Microservices Security in Action

Book description

Unlike traditional enterprise applications, Microservices applications are collections of independent components that function as a system. Securing the messages, queues, and API endpoints requires new approaches to security both in the infrastructure and the code. Microservices Security in Action teaches you how to address microservices-specific security challenges throughout the system. This practical guide includes plentiful hands-on exercises using industry-leading open-source tools and examples using Java and Spring Boot.

About the Technology
Integrating independent services into a single system presents special security challenges in a microservices deployment. With proper planning, however, you can build in security from the start. Learn to create secure services and protect application data throughout development and deployment. As microservices continue to change enterprise application systems, developers and architects must learn to integrate security into their design and implementation. Because microservices are created as a system of independent components, each a possible point of failure, they can multiply the security risk. With proper planning, design, and implementation, you can reap the benefits of microservices while keeping your application data—and your company's reputation—safe!

About the Book
Microservices Security in Action is filled with solutions, teaching best practices for throttling and monitoring, access control, and microservice-to-microservice communications. Detailed code samples, exercises, and real-world use cases help you put what you've learned into production. Along the way, authors and software security experts Prabath Siriwardena and Nuwan Dias shine a light on important concepts like throttling, analytics gathering, access control at the API gateway, and microservice-to-microservice communication. You'll also discover how to securely deploy microservices using state-of-the-art technologies including Kubernetes, Docker, and the Istio service mesh. Lots of hands-on exercises secure your learning as you go, and this straightforward guide wraps up with a security process review and best practices. When you're finished reading, you'll be planning, designing, and implementing microservices applications with the priceless confidence that comes with knowing they're secure!

What's Inside
  • Microservice security concepts
  • Edge services with an API gateway
  • Deployments with Docker, Kubernetes, and Istio
  • Security testing at the code level
  • Communications with HTTP, gRPC, and Kafka


About the Reader
For experienced microservices developers with intermediate Java skills.

About the Authors
Prabath Siriwardena is the vice president of security architecture at WSO2. Nuwan Dias is the director of API architecture at WSO2. They have designed secure systems for many Fortune 500 companies.

Quotes
A complete guide to the challenges and solutions in securing microservices architectures.
- Massimo Siani, FinDynamic

An indispensable roadmap... Touches on all the right topics in an order that makes sense.
- Andrew Bovill, Next Century

Full of code examples and detailed explanations regarding security that can help anyone secure services connected to the internet.
- Gustavo Gomes, Brightcove

A book that should adorn the desk of every developer and architect developing software using the microservices architectural pattern.
- Srihari Sridharan, athenahealth

Table of contents

  1. Microservices Security in Action
  2. Copyright
  3. dedication
  4. brief contents
  5. contents
  6. front matter
    1. preface
    2. acknowledgments
    3. about this book
      1. Who should read this book
      2. How this book is organized: A roadmap
      3. About the code
      4. liveBook discussion forum
      5. Other online resources
    4. about the authors
    5. about the cover illustration
  7. Part 1. Overview
  8. 1 Microservices security landscape
    1. 1.1 How security works in a monolithic application
    2. 1.2 Challenges of securing microservices
      1. 1.2.1 The broader the attack surface, the higher the risk of attack
      2. 1.2.2 Distributed security screening may result in poor performance
      3. 1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare
      4. 1.2.4 Requests spanning multiple microservices are harder to trace
      5. 1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies
      6. 1.2.6 The distributed nature of microservices makes sharing user context harder
      7. 1.2.7 Polyglot architecture demands more security expertise on each development team
    3. 1.3 Key security fundamentals
      1. 1.3.1 Authentication protects your system against spoofing
      2. 1.3.2 Integrity protects your system from data tampering
      3. 1.3.3 Nonrepudiation: Do it once, and you own it forever
      4. 1.3.4 Confidentiality protects your systems from unintended information disclosure
      5. 1.3.5 Availability: Keep the system running, no matter what
      6. 1.3.6 Authorization: Nothing more than you’re supposed to do
    4. 1.4 Edge security
      1. 1.4.1 The role of an API gateway in a microservices deployment
      2. 1.4.2 Authentication at the edge
      3. 1.4.3 Authorization at the edge
      4. 1.4.4 Passing client/end-user context to upstream microservices
    5. 1.5 Securing service-to-service communication
      1. 1.5.1 Service-to-service authentication
      2. 1.5.2 Service-level authorization
      3. 1.5.3 Propagating user context among microservices
      4. 1.5.4 Crossing trust boundaries
    6. Summary
  9. 2 First steps in securing microservices
    1. 2.1 Building your first microservice
      1. 2.1.1 Downloading and installing the required software
      2. 2.1.2 Clone samples repository
      3. 2.1.3 Compiling the Order Processing microservice
      4. 2.1.4 Accessing the Order Processing microservice
      5. 2.1.5 What is inside the source code directory?
      6. 2.1.6 Understanding the source code of the microservice
    2. 2.2 Setting up an OAuth 2.0 server
      1. 2.2.1 The interactions with an authorization server
      2. 2.2.2 Running the OAuth 2.0 authorization server
      3. 2.2.3 Getting an access token from the OAuth 2.0 authorization server
      4. 2.2.4 Understanding the access token response
    3. 2.3 Securing a microservice with OAuth 2.0
      1. 2.3.1 Security based on OAuth 2.0
      2. 2.3.2 Running the sample
    4. 2.4 Invoking a secured microservice from a client application
    5. 2.5 Performing service-level authorization with OAuth 2.0 scopes
      1. 2.5.1 Obtaining a scoped access token from the authorization server
      2. 2.5.2 Protecting access to a microservice with OAuth 2.0 scopes
    6. Summary
  10. Part 2. Edge security
  11. 3 Securing north/south traffic with an API gateway
    1. 3.1 The need for an API gateway in a microservices deployment
      1. 3.1.1 Decoupling security from the microservice
      2. 3.1.2 The inherent complexities of microservice deployments make them harder to consume
      3. 3.1.3 The rawness of microservices does not make them ideal for external exposure
    2. 3.2 Security at the edge
      1. 3.2.1 Understanding the consumer landscape of your microservices
      2. 3.2.2 Delegating access
      3. 3.2.3 Why not basic authentication to secure APIs?
      4. 3.2.4 Why not mutual TLS to secure APIs?
      5. 3.2.5 Why OAuth 2.0?
    3. 3.3 Setting up an API gateway with Zuul
      1. 3.3.1 Compiling and running the Order Processing microservice
      2. 3.3.2 Compiling and running the Zuul proxy
      3. 3.3.3 Enforcing OAuth 2.0-based security at the Zuul gateway
    4. 3.4 Securing communication between Zuul and the microservice
      1. 3.4.1 Preventing access through the firewall
      2. 3.4.2 Securing the communication between the API gateway and microservices by using mutual TLS
    5. Summary
  12. 4 Accessing a secured microservice via a single-page application
    1. 4.1 Running a single-page application with Angular
      1. 4.1.1 Building and running an Angular application from the source code
      2. 4.1.2 Looking behind the scenes of a single-page application
    2. 4.2 Setting up cross-origin resource sharing
      1. 4.2.1 Using the same-origin policy
      2. 4.2.2 Using cross-origin resource sharing
      3. 4.2.3 Inspecting the source that allows cross-origin requests
      4. 4.2.4 Proxying the resource server with an API gateway
    3. 4.3 Securing a SPA with OpenID Connect
      1. 4.3.1 Understanding the OpenID Connect login flow
      2. 4.3.2 Inspecting the code of the applications
    4. 4.4 Using federated authentication
      1. 4.4.1 Multiple trust domains
      2. 4.4.2 Building trust between domains
    5. Summary
  13. 5 Engaging throttling, monitoring, and access control
    1. 5.1 Throttling at the API gateway with Zuul
      1. 5.1.1 Quota-based throttling for applications
      2. 5.1.2 Fair usage policy for users
      3. 5.1.3 Applying quota-based throttling to the Order Processing microservice
      4. 5.1.4 Maximum handling capacity of a microservice
      5. 5.1.5 Operation-level throttling
      6. 5.1.6 Throttling the OAuth 2.0 token and authorize endpoints
      7. 5.1.7 Privilege-based throttling
    2. 5.2 Monitoring and analytics with Prometheus and Grafana
      1. 5.2.1 Monitoring the Order Processing microservice
      2. 5.2.2 Behind the scenes of using Prometheus for monitoring
    3. 5.3 Enforcing access-control policies at the API gateway with Open Policy Agent
      1. 5.3.1 Running OPA as a Docker container
      2. 5.3.2 Feeding the OPA engine with data
      3. 5.3.3 Feeding the OPA engine with access-control policies
      4. 5.3.4 Evaluating OPA policies
      5. 5.3.5 Next steps in using OPA
    4. Summary
  14. Part 3. Service-to-service communications
  15. 6 Securing east/west traffic with certificates
    1. 6.1 Why use mTLS?
      1. 6.1.1 Building trust between a client and a server with a certificate authority
      2. 6.1.2 Mutual TLS helps the client and the server to identify each other
      3. 6.1.3 HTTPS is HTTP over TLS
    2. 6.2 Creating certificates to secure access to microservices
      1. 6.2.1 Creating a certificate authority
      2. 6.2.2 Generating keys for the Order Processing microservice
      3. 6.2.3 Generating keys for the Inventory microservice
      4. 6.2.4 Using a single script to generate all the keys
    3. 6.3 Securing microservices with TLS
      1. 6.3.1 Running the Order Processing microservice over TLS
      2. 6.3.2 Running the Inventory microservice over TLS
      3. 6.3.3 Securing communications between two microservices with TLS
    4. 6.4 Engaging mTLS
    5. 6.5 Challenges in key management
      1. 6.5.1 Key provisioning and bootstrapping trust
      2. 6.5.2 Certificate revocation
    6. 6.6 Key rotation
    7. 6.7 Monitoring key usage
    8. Summary
  16. 7 Securing east/west traffic with JWT
    1. 7.1 Use cases for securing microservices with JWT
      1. 7.1.1 Sharing user context between microservices with a shared JWT
      2. 7.1.2 Sharing user context with a new JWT for each service-to-service interaction
      3. 7.1.3 Sharing user context between microservices in different trust domains
      4. 7.1.4 Self-issued JWTs
      5. 7.1.5 Nested JWTs
    2. 7.2 Setting up an STS to issue a JWT
    3. 7.3 Securing microservices with JWT
    4. 7.4 Using JWT as a data source for access control
    5. 7.5 Securing service-to-service communications with JWT
    6. 7.6 Exchanging a JWT for a new one with a new audience
    7. Summary
  17. 8 Securing east/west traffic over gRPC
    1. 8.1 Service-to-service communications over gRPC
    2. 8.2 Securing gRPC service-to-service communications with mTLS
    3. 8.3 Securing gRPC service-to-service communications with JWT
    4. Summary
  18. 9 Securing reactive microservices
    1. 9.1 Why reactive microservices?
    2. 9.2 Setting up Kafka as a message broker
    3. 9.3 Developing a microservice to push events to a Kafka topic
    4. 9.4 Developing a microservice to read events from a Kafka topic
    5. 9.5 Using TLS to protect data in transit
      1. 9.5.1 Creating and signing the TLS keys and certificates for Kafka
      2. 9.5.2 Configuring TLS on the Kafka server
      3. 9.5.3 Configuring TLS on the microservices
    6. 9.6 Using mTLS for authentication
    7. 9.7 Controlling access to Kafka topics with ACLs
      1. 9.7.1 Enabling ACLs on Kafka and identifying the clients
      2. 9.7.2 Defining ACLs on Kafka
    8. 9.8 Setting up NATS as a message broker
    9. Summary
  19. Part 4. Secure deployment
  20. 10 Conquering container security with Docker
    1. 10.1 Running the security token service on Docker
    2. 10.2 Managing secrets in a Docker container
      1. 10.2.1 Externalizing secrets from Docker images
      2. 10.2.2 Passing secrets as environment variables
      3. 10.2.3 Managing secrets in a Docker production deployment
    3. 10.3 Using Docker Content Trust to sign and verify Docker images
      1. 10.3.1 The Update Framework
      2. 10.3.2 Docker Content Trust
      3. 10.3.3 Generating keys
      4. 10.3.4 Signing with DCT
      5. 10.3.5 Signature verification with DCT
      6. 10.3.6 Types of keys used in DCT
      7. 10.3.7 How DCT protects the client application from replay attacks
    4. 10.4 Running the Order Processing microservice on Docker
    5. 10.5 Running containers with limited privileges
      1. 10.5.1 Running a container with a nonroot user
      2. 10.5.2 Dropping capabilities from the root user
    6. 10.6 Running Docker Bench for security
    7. 10.7 Securing access to the Docker host
      1. 10.7.1 Enabling remote access to the Docker daemon
      2. 10.7.2 Enabling mTLS at the NGINX server to secure access to Docker APIs
    8. 10.8 Considering security beyond containers
    9. Summary
  21. 11 Securing microservices on Kubernetes
    1. 11.1 Running an STS on Kubernetes
      1. 11.1.1 Defining a Kubernetes Deployment for the STS in YAML
      2. 11.1.2 Creating the STS Deployment in Kubernetes
      3. 11.1.3 Troubleshooting the Deployment
      4. 11.1.4 Exposing the STS outside the Kubernetes cluster
    2. 11.2 Managing secrets in a Kubernetes environment
      1. 11.2.1 Using ConfigMap to externalize configurations in Kubernetes
      2. 11.2.2 Defining a ConfigMap for application.properties file
      3. 11.2.3 Defining ConfigMaps for keystore.jks and jwt.jks files
      4. 11.2.4 Defining a ConfigMap for keystore credentials
      5. 11.2.5 Creating ConfigMaps by using the kubectl client
      6. 11.2.6 Consuming ConfigMaps from a Kubernetes Deployment
      7. 11.2.7 Loading keystores with an init container
    3. 11.3 Using Kubernetes Secrets
      1. 11.3.1 Exploring the default token secret in every container
      2. 11.3.2 Updating the STS to use Secrets
      3. 11.3.3 Understanding how Kubernetes stores Secrets
    4. 11.4 Running the Order Processing microservice in Kubernetes
      1. 11.4.1 Creating ConfigMaps/Secrets for the Order Processing microservice
      2. 11.4.2 Creating a Deployment for the Order Processing microservice
      3. 11.4.3 Creating a Service for the Order Processing microservice
      4. 11.4.4 Testing the end-to-end flow
    5. 11.5 Running the Inventory microservice in Kubernetes
    6. 11.6 Using Kubernetes service accounts
      1. 11.6.1 Creating a service account and associating it with a Pod
      2. 11.6.2 Benefits of running a Pod under a custom service account
    7. 11.7 Using role-based access control in Kubernetes
