Security in Microservices - Slides
SLIDE DECK: MODULE 07 (NEW) - SECURITY IN MICROSERVICES - V2.0 (FRESHER-OPTIMIZED)
Total Duration: 120 minutes (Concept/Lecture/Demo) Audience: Fresher/Employee (Completed Modules 01-06)
Slide 1: Title Page
- Content:
- (Company / Training Unit Logo)
- MODULE 07: SECURITY IN MICROSERVICES
- Perimeter Security, Service Trust & Secrets Management
- Tools: Kong (AuthN/AuthZ), mTLS, Secrets Management
- Trainer: (Your Name)
- Date: (Training Date)
- Visualization: *
[Image of a castle with multiple layers of defense]
* Key visual: A "castle" (the system) protected by multiple layers:
1. **Main Gate:** `[Kong Gateway (AuthN/AuthZ)]`
2. **Guards (Service Trust):** `[Service A] <--(mTLS/JWT)--> [Service B]`
3. **Treasury (Secrets):** `[Docker/K8s Secrets]` (holding DB passwords)
- Instructor Script:
- "Welcome to Module 07. This is the 'final piece' and the most important one. We have built a 'castle' (system) that is 'Safe' (SAGA), 'Fast' (Cache), and 'Visible' (O11y)."
- "But we haven't 'locked the gate.' Anyone can walk right into our API. Our services are 'talking' to each other without 'verifying' identities. DB passwords are 'left out' in
.envfiles." - "Today, we learn how to 'Secure' our microservice system. We'll learn to 'lock the gate' (Kong Auth), 'verify the guards' (S2S Trust), and 'secure the treasury' (Secrets Management)."
Slide 2: Session Agenda (Updated V2.0)
- Content:
- AGENDA (120 MINUTES)
- P1. The Problem: AuthN/AuthZ in Monoliths (FastAPI) vs. Microservices
- P2. Layer #1: Perimeter Security (Gateway)
- (Demo) Kong OSS:
JWT Plugin(AuthN) +ACL Plugin(AuthZ)
- (Demo) Kong OSS:
- P3. Layer #2: Service-to-Service (S2S) Trust
- Concepts: mTLS (via Service Mesh) vs. Internal JWT (S2S Accounts)
- "Zero Trust" & Safe Token Propagation.
- P4. Layer #3: Secrets Management
- Why
.envis "bad". - Solution:
Docker Secrets&K8s Secrets(Base64 != Encrypt) - Concept: Rotation.
- Why
- P5. Layer #4: Secure Observability & Hardening [Upgraded]
- (Connect M05) Secure Logging: Mask PII, don't log tokens.
- (Connect M03/06) Hardening: RabbitMQ/Redis TLS & ACLs.
- P6. Summary: The New Security Rubric for the Final Project.
- Visualization:
- A 6-step timeline, designed like the 4 "layers" of an onion. P2 (Gateway) and P3 (S2S) are the focus.
- Instructor Script:
- "Our agenda will move 'from the outside in'."
- "P1: We'll see why
Depends(get_current_user)(from FastAPI) is 'not enough' for microservices." - "P2: We 'lock the main gate' (Kong OSS) with
JWT(authentication) andACL(authorization). P3: We 'teach' services to 'trust' each other (Internal JWT). P4: We 'lock' our DB passwords inDocker Secrets." - "P5: We ensure our 'security cameras' (O11y) don't 'record' (log) 'passwords' (PII). Finally, the new Rubric for the Final Project."
Slide 3: Learning Objectives (Updated V2.0)
- Content:
- OBJECTIVES (AFTER THIS MODULE, YOU WILL BE ABLE TO...)
- 1. Explain: The distributed security risks (Gateway, S2S, Secrets, Logging).
