10 Securing microservice-to-microservice communication

 

This chapter covers

  • Where to perform user authentication and authorization in a microservice system
  • Deciding on the level of trust in your microservice system
  • Limiting microservice-to-microservice requests
  • Using an API Gateway to authenticate users
  • Using Kubernetes network policies to limit microservice-to-microservice requests

Up to this point in the book, we’ve ignored security; but for most systems, security is an important concern that needs careful attention. This chapter discusses how to address security concerns in a microservice system. In a monolith, the monolith completes user authentication and authorization—there is, after all, only the monolith to do those things. In a microservice system, several microservices are involved in answering most user requests; the question is this: which ones are responsible for authentication, and which ones are responsible for authorization? You must also ask how much the microservices can trust each other:

  • If one microservice authenticates a user, can other microservices trust that user?
  • Are all microservices allowed to call each other?

The answers vary from system to system. The first part of this chapter discusses how to address these questions. The second part of the chapter outlines an implementation of one possible answer to the first question and shows a full implementation of an answer to the second question.

10.1 Microservice security concerns

10.1.1 Authenticating users at the edge

10.1.2 Authorizing users in microservices

10.1.3 How much should microservices trust each other?

10.2 Implementing secure microservice-to-microservice communication

10.2.1 Accessing the user identity in the loyalty program

10.2.2 Limiting which microservices can communicate

Summary