Package: Invicti AppSec Core (on-demand)
NTA with Kong API Gateway
The Invicti Network Traffic Analyzer (NTA) integrates with Kong API Gateway (v3.0 and later) using a Kong plugin that intercepts API requests and responses and forwards the captured data to the NTA service for API discovery.
This document explains how to deploy the NTA Kong plugin in Kubernetes, Docker, or Linux.
Why this matters
Kong API Gateway already handles every API request passing through your infrastructure. Adding the NTA plugin means you can passively capture that traffic and automatically build an API inventory, discovering endpoints your teams may never have formally documented, without any changes to your application code.
You need Kong v3.0 or later. The NTA plugin binary must match the architecture of your Kong runtime. Invicti Support provides Docker images on request.
Step 1: Generate a registration token
- Select Discovery > API sources from the left-side menu.
- Click Add source.
- Select the Invicti Network Traffic Analyzer source type card.
- Click Continue.
- Click Generate token and copy the token. You'll need it when configuring the plugin.
Step 2: Install the NTA Kong plugin
Follow the section for your environment:
- Kubernetes
- Docker
- Linux
Kubernetes
Kubernetes is ideal for scaling Kong in cloud-native environments, managing microservices, and ensuring high availability. NTA integrates into the K8s cluster alongside Kong Gateway for seamless operation.
Prerequisites
- Kong v3.0 or later
- A running Kubernetes cluster (or Minikube)
- kubectl configured for your cluster
- The NTA Reconstructor running
Review and prepare the patch files
When deploying the NTA plugin in a Kubernetes environment with Kong, three patch files are required to configure and enable the plugin properly.
kongPlugin.yaml
Configures the NTA plugin with the target NTA address. Replace the {{NTA_TARGET}} placeholder with your NTA service address (for example, http://192.168.1.38:8090/api/telemetry).
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: invicti-plugin
plugin: nta
config:
  target: "{{NTA_TARGET}}"
Apply with:
kubectl apply -f ./kongPlugin.yaml -n %namespace%
kong-plugin-patch.yaml
Patches the Kong deployment with volume mounts and the required environment variables. Because Kubernetes runs Kong in a read-only environment, the plugin folder is redirected to a writable location.
spec:
  template:
    spec:
      volumes:
        - name: kong-api-trace-plugin
          emptyDir: {}
      containers:
        - name: proxy
          volumeMounts:
            - mountPath: /plugins
              name: kong-api-trace-plugin
              readOnly: false
          env:
            - name: KONG_PLUGINS
              value: bundled,nta
            - name: KONG_PLUGINSERVER_NAMES
              value: nta
            - name: KONG_PLUGINSERVER_NTA_SOCKET
              value: /plugins/nta.socket
            - name: KONG_PLUGINSERVER_NTA_START_CMD
              value: /plugins/nta -kong-prefix /plugins
            - name: KONG_PLUGINSERVER_NTA_QUERY_CMD
              value: "/plugins/nta -dump"
      initContainers:
        - command:
            - cp
            - /kong/nta
            - /plugin/.
          image: mykongplugin:latest
          imagePullPolicy: Never
          name: invicti-kong-plugin-injector
          volumeMounts:
            - mountPath: /plugin
              name: kong-api-trace-plugin
Apply with:
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml
patch-ingress.yaml
Adds the annotation konghq.com/plugins: invicti-plugin to the Kong Ingress resource.
metadata:
  annotations:
    konghq.com/plugins: invicti-plugin
Apply with:
kubectl patch ingresses.networking.k8s.io echo -n %namespace% \
--patch-file patch-ingress.yaml
Run the deployment script
Use the provided deployment script to apply all three patch files in sequence. The script prompts you for the Kubernetes namespace and the NTA Reconstructor address, then replaces the {{NTA_TARGET}} placeholder and runs the kubectl commands.
- Windows: Run installk8s.bat
- Linux/macOS: Run installk8s.sh
Windows deployment script:
@echo off
REM Prompt the user for the namespace
set /p namespace=Enter the namespace:
REM Prompt the user for the target string (e.g. http://192.168.1.38:8090/api/telemetry)
set /p target=Enter the target string:
REM Running kubectl command 1
echo Running kubectl command 1...
REM Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml
REM (kept on one line: batch has no line continuation inside a quoted string)
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '{{NTA_TARGET}}', '%target%' | Set-Content .\kongPlugin.yaml"
kubectl apply -f .\kongPlugin.yaml -n %namespace%
REM Running kubectl command 2
echo Running kubectl command 2...
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml
REM Running kubectl command 3
echo Running kubectl command 3...
REM In batch files the line-continuation character is ^, not \
kubectl patch ingresses.networking.k8s.io echo -n %namespace% ^
  --patch-file patch-ingress.yaml
REM Revert {{NTA_TARGET}} back to the original placeholder
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '%target%', '{{NTA_TARGET}}' | Set-Content .\kongPlugin.yaml"
echo All commands have been executed.
Linux/macOS deployment script:
#!/bin/bash
# Prompt the user for the namespace
read -r -p "Enter the namespace: " namespace
# Prompt the user for the target string (e.g. http://192.168.1.38:8090/api/telemetry)
read -r -p "Enter the target string: " target
# Running kubectl command 1
echo "Running kubectl command 1..."
# Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml.
# The sed delimiter is | because the target is a URL and contains / characters.
# -i.bak is accepted by both GNU sed (Linux) and BSD sed (macOS) and keeps a backup.
sed -i.bak "s|{{NTA_TARGET}}|$target|g" ./kongPlugin.yaml
kubectl apply -f ./kongPlugin.yaml -n "$namespace"
# Running kubectl command 2
echo "Running kubectl command 2..."
kubectl patch deployment kong-kong -n "$namespace" --patch-file kong-plugin-patch.yaml
# Running kubectl command 3
echo "Running kubectl command 3..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" \
  --patch-file patch-ingress.yaml
# Revert the {{NTA_TARGET}} back to its original placeholder by restoring the backup
mv ./kongPlugin.yaml.bak ./kongPlugin.yaml
echo "All commands have been executed."
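A variant of the substitution step, as an added example that is not part of Invicti's scripts: it validates the target before it reaches the YAML and renders to stdout, so kongPlugin.yaml is never edited in place. The function names and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added example, not part of the vendor scripts. Function names are hypothetical.

# validate_target URL: accept only http(s) URLs built from a conservative
# character set (assumption: no IPv6 literals, query strings or credentials).
# This keeps quotes, newlines, '|', '&' and '\' out of both sed and the YAML.
validate_target() {
  case "$1" in
    http://?*|https://?*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9.:/_~%-]*) return 1 ;;
  esac
  return 0
}

# render_plugin TEMPLATE TARGET: print the rendered manifest on stdout.
# The template file itself is left untouched, so nothing has to be reverted.
render_plugin() {
  validate_target "$2" || { echo "invalid NTA target: $2" >&2; return 1; }
  grep -q '{{NTA_TARGET}}' "$1" || { echo "no placeholder in $1" >&2; return 1; }
  sed "s|{{NTA_TARGET}}|$2|g" "$1"
}

# Usage with the page's file and variables:
#   render_plugin ./kongPlugin.yaml "$target" | kubectl apply -n "$namespace" -f -

# Demo on a constructed template (no cluster needed): sh render.sh --demo
if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp)
  printf 'config:\n  target: "{{NTA_TARGET}}"\n' > "$t"
  render_plugin "$t" "http://192.168.1.38:8090/api/telemetry"
  rm -f "$t"
fi
```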
Undeployment scripts
To remove the NTA plugin and revert all patches, run uninstallk8s.bat on Windows or uninstallk8s.sh on Linux/macOS.
Windows undeployment script:
@echo off
REM Prompt the user for the namespace
set /p namespace=Enter the namespace:
REM Confirming the namespace and proceeding
if "%namespace%"=="" (
    echo Namespace is required. Exiting.
    exit /b
)
REM Undo kubectl apply for kongPlugin.yaml
echo Removing plugin resources...
kubectl delete -f .\kongPlugin.yaml -n %namespace%
REM Revert the patch on the Kong deployment
REM Note: this removes envFrom only; kong-plugin-patch.yaml added env, volumes,
REM volumeMounts and an initContainer, so check the deployment afterwards.
echo Reverting deployment patch...
kubectl patch deployment kong-kong -n %namespace% --type=json ^
  --patch "[{\"op\":\"remove\",\"path\":\"/spec/template/spec/containers/0/envFrom\"}]"
REM Revert the patch on the ingress
REM Remove only the konghq.com/plugins annotation (~1 is the JSON Pointer escape for /);
REM removing /metadata/annotations would delete every annotation on the ingress.
echo Reverting ingress patch...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --type=json ^
  --patch "[{\"op\":\"remove\",\"path\":\"/metadata/annotations/konghq.com~1plugins\"}]"
echo Uninstall process completed. Verify by checking your Kubernetes resources.
Linux/macOS undeployment script:
#!/bin/bash
# Prompt the user for the namespace
read -r -p "Enter the namespace: " namespace
# Validate namespace input
if [ -z "$namespace" ]; then
  echo "Namespace is required. Exiting."
  exit 1
fi
# Undo kubectl apply for kongPlugin.yaml
echo "Removing plugin resources..."
kubectl delete -f ./kongPlugin.yaml -n "$namespace"
# Revert the patch on the Kong deployment
# Note: this removes envFrom only; kong-plugin-patch.yaml added env, volumes,
# volumeMounts and an initContainer, so check the deployment afterwards.
echo "Reverting deployment patch..."
kubectl patch deployment kong-kong -n "$namespace" --type=json \
  --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/envFrom"}]'
# Revert the patch on the ingress
# Remove only the konghq.com/plugins annotation (~1 is the JSON Pointer escape for /);
# removing /metadata/annotations would delete every annotation on the ingress.
echo "Reverting ingress patch..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" --type=json \
  --patch '[{"op":"remove","path":"/metadata/annotations/konghq.com~1plugins"}]'
echo "Uninstall process completed. Verify by checking your Kubernetes resources."
Docker
The Docker installation method is ideal for testing or running Kong API Gateway in isolated environments. It offers a fast and flexible setup for development and small-scale production environments.
The support team provides the Docker images upon request.
Prerequisites
- Kong v3.0 or later
- Docker running
- The NTA plugin Docker image provided by Invicti Support
Step 1: Download nta.zip and copy the plugin
- Download nta.zip from Invicti Support and extract it.
- Copy the binary to the running Kong container:
docker cp ./nta kong-gateway:nta
Replace kong-gateway with the actual container name or ID used in your Docker setup. To find the container name and ID, run docker ps.
Step 2: Set environment variables
Navigate to Containers > Exec in Docker Desktop and run bash, then paste the following commands one by one:
export KONG_PLUGINS="bundled,nta"
export KONG_PLUGINSERVER_NAMES="nta"
export KONG_PLUGINSERVER_NTA_START_CMD="/nta"
export KONG_PLUGINSERVER_NTA_QUERY_CMD="/nta -dump"
For KONG_PLUGINS, include all your existing plugins in the list separated by commas, then add nta at the end.
Step 3: Restart Kong
Apply the changes by reloading or restarting Kong inside the container:
kong reload
or
kong restart
Linux
In the Linux installation method, Kong Gateway is deployed on a single host without containerization. NTA runs in a separate Docker container alongside Kong Gateway.
Prerequisites
- Kong v3.0 or later installed on the Linux host
Step 1: Download and copy the plugin binary
- Download KongPluginLinux.zip from Invicti Support and extract it.
- Copy the binary to Kong's plugins directory:
cp ./nta /usr/local/kong/plugins/
The default Kong plugins directory is /usr/local/kong/plugins/. If Kong is installed in a different location, adjust the path accordingly.
- Verify the file is in place:
ls -l /usr/local/kong/plugins/nta
Step 2: Set environment variables
Run bash, then set the following environment variables:
export KONG_PLUGINS="bundled,nta"
export KONG_PLUGINSERVER_NAMES="nta"
export KONG_PLUGINSERVER_NTA_START_CMD="/usr/local/kong/plugins/nta"
export KONG_PLUGINSERVER_NTA_QUERY_CMD="/usr/local/kong/plugins/nta -dump"
For KONG_PLUGINS, include all your existing plugins in the list separated by commas, then add nta at the end.
To make these environment variables persistent across reboots, add them to your shell profile file (.bashrc, .profile, or .bash_profile) or your Kong configuration file.
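The export KONG_PLUGINS line in the Docker and Linux steps replaces whatever plugin list was already set. As an added example (not from Invicti's documentation; the function name is hypothetical), this helper appends nta to an existing KONG_PLUGINS value exactly once and keeps the other entries:

```shell
#!/bin/sh
# Added example, not vendor code. add_kong_plugin is a hypothetical helper.
# add_kong_plugin CURRENT NAME: print CURRENT with NAME as the last entry.
add_kong_plugin() {
  current=${1:-bundled}   # Kong's default plugin list when nothing is set
  name=$2
  out=
  old_ifs=$IFS
  IFS=,
  set -f                  # no filename expansion while splitting on commas
  for p in $current; do
    p=$(printf '%s' "$p" | tr -d ' \t')   # tolerate "a, b ,c" style lists
    [ -n "$p" ] || continue               # skip empty entries such as "a,,b"
    [ "$p" = "$name" ] && continue        # drop an existing copy of NAME
    out="${out:+$out,}$p"
  done
  set +f
  IFS=$old_ifs
  printf '%s\n' "${out:+$out,}$name"
}

# Usage, in place of the fixed export line:
#   export KONG_PLUGINS="$(add_kong_plugin "$KONG_PLUGINS" nta)"
```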
Step 3: Apply the changes
Reload or restart Kong to apply the new configuration:
kong reload
or
kong restart