Based mostly on Hardening your cluster's security and GKE's Security overview.
- Install gcloud
- Install kubectl
- Install docker
```bash
projectName=mygke
randomSuffix=$(shuf -i 100-999 -n 1)
projectId=$projectName-$randomSuffix
region=us-east4
zone=us-east4-a
clusterName=$projectName
```
## Setup Project
```bash
folderId=FIXME
gcloud projects create $projectId \
    --folder $folderId \
    --name $projectName
gcloud config set project $projectId
# Get the billingAccountId from `gcloud beta billing accounts list`
billingAccountId=FIXME
gcloud beta billing projects link $projectId \
    --billing-account $billingAccountId
```

```bash
cd cli
./run.sh
```
Here is an exhaustive list of the security best practices you should look at for your GKE clusters:
- Use least privilege Google service accounts
- Creating a private cluster
- Adding authorized networks for cluster master access
- Node auto-upgrades
- Container-Optimized OS
- Using Shielded GKE Nodes
- RBAC
- Enable network policy
- Enable Workload Identity
- Enable Binary Authorization
- Enable Vulnerability scanning on container registry
- Application-layer Secrets Encryption
- Using network policy logging with Dataplane V2/eBPF
- (beta) Confidential VMs
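As an added example (not code from the original README or from Google's documentation), the script below turns most of the checklist above into a single `gcloud` cluster creation: a dedicated least-privilege node service account, private nodes, master authorized networks, node auto-upgrade and auto-repair, Container-Optimized OS, Shielded GKE Nodes, Workload Identity, Dataplane V2 (which enforces network policy), Binary Authorization, application-layer secrets encryption and container vulnerability scanning. It assumes the `$projectId`, `$region`, `$zone` and `$clusterName` variables from the setup section are exported; the service account name `gke-nodes`, the `$adminCidr` address range, the control-plane CIDR `172.16.0.0/28` and the `$kmsKey` path are constructed placeholders you must adapt. By default it only prints the commands (`DRY_RUN=1`); set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example, not part of the original README: create a hardened GKE
# cluster. Assumes $projectId, $region, $zone and $clusterName are exported
# (see the setup section). Set DRY_RUN=0 to actually run the commands.
DRY_RUN=${DRY_RUN:-1}
# Constructed placeholder: the CIDR your admins/bastion reach the API from.
adminCidr=${adminCidr:-203.0.113.0/24}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Email of the dedicated node service account (constructed name "gke-nodes").
node_sa_email() {
  printf 'gke-nodes@%s.iam.gserviceaccount.com\n' "$projectId"
}

# Constructed KMS key path for application-layer secrets encryption. The key
# must exist and the GKE service agent needs
# roles/cloudkms.cryptoKeyEncrypterDecrypter on it before cluster creation.
kms_key_path() {
  printf 'projects/%s/locations/%s/keyRings/gke-ring/cryptoKeys/gke-secrets\n' \
    "$projectId" "$region"
}

# GKE itself, Container Scanning (vulnerability scanning of pushed images)
# and Binary Authorization.
enable_apis() {
  run gcloud services enable --project "$projectId" \
    container.googleapis.com \
    containerscanning.googleapis.com \
    binaryauthorization.googleapis.com
}

# Least-privilege node service account: only the roles nodes need to write
# logs and metrics and to pull images, instead of the Compute Engine default
# service account, which carries the project-wide Editor role.
create_node_service_account() {
  run gcloud iam service-accounts create gke-nodes \
    --project "$projectId" --display-name "GKE node service account"
  for role in roles/logging.logWriter roles/monitoring.metricWriter \
              roles/monitoring.viewer roles/stackdriver.resourceMetadata.writer \
              roles/artifactregistry.reader; do
    run gcloud projects add-iam-policy-binding "$projectId" \
      --member "serviceAccount:$(node_sa_email)" --role "$role"
  done
}

# Cluster creation with the hardening flags. Nodes have no public IPs; the
# control plane keeps a public endpoint but only $adminCidr may reach it.
# Dataplane V2 enforces NetworkPolicy, so --enable-network-policy is not
# passed alongside it.
create_hardened_cluster() {
  run gcloud container clusters create "$clusterName" \
    --project "$projectId" --zone "$zone" \
    --service-account "$(node_sa_email)" \
    --enable-ip-alias \
    --enable-private-nodes --master-ipv4-cidr 172.16.0.0/28 \
    --enable-master-authorized-networks \
    --master-authorized-networks "$adminCidr" \
    --enable-autoupgrade --enable-autorepair \
    --image-type COS_CONTAINERD \
    --enable-shielded-nodes --shielded-secure-boot --shielded-integrity-monitoring \
    --workload-pool "${projectId}.svc.id.goog" \
    --enable-dataplane-v2 \
    --enable-binary-authorization \
    --database-encryption-key "$(kms_key_path)"
}

# Entry point: DRY_RUN=0 sh harden-gke.sh to execute for real.
enable_apis
create_node_service_account
create_hardened_cluster
```

Run it once in dry-run mode and review the printed commands before setting `DRY_RUN=0`; the private-cluster and authorized-networks settings in particular are hard to change after the fact, and a wrong `$adminCidr` locks you out of the control plane until it is corrected with `gcloud container clusters update --master-authorized-networks`.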
Here are actions you may want to take once your GKE clusters are deployed, to further solidify your security posture:
- Having a GitOps approach to deploy your apps in GKE, for example with Anthos Config Management
- Observing your GKE clusters with Google Cloud Ops Suite
- Control plane IP rotation
- Credential rotation
- Configure Security Context
- Harden workload isolation with GKE Sandbox
- Cloud Armor (DDoS + WAF) - FIXME
- Service Mesh - FIXME
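As an added example (not part of the original README), the script below covers two of the post-deployment items above for a cluster created with the setup in this repository: configuring a restrictive security context on a workload (together with a default-deny NetworkPolicy, which the cluster's network policy enforcement makes effective), and rotating the control-plane credentials. The namespace `prod`, the Pod name `web` and the image name are constructed for illustration; `$projectId`, `$zone` and `$clusterName` come from the setup section. Nothing is applied to the cluster unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original README. Assumes $projectId, $zone and
# $clusterName are exported; "prod", "web" and the image are constructed.
ns=${ns:-prod}

# Deny all ingress and egress in the namespace; each workload then needs an
# explicit allow policy. Only effective when the cluster enforces network
# policy (Dataplane V2 or --enable-network-policy).
default_deny_policy() {
cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
EOF
}

# Pod with a restrictive security context: runs as a non-root UID, cannot
# gain privileges, has a read-only root filesystem with a scratch /tmp,
# drops every Linux capability and uses the runtime's default seccomp profile.
restricted_pod() {
cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: $ns
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: web
    image: gcr.io/$projectId/web:1.0.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
EOF
}

# Credential rotation is a two-step operation. Starting it issues a new
# control-plane CA/credentials and a new control-plane IP and recreates the
# node pools; complete it only after all node pools have been recreated,
# otherwise nodes still using the old credentials lose contact with the API.
start_credential_rotation() {
  gcloud container clusters update "$clusterName" --zone "$zone" \
    --start-credential-rotation
}

complete_credential_rotation() {
  gcloud container clusters update "$clusterName" --zone "$zone" \
    --complete-credential-rotation
}

if [ "${APPLY:-0}" = 1 ]; then
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  default_deny_policy | kubectl apply -f -
  restricted_pod | kubectl apply -f -
fi
```

After applying, `kubectl get networkpolicy -n prod` should list `default-deny-all` and the `web` Pod should fail to reach anything until you add an allow policy for it; a Pod that tries to write outside `/tmp` fails with a read-only filesystem error, which is the expected effect of `readOnlyRootFilesystem: true`.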
Complementary resources: