tutorial.md

# GCP CI/CD security demo and tutorial

This repo demonstrates a security-focused CI/CD pipeline for GKE built with the Google Cloud tools Cloud Build, Binary Authorization, Artifact Registry, Container Analysis, and Google Cloud Deploy.

## Select a project

Once you've selected a project, click "Start".

## Set the PROJECT_ID environment variable

Set the PROJECT_ID environment variable. This variable is used in the steps that follow.

```shell
export PROJECT_ID=<walkthrough-project-id/>
```

## Enable needed APIs and create the Google Cloud Deploy pipeline

The bootstrap/init.sh script enables the required APIs, customizes your clouddeploy.yaml and creates a Cloud Deploy pipeline for you. You'll still need to do some steps manually after the script runs, though.

Run the initialization script:

```shell
. ./bootstrap/init.sh
```

## View your Google Cloud Deploy pipeline

Verify that the Google Cloud Deploy pipeline was created in the Google Cloud Deploy UI.

## Turn on automated container vulnerability analysis

Google Cloud Container Analysis can be set to automatically scan images for vulnerabilities on push (see pricing).

Enable the Container Analysis API for automated scanning:

## Configure your GitHub.com repo

If you have not forked this repo yet, please do so now:

Fork this repo on GitHub

To keep the file changes you make in Cloud Shell in sync with your repo, check them into your new GitHub repo by following these docs. Note that the GitHub CLI is available in Cloud Shell.

## Set up a Cloud Build trigger for your repo

Now that your GitHub repo is set up, configure Cloud Build to run each time a change is pushed to the main branch. To do this, add a trigger in Cloud Build:

## Create GKE clusters

You'll need GKE clusters to deploy to. The Google Cloud Deploy pipeline in this example refers to two clusters:

- test-sec
- prod-sec

Feel free to add more clusters; just update the clouddeploy.yaml file with the additional steps and targets. If you have, or want, different cluster names, update the cluster definitions in:

- bootstrap/gke-init.sh
- clouddeploy.yaml
- bootstrap/gke-delete.sh

Make sure you have Binary Authorization enabled for any existing clusters you may want to use.

Create the GKE clusters:

```shell
. ./bootstrap/gke-init.sh
```

Note that these clusters are created asynchronously, so check the GKE UI periodically to ensure that the clusters are up before submitting your first release to Google Cloud Deploy.

## IAM and service account setup

You must give Cloud Build explicit permission to trigger a Google Cloud Deploy release.

1. Read the docs
2. Navigate to IAM and locate your Cloud Build service account
3. Add these two roles:
   - Cloud Deploy Releaser
   - Service Account User
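The same two bindings can be applied with gcloud rather than through the IAM page. This is an added example, not one of this repo's bootstrap scripts. It assumes PROJECT_ID is set as in the earlier step, that the build runs as the default Cloud Build service account (`<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com`), and uses the role IDs `roles/clouddeploy.releaser` and `roles/iam.serviceAccountUser`, which are the IDs behind the two display names listed above. Setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example: bind the two roles the tutorial names to the Cloud Build
# service account, then list what that account holds so the grant can be verified.
# Assumption: the default Cloud Build service account is in use.
GCLOUD="${GCLOUD:-gcloud}"

# Resolve the numeric project number, which forms the service account's name.
project_number() {
  "$GCLOUD" projects describe "$1" --format='value(projectNumber)'
}

# Grant exactly the two roles from the step above; nothing broader.
# $1 = project ID, $2 = project number
grant_cloud_build_deploy_roles() {
  project_id="$1"
  member="serviceAccount:${2}@cloudbuild.gserviceaccount.com"
  for role in roles/clouddeploy.releaser roles/iam.serviceAccountUser; do
    "$GCLOUD" projects add-iam-policy-binding "$project_id" \
      --member="$member" --role="$role" || return 1
  done
}

# Print every role bound to the Cloud Build service account, for review.
show_cloud_build_roles() {
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${2}@cloudbuild.gserviceaccount.com" \
    --format='value(bindings.role)'
}

if [ -n "${PROJECT_ID:-}" ] && [ "$GCLOUD" = gcloud ]; then
  number=$(project_number "$PROJECT_ID")
  grant_cloud_build_deploy_roles "$PROJECT_ID" "$number"
  show_cloud_build_roles "$PROJECT_ID" "$number"
fi
```

Reviewing the output of the last command is worthwhile: the Cloud Build service account only needs these two roles for this pipeline, and a broader role such as Editor on the same account widens what a compromised build step could do.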

## Kritis Signer and attestor setup

This section is WIP. See: https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis

## Binary Authorization policy

This section is WIP. See: https://cloud.google.com/binary-authorization/docs/setting-up
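Until this section is written, the shape of the policy the linked docs describe is shown below as an added example (not this repo's code). It writes the permissive policy a project starts with next to one that blocks any image lacking an attestation from a single attestor, checks which kind a file is, and imports the chosen file with `gcloud container binauthz policy import`. The attestor name and project ID passed in are placeholders; the attestor itself would come from the Kritis Signer step above.

```shell
#!/usr/bin/env sh
# Added example: generate and import a Binary Authorization policy.
# Assumptions: PROJECT_ID is set; the attestor named in the call already exists.
GCLOUD="${GCLOUD:-gcloud}"

# The permissive policy a project starts with: every image is admitted.
# Written only for contrast; do not import this one.
write_permissive_policy() {
  cat > "$1" <<'EOF'
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
globalPolicyEvaluationMode: ENABLE
EOF
}

# Policy that blocks (and audit-logs) any image without an attestation from
# the named attestor. globalPolicyEvaluationMode: ENABLE keeps Google-managed
# GKE system images admitted without needing an attestation.
# $1 = output file, $2 = project ID, $3 = attestor name
write_attestation_policy() {
  out="$1"; project_id="$2"; attestor="$3"
  cat > "$out" <<EOF
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/${project_id}/attestors/${attestor}
globalPolicyEvaluationMode: ENABLE
EOF
}

# Returns 0 only if the policy file actually requires an attestation.
policy_requires_attestation() {
  grep -q 'evaluationMode: REQUIRE_ATTESTATION' "$1" \
    && grep -q 'requireAttestationsBy:' "$1"
}

# Import a policy file as the project's active Binary Authorization policy.
import_policy() {
  "$GCLOUD" container binauthz policy import "$1"
}

if [ -n "${PROJECT_ID:-}" ] && [ "$GCLOUD" = gcloud ] && [ $# -eq 1 ]; then
  write_attestation_policy policy.yaml "$PROJECT_ID" "$1"
  policy_requires_attestation policy.yaml && import_policy policy.yaml
fi
```

The check before `import_policy` is the point of the example: an `ALWAYS_ALLOW` default rule on a cluster with Binary Authorization "enabled" still admits every image, so the policy file, not the cluster flag, is what turns the control on.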

## Demo overview

(Figure: Google Cloud Software Supply Chain Security Demo Flow)

This section is WIP. For now, see the gist.

## Tear down

To remove the three running GKE clusters, run:

```shell
. ./bootstrap/gke-delete.sh
```