Create a simple GKE cluster
Deploy a pod that mounts the host filesystem
Deploy a second node pool
Deploy PodSecurityPolicy objects
Deploy a blocked pod that mounts the host filesystem
Hardening Default GKE Cluster Configurations
This lab demonstrates some of the security concerns of a default GKE cluster configuration and the corresponding hardening measures to prevent multiple paths of pod escape and cluster privilege escalation. These attack paths are relevant in the following scenarios:
- An application flaw in an external facing pod that allows for Server-Side Request Forgery (SSRF) attacks.
- A fully compromised container inside a pod allowing for Remote Command Execution (RCE).
- A malicious internal user or an attacker with a set of compromised internal user credentials with the ability to create/update a pod in a given namespace.
This lab was created by GKE Helmsman engineers to help you grasp a better understanding of hardening default GKE cluster configurations.
The example code for this lab is provided as-is without warranty or guarantee*
Upon completion of this lab you will understand the need for protecting the GKE Instance Metadata and defining appropriate PodSecurityPolicy policies for your environment.
Create a small GKE cluster using the default settings.
Validate the most common paths of pod escape and cluster privilege escalation from the perspective of a malicious internal user.
Harden the GKE cluster for these issues.
Validate the cluster no longer allows for each of those actions to occur.
Join Qwiklabs to read the rest of this lab...and more!
- Get temporary access to the Google Cloud Console.
- Over 200 labs from beginner to advanced levels.
- Bite-sized so you can learn at your own pace.