Deploy an app to GKE and view security insights

Learn how to deploy an intentionally vulnerable container to a GKE cluster and get security insights about the vulnerability in the security posture dashboard. The GKE security posture dashboard displays information about known operating system vulnerabilities. If you also want to scan for vulnerabilities in Go or Java language packages, refer to Build an application and view security insights.

Objectives

  • Build and push a containerized application to Artifact Registry using Cloud Build.
  • Create a delivery pipeline in Cloud Deploy.
  • Deploy the application to a staging GKE cluster and promote it to a production cluster.
  • View insights about vulnerabilities in the deployed application using the security posture dashboard in the Google Cloud console.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.
  3. To initialize the gcloud CLI, run the following command:

    gcloud init
  4. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  5. Make sure that billing is enabled for your Google Cloud project.

  6. Enable the Artifact Registry, Cloud Build, Cloud Deploy, Google Kubernetes Engine, Container Security, and Container Analysis APIs:

    gcloud services enable artifactregistry.googleapis.com cloudbuild.googleapis.com clouddeploy.googleapis.com container.googleapis.com containersecurity.googleapis.com containeranalysis.googleapis.com

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Prepare your environment

  1. Set your project ID as an environment variable:

    export PROJECT_ID=$(gcloud config get project)
    
  2. Set the default Google Cloud region for Cloud Deploy:

    gcloud config set deploy/region us-central1
    
  3. Clone the GitHub repository that contains the sample code for this task:

    git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git
    cd ~/software-delivery-shield-demo-java/backend
    
  4. Create an IAM service account for your GKE clusters to use:

    gcloud iam service-accounts create sds-runtime \
        --display-name="Security insights with GKE service account"
    
  5. Grant permissions to the IAM service account:

    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
        --role="roles/container.nodeServiceAccount"
    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
        --role="roles/clouddeploy.jobRunner"
    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
        --role="roles/container.developer"
    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member=serviceAccount:sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com \
        --role="roles/artifactregistry.reader"
    
  6. Grant the default Compute Engine service account access to GKE clusters. Cloud Deploy uses this access to deploy apps to the clusters in your delivery pipeline.

    PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"
    gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
        --member=serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com \
        --role=roles/container.developer
    

Create the Artifact Registry repository for your image

  1. Create the repository:

    gcloud artifacts repositories create containers \
        --repository-format=docker \
        --location=us-central1 \
        --description="Security insights with GKE repository"
    
  2. Verify that the repository exists:

    gcloud artifacts repositories list \
        --location=us-central1 \
        --filter="REPOSITORY:containers"
    

    The output displays the containers repository you created.

Create the GKE clusters

Create two GKE clusters: a staging cluster named dev-cluster and a production cluster named prod-cluster. In Autopilot, workload vulnerability scanning is automatically enabled for new clusters running version 1.27 and later. If you use a Standard cluster, specify the --workload-vulnerability-scanning=standard flag when you create it.

gcloud container clusters create-auto dev-cluster \
    --region=us-central1 \
    --release-channel=rapid \
    --service-account=sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
gcloud container clusters create-auto prod-cluster \
    --region=us-central1 \
    --release-channel=rapid \
    --service-account=sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com

Cluster creation can take up to five minutes to complete. You can also enable workload vulnerability scanning by updating existing GKE clusters.
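As an added example (not part of the Google Cloud guide), here is a small pre-deployment check covering the two settings this guide relies on: that the sds-runtime service account holds only the four roles granted in "Prepare your environment", and that each cluster has workload vulnerability scanning on and runs its nodes as that dedicated account rather than the default Compute Engine one. The JSON shapes of `gcloud projects get-iam-policy` and `gcloud container clusters describe` output, the `securityPostureConfig.vulnerabilityMode` field and the `VULNERABILITY_*` values are assumptions, and the sample inputs are constructed.

```python
import json

PROJECT_ID = "my-project"  # placeholder, not a real project
RUNTIME_SA = f"serviceAccount:sds-runtime@{PROJECT_ID}.iam.gserviceaccount.com"

# Roles the guide grants to sds-runtime; anything beyond these is flagged.
EXPECTED_ROLES = {
    "roles/container.nodeServiceAccount", "roles/clouddeploy.jobRunner",
    "roles/container.developer", "roles/artifactregistry.reader",
}

# Constructed IAM policy in the (assumed) shape of `gcloud projects get-iam-policy
# PROJECT_ID --format=json`: the four expected roles plus one over-broad grant.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/container.nodeServiceAccount", "members": [RUNTIME_SA]},
    {"role": "roles/clouddeploy.jobRunner", "members": [RUNTIME_SA]},
    {"role": "roles/container.developer", "members": [RUNTIME_SA]},
    {"role": "roles/artifactregistry.reader", "members": [RUNTIME_SA]},
    {"role": "roles/editor", "members": ["user:alice@example.com", RUNTIME_SA]},
]})

# Constructed cluster descriptions in the (assumed) shape of `gcloud container
# clusters describe --format=json`: dev as the guide creates it, prod misconfigured.
SAMPLE_DEV = json.dumps({"name": "dev-cluster",
    "nodeConfig": {"serviceAccount": RUNTIME_SA.split(":", 1)[1]},
    "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_BASIC"}})
SAMPLE_PROD = json.dumps({"name": "prod-cluster",
    "nodeConfig": {"serviceAccount": "default"},
    "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_DISABLED"}})


def unexpected_roles(policy_json, member=RUNTIME_SA):
    """Roles bound to `member` that the guide does not grant (least-privilege check)."""
    bindings = json.loads(policy_json).get("bindings", [])
    held = {b["role"] for b in bindings if member in b.get("members", [])}
    return held - EXPECTED_ROLES


def cluster_findings(cluster_json):
    """Posture findings for one cluster: scanning disabled, or default node SA."""
    c = json.loads(cluster_json)
    posture = c.get("securityPostureConfig", {})
    findings = []
    if posture.get("vulnerabilityMode", "VULNERABILITY_DISABLED") == "VULNERABILITY_DISABLED":
        findings.append(f"{c['name']}: workload vulnerability scanning is off; "
                        "create with --workload-vulnerability-scanning=standard")
    if c.get("nodeConfig", {}).get("serviceAccount", "default") == "default":
        findings.append(f"{c['name']}: nodes run as the default Compute Engine service account")
    return findings
```

To run it against your project, pass the real `--format=json` output of the two gcloud commands to the functions in place of the constructed samples.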

Build the image

Build and submit the image using Cloud Build:

gcloud builds submit --region us-central1 --config cloudbuild.yaml

When the build completes, the output is similar to the following:

DONE
-----------------------------------------------------------------------------
ID: 3e23094f-7f57-4449-bc68-51c37hn34d03
CREATE_TIME: 2022-09-19T15:41:07+00:00
DURATION: 54S
SOURCE: gs://my-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f.tgz
IMAGES: us-central1-docker.pkg.dev/PROJECT_ID/containers/java-guestbook-backend:quickstart
STATUS: SUCCESS

Deploy the image to GKE using Cloud Deploy

  1. Update the Cloud Deploy configuration file with your project ID:

    sed -i "s/PROJECT_ID/${PROJECT_ID}/g" clouddeploy.yaml
    
  2. Register the pipeline and targets:

    gcloud deploy apply --file=clouddeploy.yaml
    
  3. To verify that your pipeline exists, go to the Delivery pipelines page in the Google Cloud console:

    The list of pipelines displays your new pipeline, guestbook-app-delivery.

  4. Click the name of the pipeline to monitor progress. The Delivery pipeline details page opens.

  5. Create a new release in Cloud Deploy:

    gcloud deploy releases create guestbook-release-001 \
        --delivery-pipeline=guestbook-app-delivery \
        --images=java-guestbook-backend=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart
    

    The new release appears in the Releases section on the Delivery pipeline details page.

  6. On the Delivery pipeline details page, monitor the Pipeline visualization view until the Promote button displays for dev-cluster. You might need to refresh the page.

  7. Click Promote in the dev-cluster visualization.

  8. On the Promote release pane, click Promote to confirm the promotion to your production cluster.

  9. To verify that your release was successful, check the Releases section. The Last rollout status column displays Successfully deployed to prod-cluster.

View vulnerabilities

In this section, you view OS vulnerability insights in the security posture dashboard. The dashboard displays information about vulnerabilities in your running workloads after you deploy them to your clusters.

  1. Go to the GKE security posture page in the Google Cloud console.

  2. To view scan results, refresh the page. The initial scan might take up to 15 minutes to complete.

  3. On the GKE security posture page, review the Workload OS vulnerability section. This section lists the top CVEs affecting your deployed workload.

  4. For details, click See all vulnerability concerns. The Concerns tab opens and applies a filter for the Vulnerability concern type. The table shows an overview of each vulnerability and its impact.

  5. For details about a specific vulnerability, click the name of the concern in the table. The Vulnerability pane opens. On this pane, you can do the following:

    • Read a detailed description of the CVE, including affected versions, packages, and the CVSS score.
    • View recommended actions to mitigate the concern, such as documentation and patch version information.
    • View the specific workloads that are affected by the vulnerability in the Affected workloads tab.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, either delete the individual resources or delete the Google Cloud project that contains them.

Delete individual resources

  1. Delete the Cloud Deploy pipeline:

    gcloud deploy delivery-pipelines delete guestbook-app-delivery --force
    
  2. Delete the GKE clusters:

    gcloud container clusters delete dev-cluster \
        --region=us-central1
    gcloud container clusters delete prod-cluster \
        --region=us-central1
    
  3. Delete the Artifact Registry repository:

    gcloud artifacts repositories delete containers \
        --location=us-central1
    
  4. Delete the IAM service account:

    gcloud iam service-accounts delete sds-runtime@${PROJECT_ID}.iam.gserviceaccount.com
    

Delete the project

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next