Microservices Security in Action

Microservices Security in Action MEAP V07
Copyright
Welcome
Brief contents
1 Microservices security landscape
1.1 How security works in a monolithic application
1.2 Challenges of securing microservices
1.2.1 The broader the attack surface, the higher the risk of attack
1.2.2 Distributed security screening may result in poor performance
1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare
1.2.4 Requests which span across multiple microservices are harder to trace
1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies
1.2.6 The distributed nature of microservices makes sharing user context harder
1.2.7 Polyglot architecture demands more security expertise on each development
team
1.3 Key security fundamentals
1.3.1 Authentication protects your system against spoofing
1.3.2 Integrity protects your system from data tampering
1.3.3 Nonrepudiation: Do it once, and you own it forever
1.3.4 Confidentiality protects your systems from unintended information disclosure
Data in transit
Data at rest
1.3.5 Availability: Keep the system running, no matter what
1.3.6 Authorization: Nothing more than you’re supposed to do
1.4 Edge security
1.4.1 The role of an API gateway in a microservices deployment
1.4.2 Authentication at the edge
Certificate-based authentication
Oauth 2.0–based access delegation
1.4.3 Authorization at the edge
1.4.4 Passing client/end-user context to upstream microservices
1.5 Securing service-to-service communication
1.5.1 Service-to-service authentication
1.5.2 Service-level authorization
1.5.3 Propagating user context between microservices
1.5.4 Crossing trust boundaries
1.6 Summary
2 First steps in securing
microservices
2.1 Your first microservice
2.1.1 Downloading and installing the required software
Installing the JDK
Installing Apache Maven
Installing cURL
Installing the Git command-line tool
2.1.2 Clone samples repository
2.1.3 Compiling the Order Processing microservice
2.1.4 Accessing the Order Processing microservice
2.1.5 What is inside the source code directory?
2.1.6 Understanding the source code of the microservice
2.2 Setting up an OAuth 2.0 server
2.2.1 The interactions with an authorization server
2.2.2 Running the OAuth 2.0 authorization server
2.2.3 Getting an access token from the OAuth 2.0 authorization server
2.2.4 Understanding the access token response
2.3 Securing a microservice with OAuth2.0
2.3.1 Security based on OAuth2.0
2.3.2 Running the sample
2.4 Invoking a secured microservice from a client application
2.5 Service-level authorization with OAuth 2.0 scopes
2.5.1 Obtaining a scoped access token from the authorization server
2.5.2 Protecting access to a microservice with OAuth 2.0 scopes
2.6 Summary
3 Securing north/south traffic with an
API gateway
3.1 The need for an API gateway in a microservices deployment
3.1.1 Decoupling security from the microservice
Changes in the security protocol requires changes in the microservice
Scaling up the microservice results in more connections to the authorization server
