Deploy an app to GKE and view security insights
Learn how to deploy an intentionally vulnerable container to a GKE cluster and get security insights about the vulnerability in the security posture dashboard. The GKE security posture dashboard displays information about known operating system vulnerabilities. If you also want language scanning for vulnerabilities in Go or Java packages, refer to Build an application and view security insights.
Objectives
- Build and push a containerized application to Artifact Registry using Cloud Build.
- Create a delivery pipeline in Cloud Deploy.
- Deploy the application to a staging GKE cluster and promote it to a production cluster.
- View insights about vulnerabilities in the deployed application using the security posture dashboard in the Google Cloud console.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
gcloud init
- Create or select a Google Cloud project.
  - Create a Google Cloud project:
gcloud projects create PROJECT_ID
    Replace PROJECT_ID with a name for the Google Cloud project you are creating.
  - Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
    Replace PROJECT_ID with your Google Cloud project name.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry, Cloud Build, Cloud Deploy, Google Kubernetes Engine, Container Security, and Container Analysis APIs:
gcloud services enable artifactregistry.googleapis.com \
cloudbuild.googleapis.com clouddeploy.googleapis.com container.googleapis.com \
containersecurity.googleapis.com containeranalysis.googleapis.com
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Prepare your environment
Set your project ID as an environment variable:
export PROJECT_ID=$(gcloud config get project)
Set the default Google Cloud region for Cloud Deploy:
gcloud config set deploy/region us-central1
Clone the GitHub repository that contains the sample code for this task:
git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git
cd ~/software-delivery-shield-demo-java/backend
Create an IAM service account for your GKE clusters to use:
gcloud iam service-accounts create sds-runtime \
--display-name="Security insights with GKE service account"
Grant permissions to the IAM service account:
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/container.nodeServiceAccount"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/clouddeploy.jobRunner"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/container.developer"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/artifactregistry.reader"
Grant the default Compute Engine service account access to GKE clusters. Cloud Deploy uses this access to deploy apps to the clusters in your delivery pipeline.
PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"
gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
--member=serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com \
--role=roles/container.developer
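To confirm that the grants landed and that sds-runtime holds nothing broader, the following added example (not part of the original tutorial) compares the account's project-level roles with the four granted above. The function names and the roles/editor entry in the sample input are constructed for illustration; fetch_roles shows the gcloud query that supplies live input.

```shell
#!/usr/bin/env bash
# Added example: audit the project-level roles held by the tutorial's runtime
# service account against the four roles granted in the steps above.
EXPECTED_ROLES="roles/artifactregistry.reader
roles/clouddeploy.jobRunner
roles/container.developer
roles/container.nodeServiceAccount"

# Live input: every project-level role bound to one member, one per line.
# fetch_roles "$PROJECT_ID" "serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com"
fetch_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# True when the newline-separated list $1 contains exactly the line $2.
has_role() { printf '%s\n' "$1" | grep -Fxq -- "$2"; }

# Compare a newline-separated role list with EXPECTED_ROLES. Prints
# "EXTRA <role>" for grants beyond the tutorial's and "MISSING <role>" for
# absent ones; returns 0 only when both sets match.
audit_roles() {
  actual=$1
  status=0
  for role in $actual; do
    has_role "$EXPECTED_ROLES" "$role" || { echo "EXTRA $role"; status=1; }
  done
  for role in $EXPECTED_ROLES; do
    has_role "$actual" "$role" || { echo "MISSING $role"; status=1; }
  done
  return "$status"
}

# Constructed sample input: one expected role missing, one broad role added.
SAMPLE_DRIFT="roles/container.nodeServiceAccount
roles/clouddeploy.jobRunner
roles/container.developer
roles/editor"

audit_roles "$SAMPLE_DRIFT" || echo "role drift detected"
```

Against a live project, pass the output of fetch_roles as the argument: audit_roles "$(fetch_roles ...)".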
Create the Artifact Registry repository for your image
Create the repository:
gcloud artifacts repositories create containers \
--repository-format=docker \
--location=us-central1 \
--description="Security insights with GKE repository"
Verify that the repository exists:
gcloud artifacts repositories list \
--location=us-central1 \
--filter="REPOSITORY:containers"
The output displays the containers repository you created.
Create the GKE clusters
Create two GKE clusters, a staging cluster named dev-cluster and a production cluster named prod-cluster. In Autopilot, workload vulnerability scanning is automatically enabled for new clusters running version 1.27 and later. If you use a Standard cluster, specify the --workload-vulnerability-scanning=standard flag.
gcloud container clusters create-auto dev-cluster \
--region=us-central1 \
--release-channel=rapid \
--service-account=sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
gcloud container clusters create-auto prod-cluster \
--region=us-central1 \
--release-channel=rapid \
--service-account=sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
Cluster creation can take up to five minutes to complete. You can also enable workload vulnerability scanning by updating existing GKE clusters.
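Vulnerability findings appear only for clusters that have scanning turned on, so this added example (not from the original tutorial) checks each cluster's vulnerability mode before you create a release. It assumes the mode is exposed as securityPostureConfig.vulnerabilityMode in the cluster description; the function names and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: preflight check that every cluster in the delivery pipeline
# has workload vulnerability scanning enabled.

# Live input: one "name<TAB>mode" line per cluster in the current project.
# Assumption: the mode is reported under securityPostureConfig.vulnerabilityMode.
list_scan_modes() {
  gcloud container clusters list \
    --format="value(name,securityPostureConfig.vulnerabilityMode)"
}

# Read "name mode" lines on stdin. $1 is the space-separated list of clusters
# that must be present. Prints "NOT_SCANNED <name> <mode>" for any cluster whose
# mode is not an enabled one and "ABSENT <name>" for a required cluster that is
# not listed; returns 0 only when every required cluster is present and scanned.
check_scanning() {
  required=$1
  status=0
  seen=""
  while read -r name mode; do
    [ -n "$name" ] || continue
    seen="$seen $name"
    case "$mode" in
      VULNERABILITY_BASIC|VULNERABILITY_ENTERPRISE) ;;
      *) echo "NOT_SCANNED $name ${mode:-unset}"; status=1 ;;
    esac
  done
  for c in $required; do
    case " $seen " in
      *" $c "*) ;;
      *) echo "ABSENT $c"; status=1 ;;
    esac
  done
  return "$status"
}

# Constructed sample input: prod-cluster has scanning disabled.
printf 'dev-cluster\tVULNERABILITY_BASIC\nprod-cluster\tVULNERABILITY_DISABLED\n' |
  check_scanning "dev-cluster prod-cluster" || echo "enable scanning before releasing"
```

Against a live project, run list_scan_modes | check_scanning "dev-cluster prod-cluster".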
Build the image
Build and submit the image using Cloud Build:
gcloud builds submit --region us-central1 --config cloudbuild.yaml
When the build completes, the output is similar to the following:
DONE
-----------------------------------------------------------------------------
ID: 3e23094f-7f57-4449-bc68-51c37hn34d03
CREATE_TIME: 2022-09-19T15:41:07+00:00
DURATION: 54S
SOURCE: gs://my-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f.tgz
IMAGES: us-central1-docker.pkg.dev/PROJECT_ID/containers/java-guestbook-backend:quickstart
STATUS: SUCCESS
Deploy the image to GKE using Cloud Deploy
Update the Cloud Deploy configuration file with your project ID:
sed -i "s/PROJECT_ID/${PROJECT_ID}/g" clouddeploy.yaml
Register the pipeline and targets:
gcloud deploy apply --file=clouddeploy.yaml
To verify that your pipeline exists, go to the Delivery pipelines page in the Google Cloud console:
The list of pipelines displays your new pipeline, guestbook-app-delivery.
Click the name of the pipeline to monitor progress. The Delivery pipeline details page opens.
Create a new release in Cloud Deploy:
gcloud deploy releases create guestbook-release-001 \
--delivery-pipeline=guestbook-app-delivery \
--images=java-guestbook-backend=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart
The new release appears in the Releases section on the Delivery pipeline details page.
On the Delivery pipeline details page, monitor the Pipeline visualization view until the Promote button displays for dev-cluster. You might need to refresh the page.
Click Promote in the dev-cluster visualization.
On the Promote release pane, click Promote to confirm the promotion to your production cluster.
To verify that your release was successful, check the Releases section. The Last rollout status column displays Successfully deployed to prod-cluster.
View vulnerabilities
In this section, view OS vulnerability insights using the security posture dashboard. The dashboard displays information about vulnerabilities in your running workloads after you deploy them to your clusters.
Go to the GKE security posture page in the Google Cloud console.
To view scan results, refresh the page. The initial scan might take up to 15 minutes to complete.
On the GKE security posture page, review the Workload OS vulnerability section. This section lists the top CVEs affecting your deployed workload.
For details, click See all vulnerability concerns. The Concerns tab opens and applies a filter for the Vulnerability concern type. The table shows an overview of each vulnerability and its impact.
For details about a specific vulnerability, click the name of the concern in the table. The Vulnerability pane opens. On this pane, you can do the following:
- Read a detailed description of the CVE, including affected versions, packages, and the CVSS score.
- View recommended actions to mitigate the concern, such as documentation and patch version information.
- View the specific workloads that are affected by the vulnerability in the Affected workloads tab.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.
Delete individual resources
Delete the Cloud Deploy pipeline:
gcloud deploy delivery-pipelines delete guestbook-app-delivery --force
Delete the GKE clusters:
gcloud container clusters delete dev-cluster \
--region=us-central1
gcloud container clusters delete prod-cluster \
--region=us-central1
Delete the Artifact Registry repository:
gcloud artifacts repositories delete containers \
--location=us-central1
Delete the IAM service account:
gcloud iam service-accounts delete sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.