Cncf microservices security
0 likes150 views
The document discusses microservices security focusing on Open Policy Agent (OPA) and service mesh architecture, emphasizing the importance of policies for access control and service communication in a cloud-native environment. It outlines the IAAA framework and introduces key concepts such as mutual TLS, identity propagation, and compliance requirements for Kubernetes resources. Key takeaways include the growing adoption of OPA for policy as code, specifically for user authorization, service mesh governance, and organizational compliance.
![© 2018 Cloud Native Computing Foundation23
Example: JWT Validation
package istio.authz
import input.attributes.request.http as http_request
import input.attributes.source.address as source_address
certificate = `-----BEGIN CERTIFICATE-----
MIICmzCC
-----END CERTIFICATE-----`
constraint = {
"cert": certificate,
"alg": "RS256",
"aud": "account"
}
jwt_string = jwt_token {
[jwt_token] := split(http_request.headers["x-access-token"], " ")
}
# Decode Token
parsed_token = token {
[jose, payload, sig] := io.jwt.decode(jwt_string)
token = {
"jose" : jose,
"payload" : payload,
"sig": sig
}
}
valid_token = payload {
[valid, header, payload] := io.jwt.decode(jwt_string)
}
valid_auds [valid_aud] {
valid_aud := parsed_token.payload.aud[_]
group := parsed_token.payload.groups[_]
required_roles[group]
io.jwt.verify_rs256(jwt_string, certificate)
}
required_roles[r] {
perm := role_perms[r][_]
perm.method = http_request.method
perm.path = http_request.path
}
role_perms = {
"/Normal": [
{"method": "GET", "path": "/"},
{"method": "GET", "path": "/productpage?u=normal"},
],
"/Moderators": [
{"method": "GET", "path": "/productpage?u=test"},
{"method": "GET", "path": "/"},
{"method": "GET", "path": "/api/v1/products"},
],
}
default allow = {
"allowed": false,
"headers": {"x-ext-auth-allow": "no"},
"body": "Unauthorized Request",
"http_status": 301
}
}
1
2
4
3](https://image.slidesharecdn.com/cncfmicroservicessecurity-200603234531/85/Cncf-microservices-security-23-320.jpg)
Cncf microservices security
- 1. Microservices Security with OPA and Service Mesh Leonardo G. Silva Solutions Architect
- 2. © 2018 Cloud Native Computing Foundation2 $whoami ● Certified Kubernetes Administrator ● AWS Certified Sysops Administrator ● 20 years of experience with Software Architecture ● Head of Solutions Architecture @ GrupoMult
- 3. © 2018 Cloud Native Computing Foundation3 Source: https://www.nginx.com/resources/library/app-dev-survey
- 4. © 2018 Cloud Native Computing Foundation4 Cybersecurity Source: Foundations of Cybersecurity, Springer
- 5. © 2018 Cloud Native Computing Foundation5 IAAA Framework ● Identification: suporte à múltiplas identidades e atributos (usuários finais, componentes de sistema, domínios) ● Authentication: suporte à múltiplos métodos de autenticação; ● Authorization: permissão ou negação de uma requisição baseado em atributos de uma requisição. ● Accountability: captura de informações relevantes de segurança à cada chamada de API.
- 7. © 2018 Cloud Native Computing Foundation7 Kubernetes ● Ambiente de gerenciamento de containers ● Alta taxa de adoção ● Extensível ● Em evolução ● Portabilidade ● Declarativo ● Resiliente ● Escalável ● Não é o suficiente...
- 8. © 2018 Cloud Native Computing Foundation8 Service Mesh
- 9. © 2018 Cloud Native Computing Foundation9 Arquitetura de APINorte-Sul Leste - Oeste
- 10. © 2018 Cloud Native Computing Foundation10 Service Mesh - Arquitetura de Segurança Source: Istio Documentation
- 11. © 2018 Cloud Native Computing Foundation11 Istio - Arquitetura alto-nível Source: Istio Documentation
- 12. © 2018 Cloud Native Computing Foundation12 Exemplo Source: Google Cloud
- 14. © 2018 Cloud Native Computing Foundation14 Security for EDGE: OIDC e Oauth2 ● Protocolos conhecidos: Openid Connect, Oauth2 ● Id Token ● Access Token ● Token Exchange ● Identity Propagation
- 15. © 2018 Cloud Native Computing Foundation15 Security for Service Communication ● Identity for Services ● SPIFFE: Secure Production Identity Framework for Everyone ● MUTUAL TLS
- 16. © 2018 Cloud Native Computing Foundation16 Workload Security
- 17. © 2018 Cloud Native Computing Foundation17 Compliance ● Which users can access which resources. ● Which subnets egress traffic is allowed to. ● Which clusters a workload must be deployed to. ● Which registries binaries can be downloaded from. ● Which OS capabilities a container can execute with. ● Which times of day the system can be accessed at.