- 2. Implement: Configure Kong OSS using the
JWT Plugin(AuthN) andACL Plugin(AuthZ by group). [Upgraded] - 3. Distinguish: S2S trust strategies (like mTLS vs. Internal JWT with JWKS/short TTL). [Upgraded]
- 4. Design: A "Secure Logging" process (mask PII, don't log tokens, do log
trace_id&subject). - 5. Identify: How to use
Docker/K8s Secretsand understand whyBase64 != Encryption. [Upgraded]
- Visualization:
- 5 icons: [Icon: Brain (Explain)], [Icon: Kong Logo + ACL (Implement)], [Icon: Fork/Split (Distinguish)], [Icon: Secure Log (Design)], [Icon: Docker/K8s Logo (Identify)].
- Instructor Script:
- "This is our commitment. After this module, you must be able to 'Explain' why microservice security is 'hard' (Objective 1)."
- "Most importantly, Objective 2: You must be able to 'configure' Kong OSS using JWT (for auth) and ACL (for group authorization). We will focus on the free version."
- "You must 'Distinguish' mTLS from Internal JWT (Objective 3), 'Design' a 'clean' log (Objective 4) and 'know' how to use Docker Secrets (Objective 5)."
Slide 4: P1 - Problem: AuthN/AuthZ in Monoliths vs. Microservices
- Content:
- P1: WHY ISN'T THE OLD AUTHN/AUTHZ "ENOUGH"?
- Monolith Scenario (FastAPI):
- Client sends JWT Token.
- API (FastAPI) receives Token.
- Middleware/Dependency (
Depends(get_current_user)) itself verifies the Token signature -> Getsuser_id. - Simple, works great.
- Microservice Scenario (The Black Box):
Client -> [Kong] -> [Order Svc] -> [Payment Svc]
- THE 5 "DEADLY" QUESTIONS:
- Who should 'verify' the JWT?
Kong? Or all 10 services (repeating code)? - Trust:
Order SvccallsPayment Svc. How doesPayment Svcknow (trust) it's theOrder Svc(a colleague) and not a Hacker? - Propagate:
Order Svcknowsuser_id="123". How doesPayment Svc(in step 2) know this transaction is foruser_id="123"? (Token Propagation). - Secrets: Where are the passwords for the 10 databases 'stored'?
- Logging: Does the log
trace_id="abc"also 'log' the full JWT Token? (Leakage).
- Who should 'verify' the JWT?
- Visualization: *
- Diagram 1 (Monolith):
[Client] -> [FastAPI (Verify JWT)] -> [DB]. (Simple). - Diagram 2 (Microservice):
[Client] -> [Kong] -> [Order] -> [Payment]. - 5 [Icon: Question Mark] are placed on 5 "blind spots" (locations) on Diagram 2, corresponding to the 5 questions.
- Diagram 1 (Monolith):
- Instructor Script:
- "In the FastAPI course, you learned
Depends(get_current_user). It's excellent... for a Monolith." - "But in a Microservice, [Point to Diagram 2] it creates 5 'deadly questions'."
- "1. Who 'checks' the token? Kong, or all 10 services?"
- "2. [EMPHASIZE]
Order ServicecallsPayment. DoesPayment'trust'Order? Or is it 'open' to the world?" - "3.
Orderknows theuser_id. How doesPaymentknow? (Token Propagation)." - "4. Where are the DB passwords? 5. Did you 'accidentally' log the JWT Token to Kibana?"
- "This module will answer all 5 questions."
- "In the FastAPI course, you learned
Slide 5: Section Introduction - Layer #1: Perimeter Security
- Content:
- 01. LAYER #1: PERIMETER SECURITY (GATEWAY)
- Locking the Main Gate
- Visualization:
- Section introduction slide with title and subtitle against background.
- Visual emphasis on "Gateway" and "Kong" as the entry point.
- Instructor Script:
- "We're now entering the first layer of our security castle: the Gateway."
- "This is where we 'lock the main gate' and control who gets in."
- "We'll use Kong OSS to implement Authentication and Authorization at the perimeter."
Slide 6: P2 - Layer #1: Perimeter Security (Kong OSS) (UPGRADED)
- Content:
- LAYER #1: PERIMETER SECURITY (GATEWAY)
- Philosophy: "Don't trust Clients. Authenticate (AuthN) and Authorize (AuthZ) AT THE GATE."
