Standard cluster, specify the --workload-vulnerability-scanning=standard flag.
gcloud container clusters create-auto dev-cluster \
    --region=us-central1 \
    --release-channel=rapid \
    --service-account=sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
gcloud container clusters create-auto prod-cluster \
    --region=us-central1 \
    --release-channel=rapid \
    --service-account=sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
Cluster creation can take up to five minutes to complete. You can also enable workload vulnerability scanning by updating existing GKE clusters.
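Because the dashboard only shows findings for clusters that are actually being scanned, it is worth checking the cluster's securityPostureConfig before waiting on results. The following script is an added example, not part of the original page or of the sample repository: it reads the vulnerabilityMode value from `gcloud container clusters describe --format=yaml` and fails if scanning is off. It assumes the cluster names and region used on this page; the `--live` path needs an authenticated gcloud, while the parsing and decision logic run offline against the constructed sample output embedded below.

```shell
#!/bin/sh
# Added example (not from the original page): verify that workload
# vulnerability scanning is enabled on a cluster before relying on the
# GKE security posture dashboard. Assumes the cluster names and region from
# this page; gcloud is only needed for the --live path.
set -eu

# Return 0 when a securityPostureConfig.vulnerabilityMode value means
# scanning is on. VULNERABILITY_BASIC is what
# --workload-vulnerability-scanning=standard sets on a Standard cluster and
# what new Autopilot clusters (1.27+) get by default; VULNERABILITY_ENTERPRISE
# additionally covers language packages.
scanning_enabled() {
  case "${1:-}" in
    VULNERABILITY_BASIC|VULNERABILITY_ENTERPRISE) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract vulnerabilityMode from `gcloud container clusters describe
# --format=yaml` output. Prints UNSET when the key is absent, which means
# scanning is not configured.
vulnerability_mode_from_describe() {
  mode=$(printf '%s\n' "$1" | awk '
    /^securityPostureConfig:/        { in_block = 1; next }
    in_block && /^[^ ]/               { in_block = 0 }
    in_block && /vulnerabilityMode:/  { print $2; exit }')
  printf '%s\n' "${mode:-UNSET}"
}

# Live check: describe the cluster and exit non-zero if it is not scanned.
check_cluster() {
  cluster=$1; region=$2
  out=$(gcloud container clusters describe "$cluster" --region "$region" --format=yaml)
  mode=$(vulnerability_mode_from_describe "$out")
  if scanning_enabled "$mode"; then
    echo "$cluster: workload vulnerability scanning is on ($mode)"
  else
    echo "$cluster: workload vulnerability scanning is OFF ($mode)" >&2
    echo "  fix: gcloud container clusters update $cluster --region $region --workload-vulnerability-scanning=standard" >&2
    return 1
  fi
}

# Constructed samples of the relevant part of describe output, for offline use.
SAMPLE_ENABLED='name: dev-cluster
securityPostureConfig:
  mode: BASIC
  vulnerabilityMode: VULNERABILITY_BASIC
status: RUNNING'

SAMPLE_DISABLED='name: prod-cluster
securityPostureConfig:
  mode: BASIC
status: RUNNING'

# Usage: sh check_scanning.sh --live   (checks both clusters from this page)
if [ "${1:-}" = "--live" ]; then
  check_cluster dev-cluster us-central1
  check_cluster prod-cluster us-central1
fi
```

Run it with `--live` after both clusters reach RUNNING; a non-zero exit means at least one cluster will never show up in the Workload OS vulnerability section, and the printed update command enables scanning in place.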
Build the image
Build and submit the image using Cloud Build:
gcloud builds submit --region us-central1 --config cloudbuild.yaml
When the build completes, the output is similar to the following:
DONE
-----------------------------------------------------------------------------
ID: 3e23094f-7f57-4449-bc68-51c37hn34d03
CREATE_TIME: 2022-09-19T15:41:07+00:00
DURATION: 54S
SOURCE: gs://my-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f.tgz
IMAGES: us-central1-docker.pkg.dev/PROJECT_ID/containers/java-guestbook-backend:quickstart
STATUS: SUCCESS
Deploy the image to GKE using Cloud Deploy
- Update the Cloud Deploy configuration file with your project ID:
  sed -i "s/PROJECT_ID/${PROJECT_ID}/g" clouddeploy.yaml
- Register the pipeline and targets:
  gcloud deploy apply --file=clouddeploy.yaml
- To verify that your pipeline exists, go to the Delivery pipelines page in the Google Cloud console. The list of pipelines displays your new pipeline, guestbook-app-delivery.
- Click the name of the pipeline to monitor progress. The Delivery pipeline details page opens.
- Create a new release in Cloud Deploy:
  gcloud deploy releases create guestbook-release-001 \
      --delivery-pipeline=guestbook-app-delivery \
      --images=java-guestbook-backend=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart
  The new release appears in the Releases section on the Delivery pipeline details page.
- On the Delivery pipeline details page, monitor the Pipeline visualization view until the Promote button displays for dev-cluster. You might need to refresh the page.
- Click Promote in the dev-cluster visualization.
- On the Promote release pane, click Promote to confirm the promotion to your production cluster.
- To verify that your release was successful, check the Releases section. The Last rollout status column displays Successfully deployed to prod-cluster.
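The release above is created from the mutable quickstart tag. If that tag is re-pushed between the build and the release, the image you scanned and the image the clusters run can differ. The following script is an added example, not part of the original page or of the sample repository: it resolves the tag to its sha256 digest with `gcloud artifacts docker images describe`, validates the digest, and creates the release from the digest reference instead. It assumes the image, repository, region and pipeline names used on this page and a release name derived from the current time (an assumption, any name matching Cloud Deploy's naming rules works); the pin_to_digest logic runs offline, the `--live` path needs an authenticated gcloud.

```shell
#!/bin/sh
# Added example (not from the original page): create the Cloud Deploy release
# from an immutable image digest rather than the :quickstart tag, so the
# artifact that was scanned is byte-for-byte the artifact that gets deployed.
# Assumes the image, repository, region and pipeline names from this page;
# gcloud is only needed for the --live path.
set -eu

IMAGE_REPO="us-central1-docker.pkg.dev/${PROJECT_ID:-PROJECT_ID}/containers/java-guestbook-backend"

# Turn REPO[:TAG] plus a sha256 digest into REPO@sha256:<hex>. Refuses
# references that are already digest-pinned, non-sha256 digests, and digests
# that are not exactly 64 lowercase hex characters.
pin_to_digest() {
  ref=$1; digest=$2
  case "$ref" in *@*) echo "already pinned: $ref" >&2; return 1 ;; esac
  case "$digest" in sha256:*) ;; *) echo "unsupported digest: $digest" >&2; return 1 ;; esac
  printf '%s' "${digest#sha256:}" | grep -Eq '^[0-9a-f]{64}$' || {
    echo "malformed digest: $digest" >&2; return 1; }
  # Strip a trailing :TAG (a colon with no '/' after it); a registry port such
  # as host:5000/repo is left alone because a '/' follows it.
  repo=$(printf '%s' "$ref" | sed 's#:[^/:]*$##')
  printf '%s@%s\n' "$repo" "$digest"
}

# Live path: resolve the tag, show registry-side scan results for exactly
# that digest, then create the release from the pinned reference.
release_pinned() {
  tag_ref="$IMAGE_REPO:quickstart"
  digest=$(gcloud artifacts docker images describe "$tag_ref" \
             --format='value(image_summary.digest)')
  pinned=$(pin_to_digest "$tag_ref" "$digest")
  echo "resolved $tag_ref -> $pinned"
  # Container Analysis findings for this digest (optional review gate).
  gcloud artifacts docker images describe "$pinned" --show-package-vulnerability
  gcloud deploy releases create "guestbook-release-$(date +%Y%m%d%H%M%S)" \
    --delivery-pipeline=guestbook-app-delivery \
    --images="java-guestbook-backend=$pinned"
}

# Usage: PROJECT_ID=my-project sh release_pinned.sh --live
if [ "${1:-}" = "--live" ]; then
  release_pinned
fi
```

Cloud Deploy accepts a digest reference in `--images`, and the release then records that digest, so what the security posture dashboard later reports for the running workload can be matched back to the exact artifact Cloud Build produced.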
View vulnerabilities
In this section, view OS vulnerability insights using the security posture dashboard. The dashboard displays information about vulnerabilities in your running workloads after you deploy them to your clusters.
- Go to the GKE security posture page in the Google Cloud console.
- To view scan results, refresh the page. The initial scan might take up to 15 minutes to complete.
- On the GKE security posture page, review the Workload OS vulnerability section. This section lists the top CVEs affecting your deployed workload.
- For details, click See all vulnerability concerns. The Concerns tab opens and applies a filter for the Vulnerability concern type. The table shows an overview of each vulnerability and its impact.
- For details about a specific vulnerability, click the name of the concern in the table. The Vulnerability pane opens. On this pane, you can do the following:
  - Read a detailed description of the CVE, including affected versions, packages, and the CVSS score.
  - View recommended actions to mitigate the concern, such as documentation and patch version information.
  - View the specific workloads that are affected by the vulnerability in the Affected workloads tab.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.
Delete individual resources
- Delete the Cloud Deploy pipeline:
  gcloud deploy delivery-pipelines delete guestbook-app-delivery --force
- Delete the GKE clusters:
  gcloud container clusters delete dev-cluster --region=us-central1
  gcloud container clusters delete prod-cluster --region=us-central1
- Delete the Artifact Registry repository:
  gcloud artifacts repositories delete containers --location=us-central1
- Delete the IAM service account:
  gcloud iam service-accounts delete sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
Delete the project
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID