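# Default Compute Engine zone for the commands that follow, so they can omit
# --zone.
gcloud config set compute/zone us-east1-b

# Custom role definition for the cluster's service account.
# Written with a here-document rather than an interactive editor session, so
# the listing can be run as-is: pasted verbatim, the YAML lines of the original
# would be executed as shell commands. The quoted delimiter stops the shell
# from expanding anything inside the file body.
# The permission list is narrow on purpose: read bucket metadata, and
# get/list/create/update objects. It holds no delete permission and no IAM
# (setIamPolicy) permission.
cat > roles.yaml <<'EOF'
title: "Orca Storage Update"
description: "Add and update objects in Google Cloud Storage buckets"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
EOF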

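# Stop before any IAM change if the project ID is missing. With an empty,
# unquoted $DEVSHELL_PROJECT_ID the original commands would be parsed with the
# wrong arguments (for example "--project --file roles.yaml") and the member
# string would name a service account in no project.
: "${DEVSHELL_PROJECT_ID:?DEVSHELL_PROJECT_ID must be set to the target project ID}"

# Create the project-level custom role from roles.yaml.
gcloud iam roles create orca_storage_update \
  --project "$DEVSHELL_PROJECT_ID" \
  --file roles.yaml

# Dedicated service account; the cluster created later on this page is started
# with it via --service-account.
gcloud iam service-accounts create orca-private-cluster-sa \
  --display-name "Orca Private Cluster Service Account"

# IAM member string for the service account, built once and reused below.
orca_sa_member="serviceAccount:orca-private-cluster-sa@${DEVSHELL_PROJECT_ID}.iam.gserviceaccount.com"

# Grant the account exactly four roles: three predefined monitoring/logging
# roles plus the custom storage role created above.
# NOTE(review): these are project-level bindings, so the custom storage role
# applies to every bucket in the project. If only specific buckets are needed,
# bind the role on those buckets instead. Confirm against the requirements.
for orca_role in \
  roles/monitoring.viewer \
  roles/monitoring.metricWriter \
  roles/logging.logWriter \
  "projects/${DEVSHELL_PROJECT_ID}/roles/orca_storage_update"; do
  gcloud projects add-iam-policy-binding "$DEVSHELL_PROJECT_ID" \
    --member "$orca_sa_member" \
    --role "$orca_role"
done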

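# The service-account address below is built from the project ID; refuse to
# continue with an empty value.
: "${DEVSHELL_PROJECT_ID:?DEVSHELL_PROJECT_ID must be set to the target project ID}"

# Internal IP of the jump host; it becomes the only address allowed to reach
# the cluster's control plane.
JUMPHOST_IP=$(gcloud compute instances describe orca-jumphost \
  --format='get(networkInterfaces[0].networkIP)')

# If the lookup failed, the original would pass "/32" as the authorized
# network. Abort instead of creating a cluster with a malformed allow-list.
: "${JUMPHOST_IP:?could not read the internal IP of orca-jumphost}"

# NOTE(review): despite its name, this value is passed as --master-ipv4-cidr,
# i.e. the control-plane range. That range must not overlap any subnet range
# in the VPC; confirm it does not collide with orca-build-subnet.
SUBNET_IP_RANGE="10.142.0.0/28"

# Private cluster:
#   --enable-private-nodes             nodes get internal IP addresses only
#   --enable-private-endpoint          control plane is reached through its
#                                      internal address
#   --enable-master-authorized-networks / --master-authorized-networks
#                                      control-plane access limited to the
#                                      jump host's single address (/32)
#   --service-account                  nodes run as the dedicated account
#                                      rather than the default one
gcloud beta container clusters create orca-test-cluster \
  --network orca-build-vpc \
  --subnetwork orca-build-subnet \
  --service-account "orca-private-cluster-sa@${DEVSHELL_PROJECT_ID}.iam.gserviceaccount.com" \
  --enable-master-authorized-networks \
  --master-authorized-networks "${JUMPHOST_IP}/32" \
  --enable-private-nodes \
  --master-ipv4-cidr "$SUBNET_IP_RANGE" \
  --enable-ip-alias \
  --enable-private-endpoint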
   
# Write a kubeconfig entry that points at the control plane's internal IP.
# The cluster above allows control-plane access only from the jump host's /32,
# so this command and the kubectl commands below have to be run from that host.
gcloud container clusters get-credentials orca-test-cluster \
  --internal-ip

# Sample workload.
# NOTE(review): the image is referenced by tag; pinning it by digest would
# guard against the tag being re-pointed. Left as on the page.
kubectl create deployment hello-server \
  --image=gcr.io/google-samples/hello-app:1.0

# Publish the deployment on port 80, forwarding to container port 8080.
# NOTE(review): a Service of type LoadBalancer on GKE is provisioned as an
# external load balancer unless it is annotated as internal, so the workload
# becomes reachable from outside the VPC even though the cluster is private.
# Confirm that exposure is intended.
kubectl expose deployment hello-server \
  --name=orca-hello-service \
  --type=LoadBalancer \
  --port=80 \
  --target-port=8080