- Tools (Kong OSS):
- 1. AuthN (Authentication):
JWT Plugin- Job: 'Verify' the JWT signature.
- Flow: Client (User
Alice) -> Send JWT -> Kong (Verify OK) ->X-Consumer-Username: Alice(Header) ->Order Svc.
- 2. AuthZ (Authorization):
ACL Plugin(Access Control List)- Job: Authorize based on 'Groups'.
- Flow (Setup):
- Create Consumer
Alice. - Create a "Group" for Alice:
POST /consumers/Alice/acls(Body:group=billing-admin) - "Lock" a Route (e.g.,
POST /refund): Require 'Group'billing-admin.
- Create Consumer
- Flow (Runtime):
Alice(inbilling-admin) callsPOST /refund-> OK (200).Bob(inuser) callsPOST /refund-> FAILED (403 Forbidden).
- 1. AuthN (Authentication):
- Note (Advanced):
- Fine-grained authorization (by
scope) often requires Kong Enterprise (OIDC Plugin) or Custom Plugins.
- Fine-grained authorization (by
- Visualization: *
- A 3-step diagram (OSS Version):
[Client (No JWT)] -> [Kong (JWT Plugin)] -> [STOP (401 Unauthorized)][User Bob (Group='user')] -> [Kong (ACL Plugin 'billing-admin')] -> [STOP (403 Forbidden)][User Alice (Group='billing-admin')] -> [Kong (ACL Plugin 'billing-admin')] -> [PASS] -> [Refund Service]
- A 3-step diagram (OSS Version):
- Instructor Script:
- "Answering question 1: 'Who verifies?' The answer: Kong."
- "With Kong OSS (free), we use 2 plugins."
- "One:
JWT Pluginfor 'Authentication' (AuthN). [Point to step 1] No JWT, Kong 'blocks' with 401." - "Two:
ACL Pluginfor 'Authorization' (AuthZ). [Point to steps 2, 3] We create 'Groups' (e.g.,billing-admin). We 'lock' the/refundAPI to only this group. UserBob(in groupuser) calls -> 403. UserAlice(in groupbilling-admin) calls -> 200." - "This method is simple and effective for Freshers. Fine-grained 'scope' (OIDC) authorization usually requires the Enterprise version or custom plugins."
Slide 7: P2 (Continued) - Token Propagation (UPGRADED)
- Content:
- THE PROBLEM: PROPAGATING USER CONTEXT
- Bad Solution (Anti-Pattern): Propagate the entire User JWT everywhere.
- Risk:
Inventory Service'accidentally' logs the JWT -> Hacker 'steals' the token.
- Risk:
- Good Solution (Fresher-Friendly):
- Kong (Gateway): 'Verifies' JWT (JWT Plugin) -> 'Injects'
X-Consumer-Username: "alice"Header. (Kong OSS can do this) Order Service(Edge Service): ReceivesX-Consumer-Username: "alice".Order Service(Async): When sending a RabbitMQ Message:- Do not propagate the JWT.
- Pass the
user_id(orusername) in the Message Body (or a safe header). body = {"order_id": 1, "total": 100, "user_id": "alice"}
Payment Service(Internal): Receives the Message, trusts theuser_idin the message (because it came fromOrder Service- which was S2S trusted).
- Kong (Gateway): 'Verifies' JWT (JWT Plugin) -> 'Injects'
- Visualization: *
- Diagram 1 (Bad):
[JWT (Alice)] -> [Kong] -> [Order (JWT)] -> [Payment (JWT)] -> [Inventory (JWT)](Token is everywhere - X mark). - Diagram 2 (Good):
[JWT (Alice)] -> [Kong (Verify)](JWT is 'stripped').[Kong] -> (Header: X-Consumer-Username: "alice") -> [Order]->(Message: {..., user_id: "alice"}) -> [Payment].
- Diagram 1 (Bad):
- Instructor Script:
- "This is question 3. How does
Payment Service(at the end of the SAGA) know who placed the order?" - "Bad Way: [Point to Diagram 1] 'Throw' the original User JWT (Alice's) all over the system. This is a 'security nightmare'."
- "Good Way (for Kong OSS): [Point to Diagram 2]
Kong(the gate) 'verifies' the JWT, then 'throws it away.' But, it 'injects' a safe headerX-Consumer-Username: "alice"(this is a feature of the JWT Plugin)." - "
Order Service(the 'edge' service) 'reads' this header. When it 'sends' the async RabbitMQ message, it 'copies' thatuser_idinto the message 'body.' NowPaymentknows theuser_idwithout ever seeing the original JWT."
- "This is question 3. How does
Slide 8: Section Introduction - Layer #2: Service-to-Service Trust
- Content:
- 02. LAYER #2: SERVICE-TO-SERVICE TRUST
- Zero Trust Between Internal Services
- Visualization:
- Section introduction slide with title and subtitle.
- Visual emphasis on "S2S Trust" and "Zero Trust" concepts.
- Instructor Script:
- "Moving deeper into our castle, we reach the second layer: Service-to-Service Trust."
- "Here, we ensure that services verify each other's identity before communicating."
- "We'll explore mTLS and Internal JWT strategies for building trust."
Slide 9: P3 - Layer #2: Service-to-Service (S2S) Trust (UPGRADED)
- Content:
- LAYER #2: SERVICE-TO-SERVICE TRUST (ZERO TRUST)
- Problem:
Payment Servicecannot tell the difference betweenOrder Serviceand aHacker. - "Zero Trust" Philosophy: "Trust no one, not even colleagues. Always verify."
- Solution 1: mTLS (Mutual TLS) - "Show me your ID card"
- How: Both services (Client A and Server B) must present a valid Certificate to each other.
- When: Extremely secure. Often automated by a Service Mesh (Istio/Linkerd).
- Solution 2: Internal JWT (Service Accounts) - "Tell me the password"
- How:
Order Service(using its Service Account) 'creates' a JWT (5 min TTL) -> Signs it. Payment Service'receives' the JWT -> 'Verifies' the signature (using Order Svc's Public Key).- Best Practice:
- Use JWKS (JSON Web Key Set):
Paymentauto-fetches the Public Key from a/.well-known/jwks.jsonendpoint. - Short TTL (<= 5 min) + Key Rotation
- Use JWKS (JSON Web Key Set):
- How:
- Visualization: *
- Diagram 1 (mTLS):
[Order Svc] <-> [Service Mesh Proxy (Istio)] <--(Encrypted)--> [Service Mesh Proxy (Istio)] <-> [Payment Svc]. (Visualizes the 'automation'). - Diagram 2 (JWT):
[Order Svc (Sign JWT, TTL=5m)] -> [Payment Svc (Verify via JWKS)].
- Diagram 1 (mTLS):
- Instructor Script:
- "Okay, we've 'locked the gate' (Kong) for users. Now for 'internal' traffic."
- "[Point to Problem] The problem is: A Hacker 'gets inside' your network, pretends to be
Order Service, and 'calls'Payment Servicedirectly.Payment Servicewill 'obey' (because it 'trusts' all internal calls)." - "The 'Zero Trust' philosophy says: 'No.'
Payment Servicemust ask: 'Are you really theOrder Service?'" - "Way 1: mTLS (Mutual TLS). [Point to Diagram 1] Both sides 'show their ID cards' (Certificates) to 'check' each other. Very secure, very fast, but 'very hard' to set up manually. Usually, you let a 'Service Mesh' like Istio do it 'automatically'."
- "Way 2 (More practical for labs): Internal JWT. [Point to Diagram 2]
Order'signs' a 'secret password' (a 5-min JWT),Payment'checks' the password (via JWKS). In the Final Project, you'll choose one of these."
Slide 10: P3 (Continued) - Additional S2S Considerations
- Content:
- 03. LAYER #3: SECRETS MANAGEMENT
- Protecting the Treasury
- Visualization:
- Section introduction slide with title and subtitle.
- Visual emphasis on "Secrets" and "Vault" concepts.
- Instructor Script:
- "The third layer protects our most valuable assets: the secrets."