      1. 11.7.1 Talking to the Kubernetes API server from the STS
      2. 11.7.2 Associating a service account with a ClusterRole
    8. Summary
  22. 12 Securing microservices with Istio service mesh
    1. 12.1 Setting up the Kubernetes deployment
      1. 12.1.1 Enabling Istio autoinjection
      2. 12.1.2 Clean up any previous work
      3. 12.1.3 Deploying microservices
      4. 12.1.4 Redeploying Order Processing and STS as NodePort Services
      5. 12.1.5 Testing end-to-end flow
    2. 12.2 Enabling TLS termination at the Istio Ingress gateway
      1. 12.2.1 Deploying TLS certificates to the Istio Ingress gateway
      2. 12.2.2 Deploying VirtualServices
      3. 12.2.3 Defining a permissive authentication policy
      4. 12.2.4 Testing end-to-end flow
    3. 12.3 Securing service-to-service communications with mTLS
    4. 12.4 Securing service-to-service communications with JWT
      1. 12.4.1 Enforcing JWT authentication
      2. 12.4.2 Testing end-to-end flow with JWT authentication
      3. 12.4.3 Peer authentication and request authentication
      4. 12.4.4 How to use JWT in service-to-service communications
      5. 12.4.5 A closer look at JSON Web Key
    5. 12.5 Enforcing authorization
      1. 12.5.1 A closer look at the JWT
      2. 12.5.2 Enforcing role-based access control
      3. 12.5.3 Testing end-to-end flow with RBAC
      4. 12.5.4 Improvements to role-based access control since Istio 1.4.0
    6. 12.6 Managing keys in Istio
      1. 12.6.1 Key provisioning and rotation via volume mounts
      2. 12.6.2 Limitations in key provisioning and rotation via volume mounts
      3. 12.6.3 Key provisioning and rotation with SDS
    7. Summary
  23. Part 5. Secure development
  24. 13 Secure coding practices and automation
    1. 13.1 OWASP API security top 10
      1. 13.1.1 Broken object-level authorization
      2. 13.1.2 Broken authentication
      3. 13.1.3 Excessive data exposure
      4. 13.1.4 Lack of resources and rate limiting
      5. 13.1.5 Broken function-level authorization
      6. 13.1.6 Mass assignment
      7. 13.1.7 Security misconfiguration
      8. 13.1.8 Injection
      9. 13.1.9 Improper asset management
      10. 13.1.10 Insufficient logging and monitoring
    2. 13.2 Running static code analysis
    3. 13.3 Integrating security testing with Jenkins
      1. 13.3.1 Setting up and running Jenkins
      2. 13.3.2 Setting up a build pipeline with Jenkins
    4. 13.4 Running dynamic analysis with OWASP ZAP
      1. 13.4.1 Passive scanning vs. active scanning
      2. 13.4.2 Performing penetration tests with ZAP
    5. Summary
  25. Appendix A. OAuth 2.0 and OpenID Connect
    1. A.1 The access delegation problem
    2. A.2 How does OAuth 2.0 fix the access delegation problem?
    3. A.3 Actors of an OAuth 2.0 flow
      1. A.3.1 The role of the resource server
      2. A.3.2 The role of the client application
      3. A.3.3 The role of the resource owner
      4. A.3.4 The role of the authorization server
    4. A.4 Grant types
      1. A.4.1 Client credentials grant type
      2. A.4.2 Resource owner password grant type
      3. A.4.3 Refresh token grant type
      4. A.4.4 Authorization code grant type
      5. A.4.5 Implicit grant type
    5. A.5 Scopes bind capabilities to an OAuth 2.0 access token
    6. A.6 Self-contained access tokens
    7. A.7 What is OpenID Connect?
    8. A.8 More information about OpenID Connect and OAuth 2.0
  26. Appendix B. JSON Web Token
    1. B.1 What is a JSON Web Token?
    2. B.2 What does a JWT look like?
      1. B.2.1 The issuer of a JWT
      2. B.2.2 The subject of a JWT
      3. B.2.3 The audience of a JWT
      4. B.2.4 JWT expiration, not before and issued time
      5. B.2.5 The JWT identifier
    3. B.3 JSON Web Signature
    4. B.4 JSON Web Encryption
  27. Appendix C. Single-page application architecture
    1. C.1 What is single-page application architecture?
    2. C.2 Benefits of a SPA over an MPA
    3. C.3 Drawbacks of a SPA compared with an MPA
  28. Appendix D. Observability in a microservices deployment
    1. D.1 The need for observability
