Enforce TLS Policy on GKE cluster with Istio or Anthos


Google Cloud provides an easy way to enforce a TLS policy: the allowed SSL/TLS protocol versions and the cipher suites permitted with each of them. Such a policy is configured on the HTTP(S) External Load Balancer. If your workload runs on a GKE cluster and exposes services without a Google load balancer in front, or exposes them only internally (e.g. behind an HTTP(S) Internal Load Balancer), you need another way to enforce the TLS policy. The following tutorial shows how to configure it using Anthos Service Mesh (ASM). It…
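The equivalent of a load-balancer SSL policy inside the mesh is the TLS section of an Istio Gateway, which ASM uses to terminate TLS on the ingress gateway's Envoy. The manifest below is an added illustration, not the tutorial's own code: the hostname, certificate secret name and gateway name are assumptions, and the protocol and cipher settings are the fields Istio's ServerTLSSettings actually accepts.

```yaml
# Added example (not from the original post). Assumed names:
# gateway "app-gateway", host "app.example.com", TLS secret "app-example-com-cert".
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway      # the ASM/Istio ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "app.example.com"
    tls:
      mode: SIMPLE             # terminate TLS at Envoy; clients are not asked for certs
      credentialName: app-example-com-cert   # Kubernetes TLS secret in the gateway namespace
      minProtocolVersion: TLSV1_2            # reject TLS 1.0/1.1 handshakes
      maxProtocolVersion: TLSV1_3
      cipherSuites:                          # applies to TLS 1.2; TLS 1.3 suites are fixed by Envoy
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
```

Two caveats: the load balancer in front of the gateway (external or internal) must pass TCP through rather than terminate TLS itself, otherwise its own SSL policy, not this one, decides the handshake; and the cipher list only constrains TLS 1.2 and below, since TLS 1.3 cipher selection is not configurable in Envoy. After applying, a handshake forced to TLS 1.1 (for example `openssl s_client -tls1_1`) against the gateway should fail, which is the check that the policy is actually enforced.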

In Google Cloud it is possible to configure a VM with a startup script that runs each time the VM boots. Running a startup script is easy, and there are plenty of blog posts describing how to do it, including the GCP public documentation. The startup script is a universal answer to the problem of defining commands to run on every boot. As with anything, there are a few caveats.

One-time startup script

AWS provides a way to distinguish between EC2 instance launch and start events, which makes it possible to run a script only the first time…

How many times to encrypt data in transit?

Spoiler alert: no code examples in this article 😊

Securing application traffic, also referred to as encrypting data in transit or application communication encryption, is a standard security practice and, almost always, a requirement for any multi-tier application. The common way to do it is with the SSL/TLS protocols, and the implementation should declare which protocol version(s) and cipher suite(s) it supports.

Cloud native applications are often deployed on Kubernetes, for example GKE in Google Cloud (GCP). Although the idea of encrypting data in transit is simple, implementing and operating it may require considerable investment. It may prove helpful to understand how…

Kubernetes has supported ephemeral containers for some time. Starting from Kubernetes 1.18, ephemeral containers can be used to debug running pods, in addition to a large set of other troubleshooting methods. While GKE already supports Kubernetes 1.18, the kubectl debug command is still unavailable there, mainly because the feature is still marked Alpha in the Kubernetes API. So, what else can you do besides inspecting GKE application logs and traces?

It is possible to access a running pod's containers from the hosting VM. Most GKE clusters use Container-Optimized OS (COS) for their worker nodes. When SSH'ing to the…

The term label usually describes a key/value pair attached to some object. In Kubernetes, labels are key/value pairs attached to manifested resources, such as pods; they are used to organize objects and to select subsets of them. Google Cloud labels (referred to as Cloud labels further in the post) are mainly used to categorize resources in billing reports, in order to simplify analysis of spending. When the term label is used with the GKE service it sometimes creates ambiguity and confusion. The GKE documentation referring to them as "cluster labels" may contribute to the…

Two requirements for secure remote access to machines are easy management of the user-to-VM access matrix and low solution and operational cost. For VM fleets hosted on Google Cloud this is easy to achieve. In this post I build an example of a working solution based on OS Login and IAP TCP tunneling, and review a few important focus points about the technology and best practices.

How it is usually done.

The majority of existing solutions for data centers and cloud providers use one of three constructs:

  • SSH / RDP encrypted connection to destination host
  • SSH / RDP encrypted connection to a Bastion host…


Cloud Engineer in PSO at Google, specializing in Infrastructure, AppDev, Security and SRE. Horsemanship in free time.
