A
enforcing policies at API gateway with OPA 129-134
evaluating OPA policies 132-133
feeding OPA engine with access-control policies 131-132
feeding OPA engine with data 130-131
running OPA as Docker container 130
improvements to since Istio 1.4.0 331-333
testing end-to-end flow with 328-330
using JWT as data source for 172-173
how OAuth 2.0 fixes problem 368-369
access_token parameter 44, 76, 192, 313, 320, 330, 464
Access-Control-Allow-Credentials 92
Access-Control-Allow-Headers 92
Access-Control-Allow-Methods 92
Access-Control-Allow-Origin 92
Access-Control-Request-Headers 91-92
Access-Control-Request-Method 92
defining ACLs on Kafka 220-222
enabling ACLs on Kafka and identifying clients 219-220
allow.everyone.if.no.acl.found property 219
Alpine package manager (APK) 250
Amazon Elastic Compute Cloud (EC2) 8
building and running applications from source code 84-85
inspecting web application code 101-102
Apache Maven, downloading and installing 34
API contract security auditor 347
edge (entry point) security 64-67
consumer landscape of microservices 64
reasons not to use basic authentication 66
reasosn for using OAuth 2.0 67
enforcing access-control policies with OPA 129-134
feeding engine with access-control policies 131-132
feeding engine with data 130-131
running as Docker container 130
need for in microservices deployment 58-63
changes in security protocol 60-61
decoupling security from microservice 59-61
inherent complexities of deployments 62-63
proxying resource server with 93-95
role of in microservices deployment 19-20
securing communication between Zuul and microservice 79-80
throttling at gateway with 110-122
application_secret 373, 375-376
application.properties file 144, 268-269
applicationid 169, 176, 231, 266, 272, 282, 313, 330, 559, 566
applicationsecret 169, 176, 231, 266, 272, 282, 313, 330, 420, 559, 566
asset management, improper 348
aud attribute 163, 383, 389, 486
edge (entry point) security 20-21
certificate-based authentication 21
OAuth 2.0-based access delegation 21
building trust between domains 106-107
multiple trust domains 105-106
defining permissive authentication policy 310-311
enforcing JWT authentication 317-318
peer authentication and request authentication 321-323
testing end-to-end flow with JWT authentication 318-320
protection against spoofing 12-13
trust-the-network approach 23-24
See also JWT (JSON Web Token)
authentication See also JWT (JSON Web Token)
function-level authorization 346
object-level authorization 342-344
edge (entry point) security 22
authorization code grant type 377-380
authorization server setup 39-44
enforcing security at Zuul gateway 76-77
role of authorization server 371
service-level authorization with scopes 50-54
throttling token and authorize endpoints 121
service-to-service communication security 26-27
authorization code grant type 377-380
Authorization header 49, 66, 75
authorizer.class.name property 219
authserver.introspection.endpoint property 72
dynamic analysis with OWASP ZAP 359-366
passive scanning vs. active scanning 359-360
performing penetration tests with ZAP 360-366
security testing with Jenkins 352-358
setting up and running 353-355
setting up build pipeline 355-358
automountServiceAccountToken element 290
Azure Container Registry (ACR) 422
Azure Container Service (ACS) 422
B
Berkeley Software Distribution (BSD) 410
bidirectional streaming RPCs 498
BSD (Berkeley Software Distribution) 410
BUILD SUCCESS message 35, 42, 68-69, 85, 143, 168, 170, 182, 187, 192, 223, 244, 392, 395, 417
C
Cambridge Analytica/Facebook scandal 21
Cascading Style Sheets (CSS) 362, 398
Center for Internet Security (CIS) 251
certificate authority (CA) 79, 210, 213, 215, 258, 484
certificate revocation lists (CRLs) 154-155
certificate-signing request (CSR) 152, 336, 472
certificate-based authentication 21
creating certificate authority 140
generating keys for Inventory microservice 141
generating keys for Order Processing microservice 141
using single script to generate all keys 141-142
deploying TLS certificates to Istio ingress gateway 303-308
Ingress gateway with no SDS 303-305
Ingress gateway with SDS 306-308
east/west traffic security with 137-160
key management challenges 151-158
TLS, securing microservices with 142-149
generating for NGINX server and Docker client 256-257
certificate revocation lists 154-155
Online Certificate Status Protocol 155-156
Online Certificate Status Protocol stapling 156-157
short-lived certificates 157-158