3.1.2 The inherent complexities of microservice deployments make them harder to consume
3.1.3 The rawness of the microservices does not make them ideal for external exposure
3.2 Security at the edge
3.2.1 Understanding the consumer landscape of your microservices
3.2.2 Delegating access
3.2.3 Why not basic authentication to secure APIs?
3.2.4 Why not Mutual TLS to secure APIs?
3.2.5 Why OAuth 2.0?
3.3 Setting up an API gateway with Zuul
3.3.1 Compiling and running the Order Processing microservice
3.3.2 Compiling and running the Zuul proxy
3.3.3 Enabling OAuth 2.0-based security at the Zuul gateway
Enforcing validation of tokens at the Zuul gateway
OAuth2.0 Token Introspection profile
Self-validation of tokens without integrating with an authorization server
Pitfalls of self-validating tokens and how to avoid them
3.4 Securing communication between Zuul and the microservice
3.4.1 Preventing access through the firewall
3.4.2 Securing the communication between the API gateway and microservices by using mutual TLS
3.5 Summary
4 Accessing a secured microservice
via a single-page application
4.1 Running a single-page application with Angular
4.1.1 Building and running an Angular application from the source code
4.1.2 Behind the scenes of a single-page application
4.2 Introducing an API gateway, and setting up cross-origin resource sharing (CORS)
4.2.1 Running the sample
4.2.2 The same-origin policy
4.2.3 Cross-origin resource sharing (CORS)
4.2.4 Inspecting the source that allows cross-origin requests
4.2.5 Proxying the resource server with an API gateway
4.3 Securing an SPA with OpenID Connect
4.3.1 Where does OpenID Connect fit in?
4.4 Federated authentication
4.4.1 Multiple trust domains
4.4.2 Building trust between domains
4.5 Summary
5 Engaging throttling, monitoring,
and access control
5.1 Throttling at the API gateway with Zuul
5.1.1 Quota based throttling for applications
5.1.2 Fair usage policy for users
5.1.3 Running the sample to apply quota based throttling
5.1.4 Maximum handling capacity of a microservice
5.1.5 Operation level throttling
5.1.6 Throttling the OAuth 2.0 token and authorize endpoints
5.1.7 Privilege based throttling
5.2 Monitoring and analytics with Prometheus and Grafana
5.2.1 Monitoring the Order Processing microservice
5.2.2 Behind the scenes of using Prometheus for monitoring
Scraping data from microservices to monitor
what is time series data?
Defining a metric in prometheus
5.3 Enforcing access control policies at the API gateway with Open Policy Agent (OPA)
5.3.1 Running Open Policy Agent (OPA) as a Docker container
5.3.2 Feeding OPA engine with data
5.3.3 Feeding OPA engine with access control policies
5.3.4 Evaluating OPA policies
5.3.5 Next steps in using OPA
5.4 Summary
6 Securing east/west traffic with
certificates
6.1 Why use mTLS?
6.1.1 Building trust between a client and a server with a certificate authority
6.1.2 Mutual TLS helps the client and the server to identify each other
6.1.3 HTTPS is, HTTP over TLS
6.2 Creating certificates to secure access to microservices
6.2.1 Creating a certificate authority (CA)
6.2.2 Generating keys for the Order Processing microservice
6.2.3 Generating keys for the Inventory microservice
6.2.4 A single script to generate all the keys
6.3 Securing microservices with TLS
6.3.1 Running the Order Processing microservice over TLS
6.3.2 Running the Inventory microservice over TLS
6.3.3 Securing communication between two microservices with TLS
6.4 Engaging mTLS
6.5 Challenges in key management
6.5.1 Key provisioning and trust bootstrap
Typical key provisioning process at an enterprise
Key provisioning at Netflix
Generating long-lived credentials
Secure Production Identity Framework For Everyone (SPIFFE)
6.5.2 Certificate revocation
Certificate revocation lists (CRLs)
Online Certificate Status Protocol (OCSP)
