This note groups Cloud Build, Cloud Functions, Cloud Run and App Engine together. They all sit on the same spectrum of delegating more responsibility to Google, from “give us your code, we handle the rest” to CI/CD pipelines that build and deploy for you.

Cloud Build


Google's managed CI/CD service: each build step runs as a container on Google-hosted workers, entirely inside the cloud environment.

Developers using the tool typically get the cloudbuild.builds.editor role, which lets them submit builds. The build itself is executed by the Cloud Build service account (depending on project age, either the legacy PROJECT_NUMBER@cloudbuild.gserviceaccount.com account or the Compute Engine default service account). Since every build step runs with that account's identity and can read its access token from the metadata server, anyone allowed to submit a build effectively inherits the build service account's permissions. Review both sides: who can create builds, and which roles the build service account holds.

Check out the RhinoSecurityLabs article on Cloud Build privesc.
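The transitive-privilege point above, as an added example that is not part of the original note: the script parses a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, works out which principals can submit builds, and maps each of them to the roles they gain through the build service account. The policy, project number and account names are constructed sample data, and the table of build-submitting roles is deliberately partial (roles that include cloudbuild.builds.create).

```python
"""Who can run code as the Cloud Build service account, and what does that buy them?

Added example, not code from the original note or from Google. Input is a project
IAM policy in `gcloud projects get-iam-policy --format=json` shape. The policy below
is constructed sample data; the role table is a partial, assumed-sufficient list.
"""
import json

# Roles that include cloudbuild.builds.create (partial list, assumption for the demo).
BUILD_SUBMITTER_ROLES = {
    "roles/cloudbuild.builds.editor",
    "roles/editor",
    "roles/owner",
}

# Primitive roles that make a build service account far more powerful than CI needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample: builds run as the Compute Engine default SA, which holds Editor.
SAMPLE_BUILD_SA = "123456789012-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-users@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SAMPLE_BUILD_SA}"]},
        {"role": "roles/storage.admin", "members": [f"serviceAccount:{SAMPLE_BUILD_SA}"]},
    ],
    "etag": "BwX0example=",
    "version": 1,
})


def roles_by_member(policy_json):
    """Invert the bindings list into {member: set(roles)}."""
    policy = json.loads(policy_json)
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def build_submitters(policy_json):
    """Principals whose roles let them submit a build, i.e. run an arbitrary build step."""
    return {m for m, roles in roles_by_member(policy_json).items()
            if roles & BUILD_SUBMITTER_ROLES}


def effective_build_privileges(policy_json, build_sa):
    """Map each build submitter to the roles it gains via the build service account.

    A build step runs with build_sa's identity (its token is reachable from the
    metadata server inside the build), so the submitter transitively holds the
    SA's roles. Only the delta over the submitter's own direct roles is reported.
    """
    member_roles = roles_by_member(policy_json)
    sa_roles = member_roles.get(f"serviceAccount:{build_sa}", set())
    return {m: sa_roles - member_roles[m] for m in build_submitters(policy_json)}


def findings(policy_json, build_sa):
    """Human-readable findings: broad roles on the build SA, and who inherits them."""
    sa_roles = roles_by_member(policy_json).get(f"serviceAccount:{build_sa}", set())
    notes = []
    broad = sa_roles & BROAD_ROLES
    if broad:
        notes.append(f"build SA {build_sa} holds broad role(s): {sorted(broad)}")
    for member, gained in sorted(effective_build_privileges(policy_json, build_sa).items()):
        if gained:
            notes.append(f"{member} can submit builds and thereby gains {sorted(gained)}")
    return notes


if __name__ == "__main__":
    for line in findings(SAMPLE_POLICY, SAMPLE_BUILD_SA):
        print(line)
```

Run against a real export, the interesting output is the second kind of line: a developer or group with nothing but cloudbuild.builds.editor that "gains" Editor or Owner through the build account. The fix is on the other side of the relationship: give builds a dedicated, narrowly scoped service account rather than trimming who may submit them.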

Cloud Functions


Same general idea as Cloud Run, but simpler: you supply only the code, no container image, and Google supplies the runtime. The trade-off is a narrower scope: a fixed set of supported language runtimes and one function per deployment, rather than an arbitrary server.

Triggered by HTTP requests or by events (Pub/Sub messages, Cloud Storage object changes, and so on), and meant for short, discrete actions. As with Cloud Run, each function executes under a runtime service account, so the code, or anyone able to redeploy it, acts with that account's permissions; an HTTP function is only as private as the invoker binding on its IAM policy.

Cloud Run


You need an image!

In order for your service or job to be deployable to Cloud Run, you must package it in a container image.

A “compute platform” that runs containers.

The modern successor to the App Engine model: request-driven, autoscaled (down to zero) applications with fairly similar features, except that you control the container image.

Two possible Cloud Run workflows:

  1. Container based
    • Write your source code
    • Build your image
    • Deploy to Cloud Run
  2. Source based
    • Write your source code
    • Deploy to Cloud Run
    • Cloud Run builds it into a container (Google Cloud's buildpacks, run through Cloud Build, so the build service account concerns above apply here too) and deploys it

To react to events from Cloud Pub/Sub, Cloud Storage and other sources, a Cloud Run service is wired up through Eventarc, which delivers each event to the service as an HTTP request. The trigger's service account must hold the invoker role on that service, which is also why an event-driven service should not need to be publicly invokable.
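The exposure check implied by the Cloud Functions and Cloud Run sections above, as an added example that is not part of the original note: given a small inventory built from each service's IAM policy (`gcloud run services get-iam-policy` / `gcloud functions get-iam-policy`) and its runtime service account, it flags invoker bindings granted to allUsers or allAuthenticatedUsers, and workloads that still run as a project default service account. The inventory, project identifiers and field names are this example's own constructed data, not a gcloud output format.

```python
"""Exposure review for Cloud Run services and Cloud Functions.

Added example, not code from the original note or from Google. The inventory shape
(name, kind, service_account, bindings) is this example's own; the bindings list
mirrors what the per-service get-iam-policy commands return. All sample data below
is constructed.
"""

INVOKER_ROLES = {"roles/run.invoker", "roles/cloudfunctions.invoker"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample inventory for project "demo-proj", project number 123456789012.
SAMPLE_PROJECT_ID = "demo-proj"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_INVENTORY = [
    {   # Eventarc/Pub/Sub target: only the trigger's SA may invoke it (as it should be)
        "name": "orders-worker", "kind": "run",
        "service_account": "orders-worker@demo-proj.iam.gserviceaccount.com",
        "bindings": [{"role": "roles/run.invoker",
                      "members": ["serviceAccount:eventarc-trigger@demo-proj.iam.gserviceaccount.com"]}],
    },
    {   # Intended public website, but running as the Compute Engine default SA
        "name": "public-web", "kind": "run",
        "service_account": "123456789012-compute@developer.gserviceaccount.com",
        "bindings": [{"role": "roles/run.invoker", "members": ["allUsers"]}],
    },
    {   # "Internal" API: allAuthenticatedUsers is any Google account on the internet
        "name": "internal-api", "kind": "run",
        "service_account": "internal-api@demo-proj.iam.gserviceaccount.com",
        "bindings": [{"role": "roles/run.invoker", "members": ["allAuthenticatedUsers"]}],
    },
    {   # 1st-gen HTTP function on the App Engine default SA, open to everyone
        "name": "thumbnailer", "kind": "function",
        "service_account": "demo-proj@appspot.gserviceaccount.com",
        "bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}],
    },
]


def public_invokers(bindings):
    """Public principals that hold an invoker role in this service's IAM policy."""
    found = set()
    for binding in bindings:
        if binding["role"] in INVOKER_ROLES:
            found |= set(binding["members"]) & PUBLIC_MEMBERS
    return found


def is_default_service_account(email, project_number, project_id):
    """True for the Compute Engine default SA (default for Cloud Run and 2nd-gen
    functions) or the App Engine default SA (default for 1st-gen functions)."""
    return email in {
        f"{project_number}-compute@developer.gserviceaccount.com",
        f"{project_id}@appspot.gserviceaccount.com",
    }


def review(inventory, project_number, project_id):
    """Return {service_name: [finding, ...]} for every service that needs attention."""
    findings = {}
    for svc in inventory:
        notes = []
        public = public_invokers(svc["bindings"])
        if "allUsers" in public:
            notes.append("invokable by allUsers (unauthenticated)")
        if "allAuthenticatedUsers" in public:
            notes.append("invokable by allAuthenticatedUsers (any Google account, effectively public)")
        if is_default_service_account(svc["service_account"], project_number, project_id):
            notes.append(f"runs as default SA {svc['service_account']}; "
                         "the code acts with whatever roles that SA holds")
        if notes:
            findings[svc["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in review(SAMPLE_INVENTORY, SAMPLE_PROJECT_NUMBER, SAMPLE_PROJECT_ID).items():
        print(name)
        for note in notes:
            print("  -", note)
```

A public website legitimately carries the allUsers binding, so the first finding is a prompt to confirm intent rather than a defect by itself; the default-service-account finding is the one worth fixing unconditionally, because it ties whatever reaches the service (a request smuggled into a function, a compromised dependency, an operator with deploy rights) to the project-wide permissions those accounts tend to carry.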

App Engine


https://cloud.google.com/appengine/docs/standard

https://cloud.google.com/appengine/docs/standard/quotas#Instances

The product that delegates the most to Google. You write code, they handle:

  • Image deployment
  • Clustering
  • Resource allocation (VM types used)

Worth checking which principals can deploy or modify the app (roles such as roles/appengine.deployer and roles/appengine.appAdmin) and who can reach it in a given configuration. If an unintended party can modify the app, they run code under the App Engine default service account (PROJECT_ID@appspot.gserviceaccount.com, historically granted Editor on the project) and compromise whatever that account reaches, with the impact depending on the hosted service. If they can merely reach it and drive traffic, autoscaling can inflate the client's bill until the instance quotas linked above are hit.

Analyzing the content of an App Engine service moves outside the GCP theme proper, into application or code audit territory.