
NTA with Kong API Gateway in Kubernetes

This document is for Invicti Platform

This feature is available with Invicti API Security Standalone or Bundle.

Kubernetes (K8s) installation is ideal for scaling Kong in cloud-native environments, managing microservices, and ensuring high availability. NTA integrates into the K8s cluster alongside Kong Gateway for seamless operation.

This document walks you through integrating Kong with NTA in your development environment. The integration is divided into two key steps:

  • Review and prepare the patch files
  • Deployment scripts

Prerequisites

  • Kong API Gateway: Install and configure Kong API Gateway v3.0 or later.
  • Kubernetes or Minikube: Set up Kubernetes or Minikube for local development.
  • Reconstructor: Ensure that the Reconstructor is properly configured and operational. It is responsible for generating Swagger files and uploading them to ApiHub.

Review and prepare the patch files

When deploying the NTA plugin in a Kubernetes environment with Kong, several patch files are necessary to configure and enable the plugin properly. These files help ensure that Kong is properly set up to run the plugin and that the necessary resources (such as the Kong deployment and ingress) are correctly configured.

The Kubernetes.zip file contains three patch files:

  • Kubernetes/kongPlugin.yaml
  • Kubernetes/kong-plugin-patch.yaml
  • Kubernetes/patch-ingress.yaml

Patch file - Kubernetes/kongPlugin.yaml

This patch file configures the NTA plugin to work with Kong by defining its settings. It specifies a variable ({{NTA_TARGET}}) for the address where Kong sends captured traffic for analysis.

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: invicti-plugin
plugin: nta
config:
  target: "{{NTA_TARGET}}"

Then deploy it with:

kubectl apply -f ./kongPlugin.yaml -n %namespace%

Patch file - Kubernetes/kong-plugin-patch.yaml

This patch file deploys the Kong plugin in Kubernetes. Unlike the Docker installation, Kubernetes runs the Kong container with a read-only filesystem. The patch therefore adds a writable emptyDir volume mounted at /plugins and points the plugin server at it: the plugin process is started with -kong-prefix /plugins and KONG_PLUGINSERVER_NTA_SOCKET is placed under /plugins, while an init container copies the nta binary into that volume. Redirecting the plugin folder to a writable location lets the plugin run, and be updated or reconfigured, without modifying the read-only image.

spec:
  template:
    spec:
      volumes:
        - name: kong-api-trace-plugin
          emptyDir: {}
      containers:
        - name: proxy
          volumeMounts:
            - mountPath: /plugins
              name: kong-api-trace-plugin
              readOnly: false
          env:
            - name: KONG_PLUGINS
              value: bundled,nta
            - name: KONG_PLUGINSERVER_NAMES
              value: nta
            - name: KONG_PLUGINSERVER_NTA_SOCKET
              value: /plugins/nta.socket
            - name: KONG_PLUGINSERVER_NTA_START_CMD
              value: /plugins/nta -kong-prefix /plugins
            - name: KONG_PLUGINSERVER_NTA_QUERY_CMD
              value: "/plugins/nta -dump"
      initContainers:
        - command:
            - cp
            - /kong/nta
            - /plugin/.
          image: mykongplugin:latest
          imagePullPolicy: Never
          name: invicti-kong-plugin-injector
          volumeMounts:
            - mountPath: /plugin
              name: kong-api-trace-plugin

Apply the patch using this command:

kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml

Patch file - Kubernetes/patch-ingress.yaml

This patch file updates the Kong Ingress resource by adding the necessary annotation to link it to the NTA plugin.

metadata:
  annotations:
    konghq.com/plugins: invicti-plugin

Apply the patch using this command:

kubectl patch ingresses.networking.k8s.io echo -n %namespace% \
  --patch-file patch-ingress.yaml

Deployment scripts

To integrate NTA with Kong in Kubernetes, run the provided script for your platform:

  • Windows: installk8s.bat
  • Linux or macOS: installk8s.sh

When you run the script, you are prompted to enter a namespace and the reconstructor engine address. The script then executes three key commands:

  1. Configure and apply kongPlugin.yaml
  2. Patch the Kong Deployment
  3. Patch the Ingress Resource

Windows deployment batch script

@echo off

REM Prompt the user for the namespace
set /p namespace=Enter the namespace:

REM Prompt the user for the target string (e.g. http://192.168.1.38:8090/api/telemetry)
set /p target=Enter the target string:

REM Running kubectl command 1
echo Running kubectl command 1...

REM Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '{{NTA_TARGET}}', '%target%' | Set-Content .\kongPlugin.yaml"
kubectl apply -f .\kongPlugin.yaml -n %namespace%

REM Running kubectl command 2
echo Running kubectl command 2...
kubectl patch deployment kong-kong -n %namespace% --patch-file kong-plugin-patch.yaml

REM Running kubectl command 3
echo Running kubectl command 3...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --patch-file patch-ingress.yaml

REM Revert {{NTA_TARGET}} back to the original placeholder
powershell -Command "(Get-Content .\kongPlugin.yaml) -replace '%target%', '{{NTA_TARGET}}' | Set-Content .\kongPlugin.yaml"
echo All commands have been executed.

Linux or macOS deployment shell script

#!/bin/bash
# Prompt the user for the namespace
read -p "Enter the namespace: " namespace

# Prompt the user for the target string (e.g. http://192.168.1.38:8090/api/telemetry)
read -p "Enter the target string: " target

# Running kubectl command 1
echo "Running kubectl command 1..."

# Replace {{NTA_TARGET}} with the provided target temporarily in kongPlugin.yaml.
# "|" is used as the sed delimiter because the target is a URL and contains "/";
# -i.bak works with both GNU sed (Linux) and BSD sed (macOS).
sed -i.bak "s|{{NTA_TARGET}}|$target|g" ./kongPlugin.yaml && rm -f ./kongPlugin.yaml.bak
kubectl apply -f ./kongPlugin.yaml -n "$namespace"

# Running kubectl command 2
echo "Running kubectl command 2..."
kubectl patch deployment kong-kong -n "$namespace" --patch-file kong-plugin-patch.yaml

# Running kubectl command 3
echo "Running kubectl command 3..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" \
  --patch-file patch-ingress.yaml

# Revert the {{NTA_TARGET}} back to its original placeholder
sed -i.bak "s|$target|{{NTA_TARGET}}|g" ./kongPlugin.yaml && rm -f ./kongPlugin.yaml.bak
echo "All commands have been executed."
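Rendering the template for kubectl apply -f - instead of editing kongPlugin.yaml in place, as an added example that is not part of the Invicti scripts: an in-place sed needs a delimiter that cannot occur in the URL and treats the URL as a regex on revert, whereas a literal substitution has neither problem and leaves the template untouched. The sample template, validate_target and render_kong_plugin are constructed for this example.

```shell
#!/bin/bash
# Added example (not the Invicti installer): render kongPlugin.yaml for
# "kubectl apply -f -" instead of editing it in place, so no revert step
# is needed and the target URL is never interpreted as a regex.

# Accept only absolute http(s) URLs: the value lands in KongPlugin.config.target
# and is where Kong will ship captured request/response data.
validate_target() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Replace every literal {{NTA_TARGET}} in $1 (template file) with $2 (URL).
# The URL is passed through the environment so awk never treats it as a
# regex or as a backslash escape; rendered YAML goes to stdout.
render_kong_plugin() {
  template=$1 target=$2
  validate_target "$target" || { echo "invalid NTA target: $target" >&2; return 1; }
  NTA_TARGET="$target" awk '
    {
      line = $0; out = ""
      while ((i = index(line, "{{NTA_TARGET}}")) > 0) {
        out = out substr(line, 1, i - 1) ENVIRON["NTA_TARGET"]
        line = substr(line, i + 14)          # 14 = length("{{NTA_TARGET}}")
      }
      print out line
    }' "$template"
}

# Constructed stand-in for the Kubernetes/kongPlugin.yaml from the page, written
# to a temp file; prints the path so it can be fed to render_kong_plugin.
sample_template_file() {
  f=$(mktemp)
  printf '%s\n' \
    'apiVersion: configuration.konghq.com/v1' \
    'kind: KongPlugin' \
    'metadata:' \
    '  name: invicti-plugin' \
    'plugin: nta' \
    'config:' \
    '  target: "{{NTA_TARGET}}"' > "$f"
  echo "$f"
}

# Usage in the installer ($namespace and $target read as on the page):
#   render_kong_plugin ./kongPlugin.yaml "$target" | kubectl apply -n "$namespace" -f -
```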

Undeployment script

A rollback script is also provided to remove the plugin from your system. Just specify the namespace where the plugin is deployed on Kong, and the script handles the rest.

  • Windows: uninstall.bat
  • Linux or macOS: uninstall.sh

Windows undeployment batch script

@echo off

REM Prompt the user for the namespace
set /p namespace=Enter the namespace:

REM Confirming the namespace and proceeding
if "%namespace%"=="" (
    echo Namespace is required. Exiting.
    exit /b 1
)

REM Undo kubectl apply for kongPlugin.yaml
echo Removing plugin resources...
kubectl delete -f .\kongPlugin.yaml -n %namespace%

REM Revert the patch on the Kong deployment. The patch added env vars, a volume,
REM a volumeMount and an init container, so roll the deployment back to the
REM revision before the patch instead of removing a single path (the earlier
REM version removed "envFrom", which the patch never added). This assumes the
REM NTA patch was the most recent change to the deployment.
echo Reverting deployment patch...
kubectl rollout undo deployment kong-kong -n %namespace%

REM Revert the patch on the ingress: remove only the plugin annotation ("/" in
REM the annotation key is written as "~1" in a JSON pointer), not every annotation
echo Reverting ingress patch...
kubectl patch ingresses.networking.k8s.io echo -n %namespace% --type=json --patch "[{\"op\":\"remove\",\"path\":\"/metadata/annotations/konghq.com~1plugins\"}]"

echo Uninstall process completed. Verify by checking your Kubernetes resources.

Linux or macOS undeployment shell script

#!/bin/bash

# Prompt the user for the namespace
read -p "Enter the namespace: " namespace

# Validate namespace input
if [ -z "$namespace" ]; then
  echo "Namespace is required. Exiting."
  exit 1
fi

# Undo kubectl apply for kongPlugin.yaml
echo "Removing plugin resources..."
kubectl delete -f ./kongPlugin.yaml -n "$namespace"

# Revert the patch on the Kong deployment. The patch added env vars, a volume,
# a volumeMount and an init container, so roll the deployment back to the
# revision before the patch instead of removing a single path (the earlier
# version removed "envFrom", which the patch never added). This assumes the
# NTA patch was the most recent change to the deployment.
echo "Reverting deployment patch..."
kubectl rollout undo deployment kong-kong -n "$namespace"

# Revert the patch on the ingress: remove only the plugin annotation ("/" in the
# annotation key is written as "~1" in a JSON pointer), not every annotation.
echo "Reverting ingress patch..."
kubectl patch ingresses.networking.k8s.io echo -n "$namespace" --type=json \
  --patch '[{"op":"remove","path":"/metadata/annotations/konghq.com~1plugins"}]'

echo "Uninstall process completed. Verify by checking your Kubernetes resources."
