Turn https://alwaysupalwayson.com/asm-security into a workshop, covering:
- Create a GKE cluster
- Install ASM
- Ingress Gateway
- Egress Gateway
- Install OnlineBoutique
- mTLS
- Sidecar
- AuthorizationPolicies
- NetworkPolicies
- Policy Controller
- Config Sync
- Monitoring: Topology, SLOs, Traces, etc.
- Misc: other Istio features, e.g. traffic management
Further considerations:
- Do the same with BankOfAnthos?
- What about Kubernetes RBAC, to distinguish sec, dev and ops personas (authz) and which resource kinds or namespaces each may touch?
- Multi-cluster?
- Managed control plane / data plane (MCP)?
- Integrate Cloud Run for Anthos (CRfA) here, or do a separate, similar crfa-workshop?
- Do a Neos tutorial based on this? Qwiklabs or Codelabs?
# Build and serve the workshop locally on http://localhost:8080
git clone --recurse-submodules https://github.com/mathieu-benoit/asm-workshop
cd asm-workshop
docker build -t asm-workshop .
docker run -d -p 8080:8080 asm-workshop
projectId=FIXME
gcloud config set project $projectId
# Setup Service account (used by GitHub Actions to push the image and scan it)
saName=asm-workshop-gha-cr-push
saId=$saName@$projectId.iam.gserviceaccount.com
gcloud iam service-accounts create $saName \
  --display-name=$saName
# This creates a long-lived, user-managed key; keep the local file only until it is uploaded as a GitHub secret below
mkdir -p ~/tmp
gcloud iam service-accounts keys create ~/tmp/$saName.json \
  --iam-account $saId
# Setup Artifact Registry
artifactRegistryName=FIXME
artifactRegistryLocation=FIXME
# Push permission is scoped to this one repository, not to the whole project
gcloud artifacts repositories add-iam-policy-binding $artifactRegistryName \
  --project $projectId \
  --location $artifactRegistryLocation \
  --member "serviceAccount:$saId" \
  --role roles/artifactregistry.writer
# Project-level role so the workflow can run On-Demand Scanning against the pushed image
gcloud projects add-iam-policy-binding $projectId \
  --member=serviceAccount:$saId \
  --role=roles/ondemandscanning.admin
# Setup GitHub actions variables (run from the asm-workshop clone so gh targets that repo)
gh auth login --web
gh secret set CONTAINER_REGISTRY_PUSH_PRIVATE_KEY < ~/tmp/$saName.json
# Remove the local copy of the key; the GitHub secret is now the only copy
rm ~/tmp/$saName.json
gh secret set CONTAINER_REGISTRY_PROJECT_ID -b"${projectId}"
gh secret set CONTAINER_REGISTRY_NAME -b"${artifactRegistryName}"
gh secret set CONTAINER_REGISTRY_HOST_NAME -b"${artifactRegistryLocation}-docker.pkg.dev"
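A least-privilege check to run once the setup above is done, added here as an example and not code from the asm-workshop repo: it confirms the GitHub Actions service account holds exactly the roles the procedure grants (artifactregistry.writer on the one repository, ondemandscanning.admin on the project) and nothing more. The `check_sa_roles` function, the `project_roles_of`/`repo_roles_of` helpers and the sample role lists are assumptions; the helpers wrap the documented `gcloud ... get-iam-policy --flatten/--filter/--format` pattern, and the samples are constructed stand-ins for its output.

```bash
#!/bin/sh
# Added example, not code from the asm-workshop repo: verify that the GitHub
# Actions service account ended up with exactly the intended roles.
# Assumed input format: one role per line, as printed by
#   gcloud projects get-iam-policy "$projectId" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:$saId" \
#     --format="value(bindings.role)"
# and by the equivalent `gcloud artifacts repositories get-iam-policy` call.

# check_sa_roles EXPECTED ACTUAL
#   Both arguments are newline-separated role lists. Reports every role that is
#   bound but not expected (privilege creep) and every expected role that is
#   absent (the workflow would fail). Returns 0 only on an exact match.
check_sa_roles() {
  expected="$1"
  actual="$2"
  status=0
  for role in $actual; do
    if ! printf '%s\n' "$expected" | grep -qxF -- "$role"; then
      echo "UNEXPECTED: $role"
      status=1
    fi
  done
  for role in $expected; do
    if ! printf '%s\n' "$actual" | grep -qxF -- "$role"; then
      echo "MISSING: $role"
      status=1
    fi
  done
  return $status
}

# Live lookup helpers (assumed gcloud invocations; not run by the samples below).
project_roles_of() {   # project_roles_of PROJECT_ID SA_EMAIL
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}
repo_roles_of() {      # repo_roles_of REPO LOCATION PROJECT_ID SA_EMAIL
  gcloud artifacts repositories get-iam-policy "$1" --location "$2" --project "$3" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$4" \
    --format="value(bindings.role)"
}

# What the setup grants: scanning at project level, image push at repository level.
expected_project_roles='roles/ondemandscanning.admin'
expected_repo_roles='roles/artifactregistry.writer'

# Constructed sample outputs standing in for the gcloud calls above.
sample_project_ok='roles/ondemandscanning.admin'
sample_project_drift='roles/ondemandscanning.admin
roles/editor'
sample_repo_missing=''

if check_sa_roles "$expected_project_roles" "$sample_project_ok"; then
  echo "project roles: OK"
fi
check_sa_roles "$expected_project_roles" "$sample_project_drift" || echo "project roles: DRIFT"
check_sa_roles "$expected_repo_roles" "$sample_repo_missing" || echo "repo roles: DRIFT"
```

To run it against the real project, replace the sample strings with `project_roles_of "$projectId" "$saId"` and `repo_roles_of "$artifactRegistryName" "$artifactRegistryLocation" "$projectId" "$saId"`; a non-zero exit from `check_sa_roles` is the signal that someone widened the account's permissions since setup.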