Citadel component 333-335, 548
client credentials grant type 372-374
client_credentials grant type 44, 46, 72, 76
Cloud Native Computing Foundation (CNCF) 127, 222, 406, 450
ClusterIP type 285, 309, 528, 553, 562
ClusterRbacConfig 327-328, 551
ClusterRoleBinding 290-292, 294, 331
common name (CN) 147, 219, 470, 472
Community Edition (CE) version, of Docker 413-414
Compiled successfully message 85
consuming from deployment and populating environment variables 533-534
consuming from deployment with volume mounts 534
creating for Order Processing microservice 280-281
Container Engine for Kubernetes 509
Container Network Model (CNM) 443
container orchestration framework 230, 499
container runtime interface (CRI) 528
containers 409, 416-417, 427, 442, 499
continuous integration/continuous delivery pipeline (CI/CD) 151, 229, 253, 353, 466
changes to Kubernetes cluster 551-552
CORS (cross-origin resource sharing) 89-95
proxying resource server with API gateways 93-95
cross-site scripting (XSS) 364-365, 400
curl command 36, 143, 145, 148, 168, 171, 174, 217, 236, 246-247, 266, 282, 285, 373-374, 376, 420, 439, 457-458, 460, 515, 522-523, 560
curl, downloading and installing 34
D
data element 268, 275, 277, 280
DCT (Docker Content Trust) 237-244
protecting client applications from replay attacks 243-244
signature verification with 241
default namespace 298, 310, 515, 557
Delivery microservice 166, 547
developing microservices 33-39
distributed denial-of-service (DDoS) 17-18, 112, 121, 345-346
behind scenes of docker run 437-438
Docker cloud platforms and registries 422
high-level architecture 415-416
inspecting traffic between Docker client and host 438-440
networking in Docker production deployment 447
publishing to Docker Hub 422-423
running on non-Linux operating systems 413
adding value to Linux containers 411
considering security beyond 260
container name and container ID 420
containerizing applications 416-420
building Docker images 418-419
running container from Docker images 419-420
containers prior to Docker 410-411
protecting client applications from replay attacks 243-244
signature verification with 241
create container from an image 428-429
pause running container 429-430
externalizing secrets from Docker images 233-235
managing secrets in Docker production deployment 237
passing secrets as environment variables 235-236
persisting runtime data of 431-433
using bind mounts to persist runtime data 433
using Docker volumes to persist runtime data 432-433
running Docker Bench for security 251-253
running with limited privileges 247-251
dropping capabilities from root user 250-251
running container with nonroot user 248-249
securing access to Docker host 253-260
enabling mTLS at NGINX server to secure access to Docker APIs 256-260
enabling remote access to Docker daemon 254-256
virtual machines vs. containers 411-413
externalizing secrets from 233-235
image name and image ID 423-426
Docker Hub official and unofficial images 425
Docker images with no tags (or latest tag) 423-424
pulling an image with image ID 426
working with third-party Docker registries 424
running containers from 419-420
protecting client applications from replay attacks 243-244
signature verification with DCT 241
types of keys used in DCT 241-243
docker pull tomcat command 424
docker run command 142, 211, 232, 235-236, 248, 251, 257, 268, 415, 419-420, 424, 428, 433, 437-438, 446, 471
docker service create command 442
docker trust key generate command 238
Docker Trusted Registry (DTR) 421
DOCKER_CONTENT_TRUST variable 241
docker-for-desktop-binding 292
dynamic analysis, with OWASP ZAP 359-366
E
east/west traffic security over gRPC 179-195
service-to-service communications over gRPC 180-185
east/west traffic security with certificates 137-160
creating certificate authority 140
generating keys for Inventory microservice 141
generating keys for Order Processing microservice 141
using single script to generate all keys 141-142
key management challenges 151-158
certificate revocation 153-158
key provisioning and bootstrapping trust 151-153
TLS, securing microservices with 142-149
running Inventory microservice over TLS 145-146
running Order Processing microservice over TLS 143-145
securing communication between two microservices with TLS 146-149
east/west traffic security with JSON Web Token (JWT) 161-178
exchanging JWT for new one with new audience 175-177
securing microservices with JWT 170-172
securing service-to-service communication with JWT 173-175
sharing user context between microservices in different trust domains 165-166
sharing user context between microservices with shared JWT 162-163
sharing user context with new JWT for each service-to-service interaction 163-165
using JWT as data source for access control 172-173
edge (entry point) security 18-22, 64-67
OAuth 2.0-based access delegation 21
consumer landscape of microservices 64
passing user context to upstream microservices 22
reasons not to use basic authentication 66
role of API gateway in deployment 19-20
Elastic Container Registry (ECR), Amazon 422
Elastic Container Service (ECS), Amazon 422
Elastic Container Service for Kubernetes (EKS) 508
@EnableWebSecurity annotation 47
Enterprise Edition (EE) version, of Docker 413-414
F
Fast Identity Online (FIDO) 13
federated authentication 104-107
building trust between domains 106-107
G
setting up default setting for 510
GET method 37, 52, 63, 98, 133, 301, 347, 352
getSslContextBuilder method 188
GIT command-line tool, downloading and installing 34
GKE (Google Kubernetes Engine) 509-511
setting up default setting for gcloud 510
switching between multiple clusters 511
Google Cloud Platform (GCP) 509
Google Container Registry (GCR) 422
monitoring Order Processing microservice 123-127
scraping data from microservices 127
east/west traffic security over 179-195
binary framing and streams 495-497
request/response multiplexing 492-495
H
head-of-line blocking problem 493
HOSTNAME environment variable 293
HTTP Authorization Bearer header 283, 560
binary framing and streams 495-497
request/response multiplexing 492-495
I
IBM Cloud Container Registry 422
IBM Cloud Kubernetes Service 422, 509
deploying TLS certificates to 303-308
enabling TLS termination at 302-314
defining permissive authentication policy 310-311
deploying certificates 303-308
deploying VirtualServices 308-310
testing end-to-end flow 311-314
INGRESS_HOST variable 312, 318, 565
INGRESS_HTTPS_PORT variable 312, 318, 329, 565
insecure-sts container 248, 250, 267
Install Suggested Plugins option 354
installationName parameter 357
Internet Assigned Numbers Authority (IANA) 389
changes introduced since 1.5.0 release 548-549
changes to Kubernetes cluster 550-555
control plane components 551-552
custom resource definitions 551
istio-ingressgateway Pod 554-555
istio-ingressgateway service 553-554
enabling TLS termination at ingress gateway 302-314
defining permissive authentication policy 310-311
deploying certificates 303-308
deploying VirtualServices 308-310
testing end-to-end flow 311-314
engaging to STS and Order Processing microservices 556-557
sidecar auto injection 557-558
key provisioning and rotation 333-337
role-based access control 324-333
improvements to since Istio 1.4.0 331-333
testing end-to-end flow with 328-330
running end-to-end sample 559-561
securing service-to-service communications with JWT 317-325
enforcing JWT authentication 317-318
peer authentication and request authentication 321-323
testing end-to-end flow with JWT authentication 318-320
using JWT in service-to-service communications 323-324
securing service-to-service communications with mTLS 314-317
setting up Kubernetes deployment 297-302, 555-556
cleaning up any previous work 299
deploying microservices 299-300
enabling Istio autoinjection 298-299
testing end-to-end flow 301-302
setting up on Kubernetes 549-550
limitations of Istio on GKE 550
setting up Istio on Docker Desktop 549
setting up Istio on GKE 549-550
Istio Ingress gateway 546, 561
istio-ingressgateway 318, 552, 554, 563
istio-ingressgateway Pod 554-555
istio-ingressgateway service 553-554
istio-ingressgateway-certs 303-304
J
Java Database Connectivity (JDBC) 140
Java Development Kit (JDK), downloading and installing 34
Java Platform, Enterprise Edition (Java EE) 5
JavaScript Object Notation (JSON) 398
javax.net.ssl.trustStore property 147, 149
JDBC (Java Database Connectivity) 140
setting up and running 353-355
setting up build pipeline 355-358
JSON Object Signing and Encryption (JOSE) 388
JSON Web Encryption (JWE) 393-396
JSON Web Signature (JWS) 77, 383, 388, 390-392, 485
JWT (JSON Web Token) 11, 153, 225, 247, 276, 301, 386-396, 416, 560
east/west traffic security with 161-178
exchanging JWT for new one with new audience 175-177
securing microservices with JWT 170-172
securing service-to-service communications with JWT 173-175
using JWT as data source for access control 172-173
nbf (not before) attribute 390
securing service-to-service communications with 317-324
enforcing JWT authentication 317-318
peer authentication and request authentication 321-323
testing end-to-end flow with JWT authentication 318-320
using JWT in service-to-service communications 323-324
service-to-service communication security 25
JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants 372
K
developing microservice to read events from topic 207-210
setting up as message broker 202-205
kernel-level permission checks 247
certificate revocation 153-158
generating for NGINX server and Docker client 256-257
generating with OpenSSL 472-473
in Docker Content Trust 238-239, 241-243
key provisioning and rotation via volume mounts 333-335
key provisioning and rotation with SDS 335-337
limitations in key provisioning and rotation via volume mounts 335
long-lived credential generation 153
bootstrapping trust and 151-153
using single script to generate all 141-142
kubectl apply command 264, 532
kubectl command 270, 272, 274, 281-282, 287, 502, 516-517, 553, 557
kubectl describe pod command 289
kubectl get deployments command 264
kubectl get events command 264
kubectl get service command 529
kubectl get services command 272
creating ConfigMap objects 270
internal communication 526-528
configuration management 530-534
hardcoding configuration data in deployment definition 531-532
Google Kubernetes Engine 509-511
setting up default setting for gcloud 510
switching between multiple clusters 511
high-level architecture 499-500
internal communication 526-530
routing requests from external clients to Pods 528-530
setting up Kubernetes deployment 555-556
Minikube and Docker Desktop 508
declarative object configurations 521
imperative object configurations 520-521
role-based access control in 290-294
associating service account with ClusterRole 293-294
talking to Kubernetes API server from STS 292-293
running Inventory microservice in 284-286
running Order Processing microservice in 278-283
creating ConfigMaps/Secrets for Order Processing microservice 280-281
creating deployment for Order Processing microservice 281
creating Service for Order Processing microservice 282
testing end-to-end flow 282-283
creating STS deployment 263-264
defining deployment for STS in YAML 263
exposing STS outside Kubernetes cluster 265-267
troubleshooting deployment 264-265
benefits of running Pod under custom service account 289-290
creating service account and associating it with Pod 288-289
setting up deployment for Istio 297-302
cleaning up any previous work 299
deploying microservices 299-300
enabling Istio autoinjection 298-299
redeploying Order Processing and STS as NodePort Services 300
testing end-to-end flow 301-302
Kubernetes LoadBalancer Service 506
consuming from deployment 271-272
creating by using kubectl client 270
defining for application.properties file 268-269
defining for keystore credentials 270
defining for keystore.jks and jwt.jks files 269
using to externalize configurations 268
creating for Order Processing microservice 280-281
exploring default token secret in every container 275-276
loading keystores with init containers 272-274
L
Linux Containers (LXC) 410, 434
LoadBalancer Service 265, 506-507
M
Mixer component 467-468, 544, 546, 548
monolithic application security 5-7
mTLS (mutual Transport Layer Security)
enabling at NGINX server to secure access to Docker APIs 256-260
configuring Docker client to talk to secured Docker daemon 259-260
generating keys and certificates for NGINX server and Docker client 256-257
protecting NGINX server with mTLS 257-259
protecting and deploying OPA servers with 453-455
building trust between client and server 138
mTLS (mutual Transport Layer Security) (continued)
helping client and server identify each other 138-140
reasons not to use for edge (entry point) security 66-67
securing reactive microservices 214-217
service-to-service communication security 24-25, 314-317
between API gateway and microservices 80
multifactor authentication (MFA) 13
N
short-lived certificates and 157-158
Netflix’s Security Monkey 347
Network Information Service (NIS) 436
network-accessible functions 37
NGINX servers, enabling mTLS at 256-260
configuring Docker client to talk to secured Docker daemon 259-260
generating keys and certificates for NGINX server and Docker client 256-257
protecting NGINX server with mTLS 257-259
no credential-sharing model 367-368
north/south traffic security 57-82
edge (entry point) security 64-67
consumer landscape of microservices 64
