How to Apply Fine-Grained Security Control to a Container Platform Using Container Firewall

By Victor Mak, Lead Solutions Architect, Alibaba Cloud Intelligence International Macau

Background Information

During the pandemic, more enterprises strengthened their beliefs and quickened their paces in cloud migration and digital transformation. They actively explored the implementation of cloud-native architecture transformation. Container technologies represented by Kubernetes became a new interface for cloud computing. However, container security encountered several challenges:

Fine-Grained Access Control: How to define security control policies in a container environment to grant or deny access to those microservices within a single cluster
Visualization: How to visualize and manage thousands of microservices traffic in a single graphical user interface, discover malicious traffic, and apply security policies
Operation: How to simplify the container security operation without maintaining complex container security suites, such as Istio or other solutions built on top of Kubernetes

Alibaba Cloud Container Security Solution

Alibaba Cloud Security Center container security modules allow you to detect and prevent intrusions. The modules cover the whole container lifecycles. It ensures the security of container images during container creation. It checks container configurations during container deployment by using a baseline check. It detects and prevents intrusions during the running of containers. Please refer to the Container Security Alibaba Cloud documentation for more information.

This article focuses on two container security modules:

Container Firewall allows you to apply fine-grained security control to your container environment.
Container Visualization allows you to visualize a container network and centralized management of container assets.

Best Practice for Container Fine-Grained Security Control

The section below describes how to build fine-grained security control on your container platform based on Alibaba Cloud best practices step by step:

Enable the Container Firewall feature in Alibaba Cloud Security Center
Define the fine-grained security policies in Container Firewall
Enable the Container visualization feature to visualize the container network

Microservices Architecture Diagram

The following figure illustrates the microservices architecture to demonstrate the container security features:

Three services were deployed in Alibaba Cloud Container Services (ACK) in this demonstration:

Hello is a core service with response simple http response
Frontend is an NGINX proxy service that proxies Hello services response
DMZ is a Linux-based container with a curl command to simulate HTTP requests.

Microservices Deployment Details

1. Hello service YAML file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  labels:
    app: hello
spec:
  selector:
    matchLabels:
      app: hello
  replicas: 3
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
        - name: hello
          image: "gcr.io/google-samples/hello-go-gke:1.0"
          ports:
            - name: http
              containerPort: 80

2. Frontend service YAML file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  labels:
    app: frontend
spec:
  selector:
    matchLabels:
      app: frontend
  replicas: 1
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
        - name: frontend
          image: "gcr.io/google-samples/hello-frontend:1.0"
          lifecycle:
            preStop:
              exec:
                command: ["/usr/sbin/nginx","-s","quit"]

3. DMZ service YAML file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dmz
  labels:
    app: dmz
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dmz
  template:
    metadata:
      labels:
        app: dmz
    spec:
      containers:
        - name: dmz
          image: "bitnami/nginx"

Prerequisites

Before you begin, make sure:

You have an Alibaba Cloud account. If you do not have an account, sign up with Alibaba Cloud and add a payment method
You have an existing Alibaba Cloud Container Service (ACK) environment and have deployed the three services YAML file listed above

Step 1: Enable the Container Firewall Feature in Alibaba Cloud Security Center

Since Container Security is only available in Alibaba Cloud Security Center Ultimate Edition, customers need to upgrade/purchase this edition to protect their container environment:

1. Log on to the Security Center console

2. On the Overview page, click Immediate Purchase:

3. Select the Ultimate (Container Security) and the number of CPU Cores (vCore) and then click Buy Now:

4. After enabling Security Center Ultimate Edition, make sure your Alibaba Cloud Container Service (ACK) worker nodes have already installed Security Center Agent with Ultimate Edition:

5. If you have not completed Step 4, you can follow the installation guide listed on the Agent page under Settings:

Step 2: Define Fine-Grained Security Policies in Container Firewall

1. Add a protection object on the Container Firewall Object page under Defense:

2. Configure the parameters on the Add Network Object panel. (Remark: The AppName is the tag whose tag is an app in the cluster. Fuzzy matching is supported. Example: a):

3. We added three network objects in this demonstration:

4. After you have added a protection object, you must create a defense rule to filter the traffic destined for container images. Then, click Rule Management under Protection Management:

5. Click Create Rule:

6. Define Rule name and select the source network object we created before:

7. Select destination network object and then fill in Port, Action, Rule Status, and Priority:

8. According to the demonstration diagram, we need to define four rules:

Frontend can access with hello
DMZ can access with Frontend
DMZ can access hello with alerts (with higher priority)
DMZ cannot directly access hello (with lower priority)

9. After configuring the security rules, enable container cluster level protection by toggling defensive status on the Protection management page:

Step 3: Enable the Container Visualization Feature to Visualize the Container Network

1. Navigate to the Radar page under Overview and double-check the container cluster:

2. Select Activate Now to activate the network visualization feature:

3. After activation, you can browse container network topology in a single graphical user interface:

Verify the Result

1. Log in to the DMZ container using the kubectl exec command and use curl to trigger the HTTP request:

2. According to the policies we defined above, DMZ should be able to access hello. Security Center should address any related alarms.

3. Change alert rule status to Disabled:

4. The DMZ container should not be able to access hello directly:

5. The alarm shows the Container Firewall should change from Alert to Intercept:

6. You can also view the container network flow between the three services on the Radar page:

Community

How to Apply Fine-Grained Security Control to a Container Platform Using Container Firewall

Background Information

Alibaba Cloud Container Security Solution

Best Practice for Container Fine-Grained Security Control

Microservices Architecture Diagram

Microservices Deployment Details

Prerequisites

Step 1: Enable the Container Firewall Feature in Alibaba Cloud Security Center

Step 2: Define Fine-Grained Security Policies in Container Firewall

Step 3: Enable the Container Visualization Feature to Visualize the Container Network

Verify the Result

Read previous post:

Read next post:

Alibaba Cloud Community

You may also like

Comments

Alibaba Cloud Community

Related Products

Microservices Engine (MSE)

ACK One

Security Solution

Security Overview