Online Certificate Status Protocol (OCSP) stapling
Online Certificate Status Protocol (OCSP) stapling required
Short-lived certificates
Netflix and short-lived certificates
6.6 Key rotation
6.7 Monitoring key usage
6.8 Summary
7 Securing east/west traffic with
JWT
7.1 Use cases for securing microservices with JWT
7.1.1 Sharing user context between microservices with a shared JWT
7.1.2 Sharing user context with a new JWT for each service to service interaction
7.1.3 Sharing user context between microservices in different trust domains
7.1.4 Self-issued JWTs
7.1.5 Nested JWTs
7.2 Setting up an STS to issue a JWT
7.3 Securing microservices with JWT
7.4 Using JWT as a data source to do access control
7.5 Securing service-to-service communication with JWT
7.6 Exchanging a JWT for a new one with a new audience
7.7 Summary
8 Securing east/west traffic over
gRPC
8.1 Service to service communication over gRPC
8.2 Securing gRPC service-to-service communication with mTLS
8.2.1 Running the example with mTLS
8.3 Securing gRPC service-to service communications with JWT
Running the sample
Understanding the code
8.4 Summary
9 Securing reactive microservices
9.1 Why reactive microservices?
9.2 Setting up Kafka as a message broker
9.3 Developing a microservice to push events to a topic in Kafka
9.4 Developing a microservice to read events from a Kafka topic
9.5 Using Transport Layer Security (TLS) to protect data in transit
9.5.1 Creating and signing the TLS keys and certificates for Kafka
9.5.2 Configuring TLS on the Kafka server
9.5.3 Configuring TLS on the microservices
9.6 Using mutual Transport Layer Security (mTLS) for authentication
9.7 Controlling access to Kafka topics with ACLs
9.7.1 Enabling ACLs on Kafka and identifying the clients
9.7.2 Defining ACLs on Kafka
9.8 Summary
10 Conquering container security with
Docker
10.1 Running Security Token Service on Docker
10.2 Managing secrets in a Docker container
10.2.1 Externalizing secrets from Docker images
10.2.2 Passing secrets as environment variables
10.2.3 Managing secrets in a Docker production deployment
10.3 Using Docker Content Trust (DCT) to sign and verify Docker images
10.3.1 The Update Framework (TUF)
10.3.2 Docker Content Trust
10.3.3 Generating keys
10.3.4 Signing with Docker Content Trust
10.3.5 Signature verification with Docker Content Trust
10.3.6 Type of keys used in Docker Content Trust
10.4 Running the Order Processing microservice on Docker
10.5 Running containers with limited privileges
10.5.1 Running a container with a non-root user
10.5.2 Dropping capabilities from the root user
10.6 Running Docker Bench for security
10.7 Securing access to Docker host
10.7.1 Enabling remote access to Docker daemon
10.7.2 Enabling mTLS at the Nginx server to secure access to Docker APIs
Generating keys and certficiates for the Nginx server and the Docker client
Protecting Nginx server with mTLS
Configuring Docker client to talk to the secured Docker daemon
10.8 Security beyond containers
10.9 Summary
11 Securing microservices on Kubernetes
11.1 Running security token services (STSs) on Kubernetes
11.1.1 Defining a Kubernetes deployment for the STS in yaml
11.1.2 Creating the STS deployment in Kubernetes
11.1.3 Troubleshooting the deployment
11.1.4 Exposing the STS outside the Kubernetes cluster
11.2 Managing secrets in a Kubernetes environment
11.2.1 Using ConfigMap to externalize configurations in Kubernetes
11.2.2 Defining a ConfigMap for application.properties
11.2.3 Defining ConfigMaps for keystore.jks and jwt.jks files
11.2.4 Defining a ConfigMap for keystore credentials
11.2.5 Creating ConfigMaps using the kubectl client
11.2.6 Consuming ConfigMaps from a Kubernetes deployment
11.2.7 Loading keystores with an init container
11.3 Kubernetes secrets
11.3.1 The default token secret in every container
11.3.2 Updating the STS to use Secrets
11.3.3 How does Kubernetes store Secrets?
11.4 Running the Order Processing microservice in Kubernetes
11.4.1 Creating ConfigMaps/Secrets for the Order Processing microservice
11.4.2 Creating a deployment for the Order Processing microservice
11.4.3 Creating a service for the Order Processing microservice
11.4.4 Testing the end-to-end flow
11.5 Running the Inventory microservice in Kubernetes
11.6 Using Kubernetes service accounts
11.6.1 Creating a service account and associating it with a pod
11.6.2 Benefits of running a pod under a custom service account
11.7 Role-based access control (RBAC) in Kubernetes
11.7.1 Talking to the Kubernetes API server from the STS
11.7.2 Associating a service account with a ClusterRole
11.8 Summary
12 Securing microservices with Istio
service mesh
12.1 Setting up the Kubernetes deployment
12.1.1 Enabling Istio auto injection
12.1.2 Clean up any previous work
12.1.3 Deploying microservices
12.1.4 Testing end-to-end flow
12.2 Enabling TLS termination at the Istio ingress gateway
12.2.1 Deploying TLS certificates to the Istio ingress gateway
12.2.2 Deploying VirtualServices
12.2.3 Defining a permissive authentication policy
12.2.4 Testing end-to-end flow
12.3 Securing service-to-service communication with mTLS
12.4 Securing service-to-service communication with JWT
12.4.1 Enforcing JWT authentication
12.4.2 How to use JWT in service-to-service communication
12.4.3 A closer look at JSON Web Key (JWK)
12.5 Enforcing authorization
12.5.1 A closer look at the JWT
12.5.2 Enforcing Role-base Access Control
12.6 Managing keys in Istio
12.6.1 Key rotation via volume mounts
12.6.2 Limitations in key rotation via volume mounts
12.6.3 Key provisioning and rotation with SDS
12.7 Summary
13 Secure coding practices and
automation
13.1 OWASP API security top 10
13.1.1 Broken Object Level Authorization
13.1.2 Broken Authentication
13.1.3 Excessive data exposure
13.1.4 Lack of resources and rate-limiting
13.1.5 Broken Function Level Authorization
13.1.6 Mass Assignment
13.1.7 Security misconfigurations
13.1.8 Injection
13.1.9 Improper asset management
13.1.10 Insufficient logging and monitoring
13.2 Running static code analysis
13.3 Integrating security testing with Jenkins
13.3.1 Setting up and running Jenkins with a build pipeline
13.4 Running dynamic analysis with OWASP ZAP
13.4.1 Passive Scanning versus Active Scanning
13.4.2 Performing penetration tests with ZAP
13.5 Summary
A Docker fundamentals
A.1 Docker overview
A.1.1 Containers prior to Docker
A.1.2 Docker adding value to Linux containers (LXC)
A.1.3 Virtual machines vs. containers
A.1.4 Running Docker on non-Linux operating systems
A.2 Installing Docker
A.3 Docker high-level architecture
A.4 Containerizing an application
A.4.1 What is a Docker image?
