Part 1. Overview
1 Microservices security landscape
How security works in a monolithic application
Challenges of securing microservices
The broader the attack surface, the higher the risk of attack
Distributed security screening may result in poor performance
Deployment complexities make bootstrapping trust among microservices a nightmare
Requests spanning multiple microservices are harder to trace
The distributed nature of microservices makes sharing user context harder
Polyglot architecture demands more security expertise on each development team
Authentication protects your system against spoofing
Integrity protects your system from data tampering
Nonrepudiation: Do it once, and you own it forever
Confidentiality protects your systems from unintended information disclosure
Availability: Keep the system running, no matter what
Authorization: Nothing more than you’re supposed to do
The role of an API gateway in a microservices deployment
Passing client/end-user context to upstream microservices
Securing service-to-service communication
Service-to-service authentication
Propagating user context among microservices
2 First steps in securing microservices
Building your first microservice
Downloading and installing the required software
Compiling the Order Processing microservice
Accessing the Order Processing microservice
What is inside the source code directory?
Understanding the source code of the microservice
Setting up an OAuth 2.0 server
The interactions with an authorization server
Running the OAuth 2.0 authorization server
Getting an access token from the OAuth 2.0 authorization server
Understanding the access token response
Securing a microservice with OAuth 2.0
Invoking a secured microservice from a client application
Performing service-level authorization with OAuth 2.0 scopes
Obtaining a scoped access token from the authorization server
Protecting access to a microservice with OAuth 2.0 scopes
Part 2. Edge security
3 Securing north/south traffic with an API gateway
The need for an API gateway in a microservices deployment
Decoupling security from the microservice
The inherent complexities of microservice deployments make them harder to consume
The rawness of microservices does not make them ideal for external exposure
Understanding the consumer landscape of your microservices
Why not basic authentication to secure APIs?
Why not mutual TLS to secure APIs?
Setting up an API gateway with Zuul
Compiling and running the Order Processing microservice
Compiling and running the Zuul proxy
Enforcing OAuth 2.0-based security at the Zuul gateway
Securing communication between Zuul and the microservice
Preventing access through the firewall
Securing the communication between the API gateway and microservices by using mutual TLS
4 Accessing a secured microservice via a single-page application
Running a single-page application with Angular
Building and running an Angular application from the source code
Looking behind the scenes of a single-page application
Setting up cross-origin resource sharing
Using cross-origin resource sharing
Inspecting the source that allows cross-origin requests
Proxying the resource server with an API gateway
Securing a SPA with OpenID Connect
Understanding the OpenID Connect login flow
Inspecting the code of the applications
Using federated authentication
Building trust between domains
5 Engaging throttling, monitoring, and access control
Throttling at the API gateway with Zuul
Quota-based throttling for applications
Applying quota-based throttling to the Order Processing microservice
Maximum handling capacity of a microservice
Throttling the OAuth 2.0 token and authorize endpoints
Monitoring and analytics with Prometheus and Grafana
Monitoring the Order Processing microservice
Behind the scenes of using Prometheus for monitoring
Enforcing access-control policies at the API gateway with Open Policy Agent
Running OPA as a Docker container
Feeding the OPA engine with data
Feeding the OPA engine with access-control policies
Evaluating OPA policies 132Next steps in using OPA
Part 3. Service-to-service communications
6 Securing east/west traffic with certificates
Building trust between a client and a server with a certificate authority
Mutual TLS helps the client and the server to identify each other
Creating certificates to secure access to microservices
Creating a certificate authority
Generating keys for the Order Processing microservice
Generating keys for the Inventory microservice
Using a single script to generate all the keys
Securing microservices with TLS
Running the Order Processing microservice over TLS
Running the Inventory microservice over TLS
Securing communications between two microservices with TLS
Key provisioning and bootstrapping trust
7 Securing east/west traffic with JWT
Use cases for securing microservices with JWT
Sharing user context between microservices with a shared JWT
