Monitor apps security
Duration: 5 min | Persona: Apps Operator
In this section, you will monitor security features such as Network Policies and Service requests of your apps in the Google Cloud console.
Initialize variables:
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
In the Google Cloud console, navigate to Anthos > Security > Policy Audit and filter, for example, by the onlineboutique Namespace to see that the 3 security features (Kubernetes Network policy, Service access control and mTLS status) are enabled in green:
Click on the link displayed by the command below:
echo -e "https://console.cloud.google.com/anthos/security/policy-summary?project=${TENANT_PROJECT_ID}"
Select the onlineboutique Namespace on the Policy audit tab:
Select the frontend Workload to open a more detailed view:
From this view you can gain more visibility into Inbound denials and Outbound denials, both for Network policy requests (NetworkPolicies) and for Service requests (AuthorizationPolicies).
You can also use the gcloud commands below to get the same insights from the command line.
Run this command to get the Service requests denied during the last hour for the onlineboutique Namespace:
filter="resource.type=\"k8s_container\" "\
"logName=\"projects/${TENANT_PROJECT_ID}/logs/server-accesslog-stackdriver\" "\
"(httpRequest.status=\"403\" OR labels.response_details=\"AuthzDenied\") "\
"labels.destination_namespace=\"${ONLINEBOUTIQUE_NAMESPACE}\""
gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h "$filter"
Run this command to get the Network policy requests denied during the last hour for the onlineboutique Namespace:
filter="resource.type=\"k8s_node\" "\
"logName=\"projects/${TENANT_PROJECT_ID}/logs/policy-action\" "\
"jsonPayload.disposition=\"deny\" "\
"jsonPayload.dest.pod_namespace=\"${ONLINEBOUTIQUE_NAMESPACE}\" "\
"resource.labels.cluster_name=\"${GKE_NAME}\""
gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h "$filter"
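Both gcloud commands above print raw log entries. The Python script below is an added example, not part of the workshop: it reads the output of either command when run with --format=json (for example: gcloud logging read --project $TENANT_PROJECT_ID --freshness 1h --format=json "$filter" | python3 denied.py onlineboutique), applies the same denial conditions the two filters use (403 / AuthzDenied for Service requests, disposition=deny for Network policy requests) and counts denials per source and destination, so repeated denials stand out. The field names source_workload, destination_workload, src.pod_name, dest.pod_name and connection.dest_port are assumptions about the log schemas (only the fields used in the workshop filters are taken from the page), and the sample entries embedded in the script are constructed.

```python
"""Summarize denied Service and Network policy requests from Cloud Logging.

Added example for the workshop page (not workshop code). Reads the JSON
array printed by `gcloud logging read ... --format=json`, keeps entries aimed
at one Namespace, and counts denials per (kind, source, destination).
Assumed log fields: labels.source_workload / destination_workload (ASM
access log), jsonPayload.src / dest / connection (policy-action log).
"""
import json
import sys
from collections import Counter

# Constructed sample output (project, cluster and pod names are placeholders):
# a denied service request, an allowed one, a denied network policy connection
# in onlineboutique and a denied one aimed at another Namespace.
SAMPLE_ENTRIES_JSON = r"""
[
 {"resource": {"type": "k8s_container"},
  "logName": "projects/example-project/logs/server-accesslog-stackdriver",
  "httpRequest": {"status": 403, "requestMethod": "GET", "requestUrl": "/cart"},
  "labels": {"response_details": "AuthzDenied",
             "source_namespace": "onlineboutique", "source_workload": "loadgenerator",
             "destination_namespace": "onlineboutique", "destination_workload": "cartservice"}},
 {"resource": {"type": "k8s_container"},
  "logName": "projects/example-project/logs/server-accesslog-stackdriver",
  "httpRequest": {"status": 200, "requestMethod": "GET", "requestUrl": "/"},
  "labels": {"source_namespace": "onlineboutique", "source_workload": "frontend",
             "destination_namespace": "onlineboutique", "destination_workload": "productcatalogservice"}},
 {"resource": {"type": "k8s_node", "labels": {"cluster_name": "example-cluster"}},
  "logName": "projects/example-project/logs/policy-action",
  "jsonPayload": {"disposition": "deny",
                  "src": {"pod_name": "loadgenerator-abc", "pod_namespace": "onlineboutique"},
                  "dest": {"pod_name": "redis-cart-xyz", "pod_namespace": "onlineboutique"},
                  "connection": {"dest_port": 6379, "protocol": "tcp", "direction": "ingress"}}},
 {"resource": {"type": "k8s_node", "labels": {"cluster_name": "example-cluster"}},
  "logName": "projects/example-project/logs/policy-action",
  "jsonPayload": {"disposition": "deny",
                  "src": {"pod_name": "frontend-def", "pod_namespace": "onlineboutique"},
                  "dest": {"pod_name": "debug-pod", "pod_namespace": "default"},
                  "connection": {"dest_port": 8080, "protocol": "tcp", "direction": "ingress"}}}
]
"""


def load_entries(text=SAMPLE_ENTRIES_JSON):
    """Parse the JSON array that `gcloud logging read --format=json` prints."""
    return json.loads(text)


def destination_namespace(entry):
    """Namespace the request or connection was aimed at, for either log type
    (mirrors labels.destination_namespace / jsonPayload.dest.pod_namespace
    in the workshop filters)."""
    if entry.get("resource", {}).get("type") == "k8s_container":
        return entry.get("labels", {}).get("destination_namespace")
    return entry.get("jsonPayload", {}).get("dest", {}).get("pod_namespace")


def classify_denial(entry):
    """Return (kind, source, destination) for a denied entry, else None.
    kind is "service" (AuthorizationPolicy: 403 or AuthzDenied) or
    "network-policy" (NetworkPolicy: disposition=deny)."""
    log_name = entry.get("logName", "")
    if log_name.endswith("/logs/server-accesslog-stackdriver"):
        labels = entry.get("labels", {})
        status = entry.get("httpRequest", {}).get("status")
        # Same condition as the workshop's Service-request filter.
        if status == 403 or labels.get("response_details") == "AuthzDenied":
            src = f"{labels.get('source_namespace')}/{labels.get('source_workload')}"
            dst = f"{labels.get('destination_namespace')}/{labels.get('destination_workload')}"
            return ("service", src, dst)
    elif log_name.endswith("/logs/policy-action"):
        payload = entry.get("jsonPayload", {})
        # Same condition as the workshop's Network-policy filter.
        if payload.get("disposition") == "deny":
            src, dst, conn = (payload.get(k, {}) for k in ("src", "dest", "connection"))
            return ("network-policy",
                    f"{src.get('pod_namespace')}/{src.get('pod_name')}",
                    f"{dst.get('pod_namespace')}/{dst.get('pod_name')}:{conn.get('dest_port')}")
    return None


def summarize_denials(entries, namespace):
    """Count denials aimed at `namespace`, keyed by (kind, source, destination)."""
    counts = Counter()
    for entry in entries:
        if destination_namespace(entry) != namespace:
            continue
        key = classify_denial(entry)
        if key is not None:
            counts[key] += 1
    return counts


def main():
    # Usage: gcloud logging read ... --format=json | python3 denied.py onlineboutique
    # Without piped input the constructed sample is summarized instead.
    namespace = sys.argv[1] if len(sys.argv) > 1 else "onlineboutique"
    entries = load_entries(sys.stdin.read()) if not sys.stdin.isatty() else load_entries()
    for (kind, src, dst), n in sorted(summarize_denials(entries, namespace).items()):
        print(f"{n:4d}  {kind:15s} {src} -> {dst}")


if __name__ == "__main__":
    main()
```

The script keeps the Namespace restriction out of the gcloud filter deliberately: run one unfiltered read per log type, then summarize any Namespace you want from the saved JSON, which is cheaper than re-querying Cloud Logging for each one.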
You can explore all of this for the other Namespaces too.