    2. D.2 The four pillars of observability
      1. D.2.1 The importance of metrics in observability
      2. D.2.2 The importance of tracing in observability
      3. D.2.3 The importance of logging in observability
      4. D.2.4 The importance of visualization in observability
  29. Appendix E. Docker fundamentals
    1. E.1 Docker overview
      1. E.1.1 Containers prior to Docker
      2. E.1.2 Docker adding value to Linux containers
      3. E.1.3 Virtual machines vs. containers
      4. E.1.4 Running Docker on non-Linux operating systems
    2. E.2 Installing Docker
    3. E.3 Docker high-level architecture
    4. E.4 Containerizing an application
      1. E.4.1 What is a Docker image?
      2. E.4.2 Building the application
      3. E.4.3 Creating a Dockerfile
      4. E.4.4 Building a Docker image
      5. E.4.5 Running a container from a Docker image
    5. E.5 Container name and container ID
    6. E.6 Docker registry
      1. E.6.1 Docker Hub
      2. E.6.2 Harbor
      3. E.6.3 Docker cloud platforms and registries
    7. E.7 Publishing to Docker Hub
    8. E.8 Image name and image ID
      1. E.8.1 Docker images with no tags (or the latest tag)
      2. E.8.2 Docker images with a tag
      3. E.8.3 Working with third-party Docker registries
      4. E.8.4 Docker Hub official and unofficial images
      5. E.8.5 Image ID
      6. E.8.6 Pulling an image with the image ID
    9. E.9 Image layers
    10. E.10 Container life cycle
      1. E.10.1 Creating a container from an image
      2. E.10.2 Starting a container
      3. E.10.3 Pausing a running container
      4. E.10.4 Stopping a running container
      5. E.10.5 Killing a container
      6. E.10.6 Destroying a container
    11. E.11 Deleting an image
    12. E.12 Persisting runtime data of a container
      1. E.12.1 Using Docker volumes to persist runtime data
      2. E.12.2 Using bind mounts to persist runtime data
    13. E.13 Docker internal architecture
      1. E.13.1 Containerd
      2. E.13.2 Containerd-shim
      3. E.13.3 Runc
      4. E.13.4 Linux namespaces
      5. E.13.5 Linux cgroups
    14. E.14 What is happening behind the scenes of docker run?
    15. E.15 Inspecting traffic between Docker client and host
    16. E.16 Docker Compose
    17. E.17 Docker Swarm
    18. E.18 Docker networking
      1. E.18.1 Bridge networking
      2. E.18.2 Host networking
      3. E.18.3 No networking
      4. E.18.4 Networking in a Docker production deployment
    19. E.19 Moby project
  30. Appendix F. Open Policy Agent
    1. F.1 Key components in an access-control system
    2. F.2 What is an Open Policy Agent?
    3. F.3 OPA high-level architecture
    4. F.4 Deploying OPA as a Docker container
    5. F.5 Protecting an OPA server with mTLS
    6. F.6 OPA policies
    7. F.7 External data
      1. F.7.1 Push data
      2. F.7.2 Loading data from the filesystem
      3. F.7.3 Overload
      4. F.7.4 JSON Web Token
      5. F.7.5 Bundle API
      6. F.7.6 Pull data during evaluation
    8. F.8 OPA integrations
      1. F.8.1 Istio
      2. F.8.2 Kubernetes admission controller
      3. F.8.3 Apache Kafka
    9. F.9 OPA alternatives
  31. Appendix G. Creating a certificate authority and related keys with OpenSSL
    1. G.1 Creating a certificate authority
    2. G.2 Generating keys for an application
  32. Appendix H. Secure Production Identity Framework for Everyone
    1. H.1 What is SPIFFE?
    2. H.2 The inspiration behind SPIFFE
    3. H.3 SPIFFE ID
    4. H.4 How SPIRE works
    5. H.5 SPIFFE Verifiable Identity Document
      1. H.5.1 X.509-SVID
      2. H.5.2 JWT-SVID
    6. H.6 A trust bundle
  33. Appendix I. gRPC fundamentals
    1. I.1 What is gRPC?
    2. I.2 Understanding Protocol Buffers
    3. I.3 Understanding HTTP/2 and its benefits over HTTP/1.x
      1. I.3.1 Request/response multiplexing and its performance benefits
      2. I.3.2 Understanding binary framing and streams in HTTP/2
    4. I.4 The different types of RPC available in gRPC
      1. I.4.1 Understanding channels
