Contrast Agent Injector
Contrast Agent Injector is a Mutating Admission Webhook that injects a Contrast Agent into Kubernetes Pods on creation to instrument the service running in the first container in the Pod.
Supported Languages
Getting Started
Helm Installation
To get started, you first need to deploy the agent injector service and webhook configuration into a cluster. Right now, the only supported option for that is via Helm. By default, the webhook will use a certificate generated by kube-webhook-certgen for TLS.
- Create a Kubernetes Secret from a contrast_security.yaml file containing the required API keys

      api:
        url: https://app.contrastsecurity.com/Contrast
        user_name: contrast_user
        api_key: demo
        service_key: demo

      kubectl create secret generic contrast-agent-secret --from-file contrast_security.yaml

- Update contrast.secretName in the values file to the name of the Secret you created previously (or leave the default)
- Install the Helm chart (the chart isn't hosted in a Helm repo as of right now, so you'll need to clone this repo)

      helm upgrade --install injector .
Enabling Agent Injection
Now that the contrast-agent-injector service is running inside the cluster, you can enable and configure your Pods to have the agent injected into them on creation.
- Add the contrast-agent-injector: enabled label to the namespace that your services are running in (only Pods created in this namespace will have the specified agent injected)
- Add the required annotations to a Pod (latest can be used for the agent version). See the examples folder.

      contrast-agent-injector/version: <agent version>
      contrast-agent-injector/language: java
      contrast-agent-injector/enabled: <true|enabled>

- Add the optional annotation (contrast-agent-injector/config) to the Pod in order to configure the agent further (see the Agent Configuration section for details)
- When new Pods are created with the annotations defined above, the contrast-agent-injector service will mutate the Pod spec to include the necessary configuration for instrumenting the service with the specified Contrast Agent.
Agent Configuration
To add further configuration to the Pods that are annotated for injection, the contrast-agent-injector/config annotation accepts a comma-separated list of key-value pairs to inject as environment variables into the Pod. Find the configuration values supported for each agent here
Example
    annotations:
      ...
      contrast-agent-injector/config: CONTRAST__SERVER__ENVIRONMENT=qa, CONTRAST__SERVER__NAME=webgoat-k8s
      ...
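An added example (not code from this repository), in Go: it parses a contrast-agent-injector/config value as described above into environment variable pairs, and checks the namespace label and required annotations from Enabling Agent Injection. The function names, the error on malformed entries, and the CONTRAST__ prefix review check are assumptions for illustration, not documented injector behaviour.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ParseConfig splits a contrast-agent-injector/config value into env var pairs.
// Entries are trimmed because the README example has a space after the comma.
// Assumption: a malformed entry is an error (the injector's handling is not documented).
func ParseConfig(v string) (map[string]string, error) {
	env := map[string]string{}
	for _, item := range strings.Split(v, ",") {
		if item = strings.TrimSpace(item); item == "" {
			continue
		}
		k, val, ok := strings.Cut(item, "=")
		if k = strings.TrimSpace(k); !ok || k == "" {
			return nil, fmt.Errorf("malformed config entry %q", item)
		}
		env[k] = strings.TrimSpace(val)
	}
	return env, nil
}

// UnexpectedKeys lists keys outside the CONTRAST__ prefix (hypothetical review policy).
func UnexpectedKeys(env map[string]string) []string {
	var out []string
	for k := range env {
		if !strings.HasPrefix(k, "CONTRAST__") {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// Eligible reports whether the namespace label and required Pod annotations are set.
func Eligible(nsLabels, ann map[string]string) bool {
	e := ann["contrast-agent-injector/enabled"]
	return nsLabels["contrast-agent-injector"] == "enabled" && (e == "true" || e == "enabled") &&
		ann["contrast-agent-injector/version"] != "" && ann["contrast-agent-injector/language"] != ""
}

func main() {
	// Constructed sample; the second key is deliberately outside the CONTRAST__ prefix.
	env, err := ParseConfig("CONTRAST__SERVER__ENVIRONMENT=qa, APP_MODE=a=b")
	fmt.Println(env, UnexpectedKeys(env), err)
}
```

Because every pair in the annotation becomes an environment variable in the Pod, a check like UnexpectedKeys is useful when reviewing manifests before they are applied.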
Current Limitations
- Only supports injecting the agent into the first container in a Pod
- Only supports agent configuration via environment variables using the contrast-agent-injector/config annotation