GSP342: Ensure Access & Identity in Google Cloud
Overview
GSP342: Ensure Access & Identity in Google Cloud: In a challenge lab you’re given a scenario and a set of tasks. Instead of following step-by-step instructions, you will use the skills learned from the labs in the quest to figure out how to complete the tasks on your own! An automated scoring system (shown on this page) will provide feedback on whether you have completed your tasks correctly.
When you take a challenge lab, you will not be taught new Google Cloud concepts. You are expected to extend your learned skills, like changing default values and reading and researching error messages to fix your own mistakes.
To score 100% you must successfully complete all tasks within the time period!
This lab is recommended for students enrolled in the Ensure Access & Identity in Google Cloud quest. Are you ready for the challenge?
Topics tested
- Create a custom security role.
- Create a service account.
- Bind IAM security roles to a service account.
- Create a private Kubernetes Engine cluster in a custom subnet.
- Deploy an application to a private Kubernetes Engine cluster
Task 1: Create a custom security role.
- nano role-definition.yaml
Copy the below content to file
2. copy in role-definition.yaml
title: “orca_storage_editor_498” description: “Permissions” stage: “ALPHA” includedPermissions: – storage.buckets.get – storage.objects.get – storage.objects.list – storage.objects.update – storage.objects.create |
- Save by : ctrl + o -> enter -> ctrl + x
gcloud iam roles create orca_storage_editor_498 –project $DEVSHELL_PROJECT_ID \ –file role-definition.yaml |
Task 2 & 3 : Create a service account and Bind a custom security role to an account
- Navigate to
IAM & Admin
->Service Accounts
->CREATE SERVICE ACCOUNT
.
Service account name : orca-private-cluster-263-sa , then click create and add roles. Roles : orca_storage_update Monitoring Viewer Monitoring Metric Writer Logs Writer |
Click CONTINUE
-> DONE
Task 4 : Create and configure a new Kubernetes Engine private cluster
Replace the project id
gcloud container clusters create orca-cluster-479 –num-nodes 1 –master-ipv4-cidr=172.16.0.64/28 –network orca-build-vpc –subnetwork orca-build-subnet –enable-master-authorized-networks –master-authorized-networks 192.168.10.2/32 –enable-ip-alias –enable-private-nodes –enable-private-endpoint –service-account orca-private-cluster-263-sa@<project id>.iam.gserviceaccount.com –zone us-east1-b |
Task 5 : Deploy an application to a private Kubernetes Engine cluster
- SSH to orca-jumphost VM instance
- Replace the project id
gcloud container clusters get-credentials orca-cluster-479 –internal-ip –zone us-east1-b –project <project id> kubectl create deployment hello-server –image=gcr.io/google-samples/hello-app:1.0 |
Congratulations, you’re all done with the lab 😄