book

Microservices Security in Action

by Prabath Siriwardena, Wajjakkara Kankanamge Anthony Nuwan Dias

August 2020

Intermediate to advanced

616 pages

18h 7m

English

Manning Publications

Read now

Unlock full access

prefaceacknowledgmentsabout this bookWho should read this bookHow this book is organized: A roadmapAbout the codeliveBook discussion forumOther online resourcesabout the authorsabout the cover illustration
1.1 How security works in a monolithic application1.2 Challenges of securing microservices1.2.1 The broader the attack surface, the higher the risk of attack1.2.2 Distributed security screening may result in poor performance1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare1.2.4 Requests spanning multiple microservices are harder to trace1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies1.2.6 The distributed nature of microservices makes sharing user context harder1.2.7 Polyglot architecture demands more security expertise on each development team1.3 Key security fundamentals1.3.1 Authentication protects your system against spoofing1.3.2 Integrity protects your system from data tampering1.3.3 Nonrepudiation: Do it once, and you own it forever1.3.4 Confidentiality protects your systems from unintended information disclosure1.3.5 Availability: Keep the system running, no matter what1.3.6 Authorization: Nothing more than you’re supposed to do1.4 Edge security1.4.1 The role of an API gateway in a microservices deployment1.4.2 Authentication at the edge1.4.3 Authorization at the edge1.4.4 Passing client/end-user context to upstream microservices1.5 Securing service-to-service communication1.5.1 Service-to-service authentication1.5.2 Service-level authorization1.5.3 Propagating user context among microservices1.5.4 Crossing trust boundariesSummary
2.1 Building your first microservice2.1.1 Downloading and installing the required software2.1.2 Clone samples repository2.1.3 Compiling the Order Processing microservice2.1.4 Accessing the Order Processing microservice2.1.5 What is inside the source code directory?2.1.6 Understanding the source code of the microservice2.2 Setting up an OAuth 2.0 server2.2.1 The interactions with an authorization server2.2.2 Running the OAuth 2.0 authorization server2.2.3 Getting an access token from the OAuth 2.0 authorization server2.2.4 Understanding the access token response2.3 Securing a microservice with OAuth 2.02.3.1 Security based on OAuth 2.02.3.2 Running the sample2.4 Invoking a secured microservice from a client application2.5 Performing service-level authorization with OAuth 2.0 scopes2.5.1 Obtaining a scoped access token from the authorization server2.5.2 Protecting access to a microservice with OAuth 2.0 scopesSummary

3.1 The need for an API gateway in a microservices deployment3.1.1 Decoupling security from the microservice3.1.2 The inherent complexities of microservice deployments make them harder to consume3.1.3 The rawness of microservices does not make them ideal for external exposure3.2 Security at the edge3.2.1 Understanding the consumer landscape of your microservices3.2.2 Delegating access3.2.3 Why not basic authentication to secure APIs?3.2.4 Why not mutual TLS to secure APIs?3.2.5 Why OAuth 2.0?3.3 Setting up an API gateway with Zuul3.3.1 Compiling and running the Order Processing microservice3.3.2 Compiling and running the Zuul proxy3.3.3 Enforcing OAuth 2.0-based security at the Zuul gateway3.4 Securing communication between Zuul and the microservice3.4.1 Preventing access through the firewall3.4.2 Securing the communication between the API gateway and microservices by using mutual TLSSummary
4.1 Running a single-page application with Angular4.1.1 Building and running an Angular application from the source code4.1.2 Looking behind the scenes of a single-page application4.2 Setting up cross-origin resource sharing4.2.1 Using the same-origin policy4.2.2 Using cross-origin resource sharing4.2.3 Inspecting the source that allows cross-origin requests4.2.4 Proxying the resource server with an API gateway4.3 Securing a SPA with OpenID Connect4.3.1 Understanding the OpenID Connect login flow4.3.2 Inspecting the code of the applications4.4 Using federated authentication4.4.1 Multiple trust domains4.4.2 Building trust between domainsSummary
5.1 Throttling at the API gateway with Zuul5.1.1 Quota-based throttling for applications5.1.2 Fair usage policy for users5.1.3 Applying quota-based throttling to the Order Processing microservice5.1.4 Maximum handling capacity of a microservice5.1.5 Operation-level throttling5.1.6 Throttling the OAuth 2.0 token and authorize endpoints5.1.7 Privilege-based throttling5.2 Monitoring and analytics with Prometheus and Grafana5.2.1 Monitoring the Order Processing microservice5.2.2 Behind the scenes of using Prometheus for monitoring5.3 Enforcing access-control policies at the API gateway with Open Policy Agent5.3.1 Running OPA as a Docker container5.3.2 Feeding the OPA engine with data5.3.3 Feeding the OPA engine with access-control policies5.3.4 Evaluating OPA policies5.3.5 Next steps in using OPASummary
6.1 Why use mTLS?6.1.1 Building trust between a client and a server with a certificate authority6.1.2 Mutual TLS helps the client and the server to identify each other6.1.3 HTTPS is HTTP over TLS6.2 Creating certificates to secure access to microservices6.2.1 Creating a certificate authority6.2.2 Generating keys for the Order Processing microservice6.2.3 Generating keys for the Inventory microservice6.2.4 Using a single script to generate all the keys6.3 Securing microservices with TLS6.3.1 Running the Order Processing microservice over TLS6.3.2 Running the Inventory microservice over TLS6.3.3 Securing communications between two microservices with TLS6.4 Engaging mTLS6.5 Challenges in key management6.5.1 Key provisioning and bootstrapping trust6.5.2 Certificate revocation6.6 Key rotation6.7 Monitoring key usageSummary
7.1 Use cases for securing microservices with JWT7.1.1 Sharing user context between microservices with a shared JWT7.1.2 Sharing user context with a new JWT for each service-to-service interaction7.1.3 Sharing user context between microservices in different trust domains7.1.4 Self-issued JWTs7.1.5 Nested JWTs7.2 Setting up an STS to issue a JWT7.3 Securing microservices with JWT7.4 Using JWT as a data source for access control7.5 Securing service-to-service communications with JWT7.6 Exchanging a JWT for a new one with a new audienceSummary
8.1 Service-to-service communications over gRPC8.2 Securing gRPC service-to-service communications with mTLS8.3 Securing gRPC service-to-service communications with JWTSummary
