This document is for: Invicti Enterprise on-demand

This feature is available with Invicti API Security Standalone or Bundle.

Integrate NTA with Kong Gateway in Kubernetes

Kubernetes (K8s) installation is ideal for scaling Kong in cloud-native environments, managing microservices, and ensuring high availability. NTA integrates into the K8s cluster alongside Kong Gateway for seamless operation.

This document guides you through configuring Kong in your development environment. The integration process is divided into two key steps:

Info: The support team can provide the Docker images upon request.

Prerequisites

  • Kong API Gateway: Install and configure Kong API Gateway v3.0 or later.
  • Kubernetes or Minikube: Set up Kubernetes or Minikube for local development.
  • Reconstructor: Ensure that the Reconstructor is properly configured and operational. It's responsible for generating Swagger files and uploading them to ApiHub.

Review and prepare the patch files

When deploying the NTA plugin in a Kubernetes environment with Kong, several patch files are needed to configure and enable the plugin. They set up Kong to run the plugin and configure the required resources (such as the Kong deployment and ingress).

The KongPluginK8s.zip file contains three patch files:

Patch file: Kubernetes/kongPlugin.yaml

This patch file configures the NTA plugin to work with Kong by defining its settings. It specifies a variable ({{NTA_TARGET}}) for the address where Kong sends captured traffic for analysis.

  • Customize the kongPlugin.yaml file with the NTA address:
    • Example target address: http://192.168.1.38:8090/api/telemetry

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: invicti-plugin
plugin: nta
config:
  target: "{{NTA_TARGET}}"

  • Then deploy it with:
kubectl apply -f ./kongPlugin.yaml -n %namespace%

Patch file: Kubernetes/kong-plugin-patch.yaml

This patch file deploys the Kong plugin in Kubernetes. Unlike the Docker installation, Kubernetes runs Kong in a read-only environment. The patch therefore passes -kong-prefix /plugins to the plugin and sets KONG_PLUGINSERVER_NTA_SOCKET to a path under /plugins so that the plugin can interact with the system correctly. To work around the read-only environment, the plugin folder is redirected to a writable location: an emptyDir volume mounted at /plugins, into which an init container copies the nta plugin file.

spec:
  template:
    spec:
      volumes:
        - name: kong-api-trace-plugin
          emptyDir: {}
      containers:
        - name: proxy
          volumeMounts:
            - mountPath: /plugins
              name: kong-api-trace-plugin
              readOnly: false
          env:
            - name: KONG_PLUGINS
              value: bundled,nta
            - name: KONG_PLUGINSERVER_NAMES
              value: nta
            - name: KONG_PLUGINSERVER_NTA_SOCKET
              value: /plugins/nta.socket
            - name: KONG_PLUGINSERVER_NTA_START_CMD
              value: /plugins/nta -kong-prefix /plugins
            - name: KONG_PLUGINSERVER_NTA_QUERY_CMD
              value: "/plugins/nta -dump"
      initContainers:
        - command:
            - cp
            - /kong/nta
            - /plugin/.
          image: mykongplugin:latest
          imagePullPolicy: Never
          name: invicti-kong-plugin-injector
          volumeMounts:
            - mountPath: /plugin
              name: kong-api-trace-plugin

  • Apply the patch using this command:
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml

Patch file: Kubernetes/patch-ingress.yaml

This patch file updates the Kong Ingress resource by adding the necessary annotation to link it to the NTA plugin.

metadata:
  annotations:
    konghq.com/plugins: invicti-plugin

  • Apply the patch using this command:
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --patch-file patch-ingress.yaml

Deployment scripts

To integrate NTA with Kong in Kubernetes, run one of the provided scripts. The setup has been streamlined with these scripts (the link to the zip file is provided earlier on this page):

  • Windows: installk8s.bat
  • Linux or macOS: installk8s.sh

When you run the script, you are prompted to enter a namespace and the reconstructor engine address. The script then executes three key commands:

  1. Configure and apply kongPlugin.yaml
  2. Patch the Kong Deployment
  3. Patch the Ingress Resource
@echo off

REM Prompt the user for the namespace
set /p namespace=Enter the namespace:

REM Prompt the user for the target string (for example, http://192.168.1.38:8090/api/telemetry)
set /p target=Enter the target string:

REM Running kubectl command 1
echo Running kubectl command 1...
REM Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '{{NTA_TARGET}}', '%target%' | Set-Content .\kongPlugin.yaml"
kubectl apply -f .\kongPlugin.yaml -n %namespace%

REM Running kubectl command 2
echo Running kubectl command 2...
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml

REM Running kubectl command 3
echo Running kubectl command 3...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --patch-file patch-ingress.yaml

REM Revert {{NTA_TARGET}} back to the original placeholder
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '%target%', '{{NTA_TARGET}}' | Set-Content .\kongPlugin.yaml"

echo All commands have been executed.
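
A hardened form of the substitution step in the script above, as an added example (not the contents of Invicti's installk8s.sh): it validates the namespace and target before use and renders kongPlugin.yaml to standard output instead of editing the file in place and reverting it. The function names and the character allowlist are assumptions.

```shell
#!/bin/sh
# Added example, not Invicti's installk8s.sh; function names are hypothetical.
LC_ALL=C  # make [a-z] style ranges byte-wise in every shell

# Kubernetes namespaces are RFC 1123 labels: [a-z0-9-], no leading/trailing '-', <= 63 chars.
valid_namespace() {
  case $1 in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Assumed allowlist: http(s) scheme and URL characters that cannot close the
# double-quoted YAML scalar or start a new line (no quotes, spaces, backslashes).
valid_target() {
  case $1 in
    http://?*|https://?*) ;;
    *) return 1 ;;
  esac
  case $1 in
    *[!A-Za-z0-9:/._~%-]*) return 1 ;;
  esac
  return 0
}

# Read the template on stdin, write the rendered manifest to stdout.
# The template file is never modified, so there is nothing to revert.
render_kong_plugin() (
  target=$1 ph='{{NTA_TARGET}}'
  valid_target "$target" || { echo "rejected target: $target" >&2; exit 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      *"$ph"*) line=${line%%"$ph"*}$target${line#*"$ph"} ;;
    esac
    printf '%s\n' "$line"
  done
)

# Constructed demo input: the kongPlugin.yaml shown on this page, as a literal.
demo_template() {
  printf '%s\n' 'apiVersion: configuration.konghq.com/v1' 'kind: KongPlugin' \
    'metadata:' '  name: invicti-plugin' 'plugin: nta' 'config:' \
    '  target: "{{NTA_TARGET}}"'
}

# Real use: render_kong_plugin "$target" < kongPlugin.yaml | kubectl apply -n "$namespace" -f -
demo_template | render_kong_plugin 'http://192.168.1.38:8090/api/telemetry'
```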

Undeployment script

A rollback script is also provided to remove the plugin from your system. Specify the namespace where the plugin is deployed on Kong, and the script handles the rest (the link to the zip file is provided earlier on this page).

  • Windows: uninstall.bat
  • Linux or macOS: uninstall.sh
@echo off

REM Prompt the user for the namespace
set /p namespace=Enter the namespace:

REM Confirming the namespace and proceeding
if "%namespace%"=="" (
    echo Namespace is required. Exiting.
    exit /b
)

REM Undo kubectl apply for kongPlugin.yaml
echo Removing plugin resources...
kubectl delete -f .\kongPlugin.yaml -n %namespace%

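REM Revert the patch on the Kong deployment
REM This removes envFrom from the first container; the env, volumes, volumeMounts
REM and initContainers entries added by kong-plugin-patch.yaml are not touched by this command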
echo Reverting deployment patch...
kubectl patch deployment kong-kong -n %namespace% --type=json --patch "[{\"op\":\"remove\",\"path\":\"/spec/template/spec/containers/0/envFrom\"}]"

REM Revert the patch on the ingress (removes the entire annotations map)
echo Reverting ingress patch...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --type=json --patch "[{\"op\":\"remove\",\"path\":\"/metadata/annotations\"}]"

echo Uninstall process completed. Verify by checking your Kubernetes resources.
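
The ingress revert above removes the whole /metadata/annotations map. As an added example (not part of Invicti's uninstall script), this builds a JSON Patch that removes only the konghq.com/plugins annotation, and only while it still equals invicti-plugin. The function names are hypothetical, and keys and values are assumed to contain no double quotes or backslashes.

```shell
#!/bin/sh
# Added example, not Invicti's uninstall script; function names are hypothetical.

# RFC 6901: inside a JSON Pointer segment, '~' becomes '~0' and '/' becomes '~1'
# (in that order), so the annotation key konghq.com/plugins stays one segment.
json_pointer_escape() {
  printf '%s' "$1" | sed -e 's/~/~0/g' -e 's,/,~1,g'
}

# Build an RFC 6902 patch that removes one annotation only if it still holds
# the expected value; a failing "test" op makes the whole patch fail.
# Assumes key and value contain no '"' or '\' (no JSON escaping is done here).
annotation_remove_patch() (
  path="/metadata/annotations/$(json_pointer_escape "$1")"
  printf '[{"op":"test","path":"%s","value":"%s"},{"op":"remove","path":"%s"}]\n' \
    "$path" "$2" "$path"
)

annotation_remove_patch 'konghq.com/plugins' 'invicti-plugin'

# Real use (ingress name "echo" is the one used on this page):
# kubectl patch ingresses.networking.k8s.io echo -n "$namespace" --type=json \
#   --patch "$(annotation_remove_patch 'konghq.com/plugins' 'invicti-plugin')"
```

If other plugins have since been added to the same annotation value, the test operation fails and the ingress is left unchanged for manual review.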
