Add Cloud Armor in front of this deployed demo #689
🚲 PR staged at http://104.154.87.241
Tests conducted: Bash commands to test this PR...

```bash
PROJECT_ID=FIXME
gcloud config set project $PROJECT_ID

# Deploy the demo into its own namespace
kubectl create ns onlineboutique
kubectl apply -f release/kubernetes-manifests.yaml -n onlineboutique

# Reserve a global static IP for the Ingress and give it a Cloud Endpoints DNS name
gcloud compute addresses create online-boutique-ip --global
PUBLIC_IP=$(gcloud compute addresses describe online-boutique-ip \
    --global \
    --format "value(address)")
HOST_NAME="onlineboutique.endpoints.${PROJECT_ID}.cloud.goog"
cat <<EOF > dns-spec.yaml
swagger: "2.0"
info:
  description: "Cloud Endpoints DNS"
  title: "Cloud Endpoints DNS"
  version: "1.0.0"
paths: {}
host: "${HOST_NAME}"
x-google-endpoints:
- name: "${HOST_NAME}"
  target: "${PUBLIC_IP}"
EOF
gcloud endpoints services deploy dns-spec.yaml

# Cloud Armor security policy with the preconfigured WAF rules
SECURITY_POLICY_NAME=online-boutique-security-policy
gcloud compute security-policies create $SECURITY_POLICY_NAME \
    --description "Block XSS attacks"
gcloud compute security-policies rules create 1000 \
    --security-policy $SECURITY_POLICY_NAME \
    --expression "evaluatePreconfiguredExpr('xss-stable')" \
    --action "deny-403" \
    --description "XSS attack filtering"
gcloud compute security-policies rules create 12345 \
    --security-policy $SECURITY_POLICY_NAME \
    --expression "evaluatePreconfiguredExpr('cve-canary')" \
    --action "deny-403" \
    --description "CVE-2021-44228 and CVE-2021-45046"
gcloud compute security-policies update $SECURITY_POLICY_NAME \
    --enable-layer7-ddos-defense
gcloud compute security-policies update $SECURITY_POLICY_NAME \
    --log-level=VERBOSE

# SSL policy bound to the Ingress through the FrontendConfig
SSL_POLICY_NAME=online-boutique-ssl-policy
gcloud compute ssl-policies create $SSL_POLICY_NAME \
    --profile COMPATIBLE \
    --min-tls-version 1.0

# Point the managed certificate at the Endpoints host name and apply the release-cluster manifests
sed -i "s,onlineboutique.dev,${HOST_NAME},g" .github/release-cluster/managed-cert.yaml
kubectl apply -f .github/release-cluster/ -n onlineboutique
```
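As an added example (not part of this PR or the project), the check below audits the resulting policies against what the commands above intend: both preconfigured WAF rules present, in blocking (not preview) mode with a deny action, Layer 7 DDoS defense on, verbose logging on, and an SSL policy floor of TLS 1.2. It parses the JSON that `gcloud compute security-policies describe NAME --format json` and `gcloud compute ssl-policies describe NAME --format json` print; the field names (`rules[].match.expr.expression`, `adaptiveProtectionConfig.layer7DdosDefenseConfig.enable`, `advancedOptionsConfig.logLevel`, `minTlsVersion`) are assumed from the Compute API resource shapes, and the embedded sample documents are constructed to mirror the policy created above rather than captured from a real project.

```python
"""Audit a Cloud Armor security policy and an SSL policy exported with
`gcloud compute ... describe NAME --format json` (added example, not project code)."""
import json
from typing import Dict, List

# Constructed sample shaped like the Compute API SecurityPolicy resource.
# Field names are assumed from the API reference; the rules mirror the
# gcloud commands above (xss-stable, cve-canary, L7 DDoS defense, VERBOSE logs).
SECURITY_POLICY_JSON = """
{
  "name": "online-boutique-security-policy",
  "adaptiveProtectionConfig": {"layer7DdosDefenseConfig": {"enable": true}},
  "advancedOptionsConfig": {"logLevel": "VERBOSE"},
  "rules": [
    {"priority": 1000, "action": "deny(403)", "preview": false,
     "description": "XSS attack filtering",
     "match": {"expr": {"expression": "evaluatePreconfiguredExpr('xss-stable')"}}},
    {"priority": 12345, "action": "deny(403)", "preview": false,
     "description": "CVE-2021-44228 and CVE-2021-45046",
     "match": {"expr": {"expression": "evaluatePreconfiguredExpr('cve-canary')"}}},
    {"priority": 2147483647, "action": "allow", "preview": false,
     "description": "default rule",
     "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}
  ]
}
"""

# Constructed sample matching `--profile COMPATIBLE --min-tls-version 1.0`.
SSL_POLICY_JSON = """
{"name": "online-boutique-ssl-policy", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"}
"""

REQUIRED_WAF_RULES = ("xss-stable", "cve-canary")
TLS_ORDER = ("TLS_1_0", "TLS_1_1", "TLS_1_2", "TLS_1_3")


def load(text: str) -> Dict:
    """Parse the JSON document that `gcloud ... describe --format json` prints."""
    return json.loads(text)


def audit_security_policy(policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the policy matches intent."""
    findings: List[str] = []
    rules = policy.get("rules", [])
    for waf in REQUIRED_WAF_RULES:
        hits = [r for r in rules
                if waf in r.get("match", {}).get("expr", {}).get("expression", "")]
        if not hits:
            findings.append(f"no rule references preconfigured WAF expression {waf!r}")
            continue
        for rule in hits:
            prio = rule.get("priority")
            # A rule in preview mode only logs matches; it never blocks traffic.
            if rule.get("preview"):
                findings.append(f"rule {prio} ({waf}) is in preview mode and does not block")
            if not str(rule.get("action", "")).startswith("deny"):
                findings.append(f"rule {prio} ({waf}) action is {rule.get('action')!r}, expected deny")
    l7 = policy.get("adaptiveProtectionConfig", {}).get("layer7DdosDefenseConfig", {})
    if not l7.get("enable"):
        findings.append("Layer 7 DDoS defense (adaptive protection) is not enabled")
    if policy.get("advancedOptionsConfig", {}).get("logLevel") != "VERBOSE":
        findings.append("log level is not VERBOSE; blocked requests are logged with less detail")
    return findings


def audit_ssl_policy(policy: Dict, floor: str = "TLS_1_2") -> List[str]:
    """Flag an SSL policy whose minimum TLS version is below `floor`."""
    findings: List[str] = []
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if min_tls not in TLS_ORDER or TLS_ORDER.index(min_tls) < TLS_ORDER.index(floor):
        findings.append(f"minTlsVersion is {min_tls}, below {floor} "
                        f"(profile {policy.get('profile')}); TLS 1.0/1.1 are deprecated")
    return findings


def run_audit() -> Dict[str, List[str]]:
    """Audit the embedded samples; returns findings keyed by resource kind."""
    return {
        "security_policy": audit_security_policy(load(SECURITY_POLICY_JSON)),
        "ssl_policy": audit_ssl_policy(load(SSL_POLICY_JSON)),
    }


if __name__ == "__main__":
    for kind, findings in run_audit().items():
        print(kind, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

Run against real output by replacing the two embedded strings with the files written by `gcloud compute security-policies describe $SECURITY_POLICY_NAME --format json > sp.json` and the equivalent `ssl-policies describe`. With the samples as constructed, the security policy passes and the SSL policy is flagged, which is exactly the state the `--min-tls-version 1.0` command above produces.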
🚲 PR staged at http://104.154.87.241
Ready for your review and comments, thanks.
Thanks so much for creating this pull-request. And apologies for the late review. Warning: I have added a commit to the Question:
I am currently testing everything out in my own GCP project (i.e., still reviewing).
Thanks for the wording changes @NimJay.
Ah, that's a good idea.
Just finished testing this on my own cluster and domain.
See deletemenow.peachytools.com (which I'll take down once this PR is merged).
Cloud Armor was applied:
I didn't test Cloud Armor itself — but I trust that it works.
I left 2 comments.
They're minor so I'll approve this.
Thanks again for doing this, @mathieu-benoit! And thanks for the very detailed PR description. It made the changes easy to review. 👏
I'll apply the changes (set up Cloud Armor) to onlineboutique.dev as soon as this is merged. :)
🚲 PR staged at http://104.154.87.241
Thanks for the review and comments @NimJay, let me know if there is anything else.
I just applied the changes to the onlineboutique.dev cluster (online-boutique-release).
Update on Investigation
@mathieu-benoit and I just investigated a bit. The
which I had deleted using:
after I applied the new manifests from the But we just reapplied the old
Found out the issue: because of the update of the ingress to v1, I haven't set the defaultBackend field. The issue was not there on a brand new GKE cluster we tested, but because the Ingress of the live cluster of onlineboutique.dev was pointing to the deleted frontendservice-nodeport, it raised that issue. All good now, #698 is fixing the issue.
* Update README with instruction
* Delete frontend-nodeport.yaml
* Update frontend-ingress.yaml
* Update README.md
* add backend-config and frontend-config
* update according to the tests conducted
* fix typo in --redis-version=redis_6_x
* Alter wording/casing in release-cluster/README.md
* Taking into consideration comments

Co-authored-by: Nim Jayawardena <nimjay@google.com>
Document the way to setup Cloud Armor in front of the public endpoint of this demo onlineboutique.dev.

What's in this PR:

- `release-cluster` part with more automation with `gcloud`
- `BackendConfig` to bind Cloud Armor to the `Ingress`
- `FrontendConfig` to bind the SSL Policy and redirect http to https
- `Ingress`'s `apiVersion` from `apiVersion: networking.k8s.io/v1beta1` to `networking.k8s.io/v1` to avoid future breaking change because of deprecation with GKE 1.22
- `frontend-nodeport.yaml` because it's not anymore a requirement, the default `ClusterIP` one is sufficient/working now. `kubectl delete svc frontend-external` in the process too

Next steps: