Chapter eleven

11 Securing microservices on Kubernetes

This chapter covers

  • Securing service-to-service communication of a microservice deployment
  • Managing secrets in a deployment
  • Creating service accounts and associating those with pods
  • Protecting access to the Kubernetes API server with role-based access control (RBAC)

In chapter 10 we discussed how to deploy and secure microservices on Docker containers. In a real production deployment, you don’t run bare containers; they run within a container orchestration framework. Just as a container is an abstraction over the physical machine, a container orchestration framework is an abstraction over the network. Kubernetes is the most popular container orchestration framework to date.

Understanding the fundamentals of Kubernetes and its security features is essential to any microservices developer. We cover basic constructs of Kubernetes in appendix B, so if you’re new to Kubernetes, read appendix B first. Even if you’re familiar with Kubernetes, we still recommend you at least skim through appendix B. The rest of the chapter assumes you have the knowledge contained in appendix B.

11.1   Running security token services (STSs) on Kubernetes

11.1.1   Defining a Kubernetes deployment for the STS in YAML

11.1.2   Creating the STS deployment in Kubernetes

11.1.3   Troubleshooting the deployment

11.1.4   Exposing the STS outside the Kubernetes cluster

11.2   Managing secrets in a Kubernetes environment

11.2.1   Using ConfigMap to externalize configurations in Kubernetes

11.2.2   Defining a ConfigMap for application.properties

11.2.3   Defining ConfigMaps for keystore.jks and jwt.jks files

11.2.4   Defining a ConfigMap for keystore credentials

11.2.5   Creating ConfigMaps using the kubectl client

11.2.6   Consuming ConfigMaps from a Kubernetes deployment

11.2.7   Loading keystores with an init container

11.3   Kubernetes secrets

11.3.1   The default token secret in every container

11.3.2   Updating the STS to use Secrets

11.3.3   How does Kubernetes store Secrets?

11.4   Running the Order Processing microservice in Kubernetes

11.4.1   Creating ConfigMaps/Secrets for the Order Processing microservice

11.4.2   Creating a deployment for the Order Processing microservice

11.4.3   Creating a service for the Order Processing microservice

11.4.4   Testing the end-to-end flow

11.5   Running the Inventory microservice in Kubernetes

11.6   Using Kubernetes service accounts

11.6.1   Creating a service account and associating it with a pod

11.6.2   Benefits of running a pod under a custom service account

11.7   Role-based access control (RBAC) in Kubernetes

11.8   Summary