- "This is where we secure database passwords, API keys, and other sensitive data."
- "We'll learn why .env files are dangerous and how to properly manage secrets."
Slide 12: P4 - Layer #3: Secrets Management (UPGRADED)
- Content:
- LAYER #3: SECRETS MANAGEMENT
- Problem:
.envand Hard-coding (Risk)db_pass = "my-secret-password-123"(Hard-code) -> Disaster.DB_PASSWORD=...(In.env/docker-compose.yml) -> Better, but:- 'Checked-in' to Git (Disaster).
- Hard to 'Rotate'.
- Solution (Fresher):
Docker Secrets- How (Docker Compose):
- Create file
db_password.txt. docker-compose.ymldeclares the 'secret':secrets:
db_pass_secret:
file: ./db_password.txt
services:
order-service:
secrets: [db_pass_secret]- App (Python) reads the password from a file:
/run/secrets/db_pass_secret.
- Create file
- How (Docker Compose):
- Solution (Production):
K8s Secrets/Vault- K8s Secrets: Mounts the secret into the container.
- Warning: K8s Secrets (by default) are just
Base64(to 'hide'), not Encryption. You needSealed SecretsorVault Injectorfor true security.
- Visualization: *
- Diagram 1 (Bad):
[Git Repo (.env)] -> [Developer (Sees Pass)]. (X mark). - Diagram 2 (Good - Docker):
[db_password.txt (Local)] -> [Docker Engine] -> (Mount as File) -> [App (/run/secrets/db_pass)]. (The.envfile has no password).
- Diagram 1 (Bad):
- Instructor Script:
- "Question 4: Where is the DB password?"
- "If you are 'hard-coding' or 'checking in'
.envfiles to Git, that is a 'disaster'." - "The 'minimum' solution for our Lab is
Docker Secrets. [Point to Diagram 2] You 'declare' the secret indocker-compose.yml. Docker 'mounts' that password into a file at/run/secrets/...inside the container. Your code 'reads' from that file. This way, the password is not in thedocker-compose.yml(which can be checked into Git)." - "[EMPHASIZE] In production (K8s), you'll use 'K8s Secrets.' But remember: K8s Secrets are just 'hidden' (Base64), they are not 'encrypted'. For 'super security,' you need Vault."
Slide 14: Section Introduction - Layer #4: Secure Observability & Hardening
- Content:
- 04. LAYER #4: SECURE OBSERVABILITY & HARDENING
- Protecting the Security Cameras
- Visualization:
- Section introduction slide with title and subtitle.
- Visual emphasis on "O11y Security" and "Hardening" concepts.
- Instructor Script:
- "The final layer ensures that our monitoring tools don't become security vulnerabilities."
- "We'll learn how to log safely without exposing sensitive data."
- "And we'll harden our infrastructure tools like Redis and RabbitMQ."
Slide 15: P5 - Layer #4: Secure Observability & Hardening (UPGRADED)
- Content:
- LAYER #4: SECURE OBSERVABILITY & HARDENING
- Risk 1: Leaking PII/Tokens via Logs
ERROR: Failed. UserToken: "eyJhbG..." Password: "123"('Dirty' log).- Solution (M05): Structured Logging (JSON) + Masking (Logstash)
- Must log
trace_id+subject(userid), _NEVER logtoken.
- Risk 2: Leaking PII via Message Queue (DLQ)
- Failed message (with PII) -> 'pushed' to Dead-Letter-Queue (DLQ).
- Admin 'views' DLQ in RabbitMQ UI -> Sees all customer PII.
- Solution: Do not log the full body of a DLQ message. Must 'redact' PII before logging the error.
- Risk 3: Tool Hardening
- Redis:
- Problem: Default is 'open' (no password).
- Fix: Enable
requirepass(ACL) andTLS.
- RabbitMQ:
- Problem: Using user/pass
guest/guest(only for localhost). - Fix: Create separate user/vhost/permissions for each Producer/Consumer (Principle of 'Least Privilege').
- Problem: Using user/pass
- Redis:
- Visualization: *
- 3 risk diagrams:
[Log (Token)] -> [Kibana (Leaked)](X mark).[Message (PII)] -> [DLQ (Leaked)](X mark).[Redis (Default)]/[RabbitMQ (guest/guest)](X mark).
- (Next to them are solutions: Masking, ACL, TLS).
- 3 risk diagrams:
- Instructor Script:
- "Finally, question 5: Are your 'security cameras' (O11y) 'spying' on you?"
- "Risk 1: [Point to Diagram 1] You 'accidentally' log a JWT Token or Password to Kibana. Disaster. Solution: Use JSON log + Masking (from Module 05)."
- "Risk 2: [Point to Diagram 2] A failed message (with PII) 'lands' in the DLQ. An admin 'views' the DLQ and 'sees' all the PII. Solution: 'Redact' PII before you log the DLQ error."
- "Risk 3: [Point to Diagram 3] Your 'tools' (Redis, RabbitMQ) are 'wide open' (no password, or using
guest/guest). You must enable ACL (passwords) and create separate users for each service."
Slide 16: P6 - Summary: New Security Rubric (For Final Project)
- Content:
- P6: NEW RUBRIC FOR FINAL PROJECT (SECTION E)
- (Module 07/old -> 09/new) Will now include E. Security (15%)
- Checklist (Mandatory):
- 1. Gateway Policies:
[ ](M02) Kong 'protects' at least 1 service with JWT Plugin.[ ](M02) (Bonus) Authorization with ACL Plugin (OSS) (by 'group').
- 2. Service-to-Service Trust:
[ ](M08) At least 1 pair of services (e.g., Order -> Payment) must authenticate each other (mTLS or Internal JWT).
- 3. Secure Observability:
[ ](M05) Log JSON +trace_id+subject(user_id).[ ](M05) Prove NO Tokens or PII (Credit Card, Password) are logged.
- 4. Secrets Management:
[ ](M08) NO hard-coded passwords/secrets in code/.env/docker-compose.yml.[ ](M08) UseDocker Secrets(orK8s Secrets) to 'inject' secrets at runtime.
- 5. Hardening:
[ ](M06) Redis has a 'password' (ACL) (notdefault).[ ](M03) RabbitMQ has a 'user/password' (notguest/guest).
- Visualization: *
- A 5-item checklist (Gateway, S2S, O11y, Secrets, Hardening) with [Icon: Checkbox] for each.
- Instructor Script:
- "To 'graduate,' your Final Project (now Module 09) will have a new 'Section E: Security' (15%)."
- "This is the checklist. [Point to Checklist] I will be 'checking' 5 things:"
- "1. Is Kong 'locking' with JWT and ACL (OSS)?"
- "2. Do your services 'authenticate' each other (mTLS/Internal JWT)?"
- "3. Are your logs 'clean' (have
trace_id, notoken)?" - "4. Where is your DB password 'stored' (Docker Secrets)?"
- "5. Did you 'change' the
defaultpassword for Redis/RabbitMQ?" - "This is the 'minimum' requirement to pass Security."
Slide 17: Q&A
- Content:
- Q & A
- Questions about Security
- Visualization:
- A clean, minimal slide. Just the large letters "Q&A".
- Instructor Script:
- "Thank you. This is a 'dry' but 'vital' topic. Please, any questions about Security."
Slide 18: Thank You & Next Module
- Content:
- THANK YOU!
- (Your Contact Info: Email, LinkedIn, etc.)
- COMING UP NEXT...
- Module 09: E2E Debugging & Final Project
- We will "hunt" bugs and "submit" the Final Project (with the new Security Rubric)!
- Visualization:
- "Teaser" for Module 09 (the old Module 07).
- An image of the 'SRE Detective' (debugging) and the 'Security Checklist' (Rubric).
- Instructor Script:
- "Thank you. You now have the 'final piece' of the puzzle: Security."
- "In Module 09 (the E2E Review Module), we will 'summarize' everything, 'live debug' (hunt bugs), and 'assign' the Final Project with the full rubric (including the Security section)."
- "See you then!"