9.1 Why reactive microservices?9.2 Setting up Kafka as a message broker9.3 Developing a microservice to push events to a Kafka topic9.4 Developing a microservice to read events from a Kafka topic9.5 Using TLS to protect data in transit9.5.1 Creating and signing the TLS keys and certificates for Kafka9.5.2 Configuring TLS on the Kafka server9.5.3 Configuring TLS on the microservices9.6 Using mTLS for authentication9.7 Controlling access to Kafka topics with ACLs9.7.1 Enabling ACLs on Kafka and identifying the clients9.7.2 Defining ACLs on Kafka9.8 Setting up NATS as a message brokerSummary
10.1 Running the security token service on Docker10.2 Managing secrets in a Docker container10.2.1 Externalizing secrets from Docker images10.2.2 Passing secrets as environment variables10.2.3 Managing secrets in a Docker production deployment10.3 Using Docker Content Trust to sign and verify Docker images10.3.1 The Update Framework10.3.2 Docker Content Trust10.3.3 Generating keys10.3.4 Signing with DCT10.3.5 Signature verification with DCT10.3.6 Types of keys used in DCT10.3.7 How DCT protects the client application from replay attacks10.4 Running the Order Processing microservice on Docker10.5 Running containers with limited privileges10.5.1 Running a container with a nonroot user10.5.2 Dropping capabilities from the root user10.6 Running Docker Bench for security10.7 Securing access to the Docker host10.7.1 Enabling remote access to the Docker daemon10.7.2 Enabling mTLS at the NGINX server to secure access to Docker APIs10.8 Considering security beyond containersSummary
11.1 Running an STS on Kubernetes11.1.1 Defining a Kubernetes Deployment for the STS in YAML11.1.2 Creating the STS Deployment in Kubernetes11.1.3 Troubleshooting the Deployment11.1.4 Exposing the STS outside the Kubernetes cluster11.2 Managing secrets in a Kubernetes environment11.2.1 Using ConfigMap to externalize configurations in Kubernetes11.2.2 Defining a ConfigMap for application.properties file11.2.3 Defining ConfigMaps for keystore.jks and jwt.jks files11.2.4 Defining a ConfigMap for keystore credentials11.2.5 Creating ConfigMaps by using the kubectl client11.2.6 Consuming ConfigMaps from a Kubernetes Deployment11.2.7 Loading keystores with an init container11.3 Using Kubernetes Secrets11.3.1 Exploring the default token secret in every container11.3.2 Updating the STS to use Secrets11.3.3 Understanding how Kubernetes stores Secrets11.4 Running the Order Processing microservice in Kubernetes11.4.1 Creating ConfigMaps/Secrets for the Order Processing microservice11.4.2 Creating a Deployment for the Order Processing microservice11.4.3 Creating a Service for the Order Processing microservice11.4.4 Testing the end-to-end flow11.5 Running the Inventory microservice in Kubernetes11.6 Using Kubernetes service accounts11.6.1 Creating a service account and associating it with a Pod11.6.2 Benefits of running a Pod under a custom service account11.7 Using role-based access control in Kubernetes11.7.1 Talking to the Kubernetes API server from the STS11.7.2 Associating a service account with a ClusterRoleSummary
12.1 Setting up the Kubernetes deployment12.1.1 Enabling Istio autoinjection12.1.2 Clean up any previous work12.1.3 Deploying microservices12.1.4 Redeploying Order Processing and STS as NodePort Services12.1.5 Testing end-to-end flow12.2 Enabling TLS termination at the Istio Ingress gateway12.2.1 Deploying TLS certificates to the Istio Ingress gateway12.2.2 Deploying VirtualServices12.2.3 Defining a permissive authentication policy12.2.4 Testing end-to-end flow12.3 Securing service-to-service communications with mTLS12.4 Securing service-to-service communications with JWT12.4.1 Enforcing JWT authentication12.4.2 Testing end-to-end flow with JWT authentication12.4.3 Peer authentication and request authentication12.4.4 How to use JWT in service-to-service communications12.4.5 A closer look at JSON Web Key12.5 Enforcing authorization12.5.1 A closer look at the JWT12.5.2 Enforcing role-based access control12.5.3 Testing end-to-end flow with RBAC12.5.4 Improvements to role-based access control since Istio 1.4.012.6 Managing keys in Istio12.6.1 Key provisioning and rotation via volume mounts12.6.2 Limitations in key provisioning and rotation via volume mounts12.6.3 Key provisioning and rotation with SDSSummary
13.1 OWASP API security top 1013.1.1 Broken object-level authorization13.1.2 Broken authentication13.1.3 Excessive data exposure13.1.4 Lack of resources and rate limiting13.1.5 Broken function-level authorization13.1.6 Mass assignment13.1.7 Security misconfiguration13.1.8 Injection13.1.9 Improper asset management13.1.10 Insufficient logging and monitoring13.2 Running static code analysis13.3 Integrating security testing with Jenkins13.3.1 Setting up and running Jenkins13.3.2 Setting up a build pipeline with Jenkins13.4 Running dynamic analysis with OWASP ZAP13.4.1 Passive scanning vs. active scanning13.4.2 Performing penetration tests with ZAPSummary
A.1 The access delegation problemA.2 How does OAuth 2.0 fix the access delegation problem?A.3 Actors of an OAuth 2.0 flowA.3.1 The role of the resource serverA.3.2 The role of the client applicationA.3.3 The role of the resource ownerA.3.4 The role of the authorization serverA.4 Grant typesA.4.1 Client credentials grant typeA.4.2 Resource owner password grant typeA.4.3 Refresh token grant typeA.4.4 Authorization code grant typeA.4.5 Implicit grant typeA.5 Scopes bind capabilities to an OAuth 2.0 access tokenA.6 Self-contained access tokensA.7 What is OpenID Connect?A.8 More information about OpenID Connect and OAuth 2.0
B.1 What is a JSON Web Token?B.2 What does a JWT look like?B.2.1 The issuer of a JWTB.2.2 The subject of a JWTB.2.3 The audience of a JWTB.2.4 JWT expiration, not before and issued timeB.2.5 The JWT identifierB.3 JSON Web SignatureB.4 JSON Web Encryption
C.1 What is single-page application architecture?C.2 Benefits of a SPA over an MPAC.3 Drawbacks of a SPA compared with an MPA
D.1 The need for observabilityD.2 The four pillars of observabilityD.2.1 The importance of metrics in observabilityD.2.2 The importance of tracing in observabilityD.2.3 The importance of logging in observabilityD.2.4 The importance of visualization in observability
E.1 Docker overviewE.1.1 Containers prior to DockerE.1.2 Docker adding value to Linux containersE.1.3 Virtual machines vs. containersE.1.4 Running Docker on non-Linux operating systemsE.2 Installing DockerE.3 Docker high-level architectureE.4 Containerizing an applicationE.4.1 What is a Docker image?E.4.2 Building the applicationE.4.3 Creating a DockerfileE.4.4 Building a Docker imageE.4.5 Running a container from a Docker imageE.5 Container name and container IDE.6 Docker registryE.6.1 Docker HubE.6.2 HarborE.6.3 Docker cloud platforms and registriesE.7 Publishing to Docker HubE.8 Image name and image IDE.8.1 Docker images with no tags (or the latest tag)E.8.2 Docker images with a tagE.8.3 Working with third-party Docker registriesE.8.4 Docker Hub official and unofficial imagesE.8.5 Image IDE.8.6 Pulling an image with the image IDE.9 Image layersE.10 Container life cycleE.10.1 Creating a container from an imageE.10.2 Starting a containerE.10.3 Pausing a running containerE.10.4 Stopping a running containerE.10.5 Killing a containerE.10.6 Destroying a containerE.11 Deleting an imageE.12 Persisting runtime data of a containerE.12.1 Using Docker volumes to persist runtime dataE.12.2 Using bind mounts to persist runtime dataE.13 Docker internal architectureE.13.1 ContainerdE.13.2 Containerd-shimE.13.3 RuncE.13.4 Linux namespacesE.13.5 Linux cgroupsE.14 What is happening behind the scenes of docker run?E.15 Inspecting traffic between Docker client and hostE.16 Docker ComposeE.17 Docker SwarmE.18 Docker networkingE.18.1 Bridge networkingE.18.2 Host networkingE.18.3 No networkingE.18.4 Networking in a Docker production deploymentE.19 Moby project
F.1 Key components in an access-control systemF.2 What is an Open Policy Agent?F.3 OPA high-level architectureF.4 Deploying OPA as a Docker containerF.5 Protecting an OPA server with mTLSF.6 OPA policiesF.7 External dataF.7.1 Push dataF.7.2 Loading data from the filesystemF.7.3 OverloadF.7.4 JSON Web TokenF.7.5 Bundle APIF.7.6 Pull data during evaluationF.8 OPA integrationsF.8.1 IstioF.8.2 Kubernetes admission controllerF.8.3 Apache KafkaF.9 OPA alternatives
G.1 Creating a certificate authorityG.2 Generating keys for an application
H.1 What is SPIFFE?H.2 The inspiration behind SPIFFEH.3 SPIFFE IDH.4 How SPIRE worksH.5 SPIFFE Verifiable Identity DocumentH.5.1 X.509-SVIDH.5.2 JWT-SVIDH.6 A trust bundle
I.1 What is gRPC?I.2 Understanding Protocol BuffersI.3 Understanding HTTP/2 and its benefits over HTTP/1.xI.3.1 Request/response multiplexing and its performance benefitsI.3.2 Understanding binary framing and streams in HTTP/2I.4 The different types of RPC available in gRPCI.4.1 Understanding channelsI.4.2 Understanding request metadataI.4.3 What is unary RPC?I.4.4 What is server streaming RPC?I.4.5 What is client streaming RPC?I.4.6 What is bidirectional streaming RPC?
J.1 Kubernetes high-level architectureJ.1.1 Master nodesJ.1.2 Worker nodesJ.2 Basic constructsJ.2.1 A Pod: The smallest deployment unit in KubernetesJ.2.2 A node: A VM or physical machine in a Kubernetes clusterJ.2.3 A Service: an abstraction over Kubernetes PodsJ.2.4 Deployments: Representing your application in KubernetesJ.2.5 A namespace: Your home within a Kubernetes clusterJ.3 Getting started with Minikube and Docker DesktopJ.4 Kubernetes as a serviceJ.5 Getting started with Google Kubernetes EngineJ.5.1 Installing gcloudJ.5.2 Installing kubectlJ.5.3 Setting up the default setting for gcloudJ.5.4 Creating a Kubernetes clusterJ.5.5 Deleting a Kubernetes clusterJ.5.6 Switching between multiple Kubernetes clustersJ.6 Creating a Kubernetes DeploymentJ.7 Behind the scenes of a DeploymentJ.8 Creating a Kubernetes ServiceJ.9 Behind the scenes of a ServiceJ.10 Scaling a Kubernetes DeploymentJ.11 Creating a Kubernetes namespaceJ.12 Switching Kubernetes namespacesJ.13 Using Kubernetes objectsJ.13.1 Managing Kubernetes objectsJ.14 Exploring the Kubernetes API serverJ.15 Kubernetes resourcesJ.16 Kubernetes controllersJ.17 IngressJ.18 Kubernetes internal communicationJ.18.1 How kubectl run worksJ.18.2 How Kubernetes routes a request from an external client to a PodJ.19 Managing configurationsJ.19.1 Hardcoding configuration data in the Deployment definitionJ.19.2 Introducing ConfigMapsJ.19.3 Consuming ConfigMaps from a Kubernetes Deployment and populating environment variablesJ.19.4 Consuming ConfigMaps from a Kubernetes Deployment with volume mounts
K.1 Why a service mesh?K.1 The evolution of microservice deploymentsK.2.1 The Service Mesh architectureK.2.2 Service mesh implementationsK.2.3 Service mesh vs. API gatewayK.3 Istio service meshK.4 Istio architectureK.4.1 Istio data planeK.4.2 Istio control planeK.4.3 Changes introduced to Istio architecture since Istio 1.5.0 releaseK.5 Setting up Istio service mesh on KubernetesK.5.1 Setting up Istio on Docker DesktopK.5.2 Setting up Istio on GKEK.5.3 Limitations of Istio on GKEK.6 What Istio brings to a Kubernetes clusterK.6.1 Kubernetes custom resource definitionsK.6.2 The istio-system namespaceK.6.3 Control plane componentsK.6.4 The istio-ingressgateway ServiceK.6.5 The istio-ingressgateway podK.6.6 Istio’s MeshPolicyK.7 Setting up the Kubernetes deploymentK8 Engaging Istio to STS and the Order Processing microservicesK.8.1 Sidecar auto injectionK.8.2 Setting up iptables rulesK.8.3 Envoy sidecar proxyK.9 Running the end-to-end sampleK.10 Updating the Order Processing microservice with Istio configurationsK.10.1 Redeploying STS and the Order Processing microservicesK.10.2 Creating a Gateway resourceK.10.3 Creating a VirtualService resource for the Order Processing and STS microservicesK.10.4 Running the end-to-end flowK.10.5 Debugging the Envoy proxy

Content preview from Microservices Security in Action

Appendix F. Open Policy Agent

In a typical microservices deployment, we can enforce access-control policies in either of the following two locations or both:

The edge of the deployment--Typically, with an API gateway (which we discuss in chapter 5)
The edge of the service--Typically, with a service mesh or with a set of embedded libraries (which we discuss in chapter 7 and chapter 12)

Authorization at the service level enables each service to enforce access-control policies in the way it wants. Typically, you apply coarse-grained access-control policies at the API gateway (at the edge), and more fine-grained access-control policies at the service level. Also, it’s common to do data-level entitlements at the service level. For example, ...