
GSP480 - How to Use a Network Policy on Google Kubernetes Engine

Setup

  1. Clone the repository

    git clone https://github.com/GoogleCloudPlatform/gke-network-policy-demo.git
    cd gke-network-policy-demo
  2. Set region and zone

    gcloud config set compute/region us-central1
    gcloud config set compute/zone us-central1-a

Task 1. Lab setup

  1. Enable APIs and generate the Terraform configuration

    make setup-project
    cat terraform/terraform.tfvars
  2. Apply Terraform

    make tf-apply

Task 2. Validation

  1. Verify networkPolicyEnabled and networkPolicyProvider

    gcloud container clusters describe gke-demo-cluster | grep -A2 networkPolicy
  2. SSH to bastion host

    gcloud compute ssh gke-demo-bastion
  3. Install the gcloud auth plugin for GKE on the bastion

    sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
    echo "export USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> ~/.bashrc
  4. Get cluster credentials

    source ~/.bashrc
    gcloud container clusters get-credentials gke-demo-cluster --zone us-central1-a
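Step 1 above relies on eyeballing `grep -A2 networkPolicy`; the following is an added example (not part of the lab) that turns the same check into a pass/fail test. It assumes the top-level `networkPolicy:` block of the `gcloud container clusters describe` YAML output has been saved to a file; the sample below is constructed.

```shell
#!/bin/sh
# Added example, not from the lab: assert that the cluster reports a
# NetworkPolicy provider enabled instead of reading grep output by eye.

# Constructed sample of the relevant part of `gcloud container clusters describe`.
SAMPLE_DESCRIBE='name: gke-demo-cluster
addonsConfig:
  networkPolicyConfig: {}
networkPolicy:
  enabled: true
  provider: CALICO
status: RUNNING'

# network_policy_status FILE -> prints "enabled PROVIDER" or "disabled".
# Only the top-level networkPolicy block is read; the indented
# addonsConfig.networkPolicyConfig key is deliberately ignored.
network_policy_status() {
  awk '
    /^networkPolicy:/          { inblock = 1; next }
    inblock && /^[^ ]/         { inblock = 0 }
    inblock && $1 == "enabled:"  { enabled = $2 }
    inblock && $1 == "provider:" { provider = $2 }
    END {
      if (enabled == "true" && provider != "") print "enabled " provider
      else print "disabled"
    }' "$1"
}

# require_network_policy FILE -> returns 0 when enabled, 1 otherwise,
# so it can gate the rest of a validation script.
require_network_policy() {
  case "$(network_policy_status "$1")" in
    enabled*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Stand-alone run against the constructed sample (prints "enabled CALICO").
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_DESCRIBE" > "$tmp"
network_policy_status "$tmp"
rm -f "$tmp"
```

On a real cluster, pipe the describe output to a file first: `gcloud container clusters describe gke-demo-cluster > cluster.yaml` and then `require_network_policy cluster.yaml || echo "network policy is OFF"`.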

Task 3. Installing the hello server

  1. Deploy the hello server and check that the pods are running

    kubectl apply -f ./manifests/hello-app/
    kubectl get pods

Task 4. Confirming default access to the hello server

  • Check the logs

    kubectl logs --tail 10 -f $(kubectl get pods -oname -l app=hello)
    kubectl logs --tail 10 -f $(kubectl get pods -oname -l app=not-hello)

Task 5. Restricting access with a Network Policy

  1. Apply the policy

    kubectl apply -f ./manifests/network-policy.yaml
  2. Check the logs

    kubectl logs --tail 10 -f $(kubectl get pods -oname -l app=not-hello)

Task 6. Restricting namespaces with Network Policies

  1. Delete network policy

    kubectl delete -f ./manifests/network-policy.yaml
  2. Create the namespace

    kubectl create -f ./manifests/network-policy-namespaced.yaml
  3. Check the log

    kubectl logs --tail 10 -f $(kubectl get pods -oname -l app=hello)
  4. Deploy the client into the hello-apps namespace

    kubectl -n hello-apps apply -f ./manifests/hello-app/hello-client.yaml

Task 7. Validation

  1. Check the logs

    kubectl logs --tail 10 -f -n hello-apps $(kubectl get pods -oname -l app=hello -n hello-apps)

Task 8. Teardown

  1. Exit from bastion host

    exit
  2. Destroy environment

    make teardown

Task 9. Troubleshooting in your own environment