This repository has been archived by the owner on Dec 22, 2022. It is now read-only.

mathieu-benoit/asm-workshop

About the content of this lab

Turn the content of https://alwaysupalwayson.com/asm-security into a hands-on workshop, with the following modules:

  1. Create a GKE cluster
  2. Install ASM
  3. Ingress Gateway
  4. Egress Gateway
  5. Install OnlineBoutique
  6. mTLS
  7. Sidecar
  8. AuthorizationPolicies
  9. NetworkPolicies
  10. Policy Controller
  11. Config Sync
  12. Monitoring: Topology, SLOs, Traces, etc.
  13. Misc: other Istio features, such as traffic management.

Further considerations:

  • Do the same with BankOfAnthos?
  • What about Kubernetes RBAC, to distinguish sec, dev and ops roles and define which resource kinds or namespaces each of them may touch?
  • Multi-cluster?
  • MCP (managed control plane) and managed data plane?
  • Integrate CRfA (Cloud Run for Anthos) here, or do a separate, similar crfa-workshop?
  • Do a Neos tutorial based on this? Qwiklabs or Codelabs?

Developer setup

Build and run this static website locally, then open http://localhost:8080:

git clone --recurse-submodules https://github.com/mathieu-benoit/asm-workshop
cd asm-workshop
docker build -t asm-workshop .
docker run -d -p 8080:8080 asm-workshop

Configure the GitHub Action

The GitHub Action pushes the container image to Artifact Registry and runs on-demand vulnerability scanning, so its service account needs roles/artifactregistry.writer on the repository and roles/ondemandscanning.admin on the project. The script below creates that service account, downloads a key for it and stores the key plus the registry coordinates as GitHub secrets. Note that this is a long-lived service account key: the local copy is removed as soon as it has been uploaded, and the key should be deleted (gcloud iam service-accounts keys delete) or rotated once it is no longer needed.

projectId=FIXME
gcloud config set project $projectId

# Setup Service account
saName=asm-workshop-gha-cr-push
saId=$saName@$projectId.iam.gserviceaccount.com
gcloud iam service-accounts create $saName \
    --display-name=$saName
# The key file's directory must exist before gcloud writes to it
mkdir -p ~/tmp
gcloud iam service-accounts keys create ~/tmp/$saName.json \
    --iam-account $saId

# Setup Artifact Registry
artifactRegistryName=FIXME
artifactRegistryLocation=FIXME
# Write access is scoped to this one repository, not the whole project
gcloud artifacts repositories add-iam-policy-binding $artifactRegistryName \
    --project $projectId \
    --location $artifactRegistryLocation \
    --member "serviceAccount:$saId" \
    --role roles/artifactregistry.writer
# On-demand scanning is a project-level permission
gcloud projects add-iam-policy-binding $projectId \
    --member=serviceAccount:$saId \
    --role=roles/ondemandscanning.admin

# Setup GitHub actions variables
gh auth login --web
gh secret set CONTAINER_REGISTRY_PUSH_PRIVATE_KEY < ~/tmp/$saName.json
# Remove the local copy of the key right after it has been uploaded
rm ~/tmp/$saName.json
gh secret set CONTAINER_REGISTRY_PROJECT_ID -b"${projectId}"
gh secret set CONTAINER_REGISTRY_NAME -b"${artifactRegistryName}"
gh secret set CONTAINER_REGISTRY_HOST_NAME -b"${artifactRegistryLocation}-docker.pkg.dev"
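The following workflow is an added example of how a GitHub Action can consume the four secrets set above; it is not the workflow file of this repository. The workflow file name, the action versions, the image name asm-workshop and the policy of blocking the push on CRITICAL or HIGH findings are assumptions made for the example. It authenticates with the stored key, builds the image, runs on-demand scanning against the local image before anything reaches the registry, and only pushes when the scan is clean.

```yaml
# .github/workflows/build-push-scan.yaml (assumed file name, example only)
name: build-push-scan

on:
  push:
    branches: [main]

jobs:
  build-push-scan:
    runs-on: ubuntu-latest
    env:
      # Image path assembled from the secrets created by the setup script;
      # "asm-workshop" as image name is an assumption
      IMAGE: ${{ secrets.CONTAINER_REGISTRY_HOST_NAME }}/${{ secrets.CONTAINER_REGISTRY_PROJECT_ID }}/${{ secrets.CONTAINER_REGISTRY_NAME }}/asm-workshop
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive

      # Authenticate with the service account key stored by "gh secret set"
      - uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.CONTAINER_REGISTRY_PUSH_PRIVATE_KEY }}

      - uses: google-github-actions/setup-gcloud@v1

      - name: Configure docker for Artifact Registry
        run: gcloud auth configure-docker ${{ secrets.CONTAINER_REGISTRY_HOST_NAME }} --quiet

      - name: Build image
        run: docker build -t "${IMAGE}:${GITHUB_SHA}" .

      # Scan the local image before it is pushed; needs roles/ondemandscanning.admin
      # and the local-extract component for scanning images that are not yet in the registry
      - name: Scan image with On-Demand Scanning
        run: |
          gcloud components install local-extract --quiet
          gcloud artifacts docker images scan "${IMAGE}:${GITHUB_SHA}" \
            --format='value(response.scan)' > scan_id.txt
          gcloud artifacts docker images list-vulnerabilities "$(cat scan_id.txt)" \
            --format='value(vulnerability.effectiveSeverity)' | sort | uniq -c
          # Assumed policy: block the push on CRITICAL or HIGH vulnerabilities
          if gcloud artifacts docker images list-vulnerabilities "$(cat scan_id.txt)" \
               --format='value(vulnerability.effectiveSeverity)' | grep -qE 'CRITICAL|HIGH'; then
            echo "Blocking push: CRITICAL or HIGH vulnerabilities found"
            exit 1
          fi

      # Only reached when the scan gate passed; needs roles/artifactregistry.writer
      - name: Push image
        run: docker push "${IMAGE}:${GITHUB_SHA}"
```

Because the project ID, repository name and host name are stored as secrets, GitHub masks them in the job log, so the printed image path will appear partially redacted; that is expected and does not affect the push.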