Add Cloud Armor in front of this deployed demo #689
Conversation
|
🚲 PR staged at http://104.154.87.241 |
|
🚲 PR staged at http://104.154.87.241 |
|
🚲 PR staged at http://104.154.87.241 |
|
Tests conducted: Bash commands to test this PR...
PROJECT_ID=FIXME
gcloud config set project $PROJECT_ID
kubectl create ns onlineboutique
kubectl apply -f release/kubernetes-manifests.yaml -n onlineboutique
gcloud compute addresses create online-boutique-ip --global
PUBLIC_IP=$(gcloud compute addresses describe online-boutique-ip \
--global \
--format "value(address)")
HOST_NAME="onlineboutique.endpoints.${PROJECT_ID}.cloud.goog"
cat <<EOF > dns-spec.yaml
swagger: "2.0"
info:
description: "Cloud Endpoints DNS"
title: "Cloud Endpoints DNS"
version: "1.0.0"
paths: {}
host: "${HOST_NAME}"
x-google-endpoints:
- name: "${HOST_NAME}"
target: "${PUBLIC_IP}"
EOF
gcloud endpoints services deploy dns-spec.yaml
SECURITY_POLICY_NAME=online-boutique-security-policy
gcloud compute security-policies create $SECURITY_POLICY_NAME \
--description "Block XSS attacks"
gcloud compute security-policies rules create 1000 \
--security-policy $SECURITY_POLICY_NAME \
--expression "evaluatePreconfiguredExpr('xss-stable')" \
--action "deny-403" \
--description "XSS attack filtering"
gcloud compute security-policies rules create 12345 \
--security-policy $SECURITY_POLICY_NAME \
--expression "evaluatePreconfiguredExpr('cve-canary')" \
--action "deny-403" \
--description "CVE-2021-44228 and CVE-2021-45046"
gcloud compute security-policies update $SECURITY_POLICY_NAME \
--enable-layer7-ddos-defense
gcloud compute security-policies update $SECURITY_POLICY_NAME \
--log-level=VERBOSE
SSL_POLICY_NAME=online-boutique-ssl-policy
gcloud compute ssl-policies create $SSL_POLICY_NAME \
--profile COMPATIBLE \
--min-tls-version 1.0
sed -i "s,onlineboutique.dev,${HOST_NAME},g" .github/release-cluster/managed-cert.yaml
kubectl apply -f .github/release-cluster/ -n onlineboutique |
|
🚲 PR staged at http://104.154.87.241 |
|
🚲 PR staged at http://104.154.87.241 |
|
Ready for your review and comments, thanks. |
|
🚲 PR staged at http://104.154.87.241 |
|
Thanks so much for creating this pull-request. And apologies for the late review. Warning: I have added a commit to the Question:
I am currently testing everything out in my own GCP project (i.e., still reviewing). |
|
Thanks for the wording changes @NimJay. |
|
Ah, that's a good idea. |
There was a problem hiding this comment.
Just finished testing this on my own cluster and domain.
See deletemenow.peachytools.com (which I'll take down once this PR is merged).
Cloud Armor was applied:
I didn't test Cloud Armor itself — but I trust that it works.
I left 2 comments.
They're minor so I'll approve this.
Thanks again for doing this, @mathieu-benoit! And thanks for the very details PR description. It made the changes easy to review. 👏
I'll apply the changes (set up Cloud Armor) to onlineboutique.dev as soon as this is merge. :)
|
🚲 PR staged at http://104.154.87.241 |
|
Thanks for the review and comments @NimJay, let me know if there is anything else. |
|
I just applied the changes to the onlineboutique.dev cluster (online-boutique-release). |
Update on Investigation@mathieu-benoit and I just investigated a bit. The which I had deleted using: after I applied the new manifests from the But we just reapplied the old |
|
Found out the issue: because of the update of the ingress to v1, I haven't set the defaultBakend field. The issue was not there on a brand new GKE cluster we tested, but because the Ingress of the live cluster of onlineboutique.dev was pointing to the deleted frontendservice-nodeport, it raised that issue. All good now, #698 is fixing the issue. |
* Update README with instruction * Delete frontend-nodeport.yaml * Update frontend-ingress.yaml * Update README.md * add backend-config and frontend-config * update according to the tests conducted * fix typo in --redis-version=redis_6_x * Alter wording/casing in release-cluster/README.md * Taking into consideration comments Co-authored-by: Nim Jayawardena <nimjay@google.com>
* Update README with instruction * Delete frontend-nodeport.yaml * Update frontend-ingress.yaml * Update README.md * add backend-config and frontend-config * update according to the tests conducted * fix typo in --redis-version=redis_6_x * Alter wording/casing in release-cluster/README.md * Taking into consideration comments Co-authored-by: Nim Jayawardena <nimjay@google.com>
Document the way to setup Cloud Armor in front of the public endpoint of this demo onlineboutique.dev.
What's in this PR:
release-clusterpart with more automation withgcloudBackendConfigto bind Cloud Armor to theIngressFrontendConfigto bind the SSL Policy and redirect http to httpsIngress'sapiVersionfromapiVersion: networking.k8s.io/v1beta1tonetworking.k8s.io/v1to avoid future breaking change because deprecation with GKE 1.22frontend-nodeport.yamlbecause it's not anymore a requirement, the defaultClusterIPone is sufficient/working now.kubectl delete svc frontend-externalin the process tooNext steps: