Installing scan agents via Kubernetes and OpenShift
The Invicti scanner agent runs on any Kubernetes environment, saving you time by eliminating driver and kernel installations. This document covers installing the agent on Kubernetes and OpenShift Clusters.
If you are using Docker, refer to Installing a scanner agent via Dockerization.
Prerequisites
- Kubernetes Kubectl command line tool
- RedHat OpenShift command line tool
- Docker (to verify that Docker is installed, run the 'docker -v' command in PowerShell or another shell)
To run the scanner agent in a Kubernetes environment, you first pull the agent image and then deploy it to a cluster, as described in the following sections.
Pulling the agent image
There are two ways to pull and use the scanner image:
- Pull the image to your local environment and push it to your private registry.
- Pull the image from Invicti's registry at registry.invicti.com, which is reachable from the internet but requires authentication. You provide the registry credentials to the Kubernetes cluster as a secret so that the cluster can pull images from registry.invicti.com directly. Refer to this Kubernetes website for more information.
Option A: Pulling an image to your local environment
- In Invicti Enterprise, select Agents > Manage Agents from the left-side menu.
- Click Configure New Agent.
- Run the following command to authenticate to the Invicti image registry (replace <registered-user-email> with the email address you use for your Invicti Enterprise account):
docker login -u <registered-user-email> registry.invicti.com
- When prompted for a password, copy and paste the password from Invicti using the copy button.
- Pull the agent version using the command from Invicti.
docker pull registry.invicti.com/ie-agent:latest
- Wait for the system to load the agent image. Then, you can push the loaded image to any private registry for use by the Kubernetes clusters.
Option B: Pulling an image from registry.invicti.com directly to the Kubernetes cluster
- Define a secret in the Kubernetes cluster to authenticate Invicti’s registry.invicti.com. For more information, refer to this Kubernetes documentation.
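The secret that Option B needs is a kubernetes.io/dockerconfigjson Secret holding the registry credentials. The following shell script is an added example, not Invicti's own tooling: it builds that Secret manifest the same way `kubectl create secret docker-registry` would, but reads the password from a variable rather than a command-line flag. The user name (your Invicti Enterprise e-mail), the password (the value shown on the Configure New Agent page), the namespace 'invicti' and the Secret name 'invicti-registry' are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Invicti's own tooling: build the image pull Secret that
# Option B needs so the cluster can authenticate to registry.invicti.com.
# Assumptions: user = your Invicti Enterprise e-mail, password = the value
# shown on the Configure New Agent page, namespace = invicti, Secret name =
# invicti-registry (the last two are this example's choices).

# b64 <string>: base64 with no line wrapping, portable across GNU and BSD.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# json_escape <string>: escape backslash and double quote for a JSON string.
json_escape() { printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# dockerconfigjson <registry> <user> <password>
# Emits the same JSON that `docker login` writes to ~/.docker/config.json and
# that kubelet expects inside a kubernetes.io/dockerconfigjson Secret.
dockerconfigjson() {
    u=$(json_escape "$2"); p=$(json_escape "$3")
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$1" "$u" "$p" "$(b64 "$2:$3")"
}

# pull_secret_manifest <registry> <user> <password> [namespace] [name]
# Prints a Secret manifest ready for `kubectl apply -f -`.
pull_secret_manifest() {
    ns=${4:-invicti}; name=${5:-invicti-registry}
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfigjson "$1" "$2" "$3")")
EOF
}

# Usage: read the password without echo so it never lands in shell history,
# then apply. Reference the Secret from the Deployment's pod spec as
# spec.template.spec.imagePullSecrets: [{name: invicti-registry}].
#   printf 'Registry password: '; stty -echo; read -r pw; stty echo; echo
#   pull_secret_manifest registry.invicti.com you@example.com "$pw" | kubectl apply -f -
```

The `auth` field is the base64 of `user:password`, exactly as `docker login` stores it; the whole JSON document is then base64-encoded again because it sits in the Secret's `data` map. Add `imagePullSecrets` to the Deployment's pod spec, or the kubelet will still try an anonymous pull.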
Deploying the agent to a cluster
This section of the document contains instructions for deploying the agent to Kubernetes and OpenShift clusters.
How to deploy to a Kubernetes cluster
- Create a new namespace called 'invicti'.
kubectl create ns invicti
- Update the 'deployment.yaml' file with your specific values. The following deployment.yaml is a sample that you can use.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <image registry>:<tag>
          imagePullPolicy: IfNotPresent
          env:
            - name: ApiToken
              value: "<Enter your Agent token>"
            - name: ApiRootUrl
              value: "<Enter your Api Root URL>"
            - name: AgentName
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: AgentMode
              value: "Scanner"
            - name: IgnoreSslCertificateErrors
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 8Gi
            requests:
              cpu: 1000m
              memory: 4Gi
Environment Variables
- AgentName: The AgentName can be anything. It will be displayed when you start a new scan. (If you plan to install more than one agent instance, set a unique 'AgentName' value for each instance, as you will need these later.)
- ApiToken: The Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (Select Agents > Manage Agents from the left-side menu and click Configure New Agent. In the Agent Token field, select Copy to clipboard.)
- ApiRootUrl: This is the URL of Invicti Enterprise On-Demand or Invicti Enterprise On-Premises.
- AgentMode: Sets whether the agent runs as a Scanner or a Verifier.
- IgnoreSslCertificateErrors: When set to "true", the agent ignores SSL certificate errors on the scan target website.
- Apply manifests to your clusters by running the following commands:
kubectl apply -f deployment.yaml
kubectl get pod -n invicti
You have now installed the scanner agent. To check its status in Invicti Enterprise, go to Agents > Manage Agents.
You can now initiate a scan using the installed scanner agent. Navigate to Scans > New Scan, and choose a target with the agent mode set to Internal. You can also configure other necessary settings, including selecting the specific agent to conduct the scan on the target.
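Before running `kubectl apply`, it is worth checking the manifest for the mistakes that most often break or weaken this deployment: placeholders left in, IgnoreSslCertificateErrors switched on, a non-https ApiRootUrl, and the agent token sitting as a plain `value:` that anyone allowed to read the Deployment object can see. The script below is an added example, not Invicti's own tooling, and applies equally to the OpenShift manifest in the next section. The two embedded manifests are constructed samples (the first mirrors the page's sample with its placeholders; the second uses fictitious registry, URL and Secret names), and the recommendation to load ApiToken via `valueFrom.secretKeyRef` is this example's, not a requirement Invicti states.

```shell
#!/bin/sh
# Added example, not Invicti's own tooling: a pre-apply check for the scanner
# Deployment manifest (Kubernetes or OpenShift variant). It flags placeholder
# values left in, IgnoreSslCertificateErrors switched on, a non-https
# ApiRootUrl, and an agent token kept as an inline value (this example's
# recommendation is valueFrom.secretKeyRef; Invicti's sample does not require
# it). Matching is line based, which suits manifests shaped like the sample.

# env_value <manifest-text> <var>: prints the inline `value:` of env var
# <var>, or nothing if it is absent or populated through valueFrom.
env_value() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "-" && $2 == "name:" { cur = $3; next }
        cur == want && $1 == "value:" {
            sub(/^[^:]*: */, ""); gsub(/^"|"$/, ""); print; exit
        }'
}

# check_deployment <manifest-text>: prints one line per finding;
# returns 0 when clean, 1 otherwise.
check_deployment() {
    m=$1; rc=0
    # 1. Angle-bracket placeholders (image, token, URL) never replaced.
    if printf '%s\n' "$m" | grep -q '<[^>]*>'; then
        echo "FINDING: placeholder(s) still present:"
        printf '%s\n' "$m" | grep -n '<[^>]*>'
        rc=1
    fi
    # 2. Certificate validation for the scan target should stay on.
    if [ "$(env_value "$m" IgnoreSslCertificateErrors)" = "true" ]; then
        echo "FINDING: IgnoreSslCertificateErrors=true disables TLS certificate checks"
        rc=1
    fi
    # 3. An inline ApiToken is readable by anyone allowed to read the
    #    Deployment object; a Secret reference narrows that audience.
    if [ -n "$(env_value "$m" ApiToken)" ]; then
        echo "FINDING: ApiToken is inline; store it in a Secret and use valueFrom.secretKeyRef"
        rc=1
    fi
    # 4. The agent sends its token to ApiRootUrl, so that URL must be https.
    url=$(env_value "$m" ApiRootUrl)
    case "$url" in
        ""|*'<'*|https://*) ;;
        *) echo "FINDING: ApiRootUrl '$url' is not https"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the page's deployment.yaml, trimmed to the fields the
# check reads, with its placeholders still in place.
sample_manifest_as_shipped() {
    cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <image registry>:<tag>
          env:
            - name: ApiToken
              value: "<Enter your Agent token>"
            - name: ApiRootUrl
              value: "<Enter your Api Root URL>"
            - name: IgnoreSslCertificateErrors
              value: "false"
EOF
}

# Constructed sample: the same manifest hardened (registry, URL and Secret
# name are fictitious).
sample_manifest_hardened() {
    cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: registry.example.internal/ie-agent:latest
          env:
            - name: ApiToken
              valueFrom:
                secretKeyRef:
                  name: invicti-agent
                  key: ApiToken
            - name: ApiRootUrl
              value: "https://invicti.example.internal"
            - name: IgnoreSslCertificateErrors
              value: "false"
EOF
}
```

Run it on your own file with `check_deployment "$(cat deployment.yaml)" && kubectl apply -f deployment.yaml`; a non-zero exit stops the apply. To satisfy finding 3, create the Secret with `kubectl create secret generic invicti-agent --from-literal=ApiToken=... -n invicti` and replace the inline `value:` with the `valueFrom.secretKeyRef` block shown in the hardened sample.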
How to deploy to an OpenShift cluster
- Log in to the OpenShift cluster by running the command below.
oc login <cluster_url> --username <username> --password <password>
- Create a new project called 'invicti' by running the command below.
oc new-project invicti
- Log in to Docker by running the command below.
docker login -u <username> -p $(oc whoami -t) $(oc registry info)
- Tag the image you downloaded in the previous steps by running the command below.
docker tag registry.invicti.com/ie-opsh-agent:latest <your_openshift_registry:tag>
- Push the Docker image to the OpenShift registry by running the command below.
docker push <your_openshift_registry:tag>
- Create the 'deployment.yaml' file and populate the AgentName, ApiToken, and ApiRootUrl parameters.
- AgentName: The AgentName can be anything. It will be displayed when you start a new scan. (If you plan to install more than one agent instance, set a unique 'AgentName' value for each instance, as you will need these later.)
- ApiToken: The Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (Select Agents > Manage Agents from the left-side menu and click Configure New Agent. In the Agent Token field, select Copy to clipboard.)
- ApiRootUrl: This is the URL of Invicti Enterprise On-Demand or Invicti Enterprise On-Premises.
The following 'deployment.yaml' file is a sample that you can use:
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <Your agent image>
          imagePullPolicy: IfNotPresent
          env:
            - name: ApiToken
              value: "Enter a token"
            - name: ApiRootUrl
              value: "Enter a URL"
            - name: AgentName
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: AgentMode
              value: "Scanner"
            - name: IgnoreSslCertificateErrors
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 8Gi
            requests:
              cpu: 1000m
              memory: 4Gi
- Apply manifests to your clusters by running these commands.
kubectl apply -f deployment.yaml
kubectl get pod
You have now installed the scanner agent. To check its status in Invicti Enterprise, go to Agents > Manage Agents.
You can now initiate a scan using the installed scanner agent. Navigate to Scans > New Scan, and choose a target with the agent mode set to Internal. You can also configure other necessary settings, including selecting the specific agent to conduct the scan on the target.