Lab 2 - Deploy the NAP in AKS

It is time to expose and protect Sentence Application. To do so, the NAP will be deployed in your AKS and will route traffic to the right services.

As a reminder (kubectl get services), the FrontEnd service is called sentence-frontend-nginx and listening on port 80

In your Github repo, check the files

  • nginx-nap/etc/nginx/upstream.d/http-sentence.conf -> this is the upstream (the sentence-frontend-nginx service)
  • nginx-nap/etc/nginx/vhosts.d/http-sentence.conf -> this is the vhosts (choose any fqdn for your lab)

We will have a look later on the NAP policy tree


Deploy the NAP in your AKS via Terraform

In order to be immutable, we will use Terraform for Config as Code, and Infra as Code.

Immutable : An application or service is effectively redeployed each time any change occurs

In this module, we will not use any CI tool. You will be the CI tool and run the command manually. So that you understand all the steps equired to do DevSecOps.

First, adapt the Terraform with your environment information

  • Modify the plan accordingly so that the image is pulled from your private repository (line 36)
  • and also point to your kubeconfig context (line 3)

Go to the terraform folder and execute the terraform plan

terraform init
terraform plan
terraform apply -auto-approve

Check and test your NAP

  • First of all, check the pod and the services

    ❯ kubectl get pods -n sentence
    NAME                                       READY   STATUS    RESTARTS   AGE
    nginx-nap-56f9594df4-67q74                 1/1     Running   0          4h45m
    sentence-adjectives-5558f7d7d9-dkj58       1/1     Running   0          6d5h
    sentence-animals-6496766bc8-x5f4n          1/1     Running   0          6d5h
    sentence-backgrounds-5f784ffd-vd6d6        1/1     Running   0          6d5h
    sentence-colors-5c4c4f8b89-785tb           1/1     Running   0          6d5h
    sentence-frontend-nginx-6fc654698c-ktgfc   1/1     Running   0          6d5h
    sentence-generator-54b5687b54-nrf7h        1/1     Running   0          6d5h
    sentence-locations-bd85f5b7-9bt4n          1/1     Running   0          6d5h
    
    ❯ kubectl get services -n sentence
    NAME                      TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)        AGE
    nginx-nap                 NodePort       10.0.50.62     <none>          80:31146/TCP   6h1m
    nginx-nap-external        LoadBalancer   10.0.248.90    20.67.132.103   80:30086/TCP   6h1m
    sentence-adjectives       ClusterIP      10.0.175.176   <none>          80/TCP         6d5h
    sentence-animals          ClusterIP      10.0.163.130   <none>          80/TCP         6d5h
    sentence-backgrounds      ClusterIP      10.0.71.153    <none>          80/TCP         6d5h
    sentence-colors           ClusterIP      10.0.160.97    <none>          80/TCP         6d5h
    sentence-frontend-nginx   ClusterIP      10.0.36.129    <none>          80/TCP         6d5h
    sentence-generator        ClusterIP      10.0.218.182   <none>          80/TCP         6d5h
    sentence-locations        ClusterIP      10.0.98.74     <none>          80/TCP         6d5h
    
  • As you can notice, an Azure LB with a public address has been created by the Terraform plan

  • Modify your host file in order to result the value set in the file nginx-nap/etc/nginx/vhosts.d/http-sentence.conf with this IP address

    example in nginx-nap/etc/nginx/vhosts.d/http-sentence.conf
    server {
        server_name my-sentence-matt.lab.nordics;
        listen 80;
    
    Change your host file to resolv my-sentence-matt.lab.nordics with 20.67.132.103
    
  • Test your deployment http://<your_fqdn>

    ../../../_images/app1.png
  • Send an attack http://<your_fqdn>?a=<script>

  • Attack is blocked