Jelle Bens: April 2021

Thursday, April 22, 2021

Fix Warning ResponseCookies - The cookie '.AspNetCore.OpenIdConnect.Nonce.xyz' has set 'SameSite=None' and must also set 'Secure'

In Startup.cs add the following snippet in Configure

 public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            //...

            app.UseCookiePolicy(new CookiePolicyOptions
            {
                Secure = CookieSecurePolicy.Always,
                MinimumSameSitePolicy = SameSiteMode.None
            });

            //...
        }

Saturday, April 17, 2021

DevSecOps: Runing ASP .NET Core Applications with minimal privileges in Kubernetes

Configure podSecurityContext

Configure the pod to run as nobody/nogroup user as follows:

podSecurityContext: 
  runAsUser: 65534
  fsGroup: 65534

Configure SecurityContext

Configure security context to run with minimal possible privileges:

securityContext: 
  capabilities:
    drop:
    - ALL
    add: 
    - "NET_ADMIN"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 65534 # run as the nobody/nogroup user

Run on non standard port

Since we do not have permission to run ports lower tan 1024 (normally assigned by adding capability NET_BIND_SERVICE but this requires root privileges) we have to configure ASP .Net Core to listen to a port above 1024.

env:
  - name: ASPNETCORE_URLS
    value: http://+:8080

Tuesday, April 13, 2021

Zero trust architecture with Istio

Disabling access to services outside the mesh

The following command will restrict all outbound traffic to services defined in the service registry as well as those defined through ServiceEntries:

istioctl install --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY.

Enabling access to an URL outside the mesh

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: moneta-egress
spec:
  hosts:
  - '*.microsoft.com'
  - '*.microsoftonline.com'
  - '*.windows.net'
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  resolution: NONE

Set up the namespace to be secure by default

Enable mTLS in strict mode for a specific namespace

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT

Apply ALLOW NOTHING policy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
spec:
  {}

Creating allow rules for the different components

Create allow rule for the frontend

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "web.name" . }}
  action: ALLOW
  rules:
   - {}

Create allow rule for accounts service

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ include "accounts.name" . }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "accounts.name" . }}
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/moneta/sa/frontend-web"]
    to:
    - operation:
        paths: ["/accounts/*"]

check policies applied

istioctl x authz check $(kubectl get pods -l app=mssql -n moneta -o jsonpath="{.items[0].metadata.name}").moneta