Monitor application security
Google Cloud has powerful security features built in at every level that work separately and together to protect you from security issues, including both platform and application security. However, with defence in depth like this, it's not always easy to choose which features might benefit your particular application, or to assess how your security policies are working at runtime. To help you with this, the Anthos Security dashboard provides an at-a-glance view of your applications' current security features, as well as a more detailed policy audit view to show you where you can modify security configurations or workloads to improve your security posture.
This document gives platform and application operators an overview of Anthos application security monitoring. To find out more about each security feature and its monitoring, follow the links to the feature docs in What's next?
The Anthos Security dashboard currently monitors clusters on Google Cloud, VMware, and bare metal.
Required roles
To get the permissions that you need to view and audit application security, ask your administrator to grant you the following IAM roles on the project:
- roles/monitoring.viewer (Monitoring Viewer)
- roles/logging.viewer (Logs Viewer)
- roles/serviceusage.serviceUsageViewer (Service Usage Viewer)
- roles/servicesecurityinsights.securityInsightsViewer (Security Insights Viewer)
For more information about granting roles, see Manage access.
These predefined roles contain the permissions required to view and audit application security. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to view and audit application security:
- resourcemanager.projects.get
- opsconfigmonitoring.resourceMetadata.list
- serviceusage.services.list
- servicesecurityinsights.projectStates.get
- To view your application security overview:
  - logging.logEntries.list
  - servicesecurityinsights.clusterSecurityInfo.list
- To audit the current status for all monitored security features:
  - servicesecurityinsights.clusterSecurityInfo.list
  - servicesecurityinsights.securityViews.get
  - servicesecurityinsights.securityInfo.list
  - servicesecurityinsights.workloadPolicies.list
- To view workload security details:
  - monitoring.timeSeries.list
  - logging.logEntries.list
  - servicesecurityinsights.clusterSecurityInfo.get
  - servicesecurityinsights.workloadSecurityInfo.get
  - servicesecurityinsights.securityViews.get
  - servicesecurityinsights.workloadPolicies.list
You might also be able to get these permissions with custom roles or other predefined roles.
Supported clusters
The following cluster types are supported in the Anthos Security dashboard:
- GKE clusters on Google Cloud
- GKE on VMware
- GKE on Bare Metal
To monitor security across VMware and bare metal clusters, you need to enable application logging and monitoring. Follow the instructions in the GKE on VMware and GKE on Bare Metal documentation to do this.
View your application security overview
To view the Anthos Security dashboard in the Google Cloud console:
In the project you want to monitor, select Anthos - Security from the Google Cloud console menu.
By default, the Policy Summary tab is displayed, showing the status of Anthos application security features in your project, including links to find out more and enable features. Features are listed under two headings: Access control and Authentication.
Access control
This section shows the status of selected Anthos authorization features. These are:
- Binary Authorization, which lets you ensure that only trusted images are deployed on your clusters.
- Kubernetes network policy, which lets you specify which pods are allowed to communicate with each other and other network endpoints.
- Anthos Service Mesh service access control, which lets you configure fine-grained access control for your mesh services based on service accounts and request contexts.
For any feature that isn't enabled in your project, you can click to enable (or find out how to enable) the feature.
For features that are enabled, you can see the feature's current status, and click to see more details over your selected Time span, including any actions that have been denied based on your access control policies and other interesting events. For example, in this project three deployments have been blocked on one cluster in the previous hour as a result of Binary Authorization policies:
Authentication
This section shows the status of Anthos authentication features. Currently this view shows you whether you have created a policy to enforce mutual TLS (mTLS) in each cluster where you're using Anthos Service Mesh. mTLS is a security protocol that ensures that traffic is secure and trusted in both directions between two services.
Note that this only shows whether your service mesh has an mTLS policy. To see whether the policy is effectively securing your traffic, and whether unencrypted traffic is permitted in your mesh at runtime, you need to visit the more detailed Policy audit view, as described in the next section.
Audit application security
The audit view provides a more detailed runtime assessment of your current application security posture, cluster by cluster. To switch to the audit view:
- Select the Policy Audit tab.
- Select the Cluster and (optionally) the Namespace that you want to monitor from the drop-downs.
As in the summary view, you can see the current status for all monitored security features. For mTLS, you also see if your policies currently allow unencrypted traffic in your service mesh on this cluster. This can happen if you have enabled mTLS anywhere in permissive mode, which lets services receive both mTLS and plaintext traffic. This is useful to prevent unexpected service outages while you are migrating to strict mTLS, but should be updated if you want end-to-end encryption throughout your mesh.
The Workloads list then lets you see how your security features are operating at the workload level. For each workload, you can see:
- If they have Kubernetes network policies enforced
- The Anthos Service Mesh service access control policies that apply to the workload
- The Anthos Service Mesh mTLS policy that applies to the workload: Permissive (the default if you haven't created any explicit policies that apply to the workload), Disable, or Strict
View workload security details
Select individual workloads in the audit view Workloads list to see more details about their security in the workload view. For each workload, you can see the following information:
- Where applicable, a link to view the specific policy definition for each application security feature that applies to the workload.
- General workload details, including name, cluster, and related service.
- Service requests to and from this workload, including whether any requests were denied by your policies. If a request is denied, you can drill down to view the relevant logs in Cloud Logging, helping you troubleshoot specific denials and find more useful information about the request.
- Network policy requests to and from this workload if Dataplane V2 network policy logging is enabled on your cluster. You can find out more about how to view network policy information and understand how it impacts your workload in the next section.
- The running pods managed by this workload.
View workload connectivity with Dataplane V2
If the cluster containing your workload has Dataplane V2 enabled, the Network policy requests section is displayed as part of the workload view. If network policy logging is configured to log allowed and denied connections, inbound and outbound traffic for your workload is also shown, as in the following example.
The table also provides additional information about the connections logged by Dataplane V2 network policy logging. To see this information for a specific workload:
- Click the more actions menu in the table row for the workload you're interested in.
- From the menu, select the additional information you'd like to view:
- Select View in GKE to navigate to the GKE UI for more information about the workload.
- Select View denial logs to navigate to Cloud Logging filtered to the relevant log entries.
- Select View network policy connectivity to see a connectivity diagram that shows the observed security posture for each direction of the connection (Egress and Ingress). An example diagram is shown below.
Simulate connection between workloads based on deployed network policies
If the cluster containing your workload has Network policy enforcement enabled, the Simulate Network Policy button is displayed at the top of the workload view page. This feature lets you simulate whether the workload being viewed can send or receive traffic based on a configuration analysis of the currently deployed network policies.
To simulate the connection between your workloads:
- Click the Simulate Network Policy button for the workload to test traffic for.
- Select the direction of traffic (inbound or outbound) for the workload.
- Select the namespace and workload that you want to test traffic to or from.
- Click Simulate. A connectivity diagram will appear showing the status of Egress and Ingress for the connection. The diagram shown is similar to the one used when viewing workload connectivity with Dataplane V2.
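The simulator answers this question from a configuration analysis of the deployed policies. As an added example that is not the dashboard's or Google's code, the following Python script reproduces the core ingress rule such an analysis has to apply (default-allow for a pod no policy selects, isolation as soon as any policy selects it) over constructed policies and pods; the policy names, namespaces and labels are made up for illustration.

```python
"""Simplified NetworkPolicy ingress simulation (added example, not the dashboard's code).
Rule modelled: a pod no NetworkPolicy selects accepts all ingress; once any policy in its namespace
selects it, only traffic matching an ingress rule of some selecting policy passes. Only matchLabels
podSelector/namespaceSelector and TCP ports are modelled; ipBlock, matchExpressions, egress are not."""

def labels_match(selector, labels):
    # An empty selector ({}) matches everything, exactly as in Kubernetes.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    """One 'from' entry: podSelector alone is scoped to the policy's own namespace,
    namespaceSelector alone matches any pod in a matching namespace, both present must both match."""
    if "podSelector" not in peer and "namespaceSelector" not in peer:
        return False  # ipBlock-only peers never match a pod in this model
    ns_ok = (labels_match(peer["namespaceSelector"], src["ns_labels"])
             if "namespaceSelector" in peer else src["namespace"] == policy_ns)
    pod_ok = labels_match(peer["podSelector"], src["labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok

def ingress_allowed(policies, src, dst, port):
    """Return True if dst may receive TCP traffic on port from src."""
    selecting = [p for p in policies if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and labels_match(p["podSelector"], dst["labels"])]
    if not selecting:
        return True  # not isolated: Kubernetes default-allow
    for p in selecting:
        for rule in p.get("ingress", []):  # selecting policy with no rules: deny all ingress
            peers_ok = not rule.get("from") or any(peer_matches(f, src, p["namespace"]) for f in rule["from"])
            ports_ok = not rule.get("ports") or any(
                pp.get("port") == port and pp.get("protocol", "TCP") == "TCP" for pp in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False

def pod(namespace, app):  # constructed pod; its namespace carries a "team" label equal to its name
    return {"namespace": namespace, "labels": {"app": app}, "ns_labels": {"team": namespace}}

POLICIES = [  # constructed sample policies, both in namespace "shop"
    {"name": "backend-allow-frontend", "namespace": "shop", "policyTypes": ["Ingress"],
     "podSelector": {"matchLabels": {"app": "backend"}},
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                  "ports": [{"protocol": "TCP", "port": 8080}]}]},
    {"name": "db-deny-all", "namespace": "shop", "policyTypes": ["Ingress"],
     "podSelector": {"matchLabels": {"app": "db"}}},
]

if __name__ == "__main__":
    for src, dst, port in [("frontend", "backend", 8080), ("frontend", "db", 5432), ("frontend", "cache", 6379)]:
        print(f"{src}->{dst}:{port}", ingress_allowed(POLICIES, pod("shop", src), pod("shop", dst), port))
```

The db-deny-all policy shows the edge case the dashboard's Permissive/Strict and policy views make visible: a policy that selects a pod but carries no ingress rules isolates it completely.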
An example of the form for simulating network policy connection is shown below:
What's next?
- Learn more about Binary Authorization
- Learn more about configuring Kubernetes network policies
- Learn more about application security in Anthos Service Mesh:
- Learn about service access control in the Authorization policy overview
- Learn about using mTLS in Configuring transport security
- Find out more about using the Security dashboard to monitor and improve your Anthos Service Mesh security posture in Monitoring mesh security