- Configure org policies
- Restrict allowed IAM domains (domain-restricted sharing)
- Disable service account key creation/download
- Disable default network creation
- Disable external IPs on VMs
- Require Shielded VMs
- Prepare for VPC Service Controls (data protection perimeters)
#!/usr/bin/env bash
#####################################################################
# REFERENCES
# - https://cloud.google.com/kubernetes-engine/docs/how-to/creating-an-autopilot-cluster
# - https://cloud.google.com/storage/docs/creating-buckets
# - https://cloud.google.com/storage/docs/access-control/using-iam-permissions
# - https://cloud.google.com/storage/docs/authentication/managing-hmackeys#command-line
# - https://github.com/Altinity/clickhouse-operator/blob/master/docs/quick_start.md
# - https://clickhouse.com/docs/en/getting-started/quick-start
#!/usr/bin/env bash
#####################################################################
# REFERENCES
# - https://cloud.google.com/iap/docs/concepts-overview
# - https://cloud.google.com/iap/docs/enabling-kubernetes-howto
# - https://cloud.google.com/kubernetes-engine/docs/how-to/configure-gateway-resources#configure_iap
# - https://cloud.google.com/sdk/gcloud/reference/container/clusters/create
# - https://github.com/digitalocean/kubernetes-sample-apps/tree/master/podinfo-example
# - https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing
#!/usr/bin/env bash
#####################################################################
# REFERENCES
# - https://cloud.google.com/run/docs/securing/private-networking#from-other-services
# - https://cloud.google.com/run/docs/securing/private-networking#from-vpc
# - https://cloud.google.com/appengine/docs/flexible/disable-external-ip
# - https://cloud.google.com/dns/docs/records#adding_or_removing_a_record
# - https://cloud.google.com/vpc/docs/configure-private-google-access
# - https://cloud.google.com/run/docs/quickstarts/build-and-deploy/deploy-go-service
#!/usr/bin/env bash
#####################################################################
# REFERENCES
# - https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#cloud_cdn
# - https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#expandable-1
#####################################################################
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
steps:
  # Build image and push to GCR
  - name: 'gcr.io/cloud-builders/docker'
    id: Build
    args:
      - 'build'
      - '-t'
      - 'gcr.io/$PROJECT_ID/$_SERVICE_NAME:$SHORT_SHA'
      - '.'
  # TODO: look into [images]
- don't expect a tool to solve it
- it is a cultural change; you need "believers" in senior roles to advocate within the company
- people need to absorb the information within their own mindset
- it is a process that can span 6-9 months in orgs with ~5000 engineers; nothing happens immediately
- Step 1: "I want to be reliable when I grow up" (you must first believe you have a problem)
- Step 2: "Read the book!" and watch "SRE vs DevOps"
- Step 3: "Panic!" (myth: fire the team and retrain; not the case, the team can be retrained in house)
#!/usr/bin/env bash
#####################################################
# SETUP (OPTIONAL)
#
# Note: this code is not meant to just run;
# copy and paste snippets as you go.
#####################################################
export PROJECT_ID=$(gcloud config get-value project)
- determine the number of servers and IP addresses you need
- determine the number of private hosts first; the RFC 1918 private ranges are:
- 10.0.0.0/8 (24-bit block; one Class A network)
- 172.16.0.0/12 (20-bit block; 16 contiguous Class B networks, 172.16.0.0 through 172.31.255.255)
- 192.168.0.0/16 (16-bit block; 256 contiguous Class C networks)
- use route summarization (supernetting) for better routing performance and management
- 192.168.0.0/24 and 192.168.1.0/24 can be advertised as 192.168.0.0/23, spanning both (shortening the prefix by one bit); this only works when the networks are contiguous and aligned on the new boundary, so 192.168.1.0/24 and 192.168.2.0/24 need a /22