A.4.2 Building the application
A.4.3 Creating a Dockerfile
A.4.4 Building a Docker image
A.4.5 Running a container from a Docker image
A.5 Container name and container id
A.6 Docker registry
A.6.1 Docker Hub
A.6.2 Harbor
A.6.3 Docker cloud platforms and registries
A.7 Publishing to Docker Hub
A.8 Image name and image id
A.8.1 Docker images with no tags (or the latest tag)
A.8.2 Docker images with a tag
A.8.3 Working with 3rd party Docker registries
A.8.4 Docker Hub official and unofficial images
A.8.5 Image id
A.8.6 Pulling an image with the image id
A.9 Image layers
A.10 Container lifecycle
A.10.1 Create a container from an image
A.10.2 Start a container
A.10.3 Pause a running container
A.10.4 Stop a running container
A.10.5 Kill a container
A.10.6 Destroy a container
A.11 Deleting an image
A.12 Docker volumes
A.13 Docker internal architecture
A.13.1 Containerd
A.13.2 Containerd-Shim
A.13.3 Runc
A.13.4 Linux namespaces
A.13.5 Linux cgroups
A.14 What is happening behind the scenes of docker run?
A.15 Inspecting traffic between Docker client and host
A.16 Docker compose
A.17 Docker Swarm
A.18 Docker networking
A.18.1 Bridge networking
A.18.2 Host networking
A.18.3 No networking
A.18.4 Networking in a Docker production deployment
A.19 Moby project
B Kubernetes fundamentals
B.1 Kubernetes high-level architecture
B.1.1 Master node
B.1.2 Worker node
B.2 Basic constructs
B.2.1 A Pod, the smallest deployment unit in Kubernetes
B.2.2 A Node, a worker machine in Kubernetes
B.2.3 A Service, an abstraction over Kubernetes pods
B.2.4 A Deployment, represents your application in Kubernetes
B.2.5 A namespace, your home within a Kubernetes cluster
B.3 Getting started with Minikube
B.4 Kubernetes as a service
B.5 Getting started with Google Kubernetes Engine (GKE)
B.5.1 Installing gcloud
B.5.2 Installing kubectl
B.5.3 Setting up default setting for gcloud
B.5.4 Creating a Kubernetes cluster
B.5.5 Deleting a Kubernetes cluster
B.6 Creating a Kubernetes deployment
B.7 Behind the scenes of a deployment
B.8 Creating a Kubernetes Service
B.9 Behind the scenes of a Service
B.10 Scaling a Kubernetes deployment
B.11 Creating a Kubernetes namespace
B.12 Switching Kubernetes namespaces
B.13 Kubernetes objects
B.13.1 Managing Kubernetes ob
B.14 Exploring Kubernetes API server
B.15 Kubernetes resources
B.16 Kubernetes controllers
B.17 Ingress
B.18 Kubernetes internal communication
B.18.1 How kubectl run works?
B.18.2 How Kubernetes routes a request from an external client to a pod?
B.19 Managing configurations
B.19.1 Hard-coding configuration data into the Deployment definition
B.19.2 Introducing ConfigMaps
B.19.3 Consuming ConfigMaps from a Kubernetes Deployment and populateenvironment variables
B.19.4 Consuming ConfigMaps from a Kubernetes Deployment with volume mounts
C Service Mesh and Istio
fundamentals
C.1 Why services mesh?
