This repository has been archived by the owner on May 21, 2024. It is now read-only.

ExcelliumSA/CloudNativeApplications-Study


CloudNativeApplications-Study

Contains the materials used for the blog post about Cloud Native Applications.

Blog post link

https://excellium-services.com/2023/06/21/discovery-of-cloud-native-applications-from-an-application-security-perspective/

Lab

Context

During this study, I took the opportunity to discover the following technologies in order to apply the concepts learned:

Environment

Note: An Ubuntu 22.04.2 LTS Server VM was used as the OS of the single-node Kubernetes cluster.

Warning: 🚨 Do not edit the file poc-accessrules.yaml with Visual Studio Code because the formatter breaks the YAML structure!

💻 A Visual Studio Code workspace file is provided.

💬 Minikube and Istio were installed using their documentation.

📑 Once the VM is ready (Minikube and Istio are installed), the following scripts can be used:

  • env-addtools.sh: Add the tools used by the POC.
  • env-start.sh: Start the Minikube instance and the POC requirements (this script hangs, so run it in a dedicated shell).
  • env-shutdown.sh: Stop the Minikube instance and shut down the VM cleanly.

📦 The lab content is stored in the poc folder.

📦 The image ealen/echo-server is used for the application of the POC.

🧪 The test folder contains learning content created/tried before the creation of the POC.

🔑 The keypair (RSA 2048 bits) used for the lab (JWT token signature) is defined in the following files:

Frequently used commands

💻 See authentication/authorization policies in place:

kubectl exec $(kubectl get pods -l app=my-app1 -n my-poc -o jsonpath='{.items[0].metadata.name}') -n my-poc -c istio-proxy -- pilot-agent request GET config_dump

💻 Enable debug log

istioctl proxy-config log deployment/my-app1-deployment -n my-poc --level "rbac:debug"

💻 See log

kubectl logs deployment/my-app1-deployment --namespace=my-poc -c istio-proxy
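
Once rbac:debug is enabled, the istio-proxy log carries one line per authorization decision. The following is an added example (not part of this repository) that tallies those decisions per policy. It assumes the Envoy RBAC filter's "enforced allowed|denied, matched policy ..." wording and the ns[...]-policy[...]-rule[...] naming used by Istio; the sample log lines and policy names are constructed.

```python
import re
import sys
from collections import Counter

# Constructed sample of istio-proxy output with rbac:debug enabled (not taken from the lab).
# Assumption: the RBAC filter logs "enforced allowed|denied, matched policy <name|none>".
SAMPLE_LOG = """\
2023-06-01T10:00:01.100000Z debug envoy rbac enforced allowed, matched policy ns[my-poc]-policy[allow-app1]-rule[0]
2023-06-01T10:00:02.200000Z debug envoy rbac enforced denied, matched policy none
2023-06-01T10:00:03.300000Z debug envoy rbac shadow denied, matched policy none
2023-06-01T10:00:04.400000Z info envoy config unrelated line
2023-06-01T10:00:05.500000Z debug envoy rbac enforced denied, matched policy ns[my-poc]-policy[deny-admin]-rule[1]
"""

DECISION = re.compile(
    r"\b(?P<mode>enforced|shadow) (?P<result>allowed|denied), "
    r"matched policy (?P<policy>\S+)"
)
POLICY = re.compile(r"ns\[(?P<ns>[^\]]+)\]-policy\[(?P<name>[^\]]+)\]-rule\[(?P<rule>\d+)\]")


def parse_decisions(text):
    """Return one dict per enforced RBAC decision; shadow (dry-run) lines are skipped."""
    decisions = []
    for line in text.splitlines():
        m = DECISION.search(line)
        if not m or m["mode"] != "enforced":
            continue
        p = POLICY.fullmatch(m["policy"])
        decisions.append({
            "result": m["result"],
            # "none" in the log means no AuthorizationPolicy rule matched the request.
            "namespace": p["ns"] if p else None,
            "policy": p["name"] if p else None,
            "rule": int(p["rule"]) if p else None,
        })
    return decisions


def summarize(decisions):
    """Count decisions per (result, policy) so unexpected allows or denies stand out."""
    return Counter((d["result"], d["policy"] or "<no policy matched>") for d in decisions)


if __name__ == "__main__":
    # Pipe the `kubectl logs ... -c istio-proxy` output in, or run without input for the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for (result, policy), count in sorted(summarize(parse_decisions(text)).items()):
        print(f"{count:5d}  {result:8s} {policy}")
```

A denied decision with no matched policy means the request fell through every ALLOW rule, which is the first thing to check when a JWT claim or path rule in the POC does not behave as expected.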

References

Tools