Introduction

Microservices are small, self-contained, independently deployable applications, each with one specific, well-defined task; grouped together they deliver the full functionality of the larger application.

A Java microservice is such an application written in the Java programming language, typically built with Java tools and frameworks.

With AccuKnox you can protect Java microservices running in a cloud environment within a few clicks. You can also use the open-source AccuKnox tools, which is what this post walks through.

Prerequisites

Install open-source AccuKnox tools to your cloud environment.

Run the following script to install the DaemonSets and Services of the open-source AccuKnox tools (KubeArmor, Cilium and the policy-discovery engine). It pipes a remote script straight into bash, so download and read it first if your environment requires reviewing third-party scripts before execution:

curl -s https://raw.githubusercontent.com/accuknox/tools/main/install.sh | bash

For more details, see Quick Start - AccuKnox

or

Use the Enterprise tier of the AccuKnox product. For more details, see Agent Installation - AccuKnox

Deploy Sample Java/MySQL Web application in Kubernetes

Here we use a Java/MySQL demo application, Online Book Store, as the workload. It is a 2-tier application for selling books online, keeping the sales history, and adding and managing books.

The back end is written in Java and the database is MySQL.

For more information, see Deployment of the Sample OnlineBookStore application in GKE.

Check the status of the pod and service.

$ kubectl get po,svc -n bookstore --show-labels
NAME                                     READY   STATUS    RESTARTS   AGE   LABELS
pod/mysql-68579b78bb-gmn8z               1/1     Running   0          32m   app=mysql,pod-template-hash=68579b78bb
pod/online-book-store-74b96f565f-qb88p   1/1     Running   0          29m   app=bookstore,pod-template-hash=74b96f565f

NAME                        TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)          AGE   LABELS
service/mysql               ClusterIP      None          <none>          3306/TCP         32m   <none>
service/online-book-store   LoadBalancer   10.56.15.33   34.66.242.135   8080:32607/TCP   28m   <none>

Working with open-source AccuKnox tools

Auto-Discovered Policies

Auto-discovered policies are currently available only for Kubernetes environments; support for VM workloads is planned. The AccuKnox policy auto-discovery engine uses the pod visibility provided by KubeArmor and Cilium to auto-generate system and network policies from what the workload actually does.

Run the script below against the Kubernetes cluster to fetch the auto-discovered policies:

curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash

Downloading discovered policies from pod=knoxautopolicy-74f5b5d65b-hdp6j
{
  "res": "ok"
}
Got 47 cilium policies in file cilium_policies.yaml
{
  "res": "ok"
}
Got 640 kubearmor policies in file kubearmor_policies.yaml
Got 38 kubearmor policies in file kubearmor_policies_ext.yaml

cilium_policies.yaml contains all the auto-discovered Cilium network policies.

kubearmor_policies.yaml and kubearmor_policies_ext.yaml contain all the auto-discovered KubeArmor system policies.

Let's look at the auto-discovered Cilium policies related to the bookstore namespace, including policies in other namespaces whose endpoints talk to bookstore pods:

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-egress-oxwxdwghbmehmho
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      run: mysql-client1
  egress:
  - toEndpoints:
    - matchLabels:
        app: mysql
        k8s:io.kubernetes.pod.namespace: bookstore
    toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-ingress-bsqkdukhqlbdtdj
  namespace: bookstore
spec:
  endpointSelector:
    matchLabels:
      app: mysql
  ingress:
  - fromEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: default
        run: mysql-client1
    toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-egress-ikmllexdjpawkzg
  namespace: bookstore
spec:
  endpointSelector:
    matchLabels:
      app: bookstore
  egress:
  - toEndpoints:
    - matchLabels:
        k8s-app: kube-dns
        k8s:io.kubernetes.pod.namespace: kube-system
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-egress-xwstlqapycuxnig
  namespace: bookstore
spec:
  endpointSelector:
    matchLabels:
      app: bookstore
  egress:
  - toEndpoints:
    - matchLabels:
        app: mysql
        k8s:io.kubernetes.pod.namespace: bookstore
    toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-ingress-dakwrpebhlozfyb
  namespace: bookstore
spec:
  endpointSelector:
    matchLabels:
      app: mysql
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: bookstore
        k8s:io.kubernetes.pod.namespace: bookstore
    toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
---

Auto-discovered policies are generated from the network flows actually observed for the application. Applying them allows only the traffic seen during discovery, so the application runs with a minimal network attack surface. Review the set before applying it: Cilium puts an endpoint into default deny for each direction (ingress or egress) in which at least one policy selects it, so any flow that discovery did not observe, for example a rarely used dependency or a scheduled job, will be dropped once the policies are in place. Two of the policies above exist only because a mysql-client1 test pod in the default namespace connected to MySQL during discovery; drop them if that client is not a legitimate part of the deployment rather than whitelisting it. Note also that no discovered policy restricts ingress to the app=bookstore pods, so the online-book-store LoadBalancer service remains reachable from the internet on port 8080 exactly as before.

Apply the auto-discovered Cilium policies in Kubernetes:

kubectl apply -f cilium_policies.yaml
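Applying all 47 discovered policies in one go makes the review step above hard to do. The helper below is an added example, not part of the original post or of the AccuKnox tools: it splits a multi-document policy file and keeps only the documents that concern one namespace, either as the policy's own namespace or as a peer named in k8s:io.kubernetes.pod.namespace, which also catches the mysql-client1 policy that lives in default but talks to bookstore's MySQL. The function names and the sample file are constructed for this illustration; the sample only mimics the shape of cilium_policies.yaml.

```shell
#!/usr/bin/env bash
# Select the auto-discovered CiliumNetworkPolicy documents that concern one
# namespace so they can be reviewed and applied per application. Added
# example with hypothetical helper names; plain awk, no yq/kubectl needed.
set -euo pipefail

# filter_policies_for_namespace FILE NAMESPACE
# Splits the multi-document YAML on '---' lines and prints only the documents
# that contain "namespace: NAMESPACE" (metadata.namespace) or
# "k8s:io.kubernetes.pod.namespace: NAMESPACE" (a peer selector).
# NAMESPACE is a DNS label, so it is safe to splice into the regex.
filter_policies_for_namespace() {
  local file="$1" ns="$2"
  awk -v ns="$ns" '
    function emit() {
      if (doc != "" && keep) printf "---\n%s", doc
      doc = ""; keep = 0
    }
    /^---[ \t]*$/ { emit(); next }
    {
      doc = doc $0 "\n"
      if ($0 ~ ("namespace:[ \t]*" ns "[ \t]*$")) keep = 1
    }
    END { emit() }
  ' "$file"
}

# count_policies FILE: number of CiliumNetworkPolicy documents in FILE
count_policies() {
  grep -c '^kind: CiliumNetworkPolicy' "$1" || true
}

# Constructed sample in the shape of cilium_policies.yaml (not the real file).
SAMPLE=$(mktemp); OUT=$(mktemp)
trap 'rm -f "$SAMPLE" "$OUT"' EXIT
cat > "$SAMPLE" <<'EOF'
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-egress-client
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      run: mysql-client1
  egress:
  - toEndpoints:
    - matchLabels:
        app: mysql
        k8s:io.kubernetes.pod.namespace: bookstore
    toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-egress-dns
  namespace: bookstore
spec:
  endpointSelector:
    matchLabels:
      app: bookstore
  egress:
  - toEndpoints:
    - matchLabels:
        k8s-app: kube-dns
        k8s:io.kubernetes.pod.namespace: kube-system
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: autopol-egress-other
  namespace: monitoring
spec:
  endpointSelector:
    matchLabels:
      app: prometheus
  egress:
  - toEndpoints:
    - matchLabels:
        k8s-app: kube-dns
        k8s:io.kubernetes.pod.namespace: kube-system
---
EOF

# Review what would be applied for bookstore before applying it.
filter_policies_for_namespace "$SAMPLE" bookstore > "$OUT"
echo "bookstore-related policies: $(count_policies "$OUT") of $(count_policies "$SAMPLE")"
# kubectl apply -f "$OUT"    # on a real cluster, after reading the file
```

On a real cluster, run the filter over the downloaded cilium_policies.yaml, read the result, delete any policy you do not want (the mysql-client1 pair, for instance) and only then pipe it into kubectl apply. After applying, exercise the application and watch for drops on the Cilium agent (cilium monitor --type drop inside the agent pod) to catch flows that discovery missed.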

Apply Policies from Policy-templates Repo

AccuKnox's policy-templates is an open-source repository of attack-prevention and hardening policies for your workloads.

It provides KubeArmor and Cilium policies for known CVEs and attack vectors, and for frameworks such as PCI-DSS, MITRE and STIG.

Repository link:

GitHub - kubearmor/policy-templates: Community curated list of System and Network policy templates for the KubeArmor and Cilium

Within a few clicks, you can secure cloud workloads with these policies.

Go to the policy-templates GitHub repository and select a policy. Copy its raw contents and change the namespace and matchLabels to the namespace and labels of your application pods:

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit: 
# https://www.accuknox.com/kubearmor/ 

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:    
  name: ksp-block-mysql-dump-in-pods
  namespace: default        # Change your namespace
spec:
  tags: ["mysql","system","K8s"]
  message: "Warning! MySQLdump is blocked"
  selector:      
    matchLabels:        
      app: testpod    #change with your own label    
  process:      
    matchPaths:      
    - path: /usr/bin/mysqldump    
    action: Block    
    severity: 6

After changing the namespace and matchLabels:

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit: 
# https://www.accuknox.com/kubearmor/ 

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:    
  name: ksp-block-mysql-dump-in-pods
  namespace: bookstore        # Change your namespace
spec:
  tags: ["mysql","system","K8s"]
  message: "Warning! MySQLdump is blocked"
  selector:      
    matchLabels:        
      app: mysql     #change with your own label    
  process:      
    matchPaths:      
    - path: /usr/bin/mysqldump    
    action: Block    
    severity: 6

Note: run kubectl get po -n bookstore --show-labels in the terminal to get the labels of the pods. Check the labels carefully: a policy whose selector matches no pod is accepted by the API server without complaint and protects nothing.
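The copy-and-edit step above is easy to get subtly wrong. The script below is an added example, not code from the original post or from the policy-templates repository: adapt_template and pods_with_label are hypothetical helpers that rewrite a single-selector template (the KubeArmor ones) to a target namespace and label, and check that label against the output of kubectl get po --show-labels before anything is applied. The template and pod listing embedded here are constructed copies of what this post shows above, so the script runs offline.

```shell
#!/usr/bin/env bash
# Adapt a policy-templates YAML to a namespace and pod label, and confirm the
# label selects a Running pod before applying it. Added example; helper names
# are hypothetical. A selector that matches nothing silently protects nothing.
set -euo pipefail

# adapt_template FILE NAMESPACE LABEL_KEY LABEL_VALUE
# Rewrites metadata.namespace and the single key under selector.matchLabels,
# dropping the template's "# change ..." comments on those lines. Meant for
# templates with one selector, such as the KubeArmor ones; prints to stdout.
adapt_template() {
  local file="$1" ns="$2" key="$3" value="$4"
  awk -v ns="$ns" -v key="$key" -v value="$value" '
    /^  namespace:/            { print "  namespace: " ns; next }
    /^    matchLabels:/        { print "    matchLabels:"; in_labels = 1; next }
    in_labels && /^      [^ ]/ { print "      " key ": " value; in_labels = 0; next }
    { print }
  ' "$file"
}

# pods_with_label FILE KEY=VALUE
# FILE holds the output of "kubectl get po -n <ns> --show-labels"; prints the
# names of Running pods carrying KEY=VALUE (labels are the last column).
pods_with_label() {
  local file="$1" label="$2"
  awk -v label="$label" '
    NR == 1 { next }                          # header line
    $3 == "Running" {
      n = split($NF, parts, ",")
      for (i = 1; i <= n; i++) if (parts[i] == label) print $1
    }
  ' "$file"
}

# Constructed inputs: the template as shown above, and pod output in the same
# shape as "kubectl get po -n bookstore --show-labels".
TPL=$(mktemp); PODS=$(mktemp)
trap 'rm -f "$TPL" "$PODS"' EXIT
cat > "$TPL" <<'EOF'
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-block-mysql-dump-in-pods
  namespace: default        # Change your namespace
spec:
  tags: ["mysql","system","K8s"]
  message: "Warning! MySQLdump is blocked"
  selector:
    matchLabels:
      app: testpod    #change with your own label
  process:
    matchPaths:
    - path: /usr/bin/mysqldump
    action: Block
    severity: 6
EOF
cat > "$PODS" <<'EOF'
NAME                                 READY   STATUS    RESTARTS   AGE   LABELS
mysql-68579b78bb-gmn8z               1/1     Running   0          32m   app=mysql,pod-template-hash=68579b78bb
online-book-store-74b96f565f-qb88p   1/1     Running   0          29m   app=bookstore,pod-template-hash=74b96f565f
EOF

# Only emit (and, on a real cluster, apply) the policy when its selector
# really matches something.
if [ -n "$(pods_with_label "$PODS" app=mysql)" ]; then
  adapt_template "$TPL" bookstore app mysql    # | kubectl apply -f -   on a real cluster
else
  echo "label app=mysql matches no Running pod; not applying" >&2
fi
```

On a real cluster, pipe the adapted YAML into kubectl apply -f - and then verify enforcement rather than trusting the apply: exec into the MySQL pod and run mysqldump; with the policy in place the execution should be refused with Permission denied, and the KubeArmor CLI (karmor logs) shows the alert carrying the policy's message.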

Conclusion

Using the AccuKnox open-source tools, an organization can achieve cloud runtime security: the KubeArmor and Cilium enforcement engines apply policies to cloud workloads while they are running.

AccuKnox protects Kubernetes and other cloud workloads in minutes using kernel-native primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your cloud security program.
