Install scan agents via Kubernetes and OpenShift
The Invicti scanner agent runs on any Kubernetes environment, saving you time by eliminating driver and kernel installations. This document covers installing the agent on Kubernetes and OpenShift Clusters.
If you are using Docker, refer to Install a scanner agent via Docker.
Prerequisites
- Kubernetes kubectl command line tool
- RedHat OpenShift command line tool
- Docker (to verify Docker installation on your OS, execute the docker -v command in PowerShell)
To run the scanner agent on the Kubernetes environment, you need to:
- Pull the Invicti Enterprise agent image
- Deploy the agent to a cluster
Step 1: Pull the agent image
There are two ways to pull and use the scanner image:
- Pull the image to your local environment and push it to your private registry.
- Pull the image from Invicti’s publicly available private registry (authentication required). You need to provide the token as a secret to the Kubernetes cluster. This way, your Kubernetes cluster can pull images from registry.invicti.com. Refer to this Kubernetes website for more information.
Option A: Pull an image to your local environment
- In Invicti Enterprise, select Agents > Manage Agents from the left-side menu.
- Click Configure New Agent.
- Run the following command to authenticate to the Invicti image registry (replace <registered-user-email> with the email address you use for your Invicti Enterprise account).
docker login -u <registered-user-email> registry.invicti.com
- When prompted for a password, copy and paste the password from Invicti using the copy button.
- Pull the agent version using the command from Invicti.
docker pull registry.invicti.com/ie-agent:latest
Wait for the system to load the agent image. Then, you can push the loaded image to any private registry for use by the Kubernetes clusters.
Option B: Pull an image from registry.invicti.com directly to the Kubernetes cluster
Define a secret in the Kubernetes cluster to authenticate to Invicti’s registry.invicti.com. For more information, refer to this Kubernetes documentation.
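One way to define that secret, as an added example that is not taken from Invicti's documentation: the shell function below renders a kubernetes.io/dockerconfigjson Secret for registry.invicti.com and reads the registry password from stdin, so it stays out of the process list and shell history. The secret name invicti-registry is an assumption; the invicti namespace is the one created in Step 2.

```shell
#!/bin/sh
# Added example (not Invicti's code). Assumptions: the secret name
# "invicti-registry"; the "invicti" namespace is the one created in Step 2.

# Base64 on a single line (some base64 builds wrap long output).
b64() { base64 | tr -d '\n'; }

# Escape backslashes and double quotes so the value is a valid JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# render_pull_secret <registered-user-email>
# Reads the registry password from stdin and prints a Secret manifest.
render_pull_secret() {
  user=$1
  # Accept input with or without a trailing newline; reject empty values.
  IFS= read -r pass || [ -n "$pass" ] || return 1
  [ -n "$user" ] && [ -n "$pass" ] || return 1

  # "auth" is base64(user:password) over the raw, unescaped values.
  auth=$(printf '%s:%s' "$user" "$pass" | b64)
  cfg=$(printf '{"auths":{"registry.invicti.com":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$(json_escape "$user")" "$(json_escape "$pass")" "$auth" | b64)

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: invicti-registry
  namespace: invicti
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Usage (password typed at a hidden prompt, manifest never written to disk):
#   stty -echo; IFS= read -r pw; stty echo
#   printf '%s\n' "$pw" | render_pull_secret you@example.com | kubectl apply -f -
```

For the cluster to use the secret, the Deployment's pod spec (spec.template.spec) must list it under imagePullSecrets with name: invicti-registry, and the image field must point at registry.invicti.com.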
Step 2: Deploy the agent to a cluster
This section contains instructions for deploying the agent to Kubernetes and OpenShift clusters.
Steps to deploy to a Kubernetes cluster
- Create a new namespace called 'invicti'.
kubectl create ns invicti
- Update the deployment.yaml file with your specific values. The following deployment.yaml is a sample that you can use.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <image registry>:<tag>
          imagePullPolicy: IfNotPresent
          env:
            - name: ApiToken
              value: "<Enter your Agent token>"
            - name: ApiRootUrl
              value: "<Enter your Api Root URL>"
            - name: AgentName
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: AgentMode
              value: "Scanner"
            - name: IgnoreSslCertificateErrors
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 8Gi
            requests:
              cpu: 1000m
              memory: 4Gi
Environment Variables
  - AgentName: The AgentName can be anything. It is going to be displayed when you start a new scan. (If you plan to install more than one agent instance, set a unique 'AgentName' value for each instance, as you are going to need these later.)
  - ApiToken: The Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (Select Agents > Manage Agents from the left-side menu and click Configure New Agent. In the Agent Token field, select Copy to clipboard.)
  - ApiRootUrl: This is the URL of Invicti Enterprise on-demand or Invicti Enterprise on-premises.
  - AgentMode: Indicates the agent’s process type as Scanner or Verifier.
  - IgnoreSslCertificateErrors: This would ignore SSL certificate errors on the scan target website.
- Apply manifests to your clusters by running the following commands:
kubectl apply -f deployment.yaml
kubectl get pod -n invicti
You have now installed the scanner agent. To check its status in Invicti Enterprise, go to Agents > Manage Agents.
You can now initiate a scan using the installed scanner agent. Navigate to Scans > New Scan, and choose a target with the agent mode set to Internal. You can also configure other necessary settings, including selecting the specific agent to conduct the scan on the target.
Scan Agent auto-updates don't work with Kubernetes.
If you select the Enable Auto Updates Command on the Managing Agents page, the agent is going to be put in a constant updating state rendering it unavailable.
Enable Auto Update is disabled by default.
Steps to deploy to an OpenShift cluster
- Log in to the OpenShift cluster by running the command below.
oc login <cluster_url> --username <username> --password <password>
- Create a new project called 'invicti' by running the command below.
oc new-project invicti
- Log in to Docker by running the command below.
docker login -u <username> -p $(oc whoami -t) $(oc registry info)
- Tag the image you downloaded in the previous steps by running the command below.
docker tag registry.invicti.com/ie-opsh-agent:latest <your_openshift_registry:tag>
- Push the Docker image to the OpenShift registry by running the command below.
docker push <your_openshift_registry:tag>
- Create the deployment.yaml file and populate the AgentName, ApiToken, and ApiRootUrl parameters.
  - AgentName: The AgentName can be anything. It is going to be displayed when you start a new scan. (If you plan to install more than one agent instance, set a unique 'AgentName' value for each instance, as you are going to need these later.)
  - ApiToken: The Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (Select Agents > Manage Agents from the left-side menu and click Configure New Agent. In the Agent Token field, select Copy to clipboard.)
  - ApiRootUrl: This is the URL of Invicti Enterprise on-demand or Invicti Enterprise on-premises.
The following deployment.yaml file is a sample that you can use:
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <Your agent image>
          imagePullPolicy: IfNotPresent
          env:
            - name: ApiToken
              value: "Enter a token"
            - name: ApiRootUrl
              value: "Enter a URL"
            - name: AgentName
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: AgentMode
              value: "Scanner"
            - name: IgnoreSslCertificateErrors
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 8Gi
            requests:
              cpu: 1000m
              memory: 4Gi
- Apply manifests to your clusters by running these commands.
kubectl apply -f deployment.yaml
kubectl get pod
You have now installed the scanner agent. To check its status in Invicti Enterprise, go to Agents > Manage Agents.
You can now initiate a scan using the installed scanner agent. Navigate to Scans > New Scan, and choose a target with the agent mode set to Internal. You can also configure other necessary settings, including selecting the specific agent to conduct the scan on the target.