Securing Microservices at API Gateway using Cloud Native Solutions

Authentication and authorization in a microservices environment are non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There have been multiple cases where authorization controls implemented for one application were missed for another application with similar features and data access, resulting in a breach.

We present a solution, along with a proof-of-concept implementation, for the problem described above: performing authentication and authorization for microservices in the API Gateway itself.

Abhisek Datta

June 06, 2020

Transcript

  1. Securing Microservices
    at API Gateway
    Using Cloud Native Solutions
    Abhisek Datta
    Head, Security Products
    Appsecco

  2. Nullcon Webinars

  3. About Me – Abhisek Datta
    • Head, Security Products (appsecco.com)
    • Application & Cloud Security
    • Kubernetes Cluster Security Assessments
    • TechWing @ null0x00 (null.co.in)
    • An Open Security Community
    • Security Researcher
    • Discovered vulnerabilities in enterprise software and credited with CVE
    • Open Source Contributor
    • https://github.com/abhisek
    @abh1sek

  4. Key Take Away
    1. The need for centralized Authentication and Authorization
    2. Understand the role of API Gateway as a Security Gate
    3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation

  5. This is not an introduction to Microservices
    We will look at an approach for securing Microservices using API Gateway as a Security Gate
    Learn more about Microservices: https://microservices.io/

  6. AuthN & AuthZ in Microservices
    [Diagram, labels only: Identity Provider; Client; OAuth2 + OIDC; Reverse Proxy; Identity (JWT); Services; Authentication & Authorization; Established Trust]

  7. API Gateway
    How do the clients of a Microservices-based application access the individual services?

  8. AuthN and AuthZ in API Gateway
    1. Authenticate a request
    2. Authorize a request
    3. Route the request to backend microservice
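
    The three gateway steps of slides 6 and 8, as an added example that is not code from the deck or from the appsecco proof-of-concept repository: a constructed identity-provider stand-in issues an HS256 JWT, the gateway authenticates it (algorithm, signature, expiry), consults an in-process policy table that stands in for OPA with default deny, and routes to a backend. The shared secret, the policy entries and the route table are all assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret-not-for-production"  # constructed HS256 demo key; use the IdP's RS256 public key in practice
POLICY = [  # stand-in for the OPA policy: (method, path prefix, roles allowed); anything unmatched is denied
    ("GET", "/api/orders", {"customer", "admin"}),
    ("POST", "/api/orders", {"customer", "admin"}),
    ("GET", "/api/admin", {"admin"}),
]
ROUTES = {"/api/orders": "orders-svc:8080", "/api/admin": "admin-svc:8080"}  # stand-in for Traefik routing

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Identity-provider stand-in: issue an HS256 JWT (5-minute expiry unless 'exp' is given)."""
    claims = {"exp": int(time.time()) + 300, **claims}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token: str):
    """Step 1: verify algorithm, signature and expiry; return the claims or None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # rejects alg=none and algorithm-confusion tokens
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None

def authorize(claims: dict, method: str, path: str) -> bool:
    """Step 2: policy decision on (role, method, path) with default deny."""
    return any(method == m and path.startswith(p) and claims.get("role") in roles
               for m, p, roles in POLICY)

def gateway(method: str, path: str, token: str) -> tuple:
    """Steps 1-3 as the gateway performs them: returns (status, upstream or deny reason)."""
    claims = authenticate(token)
    if claims is None:
        return 401, "invalid or expired token"
    if not authorize(claims, method, path):
        return 403, "policy denied"
    upstream = next((u for p, u in ROUTES.items() if path.startswith(p)), None)
    return (200, upstream) if upstream else (404, "no route")
```

Because authentication and the policy decision both happen before routing, a backend service is never reached with an unverified identity or an unmatched (method, path, role) combination, which is the property the deck argues the gateway should guarantee centrally.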

  9. Our Choice of Technology
    • API Gateway
    • Traefik
    https://containo.us/traefik/
    • Policy Management and Enforcement
    • Open Policy Agent
    https://www.openpolicyagent.org/

  10. What we want to achieve

  11. Demo
    • This is a minimal proof of concept implementation for demonstration
    • It should not be considered for production use as is.

  12. Let's look inside the code

  13. Learning Traefik API Gateway
    • Use as a reverse proxy
    • Use dynamic configuration discovery
    • Routing and Load Balancing
    • Middlewares
    • https://docs.traefik.io/

  14. Learning Open Policy Agent
    • Introduction to Open Policy Agent
    • https://www.openpolicyagent.org/docs/latest/
    • Rego Playground
    • https://play.openpolicyagent.org/
    • Running Open Policy Agent (Lib/Server/Interactive)
    • https://www.openpolicyagent.org/docs/latest/#running-opa
    • Open Policy Agent for Kubernetes Admission Control
    • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/

  15. Resources
    • Proof of Concept Implementation
    • https://github.com/appsecco/opa-traefik-microservice-authz
    • Microservices Authorization using Open Policy Agent and Traefik (API Gateway)
    • https://blog.appsecco.com/microservices-authorization-using-open-policy-agent-and-traefik-api-gateway-ae30f3bf2846

  16. Questions?
    [email protected]
    That’s all for now.
    https://appsecco.com
    @abh1sek
    github.com/abhisek