reasons not to use basic authentication 66
reasosn for using OAuth 2.0 67
need for API gateways in microservices deployment 58-63
decoupling security from microservice 59-61
inherent complexities of microservice deployments 62-63
securing communication between Zuul and microservice 79-80
preventing access through firewall 79-80
securing communication between API gateway and microservices using mutual TLS 80
setting up API gateways with Zuul 68-79
compiling and running Order Processing microservice 68-69
compiling and running Zuul proxy 69-70
O
how OAuth 2.0 fixes problem 368-369
role of authorization server 371
role of client application 371
role of resource owner (or end user) 371
role of resource server 370-371
authorization server setup 39-44
interactions with server 39-41
edge (entry point) security 67
enforcing security at Zuul gateway 71-79
enforcing token validation 74-75
OAuth2.0 token introspection profile 76
pitfalls of self-validating tokens 78-79
self-validation of tokens without integrating with an authorization server 76-77
authorization code grant type 377-380
client credentials grant type 372-374
refresh token grant type 376-377
resource owner password grant type 374-375
invoking secured microservice from client application 48-50
self-contained access tokens 382-383
service-level authorization with scopes 50-54
obtaining scoped access token 50-51
protecting access to microservice 52-54
throttling token and authorize endpoints 121
OAuth 2.0 Security Best Current Practice document 344
OAuth 2.0 Threat Model and Security Considerations document 344
object-level authorization, broken 342-344
observability (monitoring and analytics) 401-408
with Prometheus and Grafana 122-129
defining metric in Prometheus 128-129
monitoring Order Processing microservice 123-127
scraping data from microservices 127
OCSP (Online Certificate Status Protocol)
OPA (Open Policy Agent) 448-469
deploying as Docker container 452
enforcing access-control policies at API gateways with 129-134
feeding engine with access-control policies 131-132
feeding engine with data 130-131
running as Docker container 130
loading data from filesystem 461-462
pull data during evaluation 466
high-level architecture 450-451
Kubernetes admission controller 468-469
key components in access control systems 448-450
protecting and deploying OPA servers with mTLS 453-455
Open Container Initiative (OCI) 435
Open Web Application Security Project (OWASP) 342, 359-360
inspecting Angular web application code 101-102
inspecting authorization server code 103
inspecting resource server code 103
OpenShift Container Platform (OCP) 422, 509
OpenShift Container Registry (OCR) 422
OpenSSL 140, 210-211, 256, 303
creating certificate authority 470-472
generating keys for an application 472-473
operation-level throttling 120
Organization for the Advancement of Structured Information Standards (OASIS) 469
out-of-process service mesh 297, 537
OWASP API Security vulnerabilities 342-349
broken function-level authorization 346
broken object-level authorization 342-344
insufficient logging and monitoring 348-349
OWASP API Security vulnerabilities (continued)
lack of resources and rate limiting 345-346
security misconfigurations 347
P
partitioned process ID (PID) namespace 435
PeerAUthentication CRD 321-322
PKS (Pivotal Container Service) 422, 509
benefits of running under custom service account 289-290
creating service accounts and associating them with 288-289
routing requests from external clients to 528-530
policy administration point (PAP) 26, 448, 540
policy decision point (PDP) 26, 449, 548
policy enforcement point (PEP) 448, 539
policy information point (PIP) 449
POST method 38, 63, 151, 286, 301, 347, 352
PreparedStatement construct 348
privilege-based throttling 121-122
process_start_time_seconds 124
Products microservice 403, 405
monitoring Order Processing microservice 123-127
scraping data from microservices 127
Protobuf (Protocol Buffers) 490-492, 543
R
RBAC (role-based access control)
improvements to since Istio 1.4.0 331-333
associating service account with ClusterRole 293-294
talking to Kubernetes API server from STS 292-293
testing end-to-end flow with 328-330
reactive microservices 196-225
Kafka as message broker 202-205
developing microservice to read events from topic 207-210
mTLS for authentication 214-217
NATS as message broker 222-225
TLS to protect data in transit 210-214
configuring TLS on Kafka server 212
configuring TLS on microservices 212-214
Red Hat OpenShift Service Mesh 541
redirect_uri parameter 378, 380-381
refresh token grant type 376-377
replay attacks, protecting client applications from 243-244
Report URI Decode PEM Data tool 334
RequestAuthentication CRD 322-323
--resolve parameter 259, 313, 319, 330, 566-567
resource owner password grant type 374-375
resource server 84, 95, 105, 368
ResourceServerTokenServices 47
response_type parameter 98, 378, 381
RPCs (remote procedure calls) 497-498
bidirectional streaming RPCs 498
See also gRPC
S
same-origin policy vs. CORS 89-91
SAML Profile for OAuth 2.0 Client Authentication and Authorization Grants 372
SAN (Subject Alternate Name) 483
binding capabilities to OAuth 2.0 access tokens 382
obtaining scoped access token 50-51
protecting access to microservice 52-54
SDS (Secret Discovery Service)
deploying TLS certificates to Istio Ingress gateway
key provisioning and rotation with 335-337
broader attack surface and higher risk of attack 7-8
deployment complexities and bootstrapping trust 8-9
distributed nature and sharing user context 11
distributed security screening and poor performance 8
immutability of containers and maintainance of service credentials and access-control policies 10-11
polyglot architecture and development team expertise 11
requests spanning multiple microservices and tracing difficulty 9-10
developing microservices 33-39
edge (entry point) security 18-22
passing user context to upstream microservices 22
role of API gateway in deployment 19-20
securing microservices (continued)
north/south traffic security with API gateways 57-82
authentication server setup 39-44
invoking secured microservice from client application 48-50
service-level authorization with scopes 50-54
reactive microservices 196-225
Kafka as message broker 202-210
mTLS for authentication 214-217
NATS as message broker 222-225
TLS to protect data in transit 210-214
service-to-service communication security 22-31
crossing trust boundaries 28-31
propagating user context between microservices 27-28
single-page applications for invoking secured microservices 83-108
securing microservices on Kubernetes 262-295
exploring default token secret in every container 275-276
how Kubernetes stores Secrets 278
managing secrets in Kubernetes environment 267-274
consuming ConfigMaps from deployment 271-272
creating ConfigMaps by using kubectl client 270
defining ConfigMap for application.properties file 268-269
defining ConfigMap for keystore credentials 270
defining ConfigMaps for keystore.jks and jwt.jks files 269
loading keystores with init containers 272-274
using ConfigMap to externalize configurations in Kubernetes 268
role-based access control 290-294
associating service account with ClusterRole 293-294
talking to Kubernetes API server from STS 292-293
running Inventory microservice 284-286
running Order Processing microservice 278-283
creating ConfigMaps/Secrets 280-281
testing end-to-end flow 282-283
running STS on Kubernetes 263-267
creating STS deployment in Kubernetes 263-264
defining deployment for STS in YAML 263
exposing STS outside Kubernetes cluster 265-267
troubleshooting deployment 264-265
benefits of running Pod under custom service account 289-290
creating and associating with Pod 288-289
securing microservices with Istio 296-338
enabling TLS termination at Istio Ingress gateway 302-314
defining permissive authentication policy 310-311
deploying certificates 303-308
deploying VirtualServices 308-310
testing end-to-end flow 311-314
key provisioning and rotation via volume mounts 333-335
key provisioning and rotation with SDS 335-337
role-based access control 324-333
improvements to since Istio 1.4.0 331-333
testing end-to-end flow with 328-330
securing service-to-service communications with JWT 317-325
enforcing JWT authentication 317-318
peer authentication and request authentication 321-323
testing end-to-end flow with JWT authentication 318-320
using JWT in service-to-service communications 323-324
securing service-to-service communications with mTLS 314-317
setting up Kubernetes deployment 297-302
cleaning up any previous work 299
deploying microservices 299-300
enabling Istio autoinjection 298-299
redeploying Order Processing and STS as NodePort Services 300
testing end-to-end flow 301-302
server-start-successful message 69
server.port property 36, 43, 144-145
server.ssl.key-store property 213
server.ssl.key-store-password property 213
Service 265, 442, 503-505, 530
See also Istio