      2. I.4.2 Understanding request metadata
      3. I.4.3 What is unary RPC?
      4. I.4.4 What is server streaming RPC?
      5. I.4.5 What is client streaming RPC?
      6. I.4.6 What is bidirectional streaming RPC?
  34. Appendix J. Kubernetes fundamentals
    1. J.1 Kubernetes high-level architecture
      1. J.1.1 Master nodes
      2. J.1.2 Worker nodes
    2. J.2 Basic constructs
      1. J.2.1 A Pod: The smallest deployment unit in Kubernetes
      2. J.2.2 A node: A VM or physical machine in a Kubernetes cluster
      3. J.2.3 A Service: an abstraction over Kubernetes Pods
      4. J.2.4 Deployments: Representing your application in Kubernetes
      5. J.2.5 A namespace: Your home within a Kubernetes cluster
    3. J.3 Getting started with Minikube and Docker Desktop
    4. J.4 Kubernetes as a service
    5. J.5 Getting started with Google Kubernetes Engine
      1. J.5.1 Installing gcloud
      2. J.5.2 Installing kubectl
      3. J.5.3 Setting up the default setting for gcloud
      4. J.5.4 Creating a Kubernetes cluster
      5. J.5.5 Deleting a Kubernetes cluster
      6. J.5.6 Switching between multiple Kubernetes clusters
    6. J.6 Creating a Kubernetes Deployment
    7. J.7 Behind the scenes of a Deployment
    8. J.8 Creating a Kubernetes Service
    9. J.9 Behind the scenes of a Service
    10. J.10 Scaling a Kubernetes Deployment
    11. J.11 Creating a Kubernetes namespace
    12. J.12 Switching Kubernetes namespaces
    13. J.13 Using Kubernetes objects
      1. J.13.1 Managing Kubernetes objects
    14. J.14 Exploring the Kubernetes API server
    15. J.15 Kubernetes resources
    16. J.16 Kubernetes controllers
    17. J.17 Ingress
    18. J.18 Kubernetes internal communication
      1. J.18.1 How kubectl run works
      2. J.18.2 How Kubernetes routes a request from an external client to a Pod
    19. J.19 Managing configurations
      1. J.19.1 Hardcoding configuration data in the Deployment definition
      2. J.19.2 Introducing ConfigMaps
      3. J.19.3 Consuming ConfigMaps from a Kubernetes Deployment and populating environment variables
      4. J.19.4 Consuming ConfigMaps from a Kubernetes Deployment with volume mounts
  35. Appendix K. Service mesh and Istio fundamentals
    1. K.1 Why a service mesh?
    2. K.1 The evolution of microservice deployments
      1. K.2.1 The Service Mesh architecture
      2. K.2.2 Service mesh implementations
      3. K.2.3 Service mesh vs. API gateway
    3. K.3 Istio service mesh
    4. K.4 Istio architecture
      1. K.4.1 Istio data plane
      2. K.4.2 Istio control plane
      3. K.4.3 Changes introduced to Istio architecture since Istio 1.5.0 release
    5. K.5 Setting up Istio service mesh on Kubernetes
      1. K.5.1 Setting up Istio on Docker Desktop
      2. K.5.2 Setting up Istio on GKE
      3. K.5.3 Limitations of Istio on GKE
    6. K.6 What Istio brings to a Kubernetes cluster
      1. K.6.1 Kubernetes custom resource definitions
      2. K.6.2 The istio-system namespace
      3. K.6.3 Control plane components
      4. K.6.4 The istio-ingressgateway Service
      5. K.6.5 The istio-ingressgateway pod
      6. K.6.6 Istio’s MeshPolicy
    7. K.7 Setting up the Kubernetes deployment
    8. K8 Engaging Istio to STS and the Order Processing microservices
      1. K.8.1 Sidecar auto injection
      2. K.8.2 Setting up iptables rules
      3. K.8.3 Envoy sidecar proxy
    9. K.9 Running the end-to-end sample
    10. K.10 Updating the Order Processing microservice with Istio configurations
      1. K.10.1 Redeploying STS and the Order Processing microservices
      2. K.10.2 Creating a Gateway resource
      3. K.10.3 Creating a VirtualService resource for the Order Processing and STS microservices
      4. K.10.4 Running the end-to-end flow
      5. K.10.5 Debugging the Envoy proxy
  36. index

Product information

  • Title: Microservices Security in Action
  • Author(s): Prabath Siriwardena, Wajjakkara Kankanamge Anthony Nuwan Dias
  • Release date: August 2020
  • Publisher(s): Manning Publications
  • ISBN: 9781617295959