Sharing user context with a new JWT for each service-to-service interaction
Sharing user context between microservices in different trust domains
Setting up an STS to issue a JWT
Securing microservices with JWT
Using JWT as a data source for access control
Securing service-to-service communications with JWT
Exchanging a JWT for a new one with a new audience
8 Securing east/west traffic over gRPC
Service-to-service communications over gRPC
Securing gRPC service-to-service communications with mTLS
Securing gRPC service-to-service communications with JWT
9 Securing reactive microservices
Setting up Kafka as a message broker
Developing a microservice to push events to a Kafka topic
Developing a microservice to read events from a Kafka topic
Using TLS to protect data in transit
Creating and signing the TLS keys and certificates for Kafka
Configuring TLS on the Kafka server
Configuring TLS on the microservices
Controlling access to Kafka topics with ACLs
Enabling ACLs on Kafka and identifying the clients
Setting up NATS as a message broker
Part 4. Secure deployment
10 Conquering container security with Docker
Running the security token service on Docker
Managing secrets in a Docker container
Externalizing secrets from Docker images
Passing secrets as environment variables
Managing secrets in a Docker production deployment
Using Docker Content Trust to sign and verify Docker images
Signature verification with DCT
How DCT protects the client application from replay attacks
Running the Order Processing microservice on Docker
Running containers with limited privileges
Running a container with a nonroot user
Dropping capabilities from the root user
Running Docker Bench for security
Securing access to the Docker host
Enabling remote access to the Docker daemon
Enabling mTLS at the NGINX server to secure access to Docker APIs
Considering security beyond containers
11 Securing microservices on Kubernetes
Defining a Kubernetes Deployment for the STS in YAML
Creating the STS Deployment in Kubernetes
Troubleshooting the Deployment
Exposing the STS outside the Kubernetes cluster
Managing secrets in a Kubernetes environment
Using ConfigMap to externalize configurations in Kubernetes
Defining a ConfigMap for application.properties file
Defining ConfigMaps for keystore.jks and jwt.jks files
Defining a ConfigMap for keystore credentials
Creating ConfigMaps by using the kubectl client
Consuming ConfigMaps from a Kubernetes Deployment
Loading keystores with an init container
Exploring the default token secret in every container
Updating the STS to use Secrets
Understanding how Kubernetes stores Secrets
Running the Order Processing microservice in Kubernetes
Creating ConfigMaps/Secrets for the Order Processing microservice
Creating a Deployment for the Order Processing microservice
Creating a Service for the Order Processing microservice
Running the Inventory microservice in Kubernetes
Using Kubernetes service accounts
Creating a service account and associating it with a Pod
Benefits of running a Pod under a custom service account
Using role-based access control in Kubernetes
Talking to the Kubernetes API server from the STS
Associating a service account with a ClusterRole
12 Securing microservices with Istio service mesh
Setting up the Kubernetes deployment
Redeploying Order Processing and STS as NodePort Services
Enabling TLS termination at the Istio Ingress gateway
Deploying TLS certificates to the Istio Ingress gateway
Defining a permissive authentication policy
Securing service-to-service communications with mTLS
Securing service-to-service communications with JWT
Testing end-to-end flow with JWT authentication
Peer authentication and request authentication
How to use JWT in service-to-service communications
Enforcing role-based access control
Testing end-to-end flow with RBAC
Improvements to role-based access control since Istio 1.4.0
Key provisioning and rotation via volume mounts
Limitations in key provisioning and rotation via volume mounts
Key provisioning and rotation with SDS
Part 5. Secure development
13 Secure coding practices and automation
Broken object-level authorization
Lack of resources and rate limiting
Broken function-level authorization
Insufficient logging and monitoring
Integrating security testing with Jenkins
Setting up and running Jenkins
Setting up a build pipeline with Jenkins
Running dynamic analysis with OWASP ZAP
Passive scanning vs. active scanning
Performing penetration tests with ZAP
Appendixes
Appendix A. OAuth 2.0 and OpenID Connect
Appendix B. JSON Web Token
Appendix C. Single-page application architecture
Appendix D. Observability in a microservices deployment
Appendix E. Docker fundamentals
Appendix F. Open Policy Agent
Appendix G. Creating a certificate authority and related keys with OpenSSL
Appendix H. Secure Production Identity Framework for Everyone
Appendix I. gRPC fundamentals
Appendix J. Kubernetes fundamentals
Appendix K. Service mesh and Istio fundamentals