Installing the Invicti Network Traffic Analyzer
This feature is available with Invicti API Security Standalone or Bundle.
The Invicti Network Traffic Analyzer (NTA) is deployed to your Kubernetes cluster using a helm chart. Helm is an open-source packaging tool that helps you install and manage the lifecycle of Kubernetes applications.
This document explains how to install the Invicti NTA helm chart via CLI to detect API traffic in your Kubernetes cluster and reconstruct OpenAPI3 specification files. It also explains how to configure and enable the Istio Service Mesh Envoy to discover encrypted traffic, and how to update or reinstall the Invicti NTA.
PREREQUISITES:
MINIMUM SYSTEM REQUIREMENTS:
Overview
There are two ways to capture Kubernetes traffic with the Invicti NTA:
- Integrating with Istio Service Mesh (this captures both HTTP & HTTPS traffic)
- Integrating with a Kubernetes namespace interface natively (this captures HTTP traffic only)
The Invicti NTA helm chart contains three images: Reconstructor, Tap Plugin (traffic sensor), and Istio Service Mesh Envoy. These are the components the chart deploys into your Kubernetes cluster, and all of them are needed for the Invicti NTA to work.
How to install the Invicti Network Traffic Analyzer in your Kubernetes cluster
To install the Invicti Network Traffic Analyzer in your Kubernetes cluster, first, ensure you have established the prerequisites listed above. Then, follow the steps in this section to:
- Retrieve your registration token and password
- Prepare the installation command
- Log in to Invicti's public registry
- Deploy the Invicti NTA helm chart into your Kubernetes cluster
Step 1: Retrieve your registration token and password
In this step, you will retrieve two important access codes that must be used in the installation command. First, you will retrieve your registration token for the Invicti NTA. Second, you will retrieve your password for the Invicti public registry.
- Log in to Invicti Enterprise.
- Select APIs > Sources from the left-side menu.
- Click Add new source.
- Enter a name for the source configuration that will help you identify it later in your list of API sources.
- Select Invicti Network Traffic Analyzer as the Source type.
- Invicti Enterprise On-Premises only: In the NTA server url field, enter the URL of the server where the Invicti Enterprise web app is running. The default entry is the current host URL from the browser.
IMPORTANT: The Invicti NTA must be able to reach the URL you enter into this field. You cannot use 'localhost'. The NTA Server URL you provide will be embedded in the token you will generate in the next step.
- Click Generate token.
- Click the copy icon next to the newly generated registration token.
- Select Save at the bottom of the page. Do not skip this step!
- Paste the copied registration token in a place where you will be able to retrieve it easily when you prepare the installation command in step 2.
- Select Agents > Manage Agents from the left-side menu.
- Click + Configure New Agent.
- In the Docker CLI & Openshift section, click the copy icon next to 2- When prompted, enter the password below. This is the password you will use to access Invicti's public registry.
- Paste the copied password in a place where you will be able to retrieve it easily in step 2 when you prepare the installation command.
Continue with the instructions below to use the registration token and password you just copied to prepare the installation command.
Step 2: Prepare the installation command
- Edit the installation command below to add the following information:
- -n default: This sets the namespace where the Invicti NTA will be installed. Replace default with the namespace you created for the Invicti NTA as part of the prerequisites.
- email-address: Replace email-address with the email address you use for your Invicti Enterprise account.
- password: Replace password with the password you copied from Invicti Enterprise (Step 1.12 above).
- registration-token: Replace registration-token with the registration token you copied from Invicti Enterprise (Step 1.7 above). Note that the registration token must be placed between the double quotation marks (between " and ").
INSTALLATION COMMAND:
helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 -n default --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set trafficSource.tap.enabled=true --set reconstructor.JWT_TOKEN="registration-token"
Step 3: Log in to Invicti's public registry
- Open the Helm CLI that you installed as part of the prerequisites.
- Execute the following command: helm registry login registry.invicti.com
- When prompted for a username, enter the email address you use for your Invicti Enterprise account.
- When prompted for a password, enter the password you copied from Invicti Enterprise (Step 1.12 above).
Step 4: Deploy the Invicti NTA helm chart into your Kubernetes cluster
- Copy the installation command that you prepared in step 2 above.
- In the Helm CLI, paste and run the installation command.
The Invicti NTA is now installed and the Tap Plugin is enabled. For more information about the Tap Plugin, refer to Network Traffic Analyzer: Tap Plugin FAQs.
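The following pre-flight wrapper for steps 1 to 4 is an added example, not a script from Invicti: it decodes the registration token's payload to catch the 'localhost' NTA server URL that the IMPORTANT note above rules out, checks that the prerequisite namespace exists, and then runs the registry login and the install command from step 2 with the secrets read from environment variables (NTA_NAMESPACE, INVICTI_EMAIL, INVICTI_REGISTRY_PASSWORD and INVICTI_REGISTRATION_TOKEN are names chosen here; the chart, registry and --set keys are the page's own). The check only looks for the literal strings 'localhost' and '127.0.0.1' in the decoded payload, since the page does not document the token's claim names.

```sh
#!/bin/sh
# Added example (not Invicti's code). Env var names are this script's choice.

# Decode the payload segment of a JWT. No signature check: this only
# inspects what the token carries.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in   # restore the base64 padding JWTs strip
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null
}

# Return 0 if the token has three segments, a decodable payload, and no
# localhost server URL (assumption: the URL appears in the payload as text).
check_registration_token() {
  tok=$1
  dots=$(printf '%s' "$tok" | tr -cd . | wc -c)
  [ "$((dots))" -eq 2 ] || return 1
  body=$(jwt_payload "$tok") || return 1
  [ -n "$body" ] || return 1
  if printf '%s' "$body" | grep -qiE 'localhost|127\.0\.0\.1'; then
    return 1
  fi
  return 0
}

# Run the checks, then the step 3 login and the step 2 install command.
# Secrets come from the environment instead of being pasted into a one-liner.
install_nta() {
  check_registration_token "$INVICTI_REGISTRATION_TOKEN" ||
    { echo "registration token is malformed or points at localhost" >&2; return 1; }
  kubectl get namespace "$NTA_NAMESPACE" >/dev/null || return 1   # prerequisite
  helm registry login registry.invicti.com \
    --username "$INVICTI_EMAIL" --password-stdin <<EOF
$INVICTI_REGISTRY_PASSWORD
EOF
  helm install invicti-api-discovery \
    oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 \
    -n "$NTA_NAMESPACE" \
    --set "imageRegistryUsername=$INVICTI_EMAIL" \
    --set "imageRegistryPassword=$INVICTI_REGISTRY_PASSWORD" \
    --set trafficSource.tap.enabled=true \
    --set "reconstructor.JWT_TOKEN=$INVICTI_REGISTRATION_TOKEN"
}
```

Source the file and call install_nta after exporting the four variables; helm's --set splits values on commas, so a registry password containing a comma needs escaping before it is passed this way.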
How to configure and enable the Istio Service Mesh Envoy
To discover encrypted traffic, you need to enable and configure the Istio Service Mesh Envoy to specify which service mesh traffic will be watched and sniffed by the WASM filters.
- Label the target namespaces that are to be watched by the Istio Service Mesh Envoy using the following command:
kubectl label namespaces your-namespace istio-injection=enabled
- Set the WASM filter as enabled for your namespace using the following command. Note that helm upgrade applies only the values you pass unless you add --reuse-values, so keep the values from your initial install (such as reconstructor.JWT_TOKEN) in this command:
helm upgrade --install api-disco oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set trafficSource.envoyWasm.enabled=true --set trafficSource.envoyWasm.namespaces="your-namespace" -n your-namespace
- email-address: Replace email-address with the email address you use for your Invicti Enterprise account.
- password: Replace password with the password copied from Invicti Enterprise (Step 1.12 above).
- your-namespace: Use the name of the namespace you created as part of the prerequisites. Note that the first instance of your-namespace must be placed between the double quotation marks (between " and ").
How to update or reinstall the Invicti Network Traffic Analyzer
Updating or reinstalling the Invicti NTA requires pulling the latest version of the helm chart from the Invicti registry and installing it again. If you have previously uninstalled the Invicti NTA and now wish to install it again, or want to update an existing installation to the latest version, follow the instructions below. Because the update command uses helm upgrade --install, the release name in the command must match the name of the existing release; otherwise helm creates a second release alongside it.
- Follow the instructions in step 1 above to retrieve your access token and password.
- Prepare the update command:
- email-address: Replace email-address with the email address you use for your Invicti Enterprise account.
- password: Replace password with the password copied from Invicti Enterprise (Step 1.12 above).
- registration-token: Replace registration-token with the registration token copied from Invicti Enterprise (Step 1.7 above). Note that the registration token must be placed between the double quotation marks (between " and ").
- your-namespace: Use the name of the namespace you created as part of the prerequisites.
UPDATE COMMAND:
helm upgrade --install api-disco oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set reconstructor.JWT_TOKEN="registration-token" --set trafficSource.tap.enabled=true -n your-namespace
- Follow step 3 above to log in to Invicti's public registry.
- Using the Helm CLI, run the update command in your Kubernetes namespace to install the latest version of the helm chart.
The Invicti NTA is now installed and the Tap Plugin is enabled.