- 19. © 2018 Cloud Native Computing Foundation19 Open Policy Agent ● Policy as Code ● hosted by CNCF as incubating-level project ● custom language: REGO ● ultra fast ● decouples policy definition from policy execution
- 20. © 2018 Cloud Native Computing Foundation20
- 21. © 2018 Cloud Native Computing Foundation21 Why decoupling matters decoupling results in policy implementations that are easier to understand, flexible enough to handle future requirements, and less expensive to maintain
- 22. © 2018 Cloud Native Computing Foundation22 Execution Mode: Library Fonte: https://github.com/open-policy-agent/opa
- 23. © 2018 Cloud Native Computing Foundation23 Example: JWT Validation package istio.authz import input.attributes.request.http as http_request import input.attributes.source.address as source_address certificate = `-----BEGIN CERTIFICATE----- MIICmzCC -----END CERTIFICATE-----` constraint = { "cert": certificate, "alg": "RS256", "aud": "account" } jwt_string = jwt_token { [jwt_token] := split(http_request.headers["x-access-token"], " ") } # Decode Token parsed_token = token { [jose, payload, sig] := io.jwt.decode(jwt_string) token = { "jose" : jose, "payload" : payload, "sig": sig } } valid_token = payload { [valid, header, payload] := io.jwt.decode(jwt_string) } valid_auds [valid_aud] { valid_aud := parsed_token.payload.aud[_] group := parsed_token.payload.groups[_] required_roles[group] io.jwt.verify_rs256(jwt_string, certificate) } required_roles[r] { perm := role_perms[r][_] perm.method = http_request.method perm.path = http_request.path } role_perms = { "/Normal": [ {"method": "GET", "path": "/"}, {"method": "GET", "path": "/productpage?u=normal"}, ], "/Moderators": [ {"method": "GET", "path": "/productpage?u=test"}, {"method": "GET", "path": "/"}, {"method": "GET", "path": "/api/v1/products"}, ], } default allow = { "allowed": false, "headers": {"x-ext-auth-allow": "no"}, "body": "Unauthorized Request", "http_status": 301 } } 1 2 4 3
- 24. © 2018 Cloud Native Computing Foundation24 Policy for Service Communication
- 25. © 2018 Cloud Native Computing Foundation25 Execution mode: Daemon Fonte: OPA Istio Plugin Project
- 26. © 2018 Cloud Native Computing Foundation26 Kubernetes: Admission Controller ■ authentication, authorization webhooks ■ admission, mutating webhooks
- 27. © 2018 Cloud Native Computing Foundation27 OPA Gatekeeper - hosted by CNCF as incubating-level project. - Allow kubernetes administrators to detect and reject non-compliant modifications to kubernetes resources
- 28. © 2018 Cloud Native Computing Foundation28 Gatekeeper architecture
- 29. © 2018 Cloud Native Computing Foundation29 Policy Template A ConstraintTemplate defines the policy code.
- 30. © 2018 Cloud Native Computing Foundation30 Policy Constraint A ConstraintTemplate is instantiated
- 31. © 2018 Cloud Native Computing Foundation31 Audit non-compliance The gatekeeper can display all violations in a given context
- 32. © 2018 Cloud Native Computing Foundation32 Key Takeaways Your Infrastructure MUST be: - OPA is becoming THE standard for policy as code - Policy for user authz - Policy for service mesh governance - Policy for Organizational compliance
- 33. Please follow up with Leonardo Gonçalves https://www.linkedin.com/in/leogsilva on Linkedin