Service Mesh pattern 58, 80, 230
service-to-service communication security 22-31
trust-the-network approach 23-24
crossing trust boundaries 28-31
propagating user context between microservices 27-28
enforcing authentication 317-318
peer authentication and request authentication 321-323
testing end-to-end flow 318-320
using in service-to-service communications 323-324
serviceAccountName element 289
ServiceRoleBinding 326, 328, 331, 551
setCheckTokenEndpointUrl method 48
setEnvironment method 147, 149-150
short-lived certificates 157-158
Simple Mail Transfer Protocol (SMTP) 140
single responsibility principle (SRP) 59, 536
Software Guard Extensions (SGX) 157
software-defined networking (SDN) 260
SonarQube 349-351, 354, 357-358
SPAs (single-page applications) 84-108, 397
cross-origin resource sharing 89-95
proxying resource server with API gateways 93-95
federated authentication 104-107
building trust between domains 106-107
multiple trust domains 105-106
securing with OpenID Connect 95-103
inspecting Angular web application code 101-102
inspecting authorization server code 103
inspecting resource server code 103
SPIFFE (Secure Production Identity Framework for Everyone) 153, 474-487
SPIFFE Runtime Environment 478-483
SPIFFE Verifiable Identity Document 483-486
SPIRE (SPIFFE Runtime Environment) 153, 475, 478-483
SPRING_CONFIG_LOCATION variable 234, 267
@SpringBootApplication annotation 39
SQL (Structured Query Language) 347, 360
SRP (single responsibility principle) 59, 536
ssl_client_certificate parameter 258
ssl.endpoint.identification.algorithm property 213
ssl.principal.mapping.rules property 219-220
ssl.truststore.location property 216
Structured Query Language (SQL) 347, 360
STSs (security token services)
sidecar auto injection 557-558
redeploying as NodePort Services 300
creating STS deployment 263-264
defining deployment for STS in YAML 263
exposing STS outside Kubernetes cluster 265-267
talking to Kubernetes API server from STS 292-293
troubleshooting deployment 264-265
updating microservice with Istio configurations
creating VirtualService resource 564
updating to use Kubernetes Secrets 276-278
Subject Alternate Name (SAN) 483
Subject Alternative Names attribute 334-335, 337
subject_token_type argument 177
T
telemetry subcomponent, Mixer 548
The Update Framework (TUF) 237
throttling, at API gateway with Zuul 110-122
maximum handling capacity 118-119
operation-level throttling 120
privilege-based throttling 121-122
throttling OAuth 2.0 token and authorize endpoints 121
TLS (Transport Layer Security) 142-149
enabling termination at Ingress gateway 302-314
defining permissive authentication policy 310-311
deploying certificates 303-308
deploying VirtualServices 308-310
testing end-to-end flow 311-314
reactive microservices 210-214
configuring TLS on Kafka server 212
configuring TLS on microservices 212-214
securing communication between two micro- services with TLS 146-149
OAuth2.0 token introspection profile 76
without integrating with authorization server 76-77
TOKEN variable 171, 174, 177, 283, 293, 313, 320, 330, 567
token-based authentication 455
crossing trust boundaries in service-to-service communication security 28-31
building trust between domains 106-107
multiple trust domains 105-106
sharing user context between microservices in different trust domains 165-166
trust-the-network approach 23-24
trustCertCollectionFilePath 190
U
universally unique identifier (UUID) 420
UNIX sockets 254, 256, 336, 415
UNIX Time Sharing (UTS) namespace 436
UpdateInventory method 181-185
passing to upstream microservices 22
propagating among microservices 27-28
sharing among microservices in different trust domains 165-166
sharing among microservices with shared JWT 162-163
sharing with new JWT for each service-to-service interaction 163-165
V
VMs (virtual machines) vs. containers 411-413
consuming ConfigMap objects from deployment with 534
key provisioning and rotation via 333-335
W
WAF (web application firewall) 121
WebAssembly (WASM) filters 548
Z
securing communication between microservice and 79-80
preventing access through firewall 79-80
securing communication between API gateway and microservices by using mutual TLS 80
compiling and running Order Processing microservice 68-69
compiling and running Zuul proxy 69-70
enforcing OAuth 2.0-based security at Zuul gateway 71-79
throttling at API gateways with 110-122
maximum handling capacity 118-119
operation-level throttling 120
privilege-based throttling 121-122