Integrate NTA with Kong in Kubernetes
This feature is available with Invicti API Security Standalone or Bundle
Kubernetes (K8s) installation is ideal for scaling Kong in cloud-native environments, managing microservices, and ensuring high availability. NTA integrates into the K8s cluster alongside Kong Gateway for seamless operation.
This document walks you through configuring Kong in your development environment. The integration process is divided into two key steps: reviewing and preparing the patch files, and running the deployment scripts.
IMPORTANT: Our support team will provide the Docker images to you upon request.
Prerequisites
- Kong API Gateway: Install and configure Kong API Gateway v3.0 or later.
- Kubernetes or Minikube: Set up Kubernetes or Minikube for local development.
- Reconstructor: Ensure that the Reconstructor is properly configured and operational. It will be responsible for generating Swagger files and uploading them to ApiHub.
Review and prepare the patch files
When deploying the NTA plugin in a Kubernetes environment with Kong, several patch files are necessary to configure and enable the plugin properly. These files help ensure that Kong is properly set up to run the plugin and that the necessary resources (such as the Kong deployment and ingress) are correctly configured.
In this k8s.zip file, there are three patch files:
Patch file - k8s/kongPlugin.yaml
This patch file configures the NTA plugin to work with Kong by defining its settings. It specifies a variable ({{NTA_TARGET}}) for the address where Kong will send captured traffic for analysis.
- Customize the kongPlugin.yaml file with the NTA address:
- Example target address: http://192.168.1.38:8090/api/telemetry
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: invicti-plugin
plugin: nta
config:
  target: "{{NTA_TARGET}}"
- Then deploy it with:
kubectl apply -f ./kongPlugin.yaml -n %namespace%
Patch file - k8s/kong-plugin-patch.yaml
This patch file deploys the Kong plugin in Kubernetes. Unlike the Docker installation, Kubernetes runs Kong with a read-only filesystem. Therefore, we pass -kong-prefix /plugins to the plugin server and point KONG_PLUGINSERVER_NTA_SOCKET at the same directory so that the plugin can interact with Kong correctly. To work around the read-only filesystem, the plugin directory is redirected to a writable emptyDir volume, which allows the necessary updates and configuration.
spec:
  template:
    spec:
      volumes:
        - name: kong-api-trace-plugin
          emptyDir: {}
      containers:
        - name: proxy
          volumeMounts:
            - mountPath: /plugins
              name: kong-api-trace-plugin
              readOnly: false
          env:
            - name: KONG_PLUGINS
              value: bundled,nta
            - name: KONG_PLUGINSERVER_NAMES
              value: nta
            - name: KONG_PLUGINSERVER_NTA_SOCKET
              value: /plugins/nta.socket
            - name: KONG_PLUGINSERVER_NTA_START_CMD
              value: /plugins/nta -kong-prefix /plugins
            - name: KONG_PLUGINSERVER_NTA_QUERY_CMD
              value: "/plugins/nta -dump"
      initContainers:
        - command:
            - cp
            - /kong/nta
            - /plugin/.
          image: mykongplugin:latest
          imagePullPolicy: Never
          name: invicti-kong-plugin-injector
          volumeMounts:
            - mountPath: /plugin
              name: kong-api-trace-plugin
- Apply the patch using this command:
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml
Patch file - k8s/patch-ingress.yaml
This patch file updates the Kong Ingress resource by adding the necessary annotation to link it to the NTA plugin.
metadata:
  annotations:
    konghq.com/plugins: invicti-plugin
- Apply the patch using this command:
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --patch-file patch-ingress.yaml
Deployment scripts
To integrate NTA with Kong in Kubernetes, simply run one of the provided scripts. We have streamlined the setup with these scripts (the link to the zip file is provided above):
- Windows: installk8s.bat
- Linux or macOS: installk8s.sh
When you run the script, you will be prompted to enter a namespace and the Reconstructor engine address. The script then executes three key commands:
- Configure and apply kongPlugin.yaml
- Patch the Kong Deployment
- Patch the Ingress Resource
Windows deployment batch script
@echo off
REM Prompt the user for the namespace
set /p namespace=Enter the namespace:
REM Prompt the user for the target string (e.g. http://192.168.1.38:8090/api/telemetry)
set /p target=Enter the target string:
REM Running kubectl command 1
echo Running kubectl command 1...
REM Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '{{NTA_TARGET}}', '%target%' | Set-Content .\kongPlugin.yaml"
kubectl apply -f .\kongPlugin.yaml -n %namespace%
REM Running kubectl command 2
echo Running kubectl command 2...
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml
REM Running kubectl command 3
echo Running kubectl command 3...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --patch-file patch-ingress.yaml
REM Revert {{NTA_TARGET}} back to the original placeholder
REM (-replace treats its pattern as a regex, so the target URL is escaped first)
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace [regex]::Escape('%target%'), '{{NTA_TARGET}}' | Set-Content .\kongPlugin.yaml"
echo All commands have been executed.
Linux or macOS deployment shell script
#!/bin/bash
# Prompt the user for the namespace
read -p "Enter the namespace: " namespace
# Prompt the user for the target string (e.g. http://192.168.1.38:8090/api/telemetry)
read -p "Enter the target string: " target
# Running kubectl command 1
echo "Running kubectl command 1..."
# Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml.
# '|' is used as the sed delimiter because the target URL contains '/';
# -i.bak works with both GNU sed (Linux) and BSD sed (macOS).
sed -i.bak "s|{{NTA_TARGET}}|$target|g" ./kongPlugin.yaml && rm -f ./kongPlugin.yaml.bak
kubectl apply -f ./kongPlugin.yaml -n "$namespace"
# Running kubectl command 2
echo "Running kubectl command 2..."
kubectl patch deployment kong-kong -n "$namespace" --patch-file kong-plugin-patch.yaml
# Running kubectl command 3
echo "Running kubectl command 3..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" --patch-file patch-ingress.yaml
# Revert the {{NTA_TARGET}} back to its original placeholder
sed -i.bak "s|$target|{{NTA_TARGET}}|g" ./kongPlugin.yaml && rm -f ./kongPlugin.yaml.bak
echo "All commands have been executed."
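After running either script, you will want to confirm that all three patches took effect before sending traffic through Kong. The following shell script is an added example, not part of the Invicti k8s.zip scripts; it assumes the resource names used in the patch files above (deployment kong-kong with container proxy, KongPlugin invicti-plugin, ingress echo) and needs kubectl access to the namespace.

```shell
#!/bin/bash
# Added example (not part of the Invicti k8s.zip scripts): verify that the three
# patches landed. Assumes the names used in the patch files above: deployment
# kong-kong with container proxy, KongPlugin invicti-plugin, and ingress echo.

# Return 0 if the comma-separated KONG_PLUGINS value lists the nta plugin.
kong_plugins_has_nta() {
  case ",$1," in
    *,nta,*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Return 0 if the NTA target is an http(s) URL with a non-empty host part.
target_url_ok() {
  case "$1" in
    http://?*|https://?*) return 0 ;;
    *)                    return 1 ;;
  esac
}

# Return 0 if the konghq.com/plugins annotation names invicti-plugin
# (Kong accepts a comma-separated list, so other plugins may be present too).
ingress_annotation_ok() {
  case ",$1," in
    *,invicti-plugin,*) return 0 ;;
    *)                  return 1 ;;
  esac
}

# Query the cluster and apply the checks above. Needs kubectl access to $1.
verify_nta_install() {
  ns="$1"
  proxy='{.spec.template.spec.containers[?(@.name=="proxy")]'
  plugins=$(kubectl get deployment kong-kong -n "$ns" \
    -o jsonpath="$proxy.env[?(@.name==\"KONG_PLUGINS\")].value}")
  kong_plugins_has_nta "$plugins" || { echo "KONG_PLUGINS is '$plugins'; nta missing"; return 1; }
  socket=$(kubectl get deployment kong-kong -n "$ns" \
    -o jsonpath="$proxy.env[?(@.name==\"KONG_PLUGINSERVER_NTA_SOCKET\")].value}")
  [ "$socket" = "/plugins/nta.socket" ] || { echo "unexpected NTA socket '$socket'"; return 1; }
  target=$(kubectl get kongplugin invicti-plugin -n "$ns" -o jsonpath='{.config.target}')
  target_url_ok "$target" || { echo "KongPlugin target '$target' is not an http(s) URL"; return 1; }
  ann=$(kubectl get ingress echo -n "$ns" -o jsonpath='{.metadata.annotations.konghq\.com/plugins}')
  ingress_annotation_ok "$ann" || { echo "ingress echo lacks the invicti-plugin annotation"; return 1; }
  echo "NTA integration checks passed in namespace $ns"
}

# Usage: ./verify-nta.sh <namespace>
if [ -n "${1-}" ]; then verify_nta_install "$1"; fi
```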
Undeployment script
We also provide a rollback script to remove our plugin from your system. Just specify the namespace where the plugin is deployed on Kong, and the script will handle the rest (Link to the zip file is provided above).
- Windows: uninstall.bat
- Linux or macOS: uninstall.sh
Windows undeployment batch script
@echo off
REM Prompt the user for the namespace
set /p namespace=Enter the namespace:
REM Confirming the namespace and proceeding
if "%namespace%"=="" (
    echo Namespace is required. Exiting.
    exit /b 1
)
REM Undo kubectl apply for kongPlugin.yaml
echo Removing plugin resources...
kubectl delete -f .\kongPlugin.yaml -n %namespace%
REM Revert the patch on the Kong deployment by rolling back to the previous
REM revision (the pre-patch template, provided the patch was the last change)
echo Reverting deployment patch...
kubectl rollout undo deployment kong-kong -n %namespace%
REM Revert the patch on the ingress: remove only the konghq.com/plugins annotation
REM ("/" inside the key is written as "~1" in the JSON Pointer path)
echo Reverting ingress patch...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --type=json --patch "[{\"op\":\"remove\",\"path\":\"/metadata/annotations/konghq.com~1plugins\"}]"
echo Uninstall process completed. Verify by checking your Kubernetes resources.
Linux or macOS undeployment shell script
#!/bin/bash
# Prompt the user for the namespace
read -p "Enter the namespace: " namespace
# Validate namespace input
if [ -z "$namespace" ]; then
  echo "Namespace is required. Exiting."
  exit 1
fi
# Undo kubectl apply for kongPlugin.yaml
echo "Removing plugin resources..."
kubectl delete -f ./kongPlugin.yaml -n "$namespace"
# Revert the patch on the Kong deployment by rolling back to the previous
# revision (the pre-patch template, provided the patch was the last change)
echo "Reverting deployment patch..."
kubectl rollout undo deployment kong-kong -n "$namespace"
# Revert the patch on the ingress: remove only the konghq.com/plugins annotation
# ("/" inside the key is written as "~1" in the JSON Pointer path)
echo "Reverting ingress patch..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" --type=json --patch '[{"op":"remove","path":"/metadata/annotations/konghq.com~1plugins"}]'
echo "Uninstall process completed. Verify by checking your Kubernetes resources."