Securing the Deployment Pipeline
The course is part of this learning path
This course explores how to secure your deployment pipelines on GCP. We will cover the four main techniques to securely build and deploy containers using Google Cloud and you will follow along with guided demonstrations from Google Cloud Platform so that you get a practical understanding of the techniques covered.
If you have any feedback relating to this course, please contact us at firstname.lastname@example.org.
By completing this course, you will understand:
- The advantages of using Google managed base images
- How to detect security vulnerabilities in containers using Container Analysis
- How to create and enforce GKE deployment policies using Binary Authorization
- How to unauthorized changes to production using IAM
This course is intended for:
- Infrastructure/Release engineers interested in the basics of building a secure CI/CD pipeline in GCP
- Security professionals who want to familiarize themselves with some of the common security tools Google provides for container deployment
- Anyone taking the Google “Professional Cloud DevOps Engineer” certification exam
To get the most out of this course, you should be familiar with:
- Building CI/CD pipelines
- Building containers and deploying them to Kubernetes
- Setting up IAM roles and policies
First, let me talk about how to minimize security vulnerabilities in your containers. In order to find security issues, you have to know where to look for them. Hopefully, you already understand that containers are built in layers. First, there is a base image. Then, that base image is extended by building other layers on top of it.
These extra layers include the additional software that is needed to form the microservice. Security vulnerabilities can appear in any of these layers. Every container developer bases their container off of another image maintained by someone else. These base or parent images are usually quite simple, and typically include basic operating systems such as Ubuntu or Debian. But some parent images can also be quite complex, and can include many, many different components. Unfortunately, developers tend to blindly trust that these images are secure, but that often is not the case.
Picking the right base or parent image is important. Ideally, you want one that has everything you need, with nothing else. If the base image doesn't have enough, you're going to need to add and maintain it. If the base image has too much, your resulting image will be larger than necessary and it might have extra security vulnerabilities in it. And because there are so many images out there, how do you know the right one to use? It is quite possible to pick an image that is not regularly maintained, resulting in a lack of timely security patches. Or you might pick an image that is updated too often and too much, which could result in constantly breaking your builds. Also, if you're not careful, you could even pick an image that contains malicious code.
It is absolutely essential to know where your images are coming from and to understand exactly what they contain. That is why Google offers a collection of base images for any GCP customer to use. These images are available in the Cloud Marketplace and are rigorously tested and scanned for known vulnerabilities using the CVE, or Common Vulnerabilities and Exposures, database.
As soon as a patch is available, Google applies it, and updates typically happen at least once a month. Now, these images are not just maintained for customers. Google also uses them as well for building its own applications: services such as Google App Engine. So you know they are well-maintained.
The current list of base images includes Debian, Ubuntu, and CentOS. There are also a number of other more featured containers available as well. So if you want the latest copy of Jenkins, you can find it. In any case, using Google-managed images will make sure that your containers start off with a clean, secure slate.
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.