Monitor apps security

Duration: 5 min | Persona: Apps Operator

In this section, you will monitor security features such as Network Policies and Service requests of your apps in the Google Cloud console.

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh

In the Google Cloud console, navigate to Anthos > Security > Policy Audit and filter, for example, by the onlineboutique Namespace to confirm that the 3 security features (Kubernetes Network policy, Service access control and mTLS status) are shown as enabled in green:

Click on the link displayed by the command below:

echo -e "https://console.cloud.google.com/anthos/security/policy-summary?project=${TENANT_PROJECT_ID}"

Select the onlineboutique Namespace on the Policy audit tab: Anthos Security overview for Online Boutique

Select the frontend Workload to open a more detailed view: Anthos Security details for Online Boutique

This view shows Inbound denials and Outbound denials for both Network policy requests (NetworkPolicies) and Service requests (AuthorizationPolicies).

You could also leverage the gcloud commands below to get such insights.

Run this command to get the Service requests denied for the last hour for the onlineboutique Namespace:

filter="resource.type=\"k8s_container\" "\
"logName=\"projects/${TENANT_PROJECT_ID}/logs/server-accesslog-stackdriver\" "\
"(httpRequest.status=\"403\" OR labels.response_details=\"AuthzDenied\") "\
"labels.destination_namespace=\"${ONLINEBOUTIQUE_NAMESPACE}\""

gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h "$filter"

Run this command to get the Network policy requests denied for the last hour for the onlineboutique Namespace:

filter="resource.type=\"k8s_node\" "\
"logName=\"projects/${TENANT_PROJECT_ID}/logs/policy-action\" "\
"jsonPayload.disposition=\"deny\" "\
"jsonPayload.dest.pod_namespace=\"${ONLINEBOUTIQUE_NAMESPACE}\" "\
"resource.labels.cluster_name=\"${GKE_NAME}\""

gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h "$filter"
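The two queries above return raw log entries, which is hard to read once more than a handful of denials show up. The script below is an added example, not part of the workshop: it wraps both Cloud Logging filters (same terms as above) in reusable functions, and adds a small aggregator that turns a source/destination listing into a "count source -> destination" summary so you can see at a glance which workload pairs are being denied. The sample input is constructed; in practice you would feed it from `gcloud logging read ... --format='value(...)'`, and the label names `source_workload`/`destination_workload` used in the comment are assumed from the service mesh access log format, not taken from this page.

```shell
#!/usr/bin/env sh
# Added example for the workshop page: summarize denied requests per
# source -> destination pair. Not the workshop's own code.
set -e

# Cloud Logging filter for denied Service requests (AuthorizationPolicies),
# same terms as the workshop query, parameterized by project and namespace.
authz_denied_filter() {
  project="$1"; namespace="$2"
  printf 'resource.type="k8s_container" logName="projects/%s/logs/server-accesslog-stackdriver" (httpRequest.status="403" OR labels.response_details="AuthzDenied") labels.destination_namespace="%s"' \
    "$project" "$namespace"
}

# Cloud Logging filter for denied Network policy requests (NetworkPolicies),
# parameterized by project, namespace and GKE cluster name.
netpol_denied_filter() {
  project="$1"; namespace="$2"; cluster="$3"
  printf 'resource.type="k8s_node" logName="projects/%s/logs/policy-action" jsonPayload.disposition="deny" jsonPayload.dest.pod_namespace="%s" resource.labels.cluster_name="%s"' \
    "$project" "$namespace" "$cluster"
}

# Read "source<TAB>destination" lines on stdin and print
# "<count> <source> -> <destination>", highest count first, ties by name.
summarize_pairs() {
  awk -F'\t' 'NF >= 2 { n[$1 " -> " $2]++ }
              END { for (k in n) printf "%d %s\n", n[k], k }' \
    | sort -k1,1nr -k2
}

# Constructed sample input (assumption: this is the shape you would get from
#   gcloud logging read --project "$TENANT_PROJECT_ID" --freshness 1h "$filter" \
#     --format='value(labels.source_workload,labels.destination_workload)'
# where source_workload/destination_workload are assumed access-log labels).
sample_pairs() {
  printf 'loadgenerator\tfrontend\nloadgenerator\tfrontend\ncheckoutservice\tcartservice\n'
}

# Usage: sh summarize_denials.sh --demo   (prints the summary of the sample)
if [ "${1:-}" = "--demo" ]; then
  echo "Filter: $(authz_denied_filter "${TENANT_PROJECT_ID:-my-project}" "${ONLINEBOUTIQUE_NAMESPACE:-onlineboutique}")"
  sample_pairs | summarize_pairs
fi
```

To use it against live data, replace `sample_pairs` with the `gcloud logging read` call using `"$(authz_denied_filter "$TENANT_PROJECT_ID" "$ONLINEBOUTIQUE_NAMESPACE")"` (or `netpol_denied_filter`, with `jsonPayload.src.pod_name` and `jsonPayload.dest.pod_name` as the value fields, assuming those are the field names in your policy-action entries) and pipe the tab-separated output into `summarize_pairs`. A pair that keeps appearing is either a policy that is too strict for a legitimate caller or a caller that should not be reaching that service at all; both are worth a look.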

You could explore all of this for all the other Namespaces too.