C.2 The natural evolution of microservices deployments
C.2.1 The service mesh architecture
Data plane
Control plane
C.2.2 Service mesh implementations
C.2.3 Service mesh vs. API gateway
C.3 Istio service mesh
C.4 Istio architecture
C.4.1 Istio data plane
Service proxy (Envoy)
Ingress gateway
Egress gateway
C.4.2 Istio control plane
Pilot
Galley
Mixer
Citadel
C.5 Setting up Istio in Google Kubernetes Engine (GKE)
C.6 What Istio brings into a Kubernetes cluster?
C.6.1 Kubernetes custom resource definitions (CRDs)
C.6.2 istio-system namespace
C.6.3 Control plane components
C.6.4 istio-ingressgateway service
C.6.5 istio-ingressgateway pod
C.6.6 Mesh policy
C.7 Setting up the Kubernetes deployment
C.8 Engaging Istio to STS and Order Processing microservice
C.8.1 Sidecar auto injection
C.8.2 Setting up iptables rules
C.8.3 Envoy sidecar proxy
C.9 Running the end-to-end sample
C.10 Updating Order Processing microservice with Istio configuration
C.10.1 Creating a Gateway resource
C.10.2 Creating a VirtualService resource for the Order Processing microservice and STS microservice
C.10.3 Running the end-to-end flow
C.10.4 Debugging Envoy proxy
D OAuth 2.0 and OpenID Connect
D.1 The access delegation problem
D.2 How does OAuth 2.0 fix the access delegation problem?
D.3 Actors of an OAuth 2.0 flow
D.3.1 The role of the resource server
D.3.2 The role of the client application
D.3.3 Who is the resource owner?
D.3.4 The role of the authorization server (AS)
D.4 Grant types
D.4.1 Client credentials grant type
D.4.2 Resource owner password grant type
D.4.3 Refresh token grant type
D.4.4 Authorization code grant type
D.4.5 Implicit grant type
D.5 Scopes bind capabilities to an OAuth 2.0 access token
D.6 Self-contained access tokens
D.7 What is OpenID Connect?
E Single-page application
architecture
E.1 What is single-page application (SPA) architecture?
E.2 Benefits of a SPA over an MPA
E.3 Drawbacks of a SPA compared with an MPA
F Observability in a microservices
deployment
F.1 The need for observability
F.2 The four pillars of observability
F.2.1 The importance of metrics in observability
F.2.2 The importance of tracing in observability
The importance of logging in observability
The importance visualization in observability
G Open Policy Agent
G.1 Key components in an access control system
G.2 What is Open Policy Agent (OPA)?
G.3 Open Policy Agent (OPA) high-level architecture
G.4 Deploying OPA as a Docker container
G.5 Protecting OPA server with Mutual Transport Layer Security (mTLS)
G.6 OPA policies
G.7 External data
G.7.1 Push data
G.7.2 Loading data from the file system
G.7.3 Overload
G.7.4 JSON Web Token (JWT)
G.7.5 Bundle API
G.7.6 Pull Data during Evaluation
G.8 OPA integrations
G.8.1 Istio mixer plugin
G.8.2 Kubernetes admission controller
G.8.3 Apache Kafka
G.9 OPA alternatives
H JSON Web Token (JWT)
H.1 What is a JSON Web Token (JWT)?
H.2 What does a JWT look like?
H.2.1 JWT expiration and issued time
H.2.2 An issuer of a JWT
H.2.3 The audience of a JWT
H.3 JSON Web Signature (JWS)
H.4 JSON Web Encryption (JWE)
I Secure Production Identity
Framework For Everyone
I.1 What is SPIFFE?
I.2 How SPIFFE/SPIRE works?
J gRPC fundamentals
J.1 What is gRPC?
J.2 Understanding Protocol Buffers
J.3 Understanding HTTP/2 and its benefits over HTTP/1.x
J.3.1 Request response multiplexing and its performance benefits
J.3.2 Understanding binary framing and streams in HTTP/2
J.4 The different types of RPC available in gRPC
J.4.1 Understanding channels
J.4.2 Understanding request metadata
J.4.3 What is unary RPC?
J.4.4 What is server streaming RPC?
J.4.5 What is client streaming RPC?
J.4.6 What is bidirectional streaming RPC?
K Creating a certificate authority and
related keys with OpenSSL
K.1 Creating a certificate authority (CA)
K.2 Generating keys for an application