11 Securing microservices on Kubernetes


This chapter covers

  • Securing service-to-service communications of a microservices deployment
  • Managing secrets in Kubernetes
  • Creating service accounts and associating them with Pods
  • Protecting access to the Kubernetes API server with RBAC

In chapter 10, we discussed how to deploy and secure microservices on Docker containers. In a real production deployment, you don’t run bare containers; they run within a container orchestration framework. Just as a container is an abstraction over the physical machine, a container orchestration framework is an abstraction over the network. Kubernetes is the most popular container orchestration framework to date.

Understanding the fundamentals of Kubernetes and its security features is essential to any microservices developer. We cover basic constructs of Kubernetes in appendix J, so if you’re new to Kubernetes, read that appendix first. Even if you’re familiar with Kubernetes, we still recommend you at least skim through appendix J, because the rest of this chapter assumes you have the knowledge contained in it.

11.1 Running an STS on Kubernetes

11.1.1 Defining a Kubernetes Deployment for the STS in YAML

11.1.2 Creating the STS Deployment in Kubernetes

11.1.3 Troubleshooting the Deployment

11.1.4 Exposing the STS outside the Kubernetes cluster

11.2 Managing secrets in a Kubernetes environment

11.2.1 Using ConfigMap to externalize configurations in Kubernetes

11.2.2 Defining a ConfigMap for the application.properties file

11.2.3 Defining ConfigMaps for the keystore.jks and jwt.jks files

11.2.4 Defining a ConfigMap for keystore credentials

11.2.5 Creating ConfigMaps by using the kubectl client

11.2.6 Consuming ConfigMaps from a Kubernetes Deployment

11.2.7 Loading keystores with an init container

11.3 Using Kubernetes Secrets

11.3.1 Exploring the default token secret in every container

11.3.2 Updating the STS to use Secrets

11.3.3 Understanding how Kubernetes stores Secrets

11.4 Running the Order Processing microservice in Kubernetes