Package: Invicti API Security Standalone or Bundle
NTA with Kong API Gateway in Kubernetes
Kubernetes (K8s) installation is ideal for scaling Kong in cloud-native environments, managing microservices, and ensuring high availability. NTA integrates into the K8s cluster alongside Kong Gateway for seamless operation.
This document navigates you through the configuration process of Kong into your development environment. The integration process is divided into two key steps:
- Review and prepare the patch files
- Deployment scripts
Prerequisites
- Kong API Gateway: Install and configure Kong API Gateway v3.0 or later.
- Kubernetes or Minikube: Set up Kubernetes or Minikube for local development.
- Reconstructor: Ensure that the Reconstructor is properly configured and operational. It is responsible for generating Swagger files and uploading them to ApiHub.
Review and prepare the patch files
When deploying the NTA plugin in a Kubernetes environment with Kong, several patch files are necessary to configure and enable the plugin properly. These files help ensure that Kong is properly set up to run the plugin and that the necessary resources (such as the Kong deployment and ingress) are correctly configured.
In this Kubernetes.zip file, there are three patch files:
- Kubernetes/kongPlugin.yaml
- Kubernetes/kong-plugin-patch.yaml
- Kubernetes/patch-ingress.yaml
Patch file - Kubernetes/kongplugin.yaml�
This patch file configures the NTA plugin to work with Kong by defining its settings. It specifies a variable ({{NTA_TARGET}}) for the address where Kong sends captured traffic for analysis.
- Customize the kongPlugin.yaml file with the NTA address:
- Example target address: http://192.168.1.38:8090/api/telemetry
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: invicti-plugin
plugin: nta
config:
target: "{{NTA_TARGET}}"
- Then deploy it with:
kubectl apply -f ./kongPlugin.yaml -n %namespace%
Patch file - Kubernetes/kong-plugin-patch.yaml
This patch file deploys the Kong plugin in Kubernetes. Unlike the Docker installation, Kubernetes runs Kong in a read-only environment. Therefore, the configuration specifies kong-prefix /plugins and the KONG_PLUGINSERVER_NTA_SOCKET addresses to ensure that the plugin can interact with the system correctly. To overcome the read-only nature of the Kubernetes environment, the plugin folder is redirected to a location that can be modified, allowing for necessary updates and configurations.
spec:
template:
spec:
volumes:
- name: kong-api-trace-plugin
emptyDir: {}
containers:
- name: proxy
volumeMounts:
- mountPath: /plugins
name: kong-api-trace-plugin
readOnly: false
env:
- name: KONG_PLUGINS
value: bundled,nta
- name: KONG_PLUGINSERVER_NAMES
value: nta
- name: KONG_PLUGINSERVER_NTA_SOCKET
value: /plugins/nta.socket
- name: KONG_PLUGINSERVER_NTA_START_CMD
value: /plugins/nta -kong-prefix /plugins
- name: KONG_PLUGINSERVER_NTA_QUERY_CMD
value: "/plugins/nta -dump"
initContainers:
- command:
- cp
- /kong/nta
- /plugin/.
image: mykongplugin:latest
imagePullPolicy: Never
name: invicti-kong-plugin-injector
volumeMounts:
- mountPath: /plugin
name: kong-api-trace-plugin
- Apply the patch using this command:
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml
Patch file - Kubernetes/patch-ingress.yaml
This patch file updates the Kong Ingress resource by adding the necessary annotation to link it to the NTA plugin.
metadata:
annotations:
konghq.com/plugins: invicti-plugin
- Apply the patch using this command:
kubectl patch ingresses.networking.k8s.io echo -n %namespace% \
--patch-file patch-ingress.yaml
Deployment scripts
To integrate NTA with Kong in Kubernetes, simply run one of the provided scripts. The setup has been streamlined with these batch files:
- Windows:
installk8s.bat - Linux or macOS:
installk8s.sh
When you run the script you are prompted to enter a namespace and the reconstructor engine address. The script then executes three key commands:
- Configure and apply kongPlugin.yaml
- Patch the Kong Deployment
- Patch the Ingress Resource
Windows deployment batch script
@echo off
REM Prompt the user for the namespace
set /p namespace=Enter the namespace:
REM Prompt the user for the target string (i.g. http://192.168.1.38:8090/api/telemetry)
set /p target=Enter the target string:
REM Running kubectl command 1
echo Running kubectl command 1...
REM Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '{{NTA_TARGET}}', '%target%' | \
Set-Content .\kongPlugin.yaml"
kubectl apply -f .\kongPlugin.yaml -n %namespace%
REM Running kubectl command 2
echo Running kubectl command 2...
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml
REM Running kubectl command 3
echo Running kubectl command 3...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% \
--patch-file patch-ingress.yaml
REM Revert {{NTA_TARGET}} back to the original placeholder
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '%target%', '{{NTA_TARGET}}' | \
Set-Content .\kongPlugin.yaml"
echo All commands have been executed.
Linux or macOS deployment shell script
#!/bin/bash
# Prompt the user for the namespace
read -p "Enter the namespace: " namespace
# Prompt the user for the target string (i.g. http://192.168.1.38:8090/api/telemetry)
read -p "Enter the target string: " target
# Running kubectl command 1
echo "Running kubectl command 1..."
# Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml
sed -i "s/{{NTA_TARGET}}/$target/g" ./kongPlugin.yaml
kubectl apply -f ./kongPlugin.yaml -n "$namespace"
# Running kubectl command 2
echo "Running kubectl command 2..."
kubectl patch deployment kong-kong -n "$namespace" --patch-file kong-plugin-patch.yaml
# Running kubectl command 3
echo "Running kubectl command 3..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" \
--patch-file patch-ingress.yaml
# Revert the {{NTA_TARGET}} back to its original placeholder
sed -i "s/$target/{{NTA_TARGET}}/g" ./kongPlugin.yaml
echo "All commands have been executed."
Undeployment script
A rollback script is also provided to remove the plugin from your system. Just specify the namespace where the plugin is deployed on Kong, and the script handles the rest.
- Windows:
uninstall.bat - Linux or macOS:
uninstall.sh
Windows undeployment batch script
@echo off
REM Prompt the user for the namespace
set /p namespace=Enter the namespace:
REM Confirming the namespace and proceeding
if "%namespace%"=="" (
echo Namespace is required. Exiting.
exit /b)
REM Undo kubectl apply for kongPlugin.yaml
echo Removing plugin resources...
kubectl delete -f .\kongPlugin.yaml -n %namespace%
REM Revert the patch on the Kong deployment
echo Reverting deployment patch...
kubectl patch deployment kong-kong -n %namespace% --type=json \
--patch "[{\"op\":\"remove\",\"path\":\"/spec/template/spec/containers/0/envFrom\"}]"
REM Revert the patch on the ingress
echo Reverting ingress patch...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --type=json \
--patch "[{\"op\":\"remove\",\"path\":\"/metadata/annotations\"}]"
echo Uninstall process completed. Verify by checking your Kubernetes resources.
Linux or macOS undeployment shell script
#!/bin/bash
# Prompt the user for the namespace
read -p "Enter the namespace: " namespace
# Validate namespace input
if [ -z "$namespace" ]; then
echo "Namespace is required. Exiting."
exit 1
fi
# Undo kubectl apply for kongPlugin.yaml
echo "Removing plugin resources..."
kubectl delete -f ./kongPlugin.yaml -n "$namespace"
# Revert the patch on the Kong deployment
echo "Reverting deployment patch..."
kubectl patch deployment kong-kong -n "$namespace" --type=json \
--patch '[{"op":"remove","path":"/spec/template/spec/containers/0/envFrom"}]'
# Revert the patch on the ingress
echo "Reverting ingress patch..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" --type=json \
--patch '[{"op":"remove","path":"/metadata/annotations"}]'
echo "Uninstall process completed. Verify by checking your Kubernetes resources."
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center