Monitor apps security
Duration: 5 min | Persona: Apps Operator
In this section, you will monitor security features such as Network Policies and Service requests of your apps in the Google Cloud console.
Initialize variables:
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.shIn the Google Cloud console, navigate to Anthos > Security > Policy Audit and filter for example by onlineboutique Namespace to see that the 3 security features Kubernetes Network policy, Service access control and mTLS status are enabled in green:
Click on the link displayed by the command below:
echo -e "https://console.cloud.google.com/anthos/security/policy-summary?project=${TENANT_PROJECT_ID}"Select the onlineboutique Namespace on the Policy audit tab:
Select the frontend Workload to open a more detailed view:
From this view you could gain more visibility about Inbound denials or Outbound denials for both Network policy requests (NetworkPolicies) or Service requests (AuthorizationPolicies).
You could also leverage the gcloud commands below to get such insights.
Run this command to get the Service requests denied for the last hour for the onlineboutique Namespace:
filter="resource.type=\"k8s_container\" "\
"logName=\"projects/${TENANT_PROJECT_ID}/logs/server-accesslog-stackdriver\" "\
"(httpRequest.status=\"403\" OR labels.response_details=\"AuthzDenied\") "\
"labels.destination_namespace=\"${ONLINEBOUTIQUE_NAMESPACE}\""
gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h "$filter"Run this command to get the Network policy requests denied for the last hour for the onlineboutique Namespace:
filter="resource.type=\"k8s_node\" "\
"logName=\"projects/${TENANT_PROJECT_ID}/logs/policy-action\" "\
"jsonPayload.disposition=\"deny\" "\
"jsonPayload.dest.pod_namespace=\"${ONLINEBOUTIQUE_NAMESPACE}\" "\
"resource.labels.cluster_name=\"${GKE_NAME}\""
gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h "$filter"You could explore all of this for all the other Namespaces too.